Mergers and acquisitions (M&A) usually require considerable due diligence on the part of the acquirer. Before entering into the deal, the acquirer may want to ensure that they understand what they are purchasing and what responsibilities it entails, the existence and scope of the contractual liability of the target entity, controversial agreements, legal threats, and intellectual property concerns and much more.[i] This is especially relevant for M&A deals of private entities, i.e. the target business may not have been subjected to public sector oversight and therefore the bidder has limited (if any) opportunity to access the details it needs from public sources[ii]. The method of compiling and evaluating the information necessary on a target company is called “due diligence.” Due diligence is a detailed review of the activities of the target company; its strengths and disadvantages, its financial and competitive role within the market. Many studies have shown that due diligence during the planning process of a deal is one of the main success factors in M&A[iii].
This article explores one of the aspects of due diligence done under the M&A processes – this is the Technological Due Diligence Process. Despite consensus amongst business executives regarding the importance of due diligence, this aspect of the M&A process is still relatively unexplored in literature. Through this process, acquiring companies receive and verify the accuracy of public and private information regarding the technologies sought to be acquired alongside the target company. Obtaining better quality information through the process of due diligence may lead to improved identification and valuation of the technology assets intended to be acquired.
Nature of merger and acquisition
Merger is the combination of two or more companies in which the assets and liabilities of the selling firm are absorbed by the buying firm[iv]. Although the buying firm may have a considerably different organization after the merger, it retains its original identity. Simply put, a merger is a combination of two or more distinct entities into one; the desired effect being not just the accumulation of assets and liabilities of the distinct entities, but to achieve several other benefits such as economies of scale, acquisition of cutting edge technologies, obtaining access into sectors/markets with established players etc.[v] Generally, in a merger, the merging entities would cease to be in existence and would merge into a single surviving entity.
Acquisition, on the other hand, can be said to be the purchase of an asset such as a plant, a division or even the entire company[vi]. Thus, acquisition or takeover is the purchase by one company of controlling interest in the share capital, or all or substantially all of the assets and/or liabilities of another company.
M&As in the broad sense, may imply several different transactions ranging from the purchase and sales of undertakings, a concentration between undertakings, alliances, cooperation, and joint ventures to the formation of companies.[vii]
However, acquiring a company is risky, especially because relevant information of a target’s business is beyond the reach of the acquirer and he/she needs to rely on or make assumptions about the state of the business.[viii] Such information asymmetry occurs when the acquirer does not get reliable information to carry out a thorough evaluation and determine the fair acquisition price. In line with the literature, the term information risk is used to describe the uncertainty surrounding information relevant to the acquirers’ valuations and expectations for future economic development.[ix] The main challenge for the acquirer is to obtain adequate information about the target company’s business. Even if the acquirer gets information in the acquisition process, there will be information buried within the target firm’s bookkeeping and records, and thus difficult to find and consider in the evaluation efforts. The higher the quality of information, the better the acquirer can make qualified decisions about the economic benefits of a potential acquisition. In a cross-border context, the situation is riskier, since there is even higher information asymmetry including characteristics from different countries.[x]
In M&A transactions, due diligence serves to overcome the information asymmetry, and thus, it is defined as an audit of potential investment confirming material circumstances related to the acquisition. The final purpose is to give confidence in fully understanding and evaluating risks associated with the acquisition.[xi]
Importance of due diligence
In the corporate world, due diligence allows companies to evaluate new acquisitions to obtain as much information as possible. This information is then used to assess the attractiveness of the investment. Due diligence represents an auditing process of a potential deal or investment opportunity to verify all relevant facts and financial information and any other information produced during an M&A deal and/or investment process.[xii] Due diligence represents a critical preparatory stage in the acquisition process. Most often, it is conducted before a deal closes to give assurance to the acquiring party of what they are getting.
Another powerful argument in favour of due diligence lies in the fact that the effect of corporate acquisitions and competitive and financial market practices on the future target in an increasingly dynamic environment is not clear to the buyer without a systematic and thorough review, even if the target is from the same industry as the acquirer. Thus, a thorough and systematic review is an essential requirement for maintaining the clarity required to make a buying decision[xiii].
