Reviewing IT in Due Diligence

Reviewing IT in Due Diligence: Are you buying an IT asset or liability

Copyright Date: 2015
Published by: IT Governance Publishing
Pages: 110
    Book Description:

    Mergers and acquisitions - are you getting an IT asset or liability?

    "I found this book very interesting. Due diligence is one of those functions that happens way before us 'IT'ers' get involved and so this is a useful insight into the work that happens up front and the evidence we can obtain for our work even if we were not involved in the initial due diligence."

    Chris Evans, ITSM Specialist

    "Being new to this subject I found the guidance solid and presented in an excellent style. I found it an excellent and informative read."

    Brian Johnson, CA

    When you merge with or acquire another business, you also gain their IT and data. In an ideal world this integration would be seamless and easy. In reality, however, this is often not the case. Mergers can, for example, lead to the loss of sales systems or to badly configured data. The problems don't stop in the computer room, either - they affect the whole of the business and the success of the merger/acquisition.

    Don't make a risky mistake

    Businesses and investors use due diligence reviews to ensure such deals do not have nasty hidden surprises. Many overlook the IT systems and services of the businesses they are acquiring, however, and push information risk management (IRM) professionals to the sidelines in the due diligence process. In a world of increasing cyber attacks and information security threats, this can be a very risky mistake to make.

    Product overview

    Reviewing IT in Due Diligence provides an introduction to IRM in due diligence, and outlines some of the key IT issues to consider as part of the due diligence process. For those new to the process, it explains how to conduct an IT due diligence review, from scoping to reporting, and includes information on post-merger integration to realise business benefits from the deal.

    For more experienced practitioners, Reviewing IT in Due Diligence provides fresh insight into the process, highlighting issues that need to be addressed, and provides a business case for IRM involvement in the due diligence process.

    Topics covered include:

    Why IT is important to due diligence

    The importance of IT security

    System reviews and data reviews

    Reviewing projects and changes in progress

    IT service provision value for money

    IT due diligence reporting

    Post-merger integration

    Comprehensive case studies are included throughout the book.

    About the authors

    Bryan Altimas has over 32 years' experience of technology risk management, having led teams performing technology due diligence, and having advised organisations in numerous business sectors, locations and circumstances on the effectiveness of their technology strategy in delivering business objectives. He is a qualified accountant, Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC). He left KPMG in 2014 after 17 years, having contributed to their IT due diligence methodology.

    Chris Wright is a qualified accountant and Certified Information Systems Auditor (CISA) with over 30 years' experience providing financial and IT advisory and risk management services. He worked for 16 years at KPMG, where he managed a number of IT due diligence reviews and was head of information risk training in the UK. He has also worked in a wide range of industry sectors including oil and gas, small and medium enterprises, public sector, aviation and travel. He is the author of Agile Governance and Audit, which is also available from ITGP.

    Understand the key IT issues that need to be considered in the due diligence process - buy this book now.

    eISBN: 978-1-84928-721-0
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
    (pp. 5-7)
    Chris Wright

    Over the past few years there has been a re-emergence of merger and acquisition activity, both on a mega scale, with very large mergers, and on a smaller small and medium enterprise (SME) level. The increasing dependency on IT and online commerce/channels, increase of cyber security attacks and changes in development processes for new systems have increased the significance of IT within these deals. For larger organisations/deals, IT consultants are now asked to advise and assist more during due diligence reviews. At last, IT is recognised as a key component of any deal as it can be a very costly...

    (pp. 8-9)
    Bryan Altimas
    (pp. 10-11)
    (pp. 12-12)
  6. Table of Contents
    (pp. 13-15)
    (pp. 16-33)

    Due diligence is the care a reasonable person should take before entering into a transaction or agreement with someone they don’t know. However, when that transaction is for large amounts of money, and could lead to the failure of an acquiring company, special care needs to be taken. Due diligence has hence come to relate to a more formal audit or investigation process for potential transactions, to confirm all material facts for the deal. These facts may relate to legal, business, financial or even information and IT issues and may impact the deal value/price or willingness to do the deal...

