Deal-killing Diligence Findings
At THRDparty Advisors we use a mental model to categorize negative findings from IT Due Diligence as deal killers, red flags, or value creation opportunities. In this article, I’ll give examples of each and explain why IT Due Diligence is NOT an audit, but a key piece of the value creation process in private equity.
Let’s get the clickbait headline out of the way up front. The only type of negative finding we would ever categorize as a Deal Killer is blatant deception or dishonesty by the target’s representatives, backed by evidence. For example, if a client provided documentation certifying compliance with ISO/IEC 27001, a common IT security framework, but we discovered that the certificate was forged after speaking with the listed auditor, we would recommend that our client not continue with their investment. How many times have we had to report a finding as a deal killer? Zero.
Red Flags are those findings that likely point to deeper systemic issues within an organization. For example, while we expect to hear about past security incidents and breaches, we also expect to see detailed incident reports with the results of a thorough investigation, root cause analysis, and list of controls added to prevent recurrence. If a target neglected these crucial post-incident steps or is otherwise cagey when questioned on the matter, this is a red flag that would cause us to investigate further. We rarely ever have to report red flags to our clients and when we do it usually results in devaluation of the selling company rather than deal termination, especially if our client will have a controlling stake post-acquisition and can rely on us to quickly mitigate issues.
The most common type of negative findings we report to our clients are Value Creation Opportunities. You might wonder how a negative finding could be considered an opportunity. Start with the following basic statement: The way we return value to investors in private equity is to purchase high value companies at fair prices, grow the companies during their hold period, and sell the companies at a higher price than was paid.
There are two types of value creation opportunities we find during IT Due Diligence that link to the above statement: 1.) We identify technology risks and technology debt that reduces the target’s valuation down to a fair price. 2.) We identify opportunities for post-acquisition EBITDA growth that will increase the target’s valuation during the hold period resulting in exit at a higher price than was paid.
Identify Technology Risks and Technology Debt
As an example of the first type, let’s say the target company has mission critical software that is no longer supported by the developer, cannot be upgraded due to customization over many years, and isn’t capable of supporting our client’s growth plan without a full replacement. In this case, we would provide our client with an estimate of the expense and time needed to replace the software. Even if the expense is in the multiple millions, what can be even more costly is the delay in executing our client’s growth plan after acquisition. These negative findings together can be used during negotiation to keep the purchase price fair. A negative finding becomes a value creation opportunity.
Identify Opportunities for EBITDA Growth
An example of type two would be a target that has a large agreement with a cloud or managed service provider that is well above benchmark annual cost for their size and type of organization. Although locked in to this agreement for another six months, this represents a future opportunity for our client to increase EBITDA after acquisition through opex savings. Again, a negative finding becomes a value creation opportunity.
Conclusion
Red flags are rare and deal killers rarer still. All other negative findings should be thought of as value creation opportunities because the way we return value to shareholders in private equity is by keeping the purchase price fair and then enabling EBITDA growth post-acquisition. IT Due Diligence is NOT an audit, but a key piece of the value creation process in private equity. If you are ready to create value through IT Due Diligence, setup a free consultation with me today.
Daniel Lucas is the founder of THRDparty Advisors which is on a mission to protect private capital from cyber risk, digitally transform portfolio companies, and maximize exit returns. They are IT executives advising PE firms and PE-backed companies through every investment stage. Visit https://thrdparty.com for service details, case studies, and example pricing.