Reviewing IT in Due Diligence
eBook - ePub

Are you buying an IT asset or liability

  1. 110 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Mergers and acquisitions – are you getting an IT asset or liability?

"I found this book very interesting. Due diligence is one of those functions that happens way before us 'IT'ers' get involved and so this is a useful insight into the work that happens up front and the evidence we can obtain for our work even if we were not involved in the initial due diligence."

Chris Evans, ITSM Specialist

"Being new to this subject I found the guidance solid and presented in an excellent style. I found it an excellent and informative read."

Brian Johnson, CA

When you merge with or acquire another business, you also gain their IT and data. In an ideal world this integration would be seamless and easy. In reality, however, this is often not the case. Mergers can, for example, lead to the loss of sales systems or to badly configured data. The problems don't stop in the computer room, either – they affect the whole of the business and the success of the merger/acquisition.

Don't make a risky mistake

Businesses and investors use due diligence reviews to ensure such deals do not have nasty hidden surprises. Many overlook the IT systems and services of the businesses they are acquiring, however, and push information risk management (IRM) professionals to the sidelines in the due diligence process. In a world of increasing cyber attacks and information security threats, this can be a very risky mistake to make.

Product overview

Reviewing IT in Due Diligence provides an introduction to IRM in due diligence, and outlines some of the key IT issues to consider as part of the due diligence process. For those new to the process, it explains how to conduct an IT due diligence review, from scoping to reporting, and includes information on post-merger integration to realise business benefits from the deal.

For more experienced practitioners, Reviewing IT in Due Diligence provides fresh insight into the process, highlighting issues that need to be addressed, and provides a business case for IRM involvement in the due diligence process.

Topics covered include:

  • Why IT is important to due diligence
  • The importance of IT security
  • System reviews and data reviews
  • Reviewing projects and changes in progress
  • IT service provision value for money
  • IT due diligence reporting
  • Post-merger integration

Comprehensive case studies are included throughout the book.

About the authors

Bryan Altimas has over 32 years' experience of technology risk management, having led teams performing technology due diligence, and having advised organisations in numerous business sectors, locations and circumstances on the effectiveness of their technology strategy in delivering business objectives. He is a qualified accountant, Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC). He left KPMG in 2014 after 17 years, having contributed to their IT due diligence methodology.

Chris Wright is a qualified accountant and Certified Information Systems Auditor (CISA) with over 30 years' experience providing financial and IT advisory and risk management services. He worked for 16 years at KPMG, where he managed a number of IT due diligence reviews and was head of information risk training in the UK. He has also worked in a wide range of industry sectors including oil and gas, small and medium enterprises, public sector, aviation and travel. He is the author of Agile Governance and Audit, which is also available from ITGP.

Understand the key IT issues that need to be considered in the due diligence process – buy this book now.


CHAPTER 1: INTRODUCTION TO DUE DILIGENCE

Overview

Due diligence is the care a reasonable person should take before entering into a transaction or agreement with someone they don’t know. However, when that transaction is for large amounts of money, and could lead to the failure of an acquiring company, special care needs to be taken. Due diligence has hence come to relate to a more formal audit or investigation process for potential transactions, to confirm all material facts for the deal. These facts may relate to legal, business, financial or even information and IT issues and may impact the deal value/price or willingness to do the deal at all. In this chapter the aim is to provide sufficient background information for a full consideration of the importance of IT in due diligence. We consider:
  • history and definition.
  • what is it? how do you do a review?
  • what could possibly go wrong?
  • summary and key take-aways.

