
IT Due Diligence Request List – TargetCo

Copyright ©2018 Alzhan Development LLC. All rights reserved. www.ITDueDiligenceGuide.com


IT Due Diligence Request List Template


Instructions

- This list is intended to be comprehensive. It’s unlikely that you’d want to ask every question on this list in every due diligence effort. You should edit it as appropriate for your situation.
- There is an Item ID column to number each request, if desired. This often makes it easier to track the responses from the target company. I’d suggest that you request that the target company include the Item ID in the file name of any response.
- If you’re using a data room for the due diligence project, the target company can identify the location of any uploaded information in the Data Room Location column.
- While there is a Comments column for short answers, any response of more than a few sentences is better provided in a separate file.
IT Due Diligence Guide
If you've downloaded this checklist because you're involved in M&A due diligence, read on...

Regardless of whether this is your first time being included in the process or you're an M&A veteran, the IT Due Diligence Guide can help to ensure that
you're doing everything possible to identify the risks and opportunities in your transaction.

The book provides a complete explanation of each question on the checklist – why it should be asked and what the potential answers can tell you about your
acquisition target. Even more importantly, it explains the right follow-up questions to ask to get the detailed information you need. It also includes questions
not on the checklist that should be asked only in person – these can be vital.

The book comes with a detailed IT due diligence report template to help you create a report in a format that will be useful and understandable to executives
running the deal, data collection spreadsheets to help the process go as quickly and smoothly as possible and an IT implementation plan template to get you
started on the post-due diligence phase of the deal.

Visit this link to purchase the IT Due Diligence Guide and receive a 10% discount for downloading the checklist:
http://www.itduediligenceguide.com/buy-book-bo?discount=ITDDCHECKLIST

Item ID | Item Description | Provided (Y / N / N/A) | Data Room Location | Comments

IT Staff
An organization chart for the technology staff.
An employee listing for the technology staff. Include
department, location, employee name, title,
supervisor name, key skills/responsibilities, industry
certifications, full or part-time status, start date,
annual salary, and most recent bonus. Include copies
of resumes if available.
A list of any inactive employees, including department,
location, employee name, title, supervisor name, key
skills/responsibilities, full or part-time status, start
date, last annual salary, reason for their inactive
status, and their expected return date.

A list of any individuals whose employment ended
(voluntarily or involuntarily) in the past three years,
including department, location, employee name, title,
supervisor name, key skills/responsibilities, full or part-
time status, start date, last annual salary, date of
termination, and reason for termination. Note any
confidentiality, non-compete, non-solicitation,
severance agreements, etc. that apply to them.
Copies of any confidentiality, non-compete, non-
solicitation or intellectual property assignment
agreements signed by the employees and a list of any
employees without such agreements.
A list of any open positions and planned hires in the
technology organization in the next twelve months.
Include department, location, title, supervisor name,
key skills/responsibilities, full or part-time status,
estimated annual salary, the date the position became
open, and the reason for the opening.
A description of how the technology staff collaborates.
A description of the training and education that the
technology staff receives.
A list of people with access to the company’s source
code for the past three years.
A description of any existing, pending or anticipated
lawsuits related to IT or IT employees.
A description of the communication and coordination
between company human resources staff and the IT
staff to remove access for and recover company
equipment from employees and contractors who are
no longer active.
Products and Services
A list and brief description of all IT or software
products and services sold to customers or built for
internal use. For each, include product or service
name, description, internal or external use, delivery
method, key competitors, number of active customers,
status (in production, planned, beta testing, etc.), key
employees involved, and any unique or proprietary
technology.
A list of administrative interfaces to existing products,
services, and internal systems. Include product, service
or system name, a description of the administrative
interface, a list of current employees with access, and
a list of former employees who had access in the past
three years.
Copies of any documents related to industry
certifications for any of the company’s products.
A listing of all awards or industry recognition, dates,
and selection criteria for company products.
An estimate and explanation of how the company’s
software and systems sold to customers would handle
a significant increase in volume.
The opportunity to see a demonstration of all
products, internal tools, and support software,
including administrative interfaces.
A description of any new products or services under
development, demonstrations of product prototypes,
and copies of any designs and plans related to new
product development.
A description of any products sold based on the data
the company collects from its customers, or any sales
of raw or summary customer data.

A description of any proprietary databases developed,
sold, or maintained by the company.
A list of any software developed or used by the
company for which the source code is no longer
available.
Software Development Process
A description of the version control process and
system(s) utilized.
A description of the process for approving and
developing new software products or features.
A description of any outsourced software development
arrangements and copies of the related agreements.
A description of the software development model that
is used.
A description of the process in place for identifying,
tracking, and correcting product bugs.
A description of the process for designing product user
interfaces.
A description of the database design process.
An explanation of how product security is considered
during product development.
A description of the software development coding
standards used by the company.
A summary of the company’s mobile development
strategy.
Documentation
Copies of product roadmaps or any other strategic
planning documents.
Copies of any end user software or product
documentation.

