Due diligence is the process of verifying, investigating or auditing a potential investment opportunity to confirm that the investor or buyer has all of the relevant information needed. This is done before the deal closes and, if it’s not done right, may terminate the deal.
The Role of Due Diligence in M&As
On the buyer’s side, for a merger and acquisition (M&A), failure to go through due diligence significantly increases risk. On the seller’s side, proper due diligence increases the buyer’s trust and increases the likelihood that the deal will proceed as hoped. Going through the due diligence process beforehand may also benefit the seller, as it may help to determine that the fair market value for the company is higher than originally estimated.
M&A due diligence usually involves several different components, with varying degrees of scrutiny that depend on the strengths and weaknesses of the company. Financials, for example, are always a part of due diligence, while marketing strategy, management and workforce are also often a part of the process, as is technology.
What is Technical Due Diligence?
The role of technical due diligence is to analyze the technical aspects of a company. For tech companies, this includes their products or services. For all companies, this can include their technical architecture, web servers, databases, security software and more. Technical due diligence may involve one broad investigation, or a series of specific investigations on different areas.
Due Diligence for Tech and Non-Tech Companies
For tech companies, technology will always be front and center in due diligence, as the hardware or software the firm produces will be the primary asset behind the company’s valuation. Beyond technology products, however, for tech and non-tech companies alike, the technology supporting the organization should also be a consideration.
For non-tech companies, the importance of tech due diligence will vary, but should almost always be a consideration. If any part of a company’s valuation consists of data, for example, how that data is stored, secured and transmitted should be subject to due diligence. If the skills of a remote workforce are part of the company’s valuation, then the infrastructure connecting them should also be subjected to due diligence.
This basically means that technology due diligence should be a factor for just about any M&A deal, including marketing companies, engineering firms, ecommerce websites and pharmaceutical companies. Landscape service providers and hot dog vendors may be exceptions, unless the landscaper has a database of established clients, or the hot dog vendor accepts mobile payment transactions — in these examples, count them in, too.
An Overview of the Technical Due Diligence Process
For the buyer, due diligence can start before they’ve even contacted anyone at your company. It takes just a moment to find your website and begin exploring. Its features, its speed and its professionalism is visible to anyone. For anyone with a modest degree of know-how, your website provider, your platform choices, your security features and much more detailed information are also available with just a few clicks.
Introduction: From the first email and first meeting, the buyer is already getting a sense of your professionalism, personality and honesty. Often, the best tech talent on a team can be a bit…quirky…by business standards. If that’s the case, don’t try to present them as something they are not, but have a business manager restate or reinterpret their answers, if needed.
Documentation: The buyer will examine your business plan, financials and other documentation. Not only are they reviewing the contents of these documents but, from a tech perspective, they will also examine how you store, protect and transmit this information.
Due Diligence: Most buyers will enlist a third party with technical expertise to conduct a tech due diligence review. Expect this to include meetings, requests for additional documentation and real-time demonstrations that can be analyzed as they run. With follow-up questions, this can take a few days.
Report: The third party will present a report to the buyer, who will examine the contents and will often have their own follow-up questions for the seller.
Preparing for IT Due Diligence
Technology due diligence covers a wide range of areas, but it depends primarily on how reliant the seller is on that technology. For any organization reliant on data, security, as well as architecture and infrastructure, will be the prime considerations. Firms that have tech-based intellectual property should also be prepared to have their IP examined, something that is no longer limited to tech companies alone.
Architecture and Infrastructure Checklist
Architecture and infrastructure can include everything from user laptops to the security software used to protect the web servers. Below is a list of some common items that might be checked in a due diligence review.
- Hardware and software inventory, including computers, servers, operating systems, software licenses, firewalls and routers
- Architectural descriptions and diagrams, including organizational charts for IT personnel and server locations
- API documentation and use of third-party services
- Network performance metrics
- Data backup logs and audits
Intellectual Property Checklist
Intellectual property is always of vital interest to sellers. For tech-based companies, due diligence includes proprietary software or hardware they have developed. Areas of particular interest include the following.
- Domestic and foreign patents, registered trademarks and copyrights
- Documented measures to protect IP, like confidentiality agreements and invention assignment agreements
- Reliance on third-party licensing and its relationship to the seller’s IP
- Infringements on third-party IP, if that has happened, including any threats of litigation
- Royalty obligations that could be affected by the M&A agreement
- Liens or encumbrances on the seller’s IP
IT Security Checklist
IT security can include any aspect of a company’s hardware, software and technology policies and procedures, especially in regard to the organization’s data. Some of the questions the seller should be prepared to answer encompass such areas as the following.
- Privacy and cybersecurity risks the seller may face based on its business sector and the products or services it offers
- Computer network, systems architecture and data storage, including any cloud service providers or third-party applications used
- Types of personal or confidential information collected from customers and how this information is secured and stored, including data collected from business partners or government agencies
- User documents related to data privacy, including information privacy agreements, restrictions on the use of data, assurances of its protection, and any agreements with third parties related to this data
- History of cybersecurity incidents, including data breaches, DDoS attacks, viruses, malware, ransomware and other cyber threats
- Documented security policy, including safeguards and controls, and disaster recovery procedures
The Due Diligence of Document Sharing
When it comes to document sharing, the medium is the message. How the seller chooses to secure and share vital documentation will be a key component to any technical due diligence. The firm that chooses to send financial records with an email attachment or a link to a Dropbox folder, for example, will send a completely different message to the seller, compared to the firm that takes adequate safeguards to protect their documents using digital rights management software. This, of course, may be secondary to the risks the seller takes if they choose not to secure their documents.
For years, the virtual data room (VDR) has been the de facto standard in document sharing for M&As. An experienced buyer or investor knows this and will consequently know what to look for, such as the following.
- DRM: Digital rights management, including expiration dates and revocation of access to downloaded documents
- Digital watermarking, including user identification and IP address, as well as time and date stamps on downloaded documents
You can explore Caplinked’s document security options for yourself, without cost or obligation, with a free trial account.
Corporate Finance Institute: https://corporatefinanceinstitute.com/resources/knowledge/deals/due-diligence-overview/