The book also comes with a detailed IT due diligence report template to help you create a
report in a format that will be useful and understandable to executives running the deal. In
addition, it includes data collection spreadsheets to help the process go as quickly and
smoothly as possible and an IT implementation plan template to get you started on the
post-due diligence phase of the transaction.
https://www.itduediligenceguide.com/buytheitduediligenceguide/
IT Due Diligence Guide 2
WARRANTY DISCLAIMER
ALL CONTENT IS PROVIDED "AS IS" AND ANY AND ALL WARRANTIES
ARE DISCLAIMED, WHETHER EXPRESS OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
LIABILITY DISCLAIMER
Our cumulative liability to you or anyone else for any loss or damages resulting from
any claims, demands, or actions arising out of or relating to use of this document
shall not exceed the amount you have paid to us for the document. In no event shall
we be liable for any indirect, incidental, consequential, special, or exemplary
damages or lost profits, even if we have been advised of the possibility of such
damages. You agree that the foregoing constitutes your sole and exclusive remedy.
SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF
LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE
ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
TRADEMARKS
Product and company name references in and third-party website content linked
from this document may be trademarked. All trademarks belong to their respective,
registered owners. Trademark designations are used for identification purposes, and
in an editorial fashion, with no intention of infringement. Use of trademarks is not
meant to convey endorsement or affiliation, nor should they be inferred.
ISBN: 978-0-9961348-4-2
The need to include an IT review during M&A due diligence is greater than ever.
Identifying IT shortcomings that can jeopardize a transaction and put a company's
future at risk is critical. Other issues that are uncovered may not be so serious that
they lead to an acquisition being cancelled, but can still carry a high price tag to
address, and it's important to find these problems prior to the deal closing.
2016 and early 2017 saw the trends of substantial data breaches and related public
relations disasters continue. Ransomware attacks spread rapidly and were covered
by the mainstream news. Some companies have even begun to keep a stock of
bitcoins on hand to pay the ransom.
Overall, in 2016, more than 4 billion records were leaked, breached and hacked.
The average IBM client organization experienced more than 54 million attempted
security intrusions in 2016.[2]
In 2017, CEOs and boards of even the largest companies learned hard lessons related
to IT security:

Hackers obtained copies of the new season of the TV series Orange is the New
Black and demanded a ransom be paid to prevent them from being released for
free online. The ransom was not paid, and the shows were in fact released.[3]

Yahoo! CEO Marissa Mayer was forced to give up millions of dollars of bonus
and equity because of a 2014 hacking incident that affected 1.5 billion (yes, with
a B) Yahoo! user accounts.[4]

Target paid $18.5 million to 47 states to settle claims related to its infamous
2013 data breach.[5]

The insurance company Anthem agreed to a $115M settlement in a class-action
lawsuit related to a data breach that affected 78 million patients in 2015.[6]

