Crowe Horwath: Five key factors for IT due diligence

Ignoring IT during the due diligence process exposes a company to unnecessary post-investment risk and might cause it to miss the opportunity to uncover potential inhibitors to advance its investment thesis.

An IT advisor must understand the company’s investment thesis prior to the investigation in order to provide insightful feedback. In many cases, the goal of minimizing operational expenses runs contrary to recommendations related to moving infrastructure to the cloud or paying subscription fees for software.

Many IT shops have been underfunded for a period of time and have accumulated “technical debt,” which can take the form of obsolete hardware or unsupported software. Does it make sense to replace it, upgrade it, or leave it as is? The answer depends on the company’s eventual exit strategy timing and tolerance for risk.

Additionally, the target’s valuation as it relates to IT needs to be considered. Are there pressing capital expenditures that have not been divulged or software licensing fees that have not been properly captured? Will the current operating budget meet the minimum acceptable level of support to sustain the business?


Fear in the marketplace surrounding cybersecurity breaches and loss of employee or customer data is justified. Within the current calendar year, Crowe Horwath clients report:

An $8 million client was hacked and had five years of credit card information stolen;

A $400 million manufacturing client was spoofed into sending $300,000;

A $20 million client was held ransom and had to pay $6,000 to recover its data.

These are real examples. Hackers attack small to mid-market companies that do not have the focus or skills to protect their data. Does this translate to concerns an investor should have for its particular target? An experienced IT advisor will consider the target’s customers, industry and data categories before answering this question. Is there an e-commerce component for which there are Payment Card Industry Data Security Standard concerns? Is personally identifiable information or protected health information being properly secured? Many security breaches are internal. An article in the Harvard Business Review reporting on IBM’s global 2016 Cyber Security Intelligence Index reported that “IBM found that 60 percent of all attacks were carried out by insiders.” Are controls in place to mitigate these internal risks?


Information technology is more than just overhead; it can and should be an enabler to the business. Depending on the duration of the investment hold, small and large investments should be considered. Exploit short holds for low-cost, high-value opportunities. Consider the next investor’s buy-side diligence. Will the next buyer quickly see through a “coat of paint” and decrease valuation accordingly?

Many system or application issues are tightly intertwined with operational efficiencies. An enterprise resource planning application or suite of applications might suffer from the technical debt issue highlighted earlier. Strong IT project managers maintain a road map of prioritized projects that directly supports executive management’s overall business strategy. IT diligence can uncover deficiencies in this area and provide recommendations highlighting resources, cost and time necessary to address these deficiencies.


Companies with strong IT management and staff already will have considered the strategic implications of their department on the organization’s finances, risk position and opportunities. An IT diligence investigation will highlight the competencies and deficiencies in an IT department. Does the chief information officer or IT director or manager have input into the C-suite or receive directed feedback from the business? Do the skills of the people in the department align with the needs of the organization? Are vendor relationships established that complement the in-house skill sets? A competent diligence investigation will speak to these questions.

Additionally, an advisor refers to the benchmarks on salary spend and staffing levels to give the investor an understanding of the target’s position in the industry. Are there opportunities to use a managed service provider to incrementally scale operations or add hard-to-obtain skills? Do training opportunities exist to bolster in-house skills? Answers to these questions will have an impact on operating expenses.


Platform company add-ons present a unique set of opportunities and challenges to an investor. If a target will be merged onto an existing portfolio company’s platform, it is critical to understand both entities’ infrastructures, suites of applications and capabilities. In some cases, a reporting solution that consolidates financial and operational data is sufficient, while in other cases, systems will be merged or integrated and a shared services model implemented. These situations increase the scope and the price of the diligence investigation if conducted properly.

Often, add-ons are less about diligence and more about integration planning. What are the costs and timelines to integrate? What are the resource constraints that need to be addressed to successfully merge platforms? Are there carve-out or transition services agreement fees and timelines to be considered? Integration diligence investigations need to be properly scoped in advance so the IT advisor focuses on the right issues.

Understand the process to make the most of IT

An IT diligence investigation typically occurs toward the end of the diligence process. The buyer will engage an advisor after receiving positive initial financial diligence results. In order to expedite the process so the IT diligence does not hold up the overall deal, the buyer should issue the IT request for documentation at the same time as the formal financial document request list (DRL) submission. Often, the maturity of an IT organization can be gauged by the completeness of the DRL response. It is also prudent to schedule the IT fieldwork at the beginning of the project to minimize logistical delays.

Once the IT advisor has been debriefed on the investment thesis, fieldwork typically will take a day or two for a mid-market company without any integration concerns, or it will take three days to a week for a larger organization with a decentralized IT structure. Report writing quickly follows with final report delivery within a week. A brief phone call immediately after the fieldwork gives the advisor an opportunity to inform the investor of any red flags that could affect valuation.

A buyer’s awareness and understanding of an IT due diligence investigation can advance its investment thesis and help the buyer incorporate technology considerations into its overall portfolio strategy.

Marc Baker is a director with Crowe Horwath