For a typical merger or acquisition, the buyer will usually go through an evaluation process to gain an objective view of the potential investment subject (the “target”). This due diligence process has in the past focused primarily on the financial, tax, and legal aspects of the transaction and the target.
As a result, IT processes, including information security, are often overlooked, even though they are increasingly critical in a business environment that depends on technology. With the technological footprint of most companies growing, the due diligence process should always include an examination of the target’s IT processes, principles, activities, systems, and methods.
To obtain a comprehensive picture of the target, it is crucial to analyse both the maturity level of its information security and the landscape of its IT infrastructure assets.
Key reasons to perform IT due diligence -
- Identification and potential elimination of risks in all areas of due diligence: financial, tax and legal. Businesses today rely heavily on IT systems, including ERP systems that are interconnected with nearly every business process. Inherent weaknesses in those IT systems can therefore have downstream effects on other areas of the business and may ultimately influence the final investment decision.
- IT operating costs and investments in IT are becoming one of the main expenses of every company. A potential buyer should therefore understand the IT expenses of the target and any additional IT investment that will be required before making a decision.
Key steps in performing IT due diligence analysis -
- Identify the main information assets. Information assets take different forms, such as physical paper and electronic documents, databases and data files, as well as the means of processing or storing them: software, hardware, IT systems, and services. Every modern company operates a range of IT systems that together hold and process its information assets. These assets differ in value, and so do the levels of security and scrutiny they require. Prioritisation and planning, from both a financial and a resource management perspective, is needed to decide how each class of asset is secured.
- Classify information according to how much damage the company would suffer if it were unavailable or compromised. Information classifications or groups enable informed decisions about the separate methods and requirements for each level of information security. Classification should be applied not only to the stored information (data) but also to the means of processing and distributing it. Classification also provides a logical basis for analysing the economic feasibility of implemented or proposed security measures.
- Account for the regulatory and governing documents that describe how IT is governed and how the information security function operates. Policies, principles and internal standards should exist and should give an overview of how the use of both hardware and software IT assets is governed and standardised. These provide unified processes and procedures for maintaining the IT environment and a centralised approach to IT management, which in turn reduces expenses and potential issues.
- Assess the key specialists involved in managing and developing the IT systems and services critical to the company’s mission and purpose. The professional competency of key staff and of the IT function as a whole should be analysed. Failing to analyse, or insufficiently analysing, the operating activity of the IT department can lead to the loss of key competencies after the transaction and to additional costs to re-hire the needed specialists or engage third-party support.
- Determine the issues involved in integrating the IT environments of the merging companies, since connecting them can introduce a variety of problems. These range from customised development processes to known security issues, and they arise because the two companies may use different service standards, types of information systems, management methods, and so on. Because integrating IT environments is complex, ample time must be given to understanding both environments in order to build a cohesive, homogeneous IT environment for governing IT and information security after the merger. As this usually requires substantial investment, it should be planned and executed properly.
- Analyse the IT infrastructure and the current state of IT security. This covers the IT infrastructure management and operation processes and an evaluation of the information security tools in use and their effectiveness, including cryptographic protection, anti-malware, patch and update management, vulnerability scanning, network security, and so on. This analysis provides a view of the current state of information security and of any potential vulnerabilities in the existing IT infrastructure.
Deciding on the level of IT Environment Integration
Having analysed the IT structure, a decision can be made on the level of integration between the IT environments of the target company and the purchasing company. Typically, there are three main options:
- Leave everything as it is: In the short term, this is the fastest and least expensive option. Further down the line, however, investment may be inevitable and may cost more than it would have initially. This option also means that the two IT environments operate in isolation from one another, which requires additional support and cost to maintain both.
- Partial integration: This option assumes partial optimisation and integration of the primary critical IT processes. Compared with full integration, expenses are reduced in the short term, but some IT process functions may degrade.
- Full integration: This option means optimising and integrating all IT processes of the acquired company. It demands the largest initial investment, but in the long term it provides predictable costs for developing the IT processes of the combined company.
How to begin the process for IT Due Diligence
- IT organisation and IT processes – documenting the organisational structure of the IT department and mapping out the IT processes in the company
- IT strategies, projects, investments – analysing the current role of IT in the company, current expenses, and potential investments in IT
- ERP system, business systems, and software – compiling an overview of all systems and software that support the organisation’s IT
RSM Solutions:
Our specialists in IT due diligence offer you a clear overview of the IT side of the potential investment. They will identify and evaluate the key threats in the IT environment and analyse their potential impact on the entire business.