9 key areas of technical due diligence for a small business purchase

If you are considering the purchase of a small business, a key to evaluating the business, and its potential risk, is to understand the condition of its IT related systems and equipment.

As small businesses use more IT software, equipment and services it is more crucial than ever to thoroughly investigate the IT environment to help make a prudent decision and to help ensure a successful outcome.

The IT environment for a small business can be a competitive advantage or a complete disaster. The buyer needs to do appropriate discovery and due diligence to understand just what type of IT setup they are getting with a potential purchase.

Here are 9 areas of a small business IT setup that should be well understood as part of valuation and due diligence.

1. IT Vendors and 3rd Party suppliers

You need to know what vendors are providing what services in the IT arena. This could include things like cloud services such as salesforce.com, Hubspot, Mailchimp, Atlassian, Office360 or even Google apps or similar. Some software providers have yearly license fees that would also be included in this list. A well documented list of service providers, what service or package they provide, the department using the service  and the current rate/package and term of agreement will help you see what things are pending and what your expected spend will be each year.

2. Employee Computer Environment Inventory

Most employees of a business have some type of computer for their work. A good due diligence practice is to get an inventory of what types computers are used, what operating systems are used (like MAC or Windows) and what other programs are installed in this environment. Are the computers leased our purchased? When does the lease expire? How old are the employee office computers? Will they have to be replaced soon? Are they reliable and have been maintained? Are they sized appropriate to the work being done? Are basic safeguards such as virus scanning and operating system updates in place? These are all questions that need to be answered to get a better idea regarding what you may have to invest  (or discount on sale price).

3. Internal Computer Servers and network setup

What internal computer servers does the company use, if any? Who maintains them? How old are they and what applications and operating systems do they use? Where are they located and what type of environment are they in? Does the company run windows servers or MACs? Are there other servers running internal software like accounting programs, databases, legacy applications or other types of software?

You will need to have a network diagram and understand how the office computers network together. Are there network switches or routers used? Are there multiple locations that share network capability? What about internet firewalls and wireless access? What are the security procedures regarding access to these machines and resources? All of these are required discussion points in order to make an informed purchase decision.

4. Office Equipment

Things like printers, copiers/scanners and phone systems, though seemingly old school, are still used in most offices. Your due diligence needs to investigate these items as well. Many times copiers/printers are leased from a third party and lease transfer or termination may need to be arranged depending on what you do with them after the purchase. Additionally many copiers also have document scanning capability which could be integrated with the server computers. This dependency would need to be understood and planned for if change is warranted.  Similarly regarding phones. Is the a local PBX or is the system hosted? What type of plan does the phone provider agreement specify? Is the phone system  integrated with a Customer Relationship Management systems to track calls? What about off-premises call answer and follow-me forwarding?  If the acquirer wants to terminate these and roll the use to their existing systems there may be early termination fees that need to be accounted for.

5. Employee BYOD Policies

BYOD is an acronym that stands for Bring Your Own Device. It is a practice where employees can use their personal electronic devices like mobile phones or tablets to access company resources like wireless networks, email, shared databases and other company services and software applications. You will need to understand current company practice regarding BYOD and what risks this brings to the transaction. A liberal BYOD policy could allow employees to have copies of databases and other proprietary information on their devices. The extent of this, and potential impact to the acquirers polices needs to be clearly understood.

6. System Administration Practices

Every IT system has a special administrative account and password. And usually each cloud software service you subscribe to has special account owners and passwords. You need to understand who manages these, how they are secured and how they are changed and monitored. In transition planning, this account information would need to be documented, validated and all transferred to the new new owner. Password updates would then need to be made in accordance with new guidelines. Also, you need to understand how company data is backed up. Where is it stored? Is it off-site? How are restore requests handled? How and who sets up new user accounts? There are many areas of investigation that need to be reviewed in this area to insure a smooth transition.

7. Email and Web Site

In some cases small businesses host their email and web services together. Companies such as 1&1, GoDaddy and others provide packages bundling these services together. You will need to investigate where email (and spam filtering and virus scanning) are done as well as web hosting. Other companies use email hosting providers like outlook.com or google gmail. The setup and documentation of where these critical services are hosted, how they are maintained and who handles the work is critical. Email and website are key links in the chain of customer interaction and must be thoroughly reviewed and the migration to the acquirer accounted for.

8. Point of Sale, Payment Processing and eCommerce

If the business is retail or has online shopping capability  you will also need to understand what systems are in place for these capabilities. Are they on-premise, hosted or leased? What systems and communications capabilities are needed? What providers are used for payment processing and how are they integrated into the customer sales cycle? Does the system use tables driven sales tax, or an online tax nexus service like Avalara? Are credit card numbers or other personally identifiable information stored anywhere and if so what are the security procedures and practices regarding that data? How are the services configured to operate, including API keys, passwords and other key operational parameters? These are absolutely crucial to the new owner to understand and have accurately and thoroughly documented.

9. Custom or Proprietary Software

If the business uses custom programming or has proprietary software applications you need to know more about it. What does it do? Who maintains it, where it is located, how is it managed and updated? What languages, tools or environments are required to use it? Are there large updates planned or needed? Are there security risks? These are just a few of a number of questions that need to be answered regarding customer software. If the business has employees that develop and maintain the software then additional questions regarding the development environment, source code control, testing and release management need to be investigated and understood as well. The answers to these questions will help you understand pending needed investment, risk and potential additional opportunities for synergy and integration gains.

 

These are some of the standard areas of technical due diligence when investigating a potential small business purchase. An appropriate technical due diligence checklist and process can reveal technical debt which will impact the decision making and negotiation process.

Depending on the type of business there may be many other areas to consider. High tech businesses, manufacturing and other types of businesses requiring specialty equipment or software applications will also need additional due diligence in other areas besides those mentioned. Further, mid market businesses due to their size and additional complexity will also require much more effort to fully investigate and understand all aspect of the IT related impact to the transaction.

If you are unsure of these areas it is best to enlist the services of an IT professional to help with a technical assessment. In this way you can get a 3rd party opinion on these areas.

Improving your knowledge in this key area can give you leverage in price and terms negotiation as well as making you better informed of areas that may need to be addressed post sale. And the knowledge can save you lots of headaches later after the purchase.

Leave a Reply

Your email address will not be published. Required fields are marked *