
THANK YOU FOR REVIEWING THE

IT DUE DILIGENCE GUIDE SAMPLE CONTENT


This sample document shows you the overall structure and style of the IT Due Diligence
Guide, but it includes only one of the twenty+ chapters focused on key areas of IT due
diligence found in the book.

The book also comes with a detailed IT due diligence report template to help you create a
report in a format that will be useful and understandable to executives running the deal. In
addition, it includes data collection spreadsheets to help the process go as quickly and
smoothly as possible and an IT implementation plan template to get you started on the
post-due diligence phase of the transaction.

Visit this link to purchase the IT Due Diligence Guide:

https://www.itduediligenceguide.com/buytheitduediligenceguide/


IT Due Diligence Guide 2

Copyright 2017 Alzhan Development LLC. All rights reserved.


No part of this document may be sold, copied, distributed, reproduced, or
transmitted in any form or by any means, mechanical or digital, including
photocopying and recording, or by any information storage and retrieval system,
without permission in writing from the author.

WARRANTY DISCLAIMER
ALL CONTENT IS PROVIDED "AS IS" AND ANY AND ALL WARRANTIES
ARE DISCLAIMED, WHETHER EXPRESS OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

LIABILITY DISCLAIMER
Our cumulative liability to you or anyone else for any loss or damages resulting from
any claims, demands, or actions arising out of or relating to use of this document
shall not exceed the amount you have paid to us for the document. In no event shall
we be liable for any indirect, incidental, consequential, special, or exemplary
damages or lost profits, even if we have been advised of the possibility of such
damages. You agree that the foregoing constitutes your sole and exclusive remedy.
SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF
LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE
ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

SHARING THIS DOCUMENT


Significant time and effort went into the creation of this document. Please do not
give it away to others. If you believe it would be useful to someone investing in or
purchasing a company, it is priced low enough to be affordable to them. Thank you!

TRADEMARKS
Product and company name references in and third-party website content linked
from this document may be trademarked. All trademarks belong to their respective,
registered owners. Trademark designations are used for identification purposes, and
in an editorial fashion, with no intention of infringement. Use of trademarks is not
meant to convey endorsement or affiliation, nor should they be inferred.

ISBN: 978-0-9961348-4-2



www.ITDueDiligenceGuide.com

TABLE OF CONTENTS

Introduction to the Fourth Edition......................................................................... 5
Author's Note ....................................................................................................... 7
Document Conventions ......................................................................................... 8
IT Due Diligence Overview .................................................................................... 9
Due Diligence Requests ....................................................................................... 18
IT Staff ................................................................................................................ 19
Products and Services .......................................................................................... 28
Software Development Process ............................................................................ 35
Documentation .................................................................................................... 43
Software and Services Utilized ............................................................................. 47
Hardware ............................................................................................................ 57
Network Infrastructure........................................................................................ 62
Backup and Recovery .......................................................................................... 68
Network Security................................................................................................. 71
Cybersecurity ...................................................................................................... 93
Compliance ....................................................................................................... 108
Agreements ........................................................................................................ 112
Intellectual Property .......................................................................................... 117
Customers ......................................................................................................... 120
Quality .............................................................................................................. 123
Financial ............................................................................................................ 125
Other Issues ....................................................................................................... 127
The Due Diligence Report and Integration ......................................................... 128
Part II: IT Due Diligence in Healthcare .............................................................. 130
Healthcare: General ........................................................................................... 136
Healthcare: Clients ............................................................................................ 145


Healthcare: Business Associate Agreements ....................................................... 148
Healthcare: Vendors and Other Third Parties .................................................... 151
Healthcare: Staff ................................................................................................ 154
Healthcare: Documentation ............................................................................... 158
Healthcare: IT Security ...................................................................................... 161
Part III: IT Due Diligence Resources .................................................................. 172
How to Find an IT Due Diligence Consultant .................................................... 173
Recommended Third Party Audits ..................................................................... 175
Further Reading................................................................................................. 179
Notes................................................................................................................. 182


INTRODUCTION TO THE FOURTH EDITION

The need to include an IT review during M&A due diligence is greater than ever.
Identifying IT shortcomings that can jeopardize a transaction and put a company's
future at risk is critical. Other issues that are uncovered may not be so serious that
they lead to an acquisition being cancelled, but can still carry a high price tag to
address, and it's important to find these problems prior to the deal closing.

According to the Boston Consulting Group, 63% of acquisitions are completed by
companies that purchase no more than one company per year. 1 It's not reasonable
to expect that such companies have resources dedicated to M&A, let alone an IT
due diligence expert. This book can help fill that gap.

2016 and early 2017 saw the trends of substantial data breaches and related public
relations disasters continue. Ransomware attacks spread rapidly and were covered
by the mainstream news. Some companies have even begun to keep a stock of
bitcoins on hand to pay the ransom.

Overall, in 2016, more than 4 billion records were leaked, breached and hacked.
The average IBM client organization experienced more than 54 million attempted
security intrusions in 2016. 2

In 2017, CEOs and boards of even the largest companies learned hard lessons related
to IT security:

- Hackers obtained copies of the new season of the TV series Orange is the New
  Black and demanded a ransom be paid to prevent them from being released for
  free online. The ransom was not paid, and the shows were in fact released. 3
- Yahoo! CEO Marissa Mayer was forced to give up millions of dollars of bonus
  and equity because of a 2014 hacking incident that affected 1.5 billion (yes, with
  a B) Yahoo! user accounts. 4
- Target paid $18.5 million to 47 states to settle claims related to its infamous
  2013 data breach. 5
- The insurance company Anthem agreed to a $115M settlement in a class-action
  lawsuit related to a data breach that affected 78 million patients in 2015. 6

If some of the largest companies in the world can be hacked, the risks to small and
middle-market companies are likely even greater.


In fact, many security experts now see hacking as something that can't be prevented,
accepting that a breach is almost inevitable when a skilled and determined criminal
is involved. The focus is now more on being able to quickly detect and mitigate
security incidents.

With the leak in early 2017 of hacking tools used by the US National Security
Agency, hacks that were beyond the capacity of organizations without the resources
of nation states can now be performed by almost anyone with the desire.

These developments have led to a new way of thinking during IT due diligence. Not
that many years ago, a hacking incident would have probably been difficult to
overlook when evaluating a company. With so many large company data breaches
demonstrating how hard it is for even organizations with supposedly sophisticated
IT resources to protect against determined hackers, it seems unfair and unrealistic to
look at past IT security shortcomings at a smaller target company as a deal killer.
The focus now should be on becoming comfortable with lessons learned, process
improvements, and the current level of vigilance at the target.

In this fourth edition, the IT Due Diligence Guide has been further expanded and
reorganized to address the latest IT security and operational concepts. Questions
have been added and explanations have been revised.

Not everything in IT due diligence is focused on cybersecurity. In fact, most of this
book is related to other issues. With the cost of the average data breach now
over $3.6M, 7 however, IT security needs to be a key focus of any transaction if major
unanticipated costs and risks are to be avoided.

In addition, given the fact that over 80% of ransomware attacks in early 2016 were
targeted at healthcare organizations 8 and the special considerations related to IT
due diligence in healthcare, a new section dedicated specifically to that industry has
been added in this new edition.

Using the IT Due Diligence Guide and the related tools included with the book, both
seasoned due diligence professionals and those working on behalf of the infrequent
investor can uncover the technology risks and opportunities in any company.


AUTHOR'S NOTE

I've been lucky to work in several companies that were very active in M&A.

I've participated in due diligence projects on both the buy and sell side. In some
cases, I've led the due diligence team, in some I've worked on only the technology
aspects, and sometimes I've been the only person responsible for the entire due
diligence effort. The values of the transactions have been as low as a $50,000
investment and as high as a $375 million company sale.

I've been involved in the acquisition and evaluation of technology companies for
over twenty years. The due diligence process explained in this book includes the
practices that I've found to uncover the most useful information during due
diligence.

The book is not intended to be an academic exercise. It focuses on real-world
examples and experiences. My goals were to provide information that I was only
able to gain through trial and error and to give the reader a head start on the IT due
diligence process through the advice in the book and the additional material such as
the report templates and data collection spreadsheets.

This book can be a valuable tool in a broader due diligence effort that should involve
legal, financial, and accounting experts, at a minimum. The information in the book
can provide an excellent base for further discussions involving technology subject
matter experts, and should not be the only resource related to technology due
diligence.

I'm located in the United States, and my due diligence experience is based on US
transactions. Although I believe most of the information in the book is applicable in
much of the world, there may be local differences in due diligence practices.

Finally, let me state that this book is not a substitute for obtaining expert
professional advice. Acquisitions and mergers are inherently complex. Both sides in
a transaction should retain expert legal, financial, accounting, and subject matter
experts to represent their interests.

Thank you for purchasing the book.

Jim Hoffman
July, 2017


DOCUMENT CONVENTIONS

Throughout the book, I'll refer to the acquiring or investing company as
AcquiringCo and the target company as TargetCo.

Most of the book is structured as a series of topics with questions from the IT due
diligence checklist that comes with the book. Each question is followed by an
explanation of why the question is being asked and what the responses might tell
AcquiringCo about TargetCo, and maybe most importantly, any appropriate next
steps and follow-up questions that will help you to draw out the most useful
information during the process.

Each due diligence request is marked with one or more of the following icons:

Informational request. Many of these due diligence responses will serve as the
basis for further discussion. It would not be surprising if TargetCo can't supply
all the information requested, or if large company best practices are not being
followed. These issues can usually be remedied after the transaction closes
without significant expense or risk. These requests can also be used to begin
integration planning.

Important request. Depending upon the answer received, you may have
concerns about TargetCo's qualifications or professionalism. Issues identified
can be addressed, but there may be significant expense involved.

Critical request. Unsatisfactory responses to these requests may be significant
enough to consider abandoning the transaction or considering an allowance or
adjustment in the transaction pricing or other terms.

A question that should only be asked when you're face-to-face with the
TargetCo staff. Don't include this question in your written due diligence
request list.

A data collection spreadsheet for this due diligence request is included with
the book materials.


CHAPTER 2

Due Diligence Requests


The following chapters organize the due diligence requests into logical
categories matching the sections in the IT due diligence checklist that comes
with the book.

It would be very unusual for every one of these questions to apply to a given
due diligence effort. I recommend that you utilize the initial information
gathering process to determine the due diligence requests that are most
applicable to TargetCo. If you overwhelm your contact with a huge list of
requests upfront, you'll likely get complaints from TargetCo and you'll also
probably soon hear from the unhappy person in charge of the overall due
diligence effort at AcquiringCo.

Keep the initial due diligence request list limited to the items that will help
make your onsite visit more productive, and cover the other issues that you
think are important in person.

The IT due diligence checklist template included with this book provides a
column to number or otherwise identify each requested item. It's a good idea
to number the requests, as it makes it easier for you to track the responses
and for your TargetCo contact to indicate the request to which they're
responding. There is less confusion for everyone if the files provided by
TargetCo as they respond to the due diligence requests include the item
number in the file name.

Many due diligence projects utilize a virtual data room. This is a service or
website that manages all the documents and other information gathered
during due diligence and securely stores it. The checklist includes a column
to indicate the location or identifier in the data room if you're using one.

Finally, some questions are sensitive or otherwise best asked in person instead
of in writing, and those are noted in the discussion where applicable, along
with the appropriate icon.


CHAPTER 5

Software Development Process

DUE DILIGENCE REQUEST

A description of the version control process and system(s) utilized.

WHY THIS IS IMPORTANT

A version control system records every change to a project's source code and
keeps the full history. Think of it as the vault for the software, which in many
cases is a company's most valuable asset.

Sometimes a new version of a software product or website causes unexpected
problems in the real world, even when it's been tested prior to release. In that
situation, a version control system allows the company to roll back to an earlier,
stable version quickly and easily. It also protects against accidental deletion of
source code on a developer's computer, provided the repository itself lives
somewhere other than that computer and is backed up.

Popular version control systems include Git, Subversion, and Microsoft Team
Foundation Version Control. Bitbucket, which is often named in responses to this
request, is a hosted service for Git repositories rather than a version control system
in its own right; the distinction matters because the hosting service is also where
access control, change approval, and backups of the repository live, so ask where
the repository is hosted and who has access to it. There are many other systems,
and they can be open source or proprietary.

Version control systems can also store other items that change over time, such
as product documentation, database structures, and configuration.

Even when there is only a single developer, a version control system is very
useful. If TargetCo doesn't use any type of version control process or tool,
it's often a sign of amateur software development.


DUE DILIGENCE REQUEST

A description of the process for approving and developing new software
products or features.

WHY THIS IS IMPORTANT

You want to know if there is good control over the company's technology
direction. There are many potential follow-up questions. Is there an overall
plan, or just reaction to problems? Does TargetCo have the business domain
experts to develop its own ideas, or are all product features the result of
customer suggestions? Is there a product manager? Are requirements
documents developed? A traditional practice is a functional requirements
document, which explains what the new feature or product does, and a
technical specifications document, which defines how it is to be developed.

Are new market opportunities carefully considered, or are resources
committed without adequate research and thought? Does TargetCo perform
competitive and market analysis before embarking upon new product efforts?
You want to get a sense of how carefully decisions are made at TargetCo before
they start spending AcquiringCo's money.

Be particularly wary of a company that developed its main product based on
the needs of one early or large customer. In this situation, the product that
has been built may meet the specific needs of that one customer, but may not
be something needed or desired by the market at large. If this client is the
source of most new product or feature ideas, consider it a warning sign.

DUE DILIGENCE REQUEST


A description of any outsourced software development arrangements and
copies of the related agreements.

WHY THIS IS IMPORTANT

If TargetCo outsources or offshores any critical software development or IT
functions, there are several issues to investigate:

- What is TargetCo's future ability to support the software if it was not
  developed in-house?
- How well-documented is the software?
- Does TargetCo physically possess and own the legal rights to the source
  code? There are many issues around contract language and proper
  copyright assignment when it comes to contracting for software
  development. You can easily end up not owning the rights, even for
  custom development, without the proper contract language in place. At
  the same time, in certain states and countries, you can inadvertently create
  an employment relationship with the contractor if the wrong language is
  used.
- Where was the software developed? If outside the United States or EU, are
  the copyright laws in that country enforceable? If critical software was
  developed offshore, you'll never really be sure that a copy of it isn't
  floating around somewhere.
- Did the contractor have access to production systems, credentials, or
  customer data while doing the work, and was that access revoked when
  the engagement ended?

Seeing the agreements will allow you to understand the contractual
obligations of both sides, including any ongoing commitment to use or pay
the outside developer or company.

If TargetCo is using outsourced development resources, take a hard look at
the costs involved. This kind of development has become more expensive in
recent years, and AcquiringCo might want to consider bringing the work in-
house, where there would be more control over the process and possibly better
outcomes.

DUE DILIGENCE REQUEST


A description of the software development model that is used.

WHY THIS IS IMPORTANT

Potential answers include agile or waterfall (although the latter is often
considered outdated), and may include more specific frameworks such as
Scrum. You may see the term DevOps thrown into the mix in the response to
this question; that is less a development model than a way of organizing
development, release, and operations so that an agile methodology is carried
all the way through to production. It's beyond the scope of this book to
explain these models in detail. At a very high level, agile software
development is an iterative, fluid, and inherently flexible process that is a
relatively recent concept. Waterfall is a more traditional, structured software
development process that has its origins in manufacturing industries. Neither
is inherently right or wrong, and the best choice depends on the situation.

Software development methodologies can be a compatibility issue between
AcquiringCo and TargetCo. Developers are often very attached to the
methodology they use to create their software, and making a change to
accommodate the standards of AcquiringCo may be very disruptive to
TargetCo's technology staff. In addition, if there is no specific development
methodology, or if no one you speak with can describe it clearly, that raises
a red flag and would tend to make you question the professionalism of the
software development team at TargetCo.

DUE DILIGENCE REQUEST


A description of the process in place for identifying, tracking, and correcting
product bugs.

WHY THIS IS IMPORTANT

This is yet another good indicator of the overall organization and
professionalism of TargetCo. Is there a product roadmap that guides software
development, or is the company constantly in reactive mode, in which newly
discovered bugs derail new functionality?

Ideally there is a separate group or individual developer that works on
product bugs and issues while the main development team drives product
features and functionality according to the product plans.

A well-organized software development process will include a tool to track
problems, bugs, and feature requests and to manage their resolution and
development. Security issues reported by customers or outside researchers
should flow through the same tracker, with a severity rating that lets them be
prioritized ahead of cosmetic bugs.


DUE DILIGENCE REQUEST


A description of the process for designing product user interfaces.

WHY THIS IS IMPORTANT

Here is another area where you get to judge the professionalism of TargetCo.

If the user interfaces of the products are designed by the software developers,
chances are they're not as good as they could be. It's very difficult to find
somebody who's both an excellent programmer and a qualified user interface
designer. The more expertise that has gone into TargetCo's products, the
better. To be fair, it's not common to find a small to medium sized software
company that has this expertise on staff or has made the commitment to
obtain it through consultants or contractors.

DUE DILIGENCE REQUEST


A description of the database design process.

WHY THIS IS IMPORTANT

Similar to the previous issue related to user interface design, it's a rare
software developer who is also an excellent database designer. Has a true
database expert designed TargetCo's databases, providing a good foundation
upon which to scale and grow, or did the programmer for the product that
uses the database create something that was just "good enough"?

Again, the latter situation is not unusual, but the database should be reviewed
during the source code review to determine if a scalable design is present. This
behind-the-scenes functionality can require an expensive rewrite if it's not up
to the task of the planned growth.
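One way to carry out that review against a relational schema, as an added example that is not code from the IT Due Diligence Guide: a Python script that loads a constructed SQLite schema (the table and column names are assumptions made for the example, not anything from a real TargetCo) and flags three signs of a "good enough" design: tables with no primary key, foreign-key columns with no index, and columns that appear to pack a list into a single field instead of using a child table.

```python
"""Added example (not from the IT Due Diligence Guide): a structural review of a
relational schema during the source code review. It opens a constructed SQLite
schema and flags three signs of a design that was "just good enough": tables with
no primary key, foreign-key columns with no index (every join and every parent
delete then scans the child table), and columns that pack a list into one field
instead of using a child table. Table and column names are assumptions."""
import sqlite3

# Column-name suffixes that usually mean a comma-separated list lives in the column.
PACKED_LIST_SUFFIXES = ("_list", "_ids", "_csv")

# Constructed schema standing in for TargetCo's database.
SAMPLE_SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, tag_ids TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     customer_id INTEGER REFERENCES customers(id), total REAL);
CREATE TABLE order_items (id INTEGER PRIMARY KEY,
                          order_id INTEGER REFERENCES orders(id), sku TEXT);
CREATE INDEX order_items_order_idx ON order_items(order_id);
CREATE TABLE audit_log (event TEXT, created_at TEXT);
"""


def build_sample_db():
    """Return an in-memory connection holding SAMPLE_SCHEMA."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def review_schema(conn):
    """Return sorted (table, issue) pairs for every user table in `conn`."""
    issues = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Names come from sqlite_master itself, so interpolating them into the PRAGMA is safe.
        cols = conn.execute(f"PRAGMA table_info('{table}')").fetchall()
        if not any(col[5] for col in cols):  # col[5] is the pk flag
            issues.append((table, "no primary key"))

        # Leading column of every index on the table: the ones a lookup can actually use.
        indexed = set()
        for idx in conn.execute(f"PRAGMA index_list('{table}')").fetchall():
            first = conn.execute(f"PRAGMA index_info('{idx[1]}')").fetchone()
            if first:
                indexed.add(first[2])
        for fk in conn.execute(f"PRAGMA foreign_key_list('{table}')").fetchall():
            if fk[3] not in indexed:  # fk[3] is the referencing (local) column
                issues.append((table, f"foreign key {fk[3]} has no index"))

        for col in cols:
            if col[1].lower().endswith(PACKED_LIST_SUFFIXES):
                issues.append((table, f"column {col[1]} looks like a packed list"))
    return sorted(issues)


if __name__ == "__main__":
    for table, issue in review_schema(build_sample_db()):
        print(f"{table:<12} {issue}")
```

Against a real target, point the script at a copy of the schema (a `sqlite3` dump, or the DDL exported from whatever database TargetCo uses and loaded into SQLite) rather than at production. The three checks are deliberately cheap; their value is that each finding is a concrete question to put to the developer who owns the table.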

DUE DILIGENCE REQUEST


A description of how product security is considered during product
development.

WHY THIS IS IMPORTANT

Does TargetCo have a consistent approach to security from product to
product, or does every product handle it differently? It can be very difficult
and potentially expensive to add good security to a product once it's already
developed.

One quick way to determine how carefully security has been considered is to
determine how users access the company's products. If a login is required,
does the same login work for every product? A separate login for each product
most likely means a separately implemented authentication mechanism for each
product, and therefore more places for errors in password storage, session
handling, and access control. The follow-up question is whether authentication
is implemented once, in a shared component or identity provider, or
re-implemented by each product team.

In its Cyber Risk Report 2016, Hewlett Packard Enterprise found that 35%
of web and a shocking 99% of mobile applications it tested suffered from
common security errors that have been well-understood by both software
developers and hackers for many years. 13

Does the TargetCo software development team perform code reviews? In a
code review, programmers examine each other's source code to provide a
second set of eyes to identify bugs and vulnerabilities and to help ensure
that the original developer implemented a good solution. Code reviews can
be very helpful in identifying security risks, and a review process that is
enforced by the version control system (no change merged without an
approval) leaves a record you can ask to see.

Static analysis tools exist that can automatically scan source code for
common errors. Running one may be an option worth considering if your
high-level investigation of TargetCo's security awareness during software
development reveals any areas of concern; at a minimum, ask whether
TargetCo already runs such a tool and who acts on its results.
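The kind of check such a tool performs, as an added example that is not code from the IT Due Diligence Guide or from any real scanning product: a small AST-based scan in Python that flags four well-understood error classes (a credential assigned as a literal, SQL assembled from strings, a subprocess launched through the shell, and a call that executes arbitrary code). The rule set, the module being scanned and its "hunter2" secret are constructed for illustration.

```python
"""Added example (not code from the IT Due Diligence Guide): an AST-based scan of
Python source that flags four well-understood error classes a code review or a
scanning tool should catch. The sample module at the bottom is constructed."""
import ast

# Calls that execute or deserialise whatever they are handed.
DANGEROUS_CALLS = {
    "eval": "eval() executes arbitrary code",
    "exec": "exec() executes arbitrary code",
    "os.system": "os.system() passes a command string to the shell",
    "pickle.loads": "pickle.loads() deserialises untrusted bytes",
}
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")
SQL_VERBS = ("select ", "insert ", "update ", "delete ")


def _qualname(node):
    """'pkg.attr' for a call target, or None if it is not a plain dotted name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_sql_text(node):
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lower().lstrip().startswith(SQL_VERBS))


def _is_dynamic_sql(arg):
    """True when an SQL string is assembled with +, %, .format() or an f-string."""
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
        return _is_sql_text(arg.left) or _is_dynamic_sql(arg.left)
    if isinstance(arg, ast.JoinedStr):  # f"SELECT ... {x}"
        return (bool(arg.values) and _is_sql_text(arg.values[0])
                and any(isinstance(v, ast.FormattedValue) for v in arg.values))
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"):  # "SELECT ... {}".format(x)
        return _is_sql_text(arg.func.value)
    return False


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, rule, detail) tuples

    def visit_Call(self, node):
        name = _qualname(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, "dangerous-call", DANGEROUS_CALLS[name]))
        if name and name.startswith("subprocess."):
            # shell=True hands the command string to a shell, so any caller-supplied piece of it becomes shell syntax.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "shell-true", f"{name}(shell=True)"))
        if name and name.endswith(".execute") and node.args and _is_dynamic_sql(node.args[0]):
            self.findings.append((node.lineno, "sql-concat", "SQL assembled from strings; use bound parameters"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # PASSWORD = "hunter2": a credential committed to source control.
        for t in node.targets:
            if (isinstance(t, ast.Name) and any(s in t.id.lower() for s in SECRET_NAMES)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append((node.lineno, "hardcoded-secret", f"literal assigned to {t.id}"))
        self.generic_visit(node)


def scan_source(source):
    """Parse `source` and return its findings ordered by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


# Constructed sample of a weak module; the parameterised query must not be flagged.
SAMPLE = '''import subprocess
DB_PASSWORD = "hunter2"

def find_user(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchone()

def find_user_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for line, rule, detail in scan_source(SAMPLE):
        print(f"line {line:>3}  {rule:<16} {detail}")
```

The point of the safe `find_user_safe` function in the sample is the false-positive check: a scanner that cannot tell a bound parameter from string concatenation produces noise that developers learn to ignore, which is worth asking about when TargetCo says it runs such a tool.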

DUE DILIGENCE REQUEST


A description of the software development coding standards used by the
company.

WHY THIS IS IMPORTANT

A professional software development organization, no matter the size, will
have this. A coding standards document lays out the in-house programming
standards, naming conventions, and the specific technology choices that will
be used in the company's software development efforts.

Without a defined and enforced process, every developer may create software
source code with a different style and technique. This makes it difficult for
another employee to take over the work, or for a new employee to come up
to speed on the companys source code. A lack of coding standards can make
the company very dependent on a specific employee to always be available to
support a piece of software.

I've seen independent, individual developers with a coding and naming
standards document to keep their own work organized and consistent, so it's
not too much to expect that this exists in a company of any size or maturity.

DUE DILIGENCE REQUEST


A summary of the companys mobile development strategy.

WHY THIS IS IMPORTANT

In 2016 mobile devices accounted for around two thirds of Internet time
spent by users. 14 This means that if TargetCo has a website, you'll want to
be sure it works well on mobile devices.

This is especially important if there is any ecommerce component to the site.
Companies without a website that is usable on phones and tablets will be at
more and more of a disadvantage going forward, and could be losing sales.

In addition, since April 2015, Google has given more weight to the mobile-
friendliness of websites when calculating its search result rankings. 15 If
TargetCo counts on search engine traffic from Google, mobile compatibility
should be a key consideration. Google provides tools that allow you to easily
test the mobile friendliness of a website's pages, 16 so if this is a concern in the
case of TargetCo, you should make use of them during due diligence.

There are a number of approaches to mobile development, including responsive
web design, a dedicated mobile site, or native mobile apps. As of 2016,
smartphone apps accounted for over 80% of overall digital media minutes, 17
so keep this user preference in mind as the options are weighed.


If no one at TargetCo can explain the thought process the company has gone
through up to this point regarding mobile strategy, consider that a
warning sign.

If TargetCo's market situation requires a mobile presence and one does not
already exist, you'll want to account for that in the post-integration budget and
the overall cost structure of the transaction.