Distinction between the different forms of due diligence
Many forms of due diligence offer companies the confidence and information to get exactly what they expect from a prospective transaction. Some forms of due diligence will allow businesses to detect problems before they cause harm, while others will include useful insight into the true cost of a business transaction.[xiv] Due diligence processes allow businesses to acquire knowledge to convince their business decisions. According to the majority of professional bodies and commentators, the major types of due diligence in business or corporate activities include: financial, commercial, M&A, customer and vendor due diligence.[xv] Technology due diligence is a novel branch of due diligence that has become very essential as IT has become an ever more strategic component and growth leverage in most businesses mergers or acquisitions.[xvi] Thus, it can be said that technology due diligence is a subset of modern M&A due diligence. Technology Due diligence is an imperative activity that companies must conduct during Mergers and Acquisitions.
Merger and Acquisition (M&A) due diligence is performed when two companies intend to merge into one or when one company is considering whether to acquire another. M&A due diligence is undertaken to assist the purchaser in determining whether to proceed with the proposed agreement. Thus, once they understand to a greater extent how an integration or acquisition will play out, the buyer can adjust their expectations. M&A due diligence helps the buyer to understand potential risks, and also to plan with greater clarity for integrating the target company. In summary, M&A due diligence enables the acquirers to do three important things:[xvii]
- Confirm the criteria behind the agreement
- Collect data for transition preparation
- Identify undisclosed threats
Concerning Technology due diligence, this consists in a technical risk review carried out by auditing the target company’s IT system to help investors determine its strengths and weaknesses and therefore determine the value of the business with a view to sustainability, maintenance cost, integration, ramp-up, scalability and evolution capabilities. Performing IT due diligence before mergers or acquisitions has become a key step in ensuring better valuation, financial modelling and risk mitigation. The primary goal of the due diligence is to assess if there are insurmountable risks that may affect the deal or post-transaction integration. The scope and concentration of due diligence will be customized to the purposes of the deal. Technological differences between the two companies can create risks to the efficient integration and future operations of the emerging company. Focusing on Technology due diligence helps companies obtain information about future synergies, identify security vulnerabilities and review IT personnel and structures. Quite similar to M&A due diligence, a comprehensive and well-managed Technology due diligence process should[xviii]:
- Evaluate overall IT strategy effectiveness, including processes, project portfolio, support structure, and alignment to business goals.
- Identify operational improvements, synergies or cost savings opportunities such as rightsizing the IT support model and vendor contracts.
- Assess capability to integrate core business processes and systems (e.g., ERP, supply chain management, CRM).
- Assess the security and controls framework to minimize exposure to costly litigation for data exposure or theft.
- Evaluate the health of IT infrastructure to determine ability to scale, integrate, or maintain current operational demands.
- Identify single points of failure that require mitigation planning.
- Identify hidden or buried IT costs resulting in a higher than expected operating model.
- Identify deferred or unplanned software license costs, which may create post-transaction investment.
- Identify transition issues to consider post-transaction, which would help to assess the cost and timing of integration.
- Evaluate intellectual property, which may impact the valuation of the target company.
Procedure for technology due diligence
Computer and services corporations acquire their valuation based on their worth in technological advancements. In a deal which involves the transfer of technology or IT companies, the commodity is software or software powered, and the interest is based on the intellectual properties contained in the technology. And, whilst an acquirer may have to dive through all of the above points, it is of utmost importance to validate, prepare, and recognize risks in the technology[xix]. Technology due diligence is the process designed to find a clear and comprehensive picture of the Total Cost of Ownership (TCO) of a company’s IT infrastructure as well as the risk associated with any future mergers or acquisitions.[xx]
Framework for technology due diligence
Technology due diligence comprises the following components[xxi]:
- Enterprise applications and data: The buyer hopefully understands these facets of the target and blends into his own business. Yet they may like to go further during due diligence through more detailed presentations, a study of the strategy details, and strategic conversations with product leaders.
- IT organization and structure: Although the buyer knows the senior officers of the company, more personnel of the target company would be engaged through due diligence. This is the time to assess the potential talent of the organization, to prepare post-acquisition positions, and to recognize key and vulnerable players in the mix.
- IT operational processes: If the project team is retained unchanged and existing procedures remain, evaluation of the related enabling systems and resources is crucial. For private equity acquisitions, that may almost always be the case, while a strategic acquirer will intend to incorporate the team into their structure. It needs resources and time to modernize inefficient processes. Bad processes or lack of processes can pose issues about management skills. Finally, greater inspection efforts will be focused on vulnerable process areas.
- IT infrastructure, security, intellectual property, and privacy: Due diligence on the software involves evaluating its architecture and code. As with a home inspection, a firm foundation is critical to maintainability. Finding out how well the software is being applied in code exposes the technical debt in the form of glitches, security vulnerabilities, compliance concerns, and other code-modifying problems.
