Q&A: Technology due diligence

July 2022  |  SPECIAL REPORT: MERGERS & ACQUISITIONS

Financier Worldwide Magazine



FW discusses technology due diligence with Jenna Aira-Ventrella, Adam Bartnik, Jared Crafton and Mike McDermott at BDO USA, LLP.

FW: Could you explain why it is important for a potential acquirer to assess the technology infrastructure of a target company?

Crafton: With every business increasing its reliance on data, an acquisition target can be a potential gold mine or land mine depending on the maturity of its technology. All businesses require investment in technology, and the level of investment for the first few years should be a consideration in both the attractiveness of the target and the sale price. Investors should assess both the current state as well as the future performance of the technology and ask questions such as: is the current enterprise resource planning (ERP) system going to sustain the level of growth targets? It is like buying a house with two years left on its roof. The smart homeowner will factor this into the negotiation and their budget for improvements.

Aira-Ventrella: The world of technology is in constant flux. Proper due diligence upfront can ensure better valuation, financial modelling and risk mitigation. On a practical level, the pre- and post-merger integration workflow of systems is a critical component of any acquisition. It can be valuable to understand if redundant systems can be integrated into one to create an optimal overall IT spend. Conversely, different back-office systems for core services can cause integration challenges and drive up costs. Back-office assessments, strategy alignment and business process improvement analyses can provide valuable insights, address potential pitfalls and reveal if IT expenditures have negatively impacted business performance.

Bartnik: The buyer needs to assess the risk of the organisation across several domains to fully understand the investment required to bring the newly acquired target under management or as a standalone entity. Significant technology, process or debt could position the deal in such a way that it may not be worth the investment.


FW: Drilling down, what specific aspects of technology should be examined as part of a due diligence process?

Aira-Ventrella: If the acquirer is looking at the whole target – as opposed to retaining a specific asset and divesting the rest of the target – the operational, accounting, infrastructure, products, product roadmap and associated security elements should be assessed, as well as proprietary and specialised applications. This should include contracts, equipment, associated applications, software, policies and procedures to understand the health of these systems from a contractual through security and privacy lens. For systems that house personally identified information (PII) or other sensitive data governed by data privacy laws, the acquirer should understand potential exposure and compliance requirements. Examining the IT strategy, risk profile and financial and operational wellness will inform whether IT was managed proactively as a strategic asset or if there are potential issues to consider.

McDermott: Organisation and support structure are at the top of the list. Additionally, applications and systems, infrastructure and cloud issues, security, governance, compliance and assets, and investments should also be put under the microscope.

Crafton: From the technology side, there are many different factors that can make or break a deal. Fundamentally, the assessment should start with a look at the current technology stack, its service life and the individual contracts that govern it. Analyses should focus on whether the target has been regularly upgrading its stack and updating contracts to reflect an increasing focus on owning data, cyber security and privacy. It is also critical to understand what the data lifecycle looks like within a target. How does it move from origination through business processes? Determining how the data moves into products and services and management reports will provide great insight into how efficient an operation the target is, especially for targets that regularly compile, protect and monetise valuable customer data.


FW: Given the volume of different software components and applications used by modern companies, how important is software analysis in conducting a comprehensive review of a target company’s technology base?

Bartnik: This depends on the size of the target and how important the system is in the operations of the business. For example, an ERP or a custom-designed system is more critical to review than a United States Postal Service (USPS) mailing system. Not all systems require a comprehensive review.

Crafton: This is an area where we place greater importance on the governance and oversight of technology, rather than any individual software tool. Bringing technology into an organisation is an investment, and they do not always work out well. How nimble the company is at reacting to bad investments while also looking at the overall vision will give great insight into the strategic and tactical aspects of the target’s technology maturity. Traditionally, it has been a challenge to gather the necessary information to conduct this assessment as it typically cuts across many different areas of an organisation. Legal will have the contracts, IT will have the service records, internal audit will have system and organisation control (SOC) reports, and so on. Companies must use advanced techniques to quickly gather and analyse this information.