Monthly website traffic reports including page views,
unique visitors, and top referrers for the past three
years along with estimates for the next twelve months.
Copies of any data dictionaries for both products and
internal systems.
Copies of any public or internal white papers or case
studies describing the company’s technology.
Copies of any product brochures or other marketing
material.
Software and Services Utilized
A list of commercial product development tools,
databases, and third-party content utilized, including
name, version, description, publisher or developer,
company products or services associated with license,
type of license (by user, site, hosted, enterprise, etc.),
number of licenses, license end date, annual expense,
key license terms, and whether the license is
transferable in the event of an acquisition.
A list of any open source projects utilized by the
company, including the name and URL of the project,
version, company products or services associated with
license, reason used, and the open source license
under which the project is distributed.
An explanation of the company’s process for deciding
whether to use a specific open source component.
An explanation of the company’s process for
monitoring updates and security issues for the open
source components it uses.
Copies of any open source audits that have been
performed for the company in the past three years.

A description of the way the company tracks the
software it licenses for its own use.
A list of the internal technology systems: email, office
software, payroll, accounting, customer relationship
management (CRM), etc. Include function, software
name, publisher or vendor, version, type of license (by
user, site, hosted, enterprise, etc.), number of licenses,
license end date, and annual license cost.
A list of any outsourced or hosted services used for
functions such as the company website, blog,
office/business/collaboration software, website
monitoring, webinars, video conferencing, surveys,
conference calls, etc. Include the function, name of the
service, name and URL of the service provider, reason
used, and annual expense.
A description of any online advertising services (such
as Google AdWords or AdSense) utilized by the
company.
A list of any freeware or shareware tools used by the
company for either internal or external purposes,
including product name, URL, version, company
products or services associated with license, and the
reason for its use.
Hardware
A list of all owned or leased computer servers,
including server name, manufacturer, model number,
operating system(s), configuration (disk space, RAM,
etc.), purpose, location, whether owned or leased,
current value, and approximate age.

An inventory of all laptops, desktops, tablet
computers, and mobile phones issued to employees or
otherwise used by the company, including name, type,
manufacturer, model, operating system(s),
configuration, person assigned to, location, whether
owned or leased, current value, and approximate age.
A description of other types of computer hardware
devices issued to employees or customers and owned
or leased by the company.
A description of any server virtualization software used
by the company, including vendor and version, and an
explanation of the business purpose.
A description of how computer systems are
maintained.
Network and Infrastructure
A network diagram showing network entry points,
firewalls, servers, etc.
A list of any monitoring tools in place for the
company’s IT infrastructure.
A description of the current server/hosting
environment. Is it hosted in-house, via a third party, et
cetera? Describe the use of any cloud-based resources
such as Amazon Web Services or Microsoft Azure.
A description of the process by which the sales and
operations staff communicate sales and marketing
information to the IT staff so proper capacity planning
can take place.
A description of any redundancies built into the
hosting platform and hardware.
An explanation of any unscheduled network or system
downtime in the past twelve months.

A description of the company’s phone system. Include
architecture, vendor, version, whether hosted or
managed internally, etc.
A description of the email environment. Is it hosted or
managed internally? Include vendor, version,
hardware required, any related security or antivirus
add-on services and all associated licensing or
subscription costs.
An overview of any battery or generator backup in
place for key systems. How are servers protected
against power surges or outages?
Backup and Recovery
Copies of any existing disaster recovery and/or
business continuity plans.
Copies of any data backup policies, and details
regarding how long they have been in place.
Network Security
A description of the way customer data is stored in
company databases. Is each customer’s data stored
separately?
A description of how the company stays up to date on
all vendor software and security updates and patches.
Describe the process for servers, workstations,
laptops, mobile devices, network infrastructure such
as firewalls and routers, and any other network-
connected device.
A list and description of any firewalls maintained by
the company, including their purpose and any
monitoring that is performed on a regular basis.

A description of any wireless networks maintained by
the company, including password protection and data
encryption settings, and any monitoring that is
performed on a regular basis.
A description of any VPNs or other remote access
systems that allow access to the company’s networks,
including password protection and data encryption
settings, and any monitoring that is performed on a
regular basis.
A description of how access to the company’s source
code and other critical resources (documents,
contracts, etc.) is monitored and tracked.
Copies of any acceptable use policies regarding
company computing resources and systems that
employees or third parties are required to sign.
A description of any situations in which users or
network administrators share the same logins and
passwords to access systems.
A description of any encryption utilized on the
company’s servers, laptops, desktop computers, and
mobile devices. Indicate whether the encryption is
used in the storage or transmission of data.
A description of how any data or device that is no
longer needed is purged or destroyed. Include copies
of any data retention policies.
A description of password and account name policies
for company networks and systems, including length
and complexity, two-factor authentication features,
and any expiration policies. Indicate whether web
browser password caching is or is not enabled on
workstations and servers.