Steps and procedure for technology due diligence assessment
Technology due diligence needs a variety of tools to carry out several investigations. For example, senior technical executives or advisors of the acquirer would have developed a view based on publicly accessible knowledge and pre-diligence consultations. Diligence typically causes demands for specific details from the target in the form of disclosures. Assessing code reports regarding rules, workflow documents, open-source content payments, security violations, and other information relevant concerns will aid guide understanding of the software itself. In summary, the preceding can be represented in three steps[xxii]:
Step one: gather requirements and assess snags in capabilities
The first phase involves establishing an overall assessment of all technical challenges posed by the merger by the IT team of the acquirer. Firstly, the requirements of the IT department are evaluated. They will build an analysis of the infrastructure on all sides of the transaction, to decide how the two companies would be integrated, where synergies are feasible, and where there are challenges to integration.
Step two: prioritize initiatives
Given that the IT resources would be stretched during the due diligence process, the IT team must ensure a systematic approach in the deployment of its IT resources to encourage effectiveness. These priorities should be considered across three dimensions: (a) Business impact, including regulatory compliance and risk management; (b) Ease of implementation, including technical complexity, personnel demands, the interdependence of projects; and (c) Expected business benefits.
Step three: develop an integrated implementation road map
Once the integration priorities have been identified for both the IT department and the new corporate structure, the IT Team should develop an implementation roadmap that includes subprojects, timelines, and contingency plans. A detailed implementation plan is essential since it would assist to overcome the various challenges of the unique nature of IT systems and processes evaluation.
Risks assessed during technology due diligence
Acquirers need to ensure that the target has the right to use the third-party code incorporated into their software. The extreme misuse of software can result in lawsuits or even loss of proprietary intellectual property. Today it is typical for half or more of a target’s code to be third-party code—mostly open source. The starting point is to generate a comprehensive list of open source and other third-party code. Buyers often request this in disclosure from the target, but few targets manage they are open-source well enough to provide anywhere near an accurate list. The complexity of software requires specialized tools as well as auditor expertise to create a comprehensive list.
Once the list (also known as a software bill of materials) is established, an auditor can identify associated licenses and obligations for each component. Understanding how the third-party components are implemented, auditors can suggest license conflicts and where obligations may not be met. Obligations can range from simply putting copyright information in a notice file to making source code available; and concerning commercial code, the obligation is often to pay license fees. Although a competent auditor can give directional advice on issues, software licensing can be complex and so it is prudent to involve a knowledgeable IT lawyer.
In today’s climate, the software must be secure[xxiii]. That doesn’t require a lot of explanation. Security vulnerabilities are defects in the code that can be exploited by bad actors. An acquirer’s security experts may be able to perform some level of security analysis themselves but to examine the code for vulnerabilities will require more access, which most targets aren’t willing to provide.
A comprehensive security evaluation must first identify high-level design flaws—which account for 50% of all security vulnerabilities—and ensure security controls are designed into the architecture. Next, it must analyze the proprietary code for security bugs from the outside via ethical hacking and from the inside out via application security testing tools. Finally, it should draw upon the bill of materials from the open-source audit to evaluate known vulnerabilities in the components. Here again, most targets do not have processes to keep open source components patched with the latest security fixes.
Software quality risk may not be as acute as legal or security risks, but it’s more insidious. It’s the “gift that keeps on giving.” Low-quality software written in a non-modular way is hard to maintain which makes it difficult to add features, fix bugs, and patch vulnerabilities. Thus, poor quality imposes a burden that steals resources from the future by requiring non-value-added work and by reducing developer productivity to perform it.
The first step in evaluating overall software quality is to assess the quality of the design and architecture to determine whether the software is hierarchically structured and modular, and therefore scalable. It’s not unusual for the actual architecture to differ from what is on paper. As such, this evaluation needs to go beyond reviewing a diagram and get into the real code. Great architecture can have a poor implementation, and vice versa, so it’s also important to dig into the quality of the code with specialized static analysis tools and human review. Ideally, the proprietary code is well-written and the open-source components are up-to-date and supported by the community.
