Selling Your Business: IT Audit Will be Part of Buyer’s Due Diligence

By Generational Equity

08/23/2016

A complete review of a company's IT processes and systems is a growing trend in the due diligence process required prior to the sale of a company. Business owners who do not take IT security into account may wind up receiving less money for their enterprise or face a reduced list of prospective buyers willing to review their opportunity due to the IT-related risk.

"Keep in mind that more and more professional buyers are adding IT policies and security procedures to their standard due diligence protocol," said Terry Mackin, Managing Director of Mergers & Acquisitions with Generational Equity.

"This means that if you are considering exiting your business in the next few years, getting your IT policies, systems and procedures, especially as they relate to security, fully up to industry standards will be critical."

"In past years, buyer due diligence focused largely on the financials, operations, marketing, sales and HR of the target company," said Carl Doerksen, Director of Corporate Development for Generational Equity.

"Today there is a growing trend to have due diligence encompass IT because buyers are realizing that the company they are acquiring is only as strong as the weakest link in its IT system."

"For this reason, as we are working with our clients to prepare to take their company to market, we are encouraging them to re-double their cyber security efforts to ensure their computer systems are protected with solid firewall, malware and virus software policies in place," added Doerksen.

According to a recent study conducted by the Ponemon Institute and sponsored by IBM, the cost of a data breach is currently estimated to run as high as $4 million on average, an increase of 29% since 2013. While large data breaches receive the most publicity, the reality is that no business is safe from unwanted attacks, no matter how small the company or what industry it is in.

"If you are lax and lazy with your computer controls, at a minimum you are open to an attack. Even worse, when you sit down with a buyer, their concerns in this area could kill the deal or be taken into account when determining what they are willing to pay for the business," said Mackin. "The last thing a buyer wants to acquire is a company with an antiquated IT system that is full of holes that hackers can enter. The liability is just too great."

Even if you are never attacked, having a policy in place that clearly outlines how you are protecting your company and key data will give buyers more confidence that not only are they buying a solid, well-run business, they also are not going to wake up one day and find that all of the data they have acquired has been compromised.