A description of any physical access restrictions to
critical company assets such as servers and sensitive
data.
Copies of any IT operational or security audit reports
(such as SSAE 16 SOC 2) or standards certifications
(such as ISO 27001) of the company or any of its
vendors from the past three years.
A list of any server, laptop or desktop without
antivirus/antimalware software installed.
A list of any server, laptop, desktop, or other device
running an operating system or other software that is
no longer supported by the manufacturer (such as the
Microsoft Windows XP operating system).
A copy or description of the company’s BYOD (“bring
your own device”), COPE (“company-owned,
personally-enabled”), or CYOD (“choose your own
device”) policy.
If the company allows employees to telecommute or
otherwise work remotely, provide copies of any
related policies and a description of how the company
ensures its network remains secure.
Does any computer hardware or any company
software retain default administrator settings? If so,
explain why.
A description of any physical security breaches, break-
ins, or thefts in the past five years.
A description of how critical network devices are
segmented from the rest of the network.
A description of any capabilities to remotely wipe or
reset mobile devices with access to the company’s
network in the event a mobile device is lost.

A description of any antimalware/antivirus protection
at the company’s network perimeter.
An explanation of how the company protects any FTP
servers.
If the company does business in the European Union
or stores data on EU-based individuals, describe the
company’s readiness for the EU General Data
Protection Regulation (GDPR).
Cybersecurity
A list of any users that are not subject to the standard
security policies of the company.
A list of any non-employees who have access to critical
company information (source code, documentation,
databases, network passwords, customer lists, etc.).
A description of any background checks performed on
potential new employees prior to their being hired.
A description of any security breaches in the past five
years.
A description of any user testing related to phishing,
ransomware, etc.
An explanation of any restrictions on employee access
to the Internet. If these exist, are they imposed via
policy, technology, or both?
An overview of the ability of various types of users to
install software on their own.
A description of any regular reviews (sometimes called
entitlement reviews) of network and system access for
users and system administrators.
If the company sells any products as digital downloads,
an explanation of how the products are stored and
how unauthorized downloads are prevented.
An explanation of how employee access to sensitive
data, such as payment and customer information, is
restricted.
If any point of sale (PoS) terminals are used in the
business, explain how security is ensured.
Describe any training employees receive related to
security, including how to prevent social engineering
exploits, phishing, and ransomware.
A list of any cybersecurity certifications held by the
company’s IT staff.
A description of the plan to be followed if a data
breach or hacking event occurs.
A description of any cybersecurity insurance
maintained by the company and a copy of the policy.
If the company accepts credit cards or other forms of
payments online, a description of how it maintains the
security of that information.
A list and description of cybersecurity spending for the
past three years.
Compliance
A list of any local, state, national, or industry
regulatory requirements relating to technology to
which the company is subject, and a description of
how the company complies.
If the company is based in the European Union, an
explanation of how the company’s websites comply
with the EU Cookie Law.
If the company engages in any email marketing, an
explanation of how the company remains compliant
with the US Federal Trade Commission’s CAN-SPAM
Act or any relevant regulations in its country.
If the company licenses images, photographs, audio, or
video for its website or other content, an overview of
how it verifies license ownership and monitors usage
limits.
Details of any export restrictions that affect the
company.
Agreements
Copies of any hosting company or cloud service
provider agreements.
Copies of any third-party software or technology
license agreements.
A list of any external contractors or consultants who
have been involved in the development of any
software or systems and copies of any agreements
with those contractors.
Details of any contractually-obligated product features
or service level agreements, including those related to
encryption and security.
Copies of customer software license or subscription
agreement templates.
Copies of any hardware maintenance or support
agreements.
A description of the company’s property and liability
insurance coverage as it relates to computer
equipment and marketed products.
Copies of any telecommunications agreements.
Copies of customer and supplier contracts with change
of control and/or assignment provisions.
Intellectual Property

A list of all domain names and Twitter, LinkedIn,
Facebook, and other social networking accounts
controlled by the company.
A list of any patents or trademarks held or applied for
by the company that are related to company
technology.
A list of any copyrights related to software developed
by the company.
A description of any software escrow deposits related
to the company’s software products, and copies of any
related agreements.
Customers
A description of the technical support process.
A log of customer technical support calls and questions
for the past six months.
A description of the implementation process for a new
customer.
Copies of any customer surveys and responses from
the past three years.
Quality
A description of the software development quality
assurance / testing process.
A list of known software bugs, limitations, and
outstanding customer feature requests.
Financial
A description of the way new software development
projects and ongoing maintenance are capitalized and
expensed.

A list of the technology capital expenditures for the
past three years and those planned for the next twelve
months.
Copies of the IT and/or software development budgets
for the past three years, along with actual expenses.