    (pp. 34-44)

    On many deals the value proposition may be underpinned by IT systems or data (e.g. future growth needs to be supported by more system or project investment, projects to deliver cost-savings/new capabilities, etc.). In addition the cost/investment assumptions around IT may not be realistic – exposing the purchaser to unforeseen costs and inadequate benefits from projects. When acquiring new businesses buyers often do not consider the IT systems and services for the company they are buying. Even large companies can have problems – for example, in 2012 computer issues impacted the ability of United Airlines to take reservations and to service customers...

    (pp. 45-55)

    We now understand what IT due diligence is and why it is important. Here we discuss how we actually plan and undertake these reviews. Our initial focus is on reviewing systems. Systems are defined as the IT infrastructure, hardware, middleware and software required to support the key business processes. We should remember that IT is an enabler; it is not a business process in its own right but facilitates such processes. Consequently it is very rare that IT due diligence is carried out independently of financial due diligence, so we should plan to work as an integrated team. It is...

    (pp. 56-66)

    IT security was rarely a separate topic in the scope of IT due diligence until five years ago and the high risk for intellectual property to be accessed and stolen by hackers. It deserves its own chapter because if intellectual property is being stolen, the value of the company reduces the longer it remains defenceless and the hack goes undetected. Due to the high risk of hacking in many sectors, IT security is now a boardroom topic and chief executive officers (CEOs) and chief financial officers (CFOs) have at least an appreciation of it. There have even been cases where...

    (pp. 67-77)

    A survey by Symantec (the data security company) in 2012 found that respondents said that information/data represented about 49% of organisations’ total value. However, the value of data and the costs of transforming, merging, storing and securing it are often excluded from a due diligence review. Also the value of the data to the new company may be different to that given to it by the existing company. There could be a synergy by merging the data, for example, within certain constraints, providing marketing access to new markets, or other information based on geographies. Consider, for example, a luxury goods...

    (pp. 78-85)

    Change programmes and projects are frequently a business as usual activity for many organisations with projects on the go all the time and naturally have an impact on due diligence exercises.

    Failed IT projects cost the world’s largest 500 companies more than $14 billion per year says the National Association of Corporate Directors in the US.

    We need to ascertain which projects are material to the due diligence exercise. To a certain extent we need to cross-refer to the systems review (see Chapter 3). If a project impacts any of the key systems or processes then this project must be included...

    (pp. 86-98)

    Our due diligence project is progressing well and we have completed most of the things auditors are in their comfort zone reporting on. Now we come to something we need to make a judgement on: value for money (vfm) of IT service provision.

    Here we review:

    whether there has been adequate investment in IT.

    the capability and cost of the IT team.

    the licensing terms of the IT being transferred.

    the key third-party service providers.

    In some respects vfm of IT is relatively straightforward when looking at the IT investment and IT team and it is very easy to overcomplicate...

    (pp. 99-102)

    Having completed the hard work of reviewing IT issues for the due diligence assignment, it is now important to present these findings in a way that has an impact on the stakeholders. In this chapter we consider the following specific issues relating to due diligence reporting:

    specific IT due diligence reporting.

    checklist of issues to include.

    It is very rare that a due diligence review only consists of IT due diligence. Usually the work of the IT specialist is incorporated into the whole review and reporting. We have seen cases where the IT specialist has just written a report in...

    (pp. 103-105)

    IBM (IBM-DAMA-Feb-2012.pdf) states that “$2 of every $5 of merger synergy comes from IT.”

    Realisation of the benefits from the deal can only be achieved if the post-merger integration process is successful. The degree of integration depends on the objectives for the deal, e.g. it may be that the acquirer wishes not to fully integrate the new business so that it can be sold on at a later stage. In most cases, however, it is likely that integration, either fully or partially, is required.

    Hard evidence is difficult to obtain; however, there are estimates that only 30–50%...

    (pp. 106-110)