If some of the largest companies in the world can be hacked, the risks to small and
middle-market companies are likely even greater.
In fact, many security experts now see hacking as something that can't be prevented,
accepting the fact that it's almost inevitable when a skilled and determined criminal
is involved. The focus is now more on being able to quickly detect and mitigate
security incidents.
With the leak in early 2017 of hacking tools used by the US National Security
Agency, hacks that were beyond the capacity of organizations without the resources
of nation states can now be performed by almost anyone with the desire.
These developments have led to a new way of thinking during IT due diligence. Not
that many years ago, a hacking incident would have probably been difficult to
overlook when evaluating a company. With so many large company data breaches
demonstrating how hard it is for even organizations with supposedly sophisticated
IT resources to protect against determined hackers, it seems unfair and unrealistic to
look at past IT security shortcomings at a smaller target company as a deal killer.
The focus now should be on becoming comfortable with lessons learned, process
improvements, and the current level of vigilance at the target.
In this fourth edition, the IT Due Diligence Guide has been further expanded and
reorganized to address the latest IT security and operational concepts. Questions
have been added and explanations have been revised.
In addition, given the fact that over 80% of ransomware attacks in early 2016 were
targeted at healthcare organizations[8] and the special considerations related to IT
due diligence in healthcare, a new section dedicated specifically to that industry has
been added in this new edition.
Using the IT Due Diligence Guide and the related tools included with the book, both
seasoned due diligence professionals and those working on behalf of the infrequent
investor can uncover the technology risks and opportunities in any company.
AUTHOR'S NOTE
I've been lucky to work in several companies that were very active in M&A.
I've participated in due diligence projects on both the buy and sell side. In some
cases, I've led the due diligence team, in some I've worked on only the technology
aspects, and sometimes I've been the only person responsible for the entire due
diligence effort. The values of the transactions have been as low as a $50,000
investment and as high as a $375 million company sale.
I've been involved in the acquisition and evaluation of technology companies for
over twenty years. The due diligence process explained in this book includes the
practices that I've found to uncover the most useful information during due
diligence.
This book can be a valuable tool in a broader due diligence effort that should involve
legal, financial, and accounting experts, at a minimum. The information in the book
can provide an excellent base for further discussions involving technology subject
matter experts, and should not be the only resource related to technology due
diligence.
Finally, let me state that this book is not a substitute for obtaining expert
professional advice. Acquisitions and mergers are inherently complex. Both sides in
a transaction should retain expert legal, financial, accounting, and subject matter
experts to represent their interests.
Jim Hoffman
July, 2017
DOCUMENT CONVENTIONS
Most of the book is structured as a series of topics with questions from the IT due
diligence checklist that comes with the book. Each question is followed by an
explanation of why the question is being asked and what the responses might tell
AcquiringCo about TargetCo, and maybe most importantly, any appropriate next
steps and follow-up questions that will help you to draw out the most useful
information during the process.
Each due diligence request is marked with one or more of the following icons:
CHAPTER 2
It would be very unusual for every one of these questions to apply to a given
due diligence effort. I recommend that you utilize the initial information
gathering process to determine the due diligence requests that are most
applicable to TargetCo. If you overwhelm your contact with a huge list of
requests upfront, you'll likely get complaints from TargetCo and you'll also
probably soon hear from the unhappy person in charge of the overall due
diligence effort at AcquiringCo.
Keep the initial due diligence request list limited to the items that will help
make your onsite visit more productive, and cover the other issues that you
think are important in person.
The IT due diligence checklist template included with this book provides a
column to number or otherwise identify each requested item. It's a good idea
to number the requests, as it makes it easier for you to track the responses
and for your TargetCo contact to indicate the request to which they're
responding. There is less confusion for everyone if the files provided by
TargetCo as they respond to the due diligence requests include the item
number in the file name.
Many due diligence projects utilize a virtual data room. This is a service or
website that manages all the documents and other information gathered
during due diligence and securely stores it. The checklist includes a column
to indicate the location or identifier in the data room if you're using one.
Finally, some questions are sensitive or otherwise best asked in person instead
of in writing, and those are noted in the discussion where applicable, along
with the appropriate icon.
CHAPTER 5
Software Development Process
DUE DILIGENCE REQUEST
A description of the version control process and system(s) utilized.
Version control systems can also store other items that change over time, such
as product documentation, database structures, etc.
Even when there is only a single developer, a version control system is very
useful. If TargetCo doesn't use any type of version control process or tool,
it's often a sign of amateur software development.
If the user interfaces of the products are designed by the software developers,
chances are they're not as good as they can be. It's very difficult to find
somebody who's both an excellent programmer and a qualified user interface
designer. The more expertise that has gone into TargetCo's products, the
better. To be fair, it's not common to find a small- to medium-sized software
company that has this expertise on staff or has made the commitment to
obtain it through consultants or contractors.
Again, the latter situation is not unusual, but the database should be reviewed
during the source code review to determine if a scalable design is present. This
very much behind-the-scenes functionality can require an expensive rewrite
if it's not up to the task of the planned growth.
One quick way to determine how carefully security has been considered is to
determine how users access the company's products. If there is a login
required, does the same login work for every product? A separate login for
each product most likely means a separate security mechanism for each
product, and therefore more chances for errors.
In its Cyber Risk Report 2016, Hewlett Packard Enterprise found that 35%
of web and a shocking 99% of mobile applications it tested suffered from
common security errors that have been well-understood by both software
developers and hackers for many years.[13]
Source code review tools exist that can automatically scan source code for
common errors. This may be an option worth considering if your high-level
investigation of TargetCo's security awareness during software development
reveals any areas of concern.
standards, naming conventions, and the specific technology choices that will
be used in the company's software development efforts.
Without a defined and enforced process, every developer may create software
source code with a different style and technique. This makes it difficult for
another employee to take over the work, or for a new employee to come up
to speed on the company's source code. A lack of coding standards can make
the company very dependent on a specific employee always being available to
support a piece of software.
In addition, since April 2015, Google has given more weight to the
mobile-friendliness of websites when calculating its search result rankings.[15] If
TargetCo counts on search engine traffic from Google, mobile compatibility
should be a key consideration. Google provides tools that allow you to easily
test the mobile friendliness of a website's pages,[16] so if this is a concern in the
case of TargetCo, you should make use of them during due diligence.
If no one at TargetCo can explain the thought process the company has gone
through up to this point regarding mobile strategy, consider that to be a
warning sign.
If TargetCo's market situation requires a mobile presence and one does not
already exist, you'll want to consider that in the post-integration budget and
the overall cost structure of the transaction.