Insights & White Papers

Technical Due Diligence: Importance and Approach

By Caroline Ritter

Mergers & Acquisitions

Technical due diligence provides an acquirer peace of mind that there are no issues in the infrastructure or security of a potential target.

Technical Due Diligence assesses risk and ensures fit

As a standard step in a merger or acquisition, an acquiring firm performs due diligence on the target company to assess risk and to ensure the target is fit for the intended purpose. For many, these due diligence efforts focus on financial, legal, and operational factors but perform no more than a cursory scan of the technology landscape supporting the target company. Over the last decade, technology has become so interwoven into a company’s operational infrastructure that is difficult to think of an industry where a technological outage or security breach would not be significantly impactful to the company’s operations and even balance sheet. Appropriate technical due diligence can significantly avoid these outcomes, yet such skills are scarce in acquiring firms.

What is Technical Due Diligence?

Technical due diligence brings into focus many areas of company operations that rely on technology. From the shop floor to the office cubical or home office, technology has become the central nervous system to many industries. As reliance has increased, so too has the complexity of the technology landscape. Gone are the days of the standalone PC, with back-office software loaded by a stack of floppy disks and very limited external connectivity. We are now in an environment with global connectivity from any device, and the hardware and software we use could be located anywhere in the world. Although this has provided more flexibility, it has also increased the risk of operational disruption, and security breaches, and increased the need for higher levels of trust in third parties who create, support, host, and update the technology we use.

Technical due diligence first needs to answer the following question about a company’s IT landscape:

  • Is the software and supporting infrastructure appropriate for the intended application and business criticality?
  • What are the current operational issues?
  • Is the environment secure and protected?

Once the basics are covered, we can take a step back and look at the intended use aspects:

  • Does the technology scale in the event of future acquisitions?
  • Is there significant technical debt, adding risk and/or limiting growth?
  • Is there risk in vendor arrangements/contracts or the use of open-source code?

Depending on the technology landscape – level of custom application development, on-premises infrastructure, etc. the due diligence process also needs to extend to an assessment of the IT organization, which also needs to be “appropriate for use”.

  • Do the IT team and technology vendors have the necessary knowledge and skillsets?
  • Do processes, policies, and procedures support the effective use of technology, best-supporting company needs?
  • Is the entire organization trained to recognize security threats?

Time is of the essence

With the average cost of a data breach increasing by 10% from 2020 to 2021 to an average accidental cost of $4.11m1, uncovering a significant issue in any of these categories could be enough to end a deal. However, frequently there is very little time to perform the appropriate level of research and leading to companies finding critical technology flaws after the deal has closed. Frequently managed as a single milestone on the M&A project plan, the expectation is often for technical due diligence to be completed in a matter of 2-3 weeks. Given this limitation, it is critical to engage experienced resources who use a time-tested playbook, optimizing every available hour.

How is technical due diligence performed?

With the need for a timely response, it is critical to have a proven process to establish the target’s technology risk profile and to be able to make recommendations for investments that will help to mitigate the identified risks. If the acquiring company has already identified the target for a potential merger or carve-out actions, the identification of synergies or carve-out pitfalls can be baked into the approach.

  • Review the data room
  • Compile and send a data request list
  • Finalize document review
  • Interview key resources
  • Assess the risks
  • Create the report

Technical Due Diligence at Liberty Advisory Group

Liberty Advisory Group provides a comprehensive technical due diligence service, executed by a skilled team with a wide range of technical and industry experiences. Executing hundreds of diligence engagements a year, the team has created a comprehensive, yet flexible playbook that enables the team of experts to map out the target’s application architecture very quickly from the documents provided. By seeking to understand the business value drivers, and acquisition goals, the team can minimize the amount of time the acquiree team will spend in workshops and be able to turn around the diligence report in a matter of days, once the interviews are complete. With such a valuable deliverable, Liberty also finds that they are requested for engagements with companies looking to be acquired, enabling prospective acquirers to quickly see the assets which support the business processes.

Summary

Technical due diligence can quickly provide an acquirer with the peace of mind that there are no glaring issues in the technology infrastructure or security posture of a potential target. If issues are found, the team can provide input rapidly as to mitigation efforts and activities and possible impacts. With the complexity of technology increasing year over year and the impacts of production and security failures becoming catastrophic, engaging with an experienced partner to perform technical due diligence, should be the easiest decision you can make during an acquisition. Here are five benefits of conducting technology due diligence for your next M&A.

References

1 Cost of a Data Breach Report 2021, IBM Security, July 2021 – Link to Article

By Caroline Ritter