Spring 2014 issue of Horizons

Today’s businesses are more reliant on information technology (IT) than in any other time in U.S. history. IT risk is no longer confined to entities involved in processing significant numbers of financial transactions or subject to complex regulation; rather, IT risk is pervasive across all industries in today’s world and is an often overlooked area for due diligence when executing a merger or acquisition. Given that most studies suggest 70% to 90% of mergers and acquisitions (M&A) fail, thorough due diligence is an absolute must and IT cannot be overlooked. IT due diligence is not a “one size fits all” approach. There are different considerations depending upon whether the acquirer is a strategic or financial buyer, and whether the target company is a new platform company or if the target company will be rolled into another company. A thorough understanding of the strategic purpose for acquiring the target is critical. Additionally, the buyer should have a robust 120-day post-deal plan with a significant component of that plan being IT. The buyer should take the opportunity during due diligence to establish an IT plan for the business going forward.

IT Due Diligence Defined IT due diligence can generally be thought of as an assessment of the target company’s state of information technology. Throughout this assessment, key questions should be asked:

∙ Will we own the technology?

∙ Will there be a gap in IT skills post-deal? If the entity is a carve-out, IT support may be lost.

∙ Do we have to replace the technology?

∙ Has there been downtime due to technology?

∙ What information (including transactional and intellectual property) is important?

∙ Is the technology, such as the ERP, scalable?

∙ Where is the information? Is it housed with unknown third parties (i.e. Dropbox)?

∙ Do we have risk related to our web presence that will require additional spending? ∙ What is “technology” for the entity (i.e. computers, servers, network, telecom, data center/server room, websites, software)?

∙ Who has the control of the technology? Is there a limited group with access to “all”?

∙ Is there a key man risk? The loss of certain key IT individuals could be detrimental to the company.

Security For companies in certain industries that are collecting personally identifiable information or credit card information, regulatory and reputational risk for a security breach should be of significant concern to a potential buyer. Identifying gaps or weaknesses in security over such information can help inform the buyer as to future costs or risks associated with owning the business.

Scalability IT due diligence is critical in assessing the potential for future capital investment in the business. For example, many financial buyers of businesses will require significant amounts of financial data at a disaggregated level to run the business post-transaction. It is critical to understand,

www.RubinBrown.com | page 19