History and definition

Some say that accountancy is the second-oldest profession (no prizes for guessing the first). This may not be true, but whenever there is trade or bargaining there is always a concern by both parties to get the best deal that they can. Cavemen may have asked the question “Is a wheel worth one deer hide or two?” Certainly we know that by the Roman era the Latin phrase ‘Caveat Emptor’ or buyer beware was in common use. During the Middle Ages there was a need for trust among merchants, and the ability to check out whether the guy you were trusting with your valuable shipments of silk or tea was a ‘good chap’. Anyone who has travelled to the Middle East will also be aware of the bartering and bargaining and the need for vigilance. We find it somewhat ironic that so much due diligence is now performed in Wall Street, deals of $bns, when the whole of Manhattan Island is thought to have been bought from the Canarsie Indians for a few dollars. Maybe the Indians should have had better advisors, although maybe so should the settlers as some historians believe the island did not belong to the Indians to sell!
We all perform ‘due diligence’ whenever we buy anything. It might be just checking the best-before date on a box of eggs, considering whether we can buy them cheaper somewhere else or looking at their size and whether they are free range or organic. The buying decision is based on our value judgements. For bigger, higher-risk purchases we may seek advice from a knowledgeable friend – if we wanted to buy a second-hand car, for example. For even larger purchases such as a new house, purchases most of us make only irregularly, we might seek professional advice – to ensure we are not being ripped off and that the seller has the correct title for the transaction. Big businesses and other potential investors such as private equity houses, making significant investment purchases by buying other businesses, are no different. The process they go through is known as due diligence. This is an audit of the potential investment, to confirm all significant facts and assumptions, conducted before entering into a contractual agreement with the other party. The process followed is usually formal as it forms the basis of any subsequent contracts or agreements.
With an increasingly litigious society the process of due diligence has become more formal and legal/financial based. Some trace this growth to the American securities laws, and certainly the issuing of shares and other securities, coupled with a loss of faith and trust in securities markets, has increased the need for due diligence reviews.
Due diligence could hence be described as healthy cynicism when considering a deal, helping to understand the evidence to support the assertions behind the deal and to understand the people you are doing the deal with. It involves getting an independent third-party opinion – but this can only be an opinion and there may be other factors that the deal parties consider when deciding how to proceed. A cynical view of due diligence could be:
“Due diligence is an expensive, secretive process, to tell you what you already know, but in a virtually unintelligible way, by someone who does not know your business and who will try to wriggle out of any liability for their advice, but could probably still be sued for a large amount of money if it all goes horribly wrong.”
Yes, this view is cynical, but it does give an insight into some key elements of due diligence:
Cost – Investigations can involve large teams of specialist lawyers, auditors, managers, and capital and other professionals, working long hours under very tight deadlines (all at extremely high hourly rates!). Add in the risk elements and costs go up rapidly. The cost of the investigation needs to be considered alongside the cost of the deal, the likelihood of it going ahead and the potential loss if the identified benefits are not achieved.
Confidentiality – If any of the information about the deal, in some cases even that the deal is being considered, were to be published, the share price of the companies involved could be impacted. Due diligence assignments are therefore often given project names, non-disclosure agreements and have specific rules around data rooms and use of data.
Clarity of reporting – With clear recommendations and advice, both on the deal itself and post-deal issue(s).
Facts versus opinions – Yes, the information may be known, but also it could be hidden, or misinterpreted. Experienced due diligence specialists know the right questions to ask, including requesting specific information. This can then be presented by setting out the facts and their sources in a clear format.
Business knowledge – Due diligence investigators are employed for their independence, business knowledge of the sector and specific specialisms, including IT, required by the investigation. Some of these skills are rarely available in businesses other than those routinely undertaking merger and acquisition activities. Although most clients or the acquirer may understand the business environment in which the entity operates, they may not have the context of wider risks likely to impact the entity. What is required is good communication between the client and advisors to ensure the review is focused on agreed business, including IT, risks.
Liability of investigators – Investigators’ contracts for due diligence assignments do contain many of their own caveats, but the review can be high risk (see “What could possibly go wrong?” later).
Due diligence is hence a process to ensure decisions regarding a transaction are made on the basis of sound information and advice. By being aware of risks and issues before the deal is made, the parties can ensure contracts are based on a realistic understanding of the deal, e.g. to negotiate best terms based upon the true value of the deal to all parties. In some cases, for strategic reasons, the deal may go ahead regardless of the due diligence review. In these cases the review is more focused on gathering information and making plans for integration post-deal. Good due diligence is more than risk and compliance; it’s about basing decisions, and post-deal predictions, on sound information and judgement over:
Commercial risks such as cyber security, business continuity and compliance.
Finances – Understanding the underlying financial health and performance of the business (income and expenditure, profitability, assets, tax/other liabilities and cash flows). This is to understand past performance and assess whether this is sustainable post-deal.
Business/commercial issues – Considering the market positioning of the business and its products and services, strategic and business plan assumptions and predictions.
Legality – Understanding the legal basis of the deal and what is being transacted, including assets and intellectual property, contracts, loans and pending litigation, all of which could impact the future success of the entity. Legislation may also impact the nature of the deal itself, e.g. special anti-money laundering or anti-trust considerations.
IT systems and information can be a key element of each of these. For example:
  • Finances depend on accurate, complete and reliable financial data, often held in IT systems.
  • IT has legal, compliance and business implications.
The two most common types of due diligence review are for:
  1. M&A
  2. IPO (Initial Public Offering).
M&A is a wide term used to cover the strategic changes to an organisation, not just registered companies, and its ownership. It covers buying, selling, dividing and combining of different entities. It can be confusing as to whether a change is a merger or an acquisition, especially in some cases where the brand or name of the company acquired is used as the name for the new organisation.
An IPO is the process by which a company sells its shares, on a securities or stock exchange, to the public for the first time. These have become famous in recent years with some of the large ‘.com’ companies listing and immediately making large gains (or in some cases losses). Their purpose is to raise capital, and/or to release funds for previous investors. After the IPO the shares of the company are traded on the relevant stock exchange in the usual way. The choice of stock exchange impacts the style and content of the due diligence review. For example, a US-listed company needs to comply with specific U.S. Securities and Exchange Commission (SEC) requirements including the Sarbanes-Oxley Act. This requires additional preparation and auditing of the company. The key output for an IPO due diligence is usually a prospectus, and accompanying documents such as long-form and short-form reports, which are used to sell the shares. These are highly structured and the specific information depends on the specific stock exchange where the listing is to take place.
For all markets, it is likely that the company has greater compliance requirements, and has to publish more financial and other commercial information openly.

