This article was written by Charlie Wood, FoxPointe Practice Leader
Purchasing or selling a business is fraught with complexities, from financial statement due diligence, to ensuring that the right resources are in place before, during, and after the transaction. Legal and even environmental considerations also can be complex, time consuming, and resource intensive. One area that often gets overlooked is the technology component.
Tracing data through a complicated IT network can be difficult given the speed with which transactions can occur.
In order to facilitate a smooth transition of the IT environment, potential investors must get a full population of:
- People
- Processes
- Technology
Technology
Having a complete and accurate population of applications is critical to the integration of complicated systems. If you are the acquiring organization, you will want to know:
- Who manages the technology at the target client? Acquirers will want to know if an external managed service provider is performing the IT oversight function or if internal fulltime resources are being leveraged.
- What hardware and software are being used at the target organization? Understanding the makeup of the IT environment will help the Acquirer determine whether it has the appropriate resources to provide oversight over the environment and/or the migration of data into its existing environment.
- Where is the technology stack located? Is it on premises or in the cloud? This will impact whether physical security protocols need to be addressed as part of the IT due diligence process.
Processes
Having clear and sustainable IT processes in place to ensure the completeness, accuracy, and restricted access to the target client’s information is critical. Acquirers will want to know the following:
- Have audits been conducted against the security protocols at the target organization? Regular audits against the IT environment can give the Acquiring organization a sense of comfort that security protocols are in place and operating to the extent that they limit the risk of unauthorized access to data. The audits could include internal and external penetration testing, vulnerability, and sensitive data scans, SOC1 and SOC2 audits, and/or regulatory assessments such as PCI DSS or nationally recognized assessment against the NIST or ISO frameworks; these could enable the Acquirer to gain the aforementioned comfort level.
- Do comprehensive policies and procedures exist? Understanding the policies and procedures created by the target organization will give the Acquirer a better sense of the security protocols implemented by the organization. They can also potentially provide insight relative to gaps in necessary IT controls.
People
- How does this compare to the Acquirer’s environment? Understanding the current and the future state of the environment will help the Acquirer determine whether it has the right people in place to support the systems as well as any system migration. This will help drive IT staffing needs throughout the transaction lifecycle.
IT due diligence is vital for any transaction. Understanding the processes and technology stack will help the acquiring organization determine whether it has the right people resources to protect the environment before, during, and after the transaction is complete.
If you need further guidance or have any questions, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.