A company’s preparation and organization for efficient M&A presents an important precondition for its successful implementation, as it facilitates a professional investigation of the possibilities for creating added value. Due diligence includes the required details for assessing the target business, initiating discussions, and carrying out post-acquisition integration. Due diligence would eventually reveal issues; buyers anticipate that and would have focused on the intention of remediation in their bid and plans. Some problems arise to a level of importance where they need to be handled with language in the definitive agreement. Sellers may commit to a remediation plan and a promise or assurance for persistent problems that they consider to be of low risk. For example, if there might be actual danger of failure, a breach of a license with legal liability, acquirers can raise the hold-back value or the period. Often serious complications in due diligence contribute to an alteration of the valuation. Agreements often collapse when one of the parties quit, although that isn’t necessarily focused on technological difficulties alone. However, tech threats will certainly be a big underlying factor for an M&A if the costs exceed the returns on investment.
To ensure long-term success in technology acquisition, the best approach is to share a clear understanding of the state of the art technology in Acquisition Aspect and Target Business. An in-depth assessment enables buyers to know and plan accordingly. Although due diligence technologies can come up with surprises, it is always better to find them before the transaction is concluded.
- Andrew J and Milledge A. H, Mergers & Acquisitions from A to Z Latest Trends and Best Practices for Structuring Profitable Deals(New Delhi Jaico Publishing 2009). p. 147
- Bernd W., MergersMergers & Acquisitions Management: Strategie Und Organisation Von Unternehmenszusammenschlüssen (Springer Gabler 2017). p. 12
- Philippe Very and David Schweiger, “The Acquisition Process as a Learning Process: Evidence from a Study of Critical Problems and Solutions in Domestic and Cross-Border Deals” (2001) 36 Journal of World Business 11 at 15
- Christina Schlachter and Terry Hildebrandt, “The Reasons for Mergers and Acquisitions” (Dummies, 2016) https://www.dummies.com/business/corporate-finance/mergers-and-acquisitions/the-reasons-for-mergers-and-acquisitions/
- Corporate Finance Institute, “Due Diligence – Overview of Due Diligence in an M&A Transaction” (Corporate Finance Institute, 2019) <https://corporatefinanceinstitute.com/resources/knowledge/deals/due-diligence-overview/>
- ERGOS Technology, “What Is IT Due Diligence and Why Does It Matter?” (ERGOS Technology, March 1, 2016) <https://www.ergos.com/it-due-diligence/> accessed July 15, 2020
- Firstbrook C, “Transnational Mergers and Acquisitions: How to Beat the Odds of Disaster” (2007) 28 Journal of Business Strategy 53
- Gaughan P, Mergers, Acquisitions, and Corporate Restructurings(3rd edn, John Wiley and Sons 2002)
- Harroch R and Lipkin D, “20 Key Due Diligence Activities in A Merger and Acquisition Transaction” (Forbes, December 19, 2014) <https://www.forbes.com/sites/allbusiness/2014/12/19/20-key-due-diligence-activities-in-a-merger-and-acquisition-transaction/#1320cf094bfc> accessed May 10, 2020
- Jacobus Severiens, “Creating Value through Mergers and Acquisitions: Some Motivations” (1991) 17 Managerial Finance
- Jones G, “Enhancing Due Diligence Examination Of The Organisational Culture Of A Merger And Acquisition Target” (2011) 6 Journal of Business & Economics Research (JBER)
- Malik MF and others, “Mergers and Acquisitions: A Conceptual Review” (2014) 1 International Journal of Accounting and Financial Reporting 520
- Nils V. K., “Changes in Due Diligence Requirements” in M Blatz, KJ Kraus and S Haghani (eds), Corporate Restructuring(Springer 2006) https://link.springer.com/chapter/10.1007%2F3-540-33075-5_6 accessed May 10, 2020.
- Protiviti, Guide to Mergers and Acquisitions Frequently Asked Questions I Guide to Mergers and Acquisitions(Protiviti 2016) <https://www.protiviti.com/sites/default/files/united_states/insights/guide-to-mergers-acquisitions-faqs-protiviti.pdf>
- Schlachter C and Hildebrandt T, “The Reasons for Mergers and Acquisitions” (Dummies, 2016) <https://www.dummies.com/business/corporate-finance/mergers-and-acquisitions/the-reasons-for-mergers-and-acquisitions/>
- Severiens J, “Creating Value through Mergers and Acquisitions: Some Motivations” (1991) 17 Managerial Finance 3
- Sherman AJ and Hart MA, Mergers & Acquisitions from A to Z Latest Trends and Best Practices for Structuring Profitable Deals(New Delhi Jaico Publishing 2009)
- Theophanis C Stratopoulos, “Exercising Due Diligence in Studies of Duration of Competitive Advantage Due to Emerging Technology Adoption”  SSRN Electronic Journal.
