Why Oil & Gas Companies Should Invest in IT Due Diligence

Many different factors can cause your company problems during a merger or acquisition (M&A), including incompatible technology between companies. Since so much of our day-to-day operations rely on information technology (IT), it’s essential that companies clearly outline the current state of their respective infrastructures during negotiations. Quality IT due diligence ensures that the combination of technology stacks between acquiring and divesting firms can and will work.

In this article, we will discuss:

• The importance of effective IT due diligence for mergers and acquisitions
• Why you need a thorough process
• How to prepare for an IT due diligence review

Once you recognize the importance of IT due diligence, your company will be well-positioned to take on new changes and scale to adapt to future needs.

The Importance of IT Due Diligence

At EAG, we define IT due diligence as the comprehensive evaluation of the Selling Company’s Information Technology (IT) and Operational Technology (OT) environments. Think of IT as the software-related products and services people use to do their jobs, while OT is the physical hardware (including servers and devices) that makes IT possible.

To truly grasp why you should invest in high-quality IT due diligence, three scenarios come to mind:

1. Depending on the type of transaction – whether it’s a sole asset or the entire company – the Acquiring Company will either have to re-purchase Software licenses or pay hefty transfer fees.
2. You must also account for any costs associated with integrating both company’s IT/OT footprints.
3. Differences in technology strategy can also introduce significant risks for the day-to-day operations of the technology stack.

Thus, the goal of due diligence is to provide a holistic view of how much any future maintenance of IT and OT will cost your company. It then helps the Acquiring Company identify any potential integration risks within those IT/OT functions.

Why Should I Invest in IT Due Diligence?

During any merger or acquisition, proper IT due diligence requires a significant time commitment, effort, and capital. When leadership doesn’t anticipate or account for these requirements, the cost of the cleanup efforts will override the benefits of a new acquisition.

In our collective experience, we’ve learned that most companies do not spend enough time on this step during the initial phase of an acquisition or merger.

Adequate IT due diligence requires the following:

1. Evaluating all aspects of the cost and risk of the Selling Company’s IT/OT functions; and
2. Analyzing what it will take to integrate them into the Acquiring Company’s technology stack.

Differences between the two companies’ strategies, data structure, application landscape, and more can introduce more complexity than initially anticipated, driving up costs.

IT Due Diligence Starting Points

Any successful due diligence project should feature these two core objectives:

1. Determine an estimated IT budget for integrating and operating the new asset
2. Create a defect and risk matrix that outlines the key findings of the Selling Company

Together, they will provide the Acquiring Company an accurate view of the asset’s total value and help them detect any significant IT concerns.

The Key: Our IT Due Diligence Checklist

Not all due diligence methodologies are the same – the scenarios will always matter. Thus, we recommend using this best practices checklist as a helpful guide. You can then adjust it based on your company’s needs:

• Evaluate the IT data provided by the Selling Companies. At a minimum, their “Virtual Data Room (VDR)” should include the following:
  • A list of all software being used by the Selling Company for both IT and OT
  • A list of all equipment included with the Selling Company including:
    • Computers
    • Network
    • Security
    • End-user devices (iPhone/iPad/wifi hotspots)
    • Servers
    • Phone systems
    • Printers
  • A list of all IT/OT contracts in place for software/hardware maintenance and 3rd party support
  • Results from the last IT vulnerability and penetration testing conducted by a 3rd party
  • Key IT policies and testing results of controls tied to the policies
  • Architecture diagrams of applications, integrations, network, and security environment
  • Data integration and data warehouse inventory
• Compile a list of questions or additional data requests that need to be answered by the Selling Company
• Compile a software application architecture diagram arranged by key functional area to compare with Acquiring Company’s footprint
• Compile an estimated IT budget for the purchase and integration of software, hardware, data, and the ongoing support and maintenance costs of the IT/OT assets
• Compile a weighted defect and risk matrix of key IT/Cybersecurity issues

Before You Begin Your Review

Many companies vastly underestimate or do not have experience with conducting these evaluations. The Acquiring Company should gain access to the Selling Company’s VDR, which outlines all the essential IT/OT details. The Acquiring Company should also use a documented process with templates to help understand the IT/OT portion of the asset’s costs and risks.

You Need a Trusted IT Due Diligence Expert

Evidence shows that inferior or absent due diligence can disrupt any M&A process, both before the documents are signed and after the two companies have joined forces. Successful IT due diligence will show you how much time, energy, and capital it will take to combine your IT and OT capabilities.

Does your company want to save money and make more informed decisions about how you approach the technical aspects of your next merger or acquisition? You should engage with EAG. Our years of successfully conducting these reviews for our clients have reshaped the way they do business and positioned them for continual success.