Technology | IT due diligence when buying or selling law firms

Most businesses today rely heavily on technology for one purpose or another and few companies would survive without its influence.

When it comes to buying or selling a company, or a merger of companies, the technology in use needs to be assessed to ensure its suitability going forward, or to assess whether it can be ingested into the new regime. Many companies have experienced difficulties where technology failings after an acquisition or merger have blighted operations for years after the event. Oversights in this area are both costly and time consuming to put right, and proper due diligence should be part and parcel of the process by which firms are bought, sold or merged.

This approach is not limited to client dealings. There have been a number of law firm mergers over the last couple of years, and law as a profession sees a lot of firms being absorbed, or joining forces to provide growth. IT due diligence in these areas is important to ensure effective ongoing technology delivery to the emerging company.

IT due diligence is not limited to the purchaser. If you are selling a company, undertaking an exercise of this nature may highlight deficiencies that could be potential stumbling blocks to a deal, and thus present an opportunity to correct them

IT due diligence is a fairly sizeable topic in itself, so I will highlight some of the key areas that need to be considered. All companies are different, and thus the technology they employ will differ. There is no one-stop methodology that applies to all, but adherence to some simple principles is key.

Strategy: a well-developed IT strategy, in tandem with a company strategy, should ideally be available. It needs to be demonstrated that the strategy makes sense in the context of the business itself.

Staff: IT staff can be critical to an operation so an understanding of the team, the structure and skillsets, and matching this to the business requirements, is likely to be important, as are retention policies and notice periods for key staff.

Infrastructure: the hardware platform that systems run on is a vital component for any business. Despite the proliferation of cloud-based systems, there will still be some on-premise infrastructure in most companies. It is important to understand that the right hardware is employed. It is also ?necessary to know that it is maintained to reasonable standards and that there are adequate provisions for failure and capacity. It is also pertinent to assess the scalability in tandem with the documented strategy.

Software: software is the business end of the IT infrastructure. It provides user interfaces, operating systems, data storage and much more. Assessing whether the software is fit for purpose, how is it licensed and the number of licences is critical. Analysing maintenance contracts and determining whether the software is supportable in the future both from a supplier and a technology point of view is highly recommended.

Security: most if not all systems feature both information and processes that need to be carefully secured. How the system is secured both virtually and physically, access rights and security management need to be carefully assessed.

Business continuity: business continuity planning is far too often overlooked. It will incorporate some of the areas discussed here, but should be treated as a discipline in its own right. Questions to answer include, does a business continuity plan exist, and how does IT continuity fit in.

Service reliability: it is unlikely that you will be presented with a log of outages and problems with information systems by any company, but it is important to understand what the issues are and where ?weaknesses exist. This may be garnered from user questionnaires and system logs, as well ?as third-party support and maintenance companies.

Intellectual property: this covers items such as domain registrations, work undertaken by contracted employers and developments by third parties. The ownership of IP rights can be a deal breaker. This is especially true of technology companies and enterprises that have specific customised systems.

Internal systems and documentation: systems and processes within organisations are often built around the unique operating environments they develop over years of trading. Ideally these should be documented to a reasonable standard.

There are plenty of other areas that might be included in a due diligence review. Fitness for purpose, risk reporting and general operations may be included depending upon the scale and scope of the exercise.
The output from a due diligence exercise should be a report that documents the relevant areas with some form of measurement of success or viability for each. The report should be as detailed as possible without overwhelming the user with jargon, and be easily digestible as part of a wider exercise.

As with all specialist disciplines, you should hire an appropriate resource to undertake this exercise. There is no point in going to the trouble of being diligent about an aspect of a major transaction without applying the relevant expertise. Also, remember when appointing a due diligence team that they are answering to a process, i.e. a purchase or sale of a business, and this needs to be reflected in the results.