- Von K. N., “Changes in Due Diligence Requirements” in M Blatz, KJ Kraus and S Haghani (eds), Corporate Restructuring(Springer 2006) <https://link.springer.com/chapter/10.1007%2F3-540-33075-5_6> accessed May 10, 2020
- Wirtz B, Mergers & Acquisitions Management: Strategie Und Organisation Von Unternehmenszusammenschlüssen(Springer Gabler 2017)
[i] Richard Harroch and David Lipkin, “20 Key Due Diligence Activities in A Merger and Acquisition Transaction” (Forbes, December 19, 2014) https://www.forbes.com/sites/allbusiness/2014/12/19/20-key-due-diligence-activities-in-a-merger-and-acquisition-transaction/#1320cf094bfc accessed May 10, 2020.
[ii] Corporate Finance Institute, “Due Diligence – Overview of Due Diligence in an M&A Transaction” (Corporate Finance Institute, 2019) https://corporatefinanceinstitute.com/resources/knowledge/deals/due-diligence-overview/.
[iii] Randall Schuler and Susan Jackson, “HR Issues and Activities in Mergers and Acquisitions” (2001) 19 European Management Journal 239; Marc J Epstein, “The Determinants and Evaluation of Merger Success” (2005) 48 Business Horizons 37 https://www.sciencedirect.com/science/article/pii/S0007681304000990
[iv] Andrew J Sherman and Milledge A Hart, Mergers & Acquisitions from A to Z Latest Trends and Best Practices for Structuring Profitable Deals (New Delhi Jaico Publishing 2009). p. 147
[v] Muhammad Faizan Malik and others, “Mergers and Acquisitions: A Conceptual Review” (2014) 1 International Journal of Accounting and Financial Reporting 520. http://dx.doi.org/10.5296/ijafr.v4i2.6623
[vi] Patrick Gaughan, Mergers, Acquisitions, and Corporate Restructurings (3rd edn, John Wiley and Sons 2002). p. 7-10
[vii] Bernd Wirtz, Mergers & Acquisitions Management: Strategie Und Organisation Von Unternehmenszusammenschlüssen (Springer Gabler 2017). p. 12
[viii] Philippe Very and David Schweiger, “The Acquisition Process as a Learning Process: Evidence from a Study of Critical Problems and Solutions in Domestic and Cross-Border Deals” (2001) 36 Journal of World Business 11 at 15.
[ix] Jacobus Severiens, “Creating Value through Mergers and Acquisitions: Some Motivations” (1991) 17 Managerial Finance 3.
[x] Caroline Firstbrook, “Transnational Mergers and Acquisitions: How to Beat the Odds of Disaster” (2007) 28 Journal of Business Strategy 53 at 56.
[xi] Ibid. p. 37
[xii] Grant Jones, “Enhancing Due Diligence Examination Of The Organisational Culture Of A Merger And Acquisition Target” (2011) 6 Journal of Business & Economics Research (JBER).
[xiii] Nils von Kuhlwein, “Changes in Due Diligence Requirements” in M Blatz, KJ Kraus and S Haghani (eds), Corporate Restructuring (Springer 2006) https://link.springer.com/chapter/10.1007%2F3-540-33075-5_6 accessed May 10, 2020.
[xiv] Grant Jones, n. 1215, p. 11
[xv] Christina Schlachter and Terry Hildebrandt, “The Reasons for Mergers and Acquisitions” (Dummies, 2016) https://www.dummies.com/business/corporate-finance/mergers-and-acquisitions/the-reasons-for-mergers-and-acquisitions/
[xvi] Richard Harroch and David Lipkin, n. 1
[xvii] Phil Odence, “Technology Due Diligence in a Deal: What You Need to Know | Synopsys” (Software Integrity Blog, October 28, 2019) https://www.synopsys.com/blogs/software-security/technology-due-diligence/ accessed May 10, 2020.
[xviii] Theophanis C Stratopoulos, “Exercising Due Diligence in Studies of Duration of Competitive Advantage Due to Emerging Technology Adoption”  SSRN Electronic Journal.
[xix] Phil Odence. n. 17
[xxi] Protiviti, Guide to Mergers and Acquisitions Frequently Asked Questions I Guide to Mergers and Acquisitions (Protiviti 2016) https://www.protiviti.com/sites/default/files/united_states/insights/guide-to-mergers-acquisitions-faqs-protiviti.pdf. p. 27
[xxii] Protiviti, n. 21, p. 28-29
[xxiii] Phil Odence. n. 17
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: