Technical due diligence (TDD) is a more specialized type of business due diligence, usually conducted by a third party. The consulting firm that conducts technical due diligence for you should be able to ask about and understand the technology used by the target company, and should also have the sector knowledge to accurately judge the target company’s position in the market.
Considering the depth and breadth of knowledge needed, technical due diligence, also commonly called IT due diligence (IT DD), can be a challenge for any business. At Penser, we have a comprehensive 100-question checklist that we’ve put together over the years that serves as a strong foundation for our process. We’ve pulled eight key questions out of it that we think are essential to developing a clear picture of the target company when considering a merger or buyout.
The eight questions to ask during your IT due diligence
Q1. What is your roadmap?
The technology landscape is ever-changing. Well-established services like Amazon Web Services and Azure now live alongside technology architecture constructs such as microservices, deployment approaches such as OS-level virtualization and software containerization through Docker, and container-orchestration systems (like Kubernetes). This could lead to a more confused approach, with company IT heads sometimes deciding to go with what’s trending currently, or conversely, choosing to ignore trends completely in order to not rock the boat. The ideal target company should be able to assess this dynamic landscape and articulate what is on its technology development roadmap and why. This allows for an objective evaluation of the direction and eventual destination of their roadmap, which can inform the company’s projection for the future.
Q2. How do you deal with data security and infrastructure security?
With the increasing focus on security and privacy, the target company needs to have addressed system vulnerabilities and made sure that firewalls and data encryption are implemented. The infrastructure – namely, the network, hosting environment, the monitoring tools, etc. – also needs to be assessed for integrity, along with the licenses that the target company holds.
Q3. How scalable is the platform to allow for new features or for more users and transactions?
The key objective here is to assess how well the target company has been set up, and whether it can handle rapid growth. The target company’s technology architecture needs to be adaptable to new technological advancements and support the incorporation of new features that reflect the changing needs of its consumers. The infrastructure should also be reliable enough to handle a multifold increase in volume without breaking down. Assessing the target company’s readiness for scale is an important part of the technical due diligence process.
Q4. What is your software development process?
How the target company approaches the software development process is another crucial question. What tools and environments do they use? How do they manage different versions? What processes and methodologies do they use for both the development as well as for controlling quality? Do they provide customised solutions for clients? A structured approach to the software development process is ideal because it allows for an assessment of the target company’s speed to market, the effectiveness of the process in identifying and correcting bugs, and how capable they are when compared to other similar companies.
Q5. What is your plan for business continuity in the face of attacks and malware or natural disasters?
The target company should ideally have a clearly defined approach to handling disasters – both natural and man-made. Understanding how resilient the system is to malware and other similar attacks is an important part of an effective technical due diligence assessment. Along with this, it’s important to understand their backup policies – security, restorability, frequency, etc. – so as to get a clearer picture of the target company’s ability to deal with any eventuality. Having a documented process that can ensure that service delivery continues with minimum interruption allows an IT due diligence firm to fairly review and assess the target company’s business continuity plan.
Q6. How do you meet the data-related regulations required?
With new regulations being enforced across the world, a business must be aware of whether it is compliant with all the legal requirements of the region. Making sure that the target company has a process in place to ensure compliance with the legal requirements is a step that tends to be overlooked. This process should also have contingencies in place in case there are conflicts, and steps to mitigate these conflicts need to be outlined.
Q7. How do you implement security updates?
In order to maintain the integrity of the business’s application, it is likely that frequent security updates will be required. We would want to know how these security patches are maintained and what the process is for rolling them out to clients.
Q8. What is your software and technology stack?
It is important to understand what external software and technologies are required to run the target company’s operations effectively. This stack needs to then be examined for vulnerabilities in turn in order to better understand the target company’s dependencies. If there are any utilities that are not part of the business’s system but are required to administer, manage or configure operations, these must be called out and assessed as well.
At Penser, we provide our clients with the guidance they need to make informed decisions in the banking and payments sector. With our extensive industry expertise, we cover all the important questions you need answers to and provide a clear, comprehensive report that outlines the strengths and weaknesses of the target company.
If you’d like to learn more about our M&A (M&ADD) and vendor due diligence (VDD) services, please contact us.