Aira-Ventrella: The assessment of various software components can provide a lens into the overall health of an organisation. It can provide insights on the ability of a company to potentially scale, and insights on the health of its cyber security and business continuity programmes. The review can provide immediate insights into where investment may be needed post-acquisition to divest of legacy systems, migrate to the cloud and convert data to the acquirer’s system, as well as how quickly an integration can be achieved.

FW: What steps need to be taken during technology due diligence in order for a potential buyer to gain an accurate view of the target company’s true value and potential for growth, as well as associated risks?

Crafton: Like any due diligence, there is typically a short turnaround, limited access and great pressure with technological due diligence. Being prepared with the types of metrics that are valued will give a great head start. These can vary with different types of businesses, but generally a buyer will want to understand the overall vision and the target’s ability to execute on that vision. As an example, a bespoke, web-accessible software evaluation survey will facilitate a quick and easy solution for multiple departments – legal, IT, business lines, finance and internal audit, among others – to gather real detail about the current technology stack. Understanding elements such as implementation dates, disaster recovery plans, service contracts, out clauses, privacy and security measures, and other key metrics enables analysts to easily move through projections of risk, resiliency, cost and revenue. This can be further streamlined by aggregating the collected metrics into scores for these different areas. A platform like this also offers the ability, particularly for private equity (PE) firms, to build a repository of these assessments as they move from target to target. This provides invaluable data that can further differentiate projections and predictive models.

Aira-Ventrella: Buyers should create a developed methodology to look through the lens of the chief information officer, chief risk officer, chief privacy officer and chief revenue officer. Given that the process and timeline are accelerated, a tailored and systematic approach is necessary to obtain a clear understanding of the technology. The process, however, cannot be passive. It needs to determine how the technology is being used throughout the organisation, how it is helping to drive the target’s business and mitigate overall risk, and how it is aggregating data that can be leveraged or integrated into the acquiring firm to maximise its competitive advantage. If the analysis indicates substantial impact on the model, the information may be leveraged during negotiations or to determine if this is the right target.

McDermott: The necessary steps include an exchange of information that allows for analysis of requested artefacts and interviews with the target. Additionally, it is important to include an analysis of collected information by small and medium-sized enterprises (SMEs) in those specific areas.


FW: Are there ways a buyer might offset technology-related risks associated with an M&A transaction? To what extent does technology due diligence give them the opportunity to explore risk transfer options, or to decide to walk away from a deal, for example?

Aira-Ventrella: Understanding technology and how it plays into the overall operational model of the target can provide a clear roadmap to the proposed value of the target, whether it dilutes or enhances the viability of the deal and whether it has a meaningful impact on value creation. If a breach is revealed during the due diligence period that exposes major cyber deficiencies, proprietary technology is not able to execute against what was presented or is not as developed as indicated without a clear product roadmap, the acquirer will have the opportunity to walk away from the deal or negotiate.

Crafton: The availability of advanced analytics has really changed the game for assessing the inherent risk within a technology stack. Another element to this is the ability to assess the insurance coverage and resiliency measures in place to protect it. With an understanding of what costs are coming due, as well as the risk of catastrophic failure – such as a cyber breach, IP theft, litigation or disaster – buyers can be better positioned to negotiate on price, deal killers and escalators. Understanding insurance market trends and the value of the target’s policies can give confidence or be a giant red flag. Buyers need to understand this holistic picture of technology to make smart decisions.

Bartnik: Technology due diligence identifies risks, cost to remediate, plans to operationalise and projected spend. Should costs exceed acceptable risk, a potential acquirer can walk away from the deal.

FW: What essential advice would you offer to a potential buyer or investor when it comes to evaluating a target’s technology systems, processes and assets, to fully understand their value and liabilities? What are the likely consequences of overlooking this aspect of an M&A deal?

