Below is a list of areas that I generally cover during an IT Due Diligence process, which can also be known as an IT Assessment, IT Strategic Review or just an IT Review. Personally, I see an IT Assessment as validating an IT Strategic Plan whereas an IT Review is more focussed on the overall IT service & department.
However, whether working on an IT Due Diligence or as an IT Assessor or IT Reviewer, many of the steps are common to all three activities. For me, the key outcome is to identify the most significant risks and find focussed, practical and deliverable outcomes for that organisation. Such organisations can range from turnarounds or technology businesses where the growth has stalled, through to potential acquisitions by venture capital or private equity funds.
For each sub section, there are a number of standard questions that I use as a starting point in the conversation. Based on the answers, how they are answered and the areas that I need to focus on, I follow up with further questions as necessary. I also use the scope and focus of the IT Due Diligence process, in order to guide me towards which areas I need to drill down into and which areas I can safely cover with only a cursory look. If you would like the full IT Due Diligence template document (it is in Word format) then please contact me and I would be delighted to send it to you. Below are the key headings of the template.
IT Due Diligence template headings
-Scope & Caveats
-Structure & knowledge
-Development, QA & testing processes
-Security (application, infrastructure & data)
-Compliance, DR & BCP
-AI & Machine Learning
-Specific hardware devices
-Hosting & Cloud
Summary of findings
What risks could undermine the transaction or the organisation?
As I mentioned at the beginning of this post, I take a risk based approach to IT assessments and this is particularly so when carrying out Due Diligence ahead of a potential transaction. Therefore, there are two risks that I look for before anything else. The first one is potential IT or Cyber Security breaches. Even if the potential breach is historic, I am very interested in what has been changed and whether those changes have been fully tested. I do understand that breaches are an all too common occurrence, but it is the controls that prevent, mitigate and improve the security post breach that give me insight into the importance an organisation places on its data and reputation. As a result, I am able to assess the risk of a breach occurring again.
The second risk applies to software that the organisation might use or sell, particularly if it is a commercial differentiator. Almost all bespoke code has libraries in it, or referenced from it, and each of those libraries will come with a license agreement. Many of those licenses, particularly open source ones, are open enough to not cause any commercial challenges. However, licenses such as copyleft can have a significant legal impact on commercial software usage and distribution, so it is well worth asking the question in the early stages of the Due Diligence as to whether such licenses are being tracked by the software developers across the entirety of the code base.
There are a number of secondary risks that are worth considering whilst going through this process. I consider these to be secondary in that they may not be deal breakers but they could change the commercial terms/budgets/plans as they currently stand.
For example, some brand or reputational damage risks might fit into this category. Imagine there is a supply chain where part or all of the product being distributed is manufactured in another country. The factories, the working conditions or even the security of the local staff can result in a secondary risk, if not mitigated sufficiently.
Another secondary risk is around product fit, although I accept that if the fit is wildly out and as a result has no market, then the risk is much more than secondary and could even be a deal breaker. Nonetheless, a partial miss in terms of product fit can also be a significant commercial risk.
Finally, a common secondary risk is around over-optimistic plans. This can manifest as recruitment and training plans for staff being wildly off from reality. I tend to assume a 4-6 month lead time to find staff and a further 3 months of training before they can be assigned to a project or initiative. This can have a significant impact on both time to market as well as the cash required (versus budget) to deliver those plans.
Initial meeting questions
There is usually a kick-off meeting for any IT Due Diligence or Assessment. In advance of the meeting, it is worth sharing a few initial questions as these can form an agenda and provide some structure to the meeting. Obviously, introductions, terms of reference and scope are clarified first but after that, these questions can prove very helpful in the discussion.
- High level architecture overview
- Key 3rd parties & their responsibilities
- Project & resource plans - current & future and assumptions
- Platform performance testing & scaling plans
- Platform last penetration test & results
- Capex & Opex - current & future and assumptions
- Multi year tech strategy
Web site and Digital questions
Almost every organisation has some sort of web presence so questions in this area are always of interest and therefore in scope for an IT Assessment. However, the importance attached to the findings can tend to vary by organisation. Below are some questions to start the assessment in this area.
- What is the content management system?
- Is there a list of plugins, and are their license requirements satisfied?
- How is the Admin area secured e.g. linked to an AD (Active Directory) domain, using keys, restricted to certain IP addresses, and is access logged?
- How is content uploaded?
- What content is uploaded and how is it used?
- Is there any user generated content?
- How is the website monitored and by who?
- How is the website tested e.g. Selenium?
- Is MVT (Multi Variant Testing) used and if so, where on the site(s)?
- Has the corporate/production web site(s) had a penetration test done on it? If so, what were the results?
- Are payments taken on the web site?
- Is the data at rest (database) and in transit encrypted?
- Define how to test (and roll back if necessary) any upgrades or updates to the web site or its plugins?
- Consider a support contract with whoever created the template, themes and any custom modules for the web site(s)?
Infrastructure questions
This area is covered in every IT Due Diligence or Assessment as it covers servers, laptops, networks, databases and, of course, cloud. Clearly not all of the questions below are always applicable but they do give a starting point. In addition, I tend to cover services such as CDN (Content Delivery Network) in this section despite them often being used by Digital services (the previous section). This is because there is often crossover between Digital Services and Infrastructure and the split varies by organisation.
- What is the CDN (Content Delivery Network)? Is it used for both offloading load e.g. images as well as security e.g. WAF (Web Application Firewall)?
- What is the DDoS (Distributed Denial of Service) mitigation?
- Is 3rd party Escrow in place?
- How is the website and its data backed up?
- Are the backups inside the UK or EU?
- Are the backups encrypted?
- What vulnerability management is in place?
- What patch management is in place?
- Is DevOps an objective?
- How is the infrastructure, web & application monitored and by who?
- How are log files (infrastructure, web and application) collected & monitored and by who?
- Are gold build images used?
- What back office systems are there e.g. billing/finance, email?
- Is a zero trust security model in place?
- What is the process for remote access to the production systems?
- What IT infrastructure is coming end of life over the next 3 years and what plans & budget are in place to mitigate?
- Are there any Exchange servers?
- What is the policy around BYOD?
- How is old, unused equipment disposed of?
- Who installs, patches & maintains the PC/tablets/phones of outsourced partners?
- Is Infrastructure as Code in place?
- Investigate Salesforce Shield (encrypt PII) and Salesforce Health Check (check config settings)?
- Oversight of hosting/colo/cloud provider from a performance & security standpoint?
- Is there any automation between systems or environments?
IT and Cyber Security
The next section is also always on the list to be assessed. As mentioned previously, IT and Cyber Security are increasingly focussed on, particularly by investors. Not only are there concerns around potential fines relating to GDPR or the ICO, but there is also awareness of the potential reputational damage. After all, would you use your credit card with an organisation that has just been on the news as it has been breached? Below are some questions to start the assessment in this area.
- Can I see the GDPR data breach log?
- Who has access to customer data?
- Who has access to employee & contractor data?
- Is there MDM (Mobile Device Management) in place for laptops, tablets and phones? Can they be bricked remotely?
- What phishing & ransomware training is in place?
- Are there Secure Coding Guidelines in place?
- Are code reviews in place?
- Is pair programming used?
- What is the current release & deployment model?
- How are security events captured & reviewed and by who?
- Is there any Cyber Insurance in place?
- Have the scripts for external communication in the event of a breach been pre-approved?
- Have InfoSec staff reviewed and approved the security processes of key suppliers/outsource partners?
Software Development and Testing/QA
This area is often only focussed on if there is a software product that is being used or distributed commercially. As mentioned earlier, it covers the types of open source licenses used by libraries within the code base. It is also interested in how efficient and scalable the processes are in this area, as alongside recruitment, they can be one of the biggest bottlenecks to product shipment.
- Is there a code scanner in place?
- Are the licenses for all of the open source libraries referenced in the software satisfied?
- What is the type of license for each open source library referenced in the software?
- What is the plan for dealing with technical debt?
- What is the plan for refactoring the code?
- What is used for CI/CD (Continuous Integration/Continuous Deployment)?
- Is there 100% unit test coverage?
- Is SIT (System Integration Testing) automated?
- Is regression and smoke testing automated?
- Who is responsible for product management?
- How is the backlog defined and prioritised?
- Are there any patents, intellectual property rights, AI/ML models or algorithms?
- How is configuration management carried out?
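The copyleft question raised earlier (whether licenses are tracked across the whole code base) and the two license questions in the list above are easiest to answer from a component inventory. The script below is an added example, not part of the template or any project's tooling: it classifies SPDX license expressions from a constructed SBOM-style list into permissive, weak-copyleft, strong-copyleft and unknown, and flags components with no license recorded at all. It handles simple `OR`/`AND` expressions only (no nested parentheses).

```python
# Added example: classify declared licences of third-party components so that
# copyleft and untracked libraries surface early in a Due Diligence review.
# RANK orders classes from least to most restrictive; "unknown" is treated as
# most restrictive so that it is never silently hidden by an AND clause.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}

LICENSE_CLASS = {
    **dict.fromkeys(["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"],
                    "permissive"),
    **dict.fromkeys(["LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                     "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"], "weak-copyleft"),
    **dict.fromkeys(["GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                     "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"],
                    "strong-copyleft"),
}


def classify(expression):
    """Classify a flat SPDX expression. In SPDX, AND binds tighter than OR:
    'A OR B AND C' means A OR (B AND C). An OR lets the consumer pick the
    least restrictive alternative; an AND imposes the most restrictive term."""
    expr = (expression or "").strip().strip("()")
    if not expr:
        return "unknown"
    best = None
    for alternative in expr.split(" OR "):
        cls = "permissive"
        for term in alternative.split(" AND "):
            term_cls = LICENSE_CLASS.get(term.strip().strip("()"), "unknown")
            if RANK[term_cls] > RANK[cls]:
                cls = term_cls
        if best is None or RANK[cls] < RANK[best]:
            best = cls
    return best


def audit(components):
    """Group components by licence class; a missing licence field is 'untracked'."""
    report = {k: [] for k in ("strong-copyleft", "weak-copyleft", "permissive",
                              "unknown", "untracked")}
    for comp in components:
        label = f"{comp['name']}@{comp['version']}"
        expr = comp.get("license")
        report["untracked" if not expr else classify(expr)].append(label)
    return report


SAMPLE_SBOM = [  # constructed sample inventory, not from any real project
    {"name": "left-pad-ish", "version": "1.0.0", "license": "MIT"},
    {"name": "pdf-render", "version": "2.3.1", "license": "AGPL-3.0-or-later"},
    {"name": "dual-lib", "version": "0.9.0", "license": "MIT OR GPL-2.0-only"},
    {"name": "crypto-shim", "version": "4.1.0", "license": "LGPL-2.1-or-later AND Apache-2.0"},
    {"name": "vendor-blob", "version": "7.0.0", "license": "Proprietary-EULA"},
    {"name": "forgotten-dep", "version": "0.0.1"},
]

if __name__ == "__main__":
    for category, items in audit(SAMPLE_SBOM).items():
        print(f"{category:15s} {', '.join(items) or '-'}")
```

The strong-copyleft and untracked lists are the ones to raise with the development team; an unknown class usually means a commercial EULA or a non-SPDX identifier that needs reading by a human.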
Risk and Compliance
This area is enormous and highly varied. It can depend on sector, physical locations and regulation to name just a few. I start with just three base questions and let the organisation specific factors then drive the remainder of the assessment in this area.
- What are the BCP (Business Continuity Planning) plans?
- What are the DR (Disaster Recovery) plans?
- Is PCI DSS (Payment Card Industry Data Security Standard) compliance necessary?
People and Management
The last section should, perhaps, be the first one. In this area, I am looking at the people, their skills and how well they are motivated and managed. Ideally, I should start to get some insight into the culture at this point. All of these data points will help me assess the likelihood of on time, on budget, on quality delivery by the organisation.
- Are there any key man risks and if so, does succession planning help mitigate?
- Are there any pay rises planned or being considered?
- How often are replacement PCs/tablets/phones purchased?
- Any new offices planned?
- Any plans for follow-the-sun support?
- Do any key suppliers/outsourced partners carry out background checks on their staff?
- Are there Data Access/Transfer agreements in place with key suppliers/outsource partners?
- Have key suppliers/outsource partners been reference checked and had Due Diligence carried out on them?
- What new resources are planned to come on board, and what are the assumptions about when they can usefully be added?
- Are there any succession plans in place?
- Can I have the tech org chart please?
- What is the tech strategy e.g. build vs buy, cloud vs hybrid vs on premise?
- What is the expected growth in load on the platform over the next 5 years?
- What is the total cost of IT & Development as a % of revenue?
If you would like the template, complete with my initial questions for each section, then please let me know where to send it, using either my contact details at the bottom of this page or the contact tab on the right.
Finally, it is worth pointing out that this template, and some of the questions within it, do not apply well to Supplier Due Diligence activities. This is because the focus shifts from investment risk to service risk and therefore the emphasis of the questions changes too.