IT Due Diligence approach
By Sieuwert van Otterloo
IT Due Diligence (IT DD) research is an investigation commissioned by an investor into the IT systems and IT organization of a target company (a company seeking an investment). These investigations need to be done with extra care because of the high financial stakes and because multiple parties are involved (the investor and the target company). We have a solid process for conducting a thorough IT DD research in a short period of time.
Team and goals
For a fast and complete, independent IT DD survey, we use a small team of 2 or 3 experts. The goal of the team is to assess IT-related risks including a quantitative view and possible mitigation of these risks. We only provide the facts, the investor makes the decision. Examples of possible issues that are considered are unknown or hard-to-use technology, poorly readable code, scalability, or lack of skills in the current team.
In an IT Due Diligence, we look at risks associated with software development and IT organization. Any market risks will have to be investigated in a commercial due diligence or assessed by the investor.
Speed and transparency
In order to conduct an IT DD research quickly, it is important to get it right the first time. The ICT Institute therefore works with a standardised process. The process includes validations and opportunities to provide clarification and corrections to any technical finding.
Transparency is one of the cornerstones of the process. All stakeholders get prior insight into the process. There is a kick-off in which the target company can indicate what the conditions and points of attention are. During the process, they get insight into measurement results and the ability to explain. The client will also be informed of progress in the meantime, for example after each meeting.
To ensure the right knowledge is obtained there is a team of 2 to 3 experts involved in the entire research. The team consists of an experienced reviewer and 1-2 persons with relevant technological knowledge. This prevents the preferences of 1 reviewer from affecting the outcomes.
Concrete results with source code research
ICT Institute always asks for review of the source code. We treat this code as confidential and have procedures for secure transfer of source code. We use code review because it helps us in several ways:
- First of all, we can check what the technology is all about. Many modern systems have multiple programming languages and frameworks.
- Secondly, we ensure that we speak to the right people. By using the actual source code as examples in the validation, we ensure that the real developers also come to the table and share their experience.
- Thirdly, we get a better picture of how the IT has developed over time. An IT DD is a snapshot, and interviews alone cannot confirm that software development has always followed a good process. By looking at the source code, one can see how development has actually been done in the past.
- Finally, there are a few specific risks that can be excluded with code review. One can see how much open source is used, whether there is a high dependence on third party code and whether the code is transferable if necessary.
We use standard metrics such as code volume, complexity, duplication and error handling in order to assess maintainability. We measure the code using a combination of tools, depending on the technology. For instance, for Microsoft technology one can do code measurements using Visual Studio. We also use different tools for security code scanning.
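To make the four maintainability metrics named above concrete, here is an added example (not ICT Institute tooling, and not code from the page) that computes them over a small constructed Python module using only the standard library: lines of code, a McCabe-style cyclomatic complexity per function, duplication measured as repeated three-line windows, and the share of exception handlers that are broad (bare or catching `Exception`/`BaseException`). The sample module, the window size of three lines and the list of branch nodes counted are all assumptions chosen for illustration.

```python
"""Added example: simple maintainability metrics over a constructed sample.
Illustrative code only; the metric definitions are assumptions, not a standard."""
import ast
from collections import Counter

# Constructed sample module under review (not real client code). It deliberately
# contains a copy-pasted function and two broad exception handlers.
SAMPLE = '''
import json

def load(path):
    try:
        with open(path) as f:
            return json.load(f)
    except Exception:
        return None

def load_again(path):
    try:
        with open(path) as f:
            return json.load(f)
    except Exception:
        return None

def classify(n):
    if n < 0:
        return "neg"
    elif n == 0:
        return "zero"
    for i in range(n):
        if i % 2 and i > 5:
            return "odd-big"
    return "other"
'''

# Node types treated as decision points (assumption: a common McCabe approximation).
DECISION_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler,
                  ast.IfExp, ast.comprehension)


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    """1 + number of decision points; each extra operand of a BoolOp is a branch."""
    count = 1
    for node in ast.walk(func):
        if isinstance(node, ast.BoolOp):
            count += len(node.values) - 1
        elif isinstance(node, DECISION_NODES):
            count += 1
    return count


def is_broad_handler(handler: ast.ExceptHandler) -> bool:
    """Bare `except:` or catching Exception/BaseException swallows real errors."""
    if handler.type is None:
        return True
    return isinstance(handler.type, ast.Name) and handler.type.id in ("Exception", "BaseException")


def analyze(source: str, window: int = 3) -> dict:
    """Return volume, duplication, complexity and error-handling figures for `source`."""
    tree = ast.parse(source)
    # Code volume: non-blank lines, whitespace-normalised for the duplication check.
    lines = [ln.strip() for ln in source.splitlines() if ln.strip()]
    # Duplication: count sliding windows of `window` lines that occur more than once.
    windows = Counter(tuple(lines[i:i + window]) for i in range(len(lines) - window + 1))
    duplicated_windows = sum(c for c in windows.values() if c > 1)
    complexity = {n.name: cyclomatic_complexity(n)
                  for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    handlers = [n for n in ast.walk(tree) if isinstance(n, ast.ExceptHandler)]
    return {
        "loc": len(lines),
        "duplicated_windows": duplicated_windows,
        "complexity": complexity,
        "except_handlers": len(handlers),
        "broad_handlers": sum(1 for h in handlers if is_broad_handler(h)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run on the constructed sample, the report flags the copied function (six duplicated three-line windows out of twenty), the one function with complexity 6 against the others at 2, and that both exception handlers are broad. In a real IT DD these raw numbers would be compared with thresholds agreed for the technology and then translated into the business impact described later on this page.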
IT Due Diligence outcomes
The detailed results are always translated back into decision-level conclusions. We translate the outcomes into business impact (time and resources required). This does not mean that every small finding leads to a risk: we only report a management-level issue if there is a significant problem that cannot be resolved immediately.
The conclusions of the IT Due Diligence are shared in a management presentation. The management summary in this presentation translates this into time and costs. For instance, we estimate how many developers are needed to maintain the system. With this information, the investor can customize the business case and engage with the target company to find a solution.
All conclusions are based on the information used by the target company, measurements, screen samples or code examples. These underlying facts are shared with the target company in advance so that they can check the outcomes.
Cost and lead time
We typically need 1.5-3 weeks and an effort of 8-12 consulting days for a full IT Due Diligence on a small to medium size target company. Usually a total price is agreed in advance, including all costs within the Netherlands. The IT Due Diligence project is executed for this fixed price without unexpected additional costs.
If you would like to know more about us as a company, check our team, our list of previous projects and perhaps also our blog and list of talks and lectures. If you have further questions about IT Due Diligence or would like to sign an NDA (non-disclosure agreement) in order to receive a quote, please contact us via the form below.
Appendix: Process in detail
- Client and ICT Institute discuss the size, technology and number of teams of the target company and whether there are special issues or research questions. On this basis, the ICT Institute makes a proposal for a fixed price and compiles a team.
- The team plans a kickoff with the target company to discuss the time table and the delivery of documentation and source code.
- The target company supplies the requested documents and the requested source code. ICT Institute analyzes and reviews the documents and the code.
- The team visits the target company and interviews the CTO and lead developers/architects. The target company may provide additional material to answer questions.
- The team makes a document with initial results and discusses this with the target company (final presentation v0.9). This often is a valuable discussion of underlying causes and required process improvements.
- We adjust the initial results presentation in response to the corrections and additions. ICT Institute also adds conclusions and recommendations.
- ICT Institute presents the final presentation to the investor (v1.0). If there are any additional questions or comments, they will be discussed immediately and, if desired, added in the days after the presentation.
- The investor takes an investment decision.
Image: Joao Silas via unsplash
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.