McDermott: Buyers need an adviser that knows the diligence process and can evaluate, quantify and qualify the risk in a manner that is transparent to the buyer. Overlooking this may incur significant extra costs that were missed during the deal. On top of this, representations and warranties need to be accounted for.

Crafton: Data is king. Understanding how data flows through a company is the thread that holds all functions and processes together. To understand this, you need to collect data. Once this data is in your hands, tear it apart with analytics, and slice it every way you can. Do not assume that the target can easily provide you with the information you are going to need. You will need to cross most of the bridge yourself. Unfortunately, there are many public instances of buyers not understanding technology and data, which can lead to very embarrassing results.

Aira-Ventrella: A proper technology assessment can help to outline whether the acquirer is looking at the right target. In today’s environment, ask informed questions, seek the hard answers and push for transparency. Understand your business objectives for the transaction, the impact – if there are any weaknesses – and locate where the risks are embedded.


FW: To what extent do you expect to see a rise in demand for technology due diligence in the years ahead? Ultimately, how vital is technology due diligence in helping acquirers make smart decisions?

Bartnik: Demand will always exist as long as M&A occurs. The focus will shift as it pertains to the priorities and practices of the day, similar to how cyber security has become a larger component in recent years. Understanding the IT environment will always allow a buyer to get a better insight into risks and costs, in addition to providing a head start in planning for successful integration.

Aira-Ventrella: With the rate of cyber attacks increasing well over 200 percent, the constant barrage of new phishing schemes, the mix of the human element being caught in the schemes, and the explosion of data, the demand, and more importantly business needs, will drive more adoption. Savvier M&A teams and PE firms will likely lead the pack due to their lens toward value creation and how technology infrastructure has a meaningful impact on their strategic goals. Creating the appropriate approach and methodology nimble enough to account for this dynamic environment will help achieve informative models to highlight risks and advantages within a possible transaction.

Crafton: Demand for technology due diligence is likely to generally follow projected data volume growth rates. Many of these show that the volume of data worldwide will double by 2025. Data three years from now will also look different and move at different speeds than what we see today. Most of it will be in the cloud, and it will move around the world with amazing velocity that connects previously unconnected parts of global organisations and economies. This will bring increased risk and increased rewards. Buyers that get ahead of this curve will have a significant advantage for the foreseeable future. Creating a vision for what technology due diligence looks like in three to five years and mapping this to data trends will provide tactical guidance on smart decisions.

 

Jenna Aira-Ventrella is a principal in the forensics practice, serving on the practice’s leadership team. She sits on BDO’s global leaders global forensic committee, responsible for global forensic technology services. With more than 20 years of experience leading large scale domestic and international projects, Ms Aira-Ventrella works with clients to understand cross-border data challenges involving data privacy, and devises appropriate global team coordination strategy. She can be contacted on +1 (310) 557 8256 or by email: jaira@bdo.com.

Adam Bartnik is a senior manager in BDO Digital’s IT services practice, having more than 16 years of experience in technology architecture across several industries, including healthcare, non-profit and others. His experience has enabled him to lead the architecture team where senior architects and engineers discuss roadmaps, strategy and other business impacts with the technology leaders across a client’s organisation. He can be contacted on +1 (630) 371 9513 or by email: abartnik@bdo.com.

As head of innovation for BDO’s forensic practice, Jared Crafton brings over 19 years of experience advancing the scientific maturity of his clients’ investigations, compliance programmes and litigation matters. He specialises in forensic data science providing clients with effective strategies for tackling complex data environments with easy-to-understand analyses and mitigations. He can be contacted on +1 (203) 905 6248 or by email: jcrafton@bdo.com.

Mike McDermott is a business development director for BDO Digital, a division of BDO USA. He has more than 20 years of experience in working with clients in technology strategy, across all industries including healthcare, non-profit, and others. His experience has enabled him to help BDO Digital’s clients make technology decisions that have impacted their businesses and provided outcomes to align to their goals now and in the future. He can be contacted on +1 (630) 371 9423 or by email: mmcdermott@bdo.com.

© Financier Worldwide