How do you do a due diligence review?

The objectives for a due diligence review can be stated as:
  • Obtain all the confirmed data and information required to assess the financial, legal & regulatory, and commercial information required to make decisions about the deal.
  • Provide an insight into the target’s business proposition including strategy, products, customer base, supply chain, operations, culture & style, people, tools and processes.
  • Be able to form an opinion on whether and how the deal should proceed, by identifying any deal stoppers and confirming the right price to be paid (as per the initial offer ‘heads of terms’). This is based on the business and the buyer’s own medium to long-term objectives.
  • Provide a basis for planning of the post-deal integration of people, processes and tools.
There are many approaches and tools for conducting due diligence assignments to achieve these objectives. Many organisations, especially the large accounting or legal firms, have also developed their own. For the purpose of this book we will follow the cycle:
[Figure: the due diligence review cycle]
Each step is described next.

Step 1 Understand the business and the deal

Like all tight deadline/budget-restricted projects a due diligence exercise needs to be well planned and co-ordinated. Before planning can commence we need to obtain a high-level understanding of the business to identify potential risks and all benefits of the deal, including any not apparent from the information provided. This is sometimes referred to as the ‘preparation step’. We have known deals be stopped at this stage because the information r...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Foreword
  5. Preface
  6. About The Author
  7. Acknowledgements
  8. Contents
  9. Chapter 1: Introduction to Due Diligence
  10. Chapter 2: Why is IT Important in Due Diligence?
  11. Chapter 3: Systems Reviews
  12. Chapter 4: IT Security
  13. Chapter 5: Data Reviews
  14. Chapter 6: Reviewing Projects and Changes in Progress
  15. Chapter 7: IT Service Provision and Value for Money
  16. Chapter 8: Reporting IT Due Diligence Assignments
  17. Chapter 9: Post-Due-Diligence
  18. ITG Resources