2. www.drpete.co.ukwww.drpete.co.uk
Contents
1. What is IT Due Diligence?
2. Why bother with ITDD?
3. Who undertakes the ITDD?
4. Understand the process of ITDD
5. People
6. Infrastructure
7. Software
8. Processes and controls
9. Documentation
10. Strategy and Management
11. Need help?
What is IT Due Diligence (ITDD)?
Due diligence is the name given to an investigation to provide reassurance
that a transaction is fair and true, before completion.
The concept has been in place for many years and is important for IT systems
in particular, as they affect the smooth running and efficiency of the
business.
It is commonly performed in the following circumstances:
● A company (Acquirer) is buying another company (Target), whole or in
part.
● A company is raising money, either via loan or equity, and the lender
(e.g. bank or prospective shareholder) wants assurance that IT is
effective and is value for money.
● Owners/shareholders want to demonstrate that systems are fit before
selling part or all of the business, or receiving an investment (Vendor
ITDD).
Why bother with ITDD?
● Imagine buying a house without a survey. You would
ask a surveyor to assess the house to make sure it is
in good condition, to avoid expensive repair bills
and to strengthen your bargaining position.
● All businesses now rely on technology (even if it is
only a smartphone), so it is imperative to ensure
systems are adequate.
● For example, a failure in key business systems (e.g.
eCommerce, warehousing, communications,
manufacturing, logistics) could be expensive and
damage your reputation.
● Businesses experiencing a disaster scenario have a
high failure rate; the business could effectively be
worthless.
Who undertakes the ITDD?
An ITDD may be performed internally or externally:
● An IT director or chief technology officer from
the Acquirer may investigate the Target's
technology setup.
● However, a preferred approach for both parties
would be to undertake an independent ITDD to:
o Ensure impartiality for both vendor and
acquirer.
o Offer transaction experience.
o Bring additional resource that may not be
available internally.
Understand the process of ITDD
To complete the assessment, the independent ITDD assessor will need
information from the IT Team.
● Staffing - skills, expertise, key-person dependency issues.
● Technology - architecture and extensibility, scalability, robustness,
security.
● Processes & procedures - policies, governance, documentation (systems
and strategic papers), suppliers and contracts.
● Strategy and management - a review of strategic plans and management
information.
A formal report on findings and recommendations will provide a clear
snapshot of the current IT situation and its capability to support the business
strategy.
People
☐ Do IT staff have the right skills available to support the
systems?
☐ Check there are no key-person dependencies (especially in
critical system support and/or software development).
☐ Is there staff cover for service availability demanded by
the business?
☐ Is there reporting on analysis of staff turnover, appraisal
processes, development and training plans?
☐ Are procedures/processes documented including a staff
guide?
☐ Does everyone have a current job description and how do
salaries compare to the market rates?
People are often the biggest risk and cost; it’s important that the right
capabilities exist and are appropriately deployed.
Infrastructure
☐ Is the hardware old and in need of imminent replacement?
☐ Is the current hardware (and firmware) appropriate, supported and
scalable?
☐ Are systems robust, reliable and resilient - including infrastructure
such as data centres and internet provision?
☐ Do reports exist for security breaches (virus outbreak, network
hacks, data loss, physical impediment such as fire or flood)?
☐ Have the systems been tested for vulnerabilities?
☐ Is there an up-to-date record of all IT assets, including equipment
and licenses?
☐ Is there a backup regime; has a data restore been recently tested?
☐ Are plans in place for business continuity and disaster recovery?
Are the current hardware/infrastructure systems capable of supporting the
business strategy?
Software
☐ Is the software very old and in need of imminent replacement?
☐ Is the software current and supported?
☐ Are there any proprietary/bespoke systems?
☐ Is any software developed in-house, and if so, is it developed
using a recognised software development framework (SDLC)?
☐ Is the source code carefully maintained?
☐ Understand the ownership of any IP (intellectual property).
☐ Does the helpdesk/service desk system fulfil its requirements
to provide (and report) IT support to the business?
☐ Is licensing adequately controlled and managed?
Understand the software utilised in the business, its effectiveness and
ownership.
Processes and controls
☐ Key IT suppliers: Understand contracts & exit plans. Identify alternative suppliers and any
mitigation plans.
☐ Are key supplier performance metrics reviewed regularly? Benchmark costs to ensure value
for money and hold regular reviews (quarterly).
☐ Are Access Control measures in place, including password policy and “break-glass”
measures?
☐ Is there a policy for BYOD (bring your own device)?
☐ If WiFi is available, is there segregation between staff and guests?
☐ Has the business gained any assessment certification, such as ISO 27001?
☐ Are helpdesk and ITIL / COBIT adopted?
Understand procedures and authority to carry out the BAU (business as
usual).
Documentation
☐ Is there a published SOP (standard operating procedures) guide?
☐ Are documents up-to-date and version controlled?
☐ Is there an IT standard product catalogue that’s published and
known across the business?
☐ Do documents exist relating to service level agreements (SLA)
with suppliers and internal business groups?
☐ Are bespoke software systems adequately documented?
☐ Is documentation available for IT strategy, project management
and change control?
Understand how documentation supports the IT operation.
Strategy and Management
IT is critical to efficiency and staying ahead of the competition. ITDD
should address the following questions:
☐ Is the IT strategy planning process in place?
☐ How is the strategy or roadmap documented?
☐ Is the IT budgeting reasonable and adequate?
☐ To what extent does technology feature at the Board
level?
☐ Is the IT strategy aligned with the business strategy?
Need help?
● Our checklist is a simplified snapshot/highlight
of typical questions, to provide food for
thought.
● In reality, every business will be different - for
example, online gaming will be different to
eCommerce - in terms of types of systems and
peak usage and security.
● We have over 30 experts, many from the Big 4
IT audit practices, who have undertaken
technology ITDD.
● We can tailor a cost-effective plan based on
your requirements in the UK or around the
world.
About the authors
Roelof Iball, Senior Consultant
Roelof is a seasoned IT professional, corporate
(BP, Ernst & Young, Rentokil Initial, BDO) IT
problem solver, experienced across a range of
industries encompassing both mid-size and
enterprise organisations.
Reporting on IT investment and performance
issues for private equity and corporate finance
due diligence.
Paul McCormack, Senior Consultant
Paul is a seasoned IT professional, having
served as a Head of IT for a variety of
corporates. Prior to joining DrPete, Paul was
an IT Consultant advising clients of BDO
LLP. He also undertook a discrete project
assignment for Google.
Paul has worked in many diverse sectors, from
natural resources, to property management
and cryogenics, providing IT reviews, due
diligence and IT project management services.
DrPete Technology Experts: Thought leadership
We use the latest cloud apps and technology paradigms.
We are members of the European Cloud Industry body - Eurocloud, where we
have presented.
Our firm is regularly featured as thought leaders. We have been featured in
broadsheets such as the Financial Times, the Guardian, and leading portals
like the Huffington Post.
We have regular columns in CloudPro and Techradar.