THInc Ahead: A Guide to the IT Due Diligence Approach & Process (Cherry Bekaert, 2019-06-28)

Mergers, Acquisitions & Consolidations are a Normal Course of Business

In today’s commercial environment, mergers, acquisitions, and consolidations are a normal course of business and represent the rule of the day. When expanding capacity or entering a new market, organizations generally select one of four traditional strategies that historically represent valid paths to market entry. These four strategies are:

• Build
• Buy
• Rent
• Partner


Without providing a thorough definition of each market-entry strategy or discussing the factors that make one more attractive than the others, the truth is that the performance of the technology assets helps drive business productivity, profitability, and growth. This is especially true when an acquiring organization is evaluating the purchase of another organization to extend its operations, or a private equity firm is evaluating the assets, performance, and potential of a target entity to add to its portfolio.

IT due diligence is rising to a similar level of importance as the traditionally mandatory financial due diligence. Why? Because manual and disparate systems significantly compromise a company’s ability to execute, and it is essential that the digital assets perform in a manner that:

• facilitates productive operations;
• provides for effective financial management and accurate reporting; and
• enables the business to grow effectively without requiring a major overhaul of the current technology platform.

Gaining the right perspective on current IT capabilities and the ability of the current technology architecture to adequately flex and expand to accommodate growth and future business needs can significantly affect transaction viability, and projected capital and operating expense estimates. To determine the performance and health of the systems in place, a comprehensive IT due diligence engagement must consider numerous factors. In addition, an effective engagement must identify potential weaknesses and exposures, especially in the area of security, including cybersecurity.

Cherry Bekaert’s IT due diligence consulting teams advise organizations on the state of their IT environment, systems, infrastructure, software, security, support services and related business processes. Our IT due diligence experts can help your organization plan for the future by identifying cost-saving opportunities, assessing potential risks, and helping you design your IT environment and systems to accommodate and facilitate expected growth.

Cherry Bekaert’s IT due diligence process incorporates assessments of “People, Processes, and Systems” (PPS) that span the following areas and disciplines:

• Technology Viability, Reliability, Applicability, and Permanency
• Server/Network/Cloud Infrastructure
• Communications Architecture, Bandwidth, Agility, and Expandability
• Software Inventory and Operability
• System Warranties and Maintenance/Support Agreement Terms
• IT Assets & Obligations
• IT Policies, Procedures, and Processes
• Computer Operations
• System and Data Back-up Technology, Policies, Objectives, Processes, and Reliability
• Systems Development Life Cycle (“SDLC”)
• IT Talent, Roles & Responsibilities

At a macro level, the IT Due Diligence Assessment is segregated into two primary arenas: infrastructure and software. In each area, we plan and execute a process that incorporates and leverages the following:

IT Due Diligence Assessment

1. Discovery
2. Assessment
3. Analyze
4. Report Provision, including all relevant findings and recommendations


Network/Server/Cloud/Communications Infrastructure

The network/server/cloud/communications portion of the IT Due Diligence Assessment focuses upon the following six technology areas and describes the findings in a comprehensive report, the last section of which outlines recommended actions for any deficiencies or issues discovered.

• Physical Equipment - Servers, firewalls, and switches
• IT Policies - Monitoring of the network, management and support of the network, policies governing employees
• Infrastructure Applications - Network and infrastructure support services (e.g., Active Directory, DHCP, and Windows Updates)
• Infrastructure Security - Review physical security, logical security, cybersecurity, and data loss prevention measures
• Disaster Recovery - Adequate backup mechanisms and appropriate Business Continuity documentation
• Communications - Voice and data delivery and distribution technology, bandwidth capabilities, remote system access mechanisms and methodology, communications infrastructure expandability and flexibility

The following sections describe some, but not necessarily all, of the network/server/cloud/communications technology assets that are reviewed and assessed during an IT due diligence engagement.


On-premise and/or Cloud Datacenter Infrastructure

IT Asset Management

• Hardware Inventory - What hardware is in place? What are the configurations, in-service dates, warranty expirations, etc.? What is the physical location of the hardware? Who owns the hardware? Is it purchased or leased?
• Mobile Computing Devices - What type? What O/S? What organization services do the mobile devices access? What access rights does each device/user possess?
• Installed Software Inventory - What licensed application software is in use? What modules are licensed, and what are the licensing parameters and user limits?
• Switches, Routers, Firewalls, etc. - Brand, model, software version, location, network role, network connections, etc.

Server Management

• Server Architecture and Design - Review operating systems, architecture (physical and virtual), roles installed, and logical application layout.
• Server Update and Patch Management - Are servers currently up-to-date with security patches and updates? Are hardware support applications updated, such as VMware Tools or the software used for Uninterruptible Power Supply (UPS) administration, safe system shutdown, and energy conservation/distribution management? Do written policies exist?
• Vendor Access and Support - Can authorized vendors access servers or applications with/without assistance? Who? How? Do written policies exist?
• Server Health - Review physical/virtual hardware condition, available RAM/CPU/storage resources, and system event logs for errors.

Ancillary Resource Management/Health

• Server/Network Performance and Health - What is the hardware capacity/utilization? Are there cases of extreme CPU or RAM usage? What are the metrics relative to hardware aging and warranty expiration? What is the virtual server inventory, and how are virtual servers configured and assigned to workloads? What is the TCP port assignment?
• Storage Performance and Health - Measure RAID and disk health. What is the data storage topology, capacity, and utilization? Do data saturation issues exist?


Security - Physical, Logical & Cyber

• Physical Security to Facilities, Data Center, Communications, and Voice Systems - Are all facilities physically secured or locked? Do policies specify which roles are allowed access to IT assets?
• Hardware and Software Inventories - An inventory of hardware and software generated by the MAP toolkit. Results could be skewed if firewall and network policies do not allow proper gathering of data.
• Logical Access to Operating Systems and Key Applications - Are all applications protected by adequate passwords or smart cards? Are administrative accounts secured? Who has access to operating systems and key applications? Is there a process to change administrator passwords periodically? When was the last time that the administrator password(s) were changed?
• Security Administration Procedures for Adding, Deleting, and Changing User Access - Do corporate policies exist that define the approved procedures for adding users, deleting users, or changing user access for application access, group membership, email, etc.?
• Security Monitoring for Breaches or Unusual Activity - Do breaches or unauthorized attempts to gain access to secured data automatically alert and notify one or more responsible parties? Are logs regularly reviewed for unusual activity?
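An added example, not part of the Cherry Bekaert guidebook, of how a reviewer can collect evidence for the Logical Access questions above: it lists the members of the domain's privileged groups with password age, expiry setting, and last logon so the "when were administrator passwords last changed" question is answered from data rather than interview. The group names, the 90-day threshold, and the output path are assumptions; it needs the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the guidebook: read-only privileged-account evidence for the
# "Logical Access" due diligence questions.
# Assumptions: group names, the 90-day password-age threshold, and the output path.
#Requires -Modules ActiveDirectory
param(
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [int]$MaxPasswordAgeDays = 90,                        # assumed policy threshold
    [string]$OutFile = '.\privileged-account-review.csv'  # assumed output location
)

Import-Module ActiveDirectory
$now  = Get-Date
$seen = @{}   # report each account once, under the first group it is found in

$rows = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, where indirectly privileged accounts usually sit
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        if ($seen.ContainsKey($m.SamAccountName)) { continue }
        $seen[$m.SamAccountName] = $true

        $u = Get-ADUser -Identity $m.SamAccountName `
            -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires, Enabled
        $ageDays = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }

        # Conditions the reviewer should raise as findings in the report
        $flags = @(
            if ($null -eq $ageDays)                    { 'password never set or unknown' }
            if ($ageDays -gt $MaxPasswordAgeDays)      { "password older than $MaxPasswordAgeDays days" }
            if ($u.PasswordNeverExpires)               { 'PasswordNeverExpires is set' }
            if ($u.Enabled -and -not $u.LastLogonDate) { 'enabled but never logged on' }
        )

        [pscustomobject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordLastSet      = $u.PasswordLastSet
            PasswordAgeDays      = $ageDays
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate
            Findings             = ($flags -join '; ')
        }
    }
}

# On-screen summary for the interview, plus a CSV to attach to the findings report
$rows | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$rows | Export-Csv -Path $OutFile -NoTypeInformation
"Reviewed $(@($rows).Count) privileged accounts; $(@($rows | Where-Object Findings).Count) with findings."
```

Accounts that appear only through local Administrators membership on individual servers are not covered; those need a per-server check.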

System Monitoring and Control

• Capacity Planning - Are the performance and utilization of servers and resources monitored to accommodate future growth and planning? Do written policies exist?
• Physical and Environmental Controls - Do server rooms/closets have environmental sensors to detect fire, smoke, temperature, etc., at any visited locations?
• Equipment Maintenance - Are IT assets actively tracked to ensure that routine maintenance is fully performed in a timely fashion? Routine maintenance includes activities such as the replacement of batteries on a regular basis, the cleaning of CPU cooling fans, etc. The existence of written policies will be researched and validated.
• Problem Identification, Reporting, and Escalation - Is active monitoring in place that can detect issues within the IT infrastructure and notify appropriate personnel? If the issue isn’t responded to or corrected in a defined period, is the issue escalated to additional resources? Do written policies exist?

Business Continuity Planning

• Business Continuity Document for Overall Planning - Are there corporate policies for business continuity? Recovery Time Objective (RTO)? Recovery Point Objective (RPO)?
• Business Systems Recovery - Is there a plan for accessing key business systems, such as HR/Payroll (HR/P) or ERP, outside of the recovery of physical servers?
• Review for Key Elements - Do the policies address all elements required for business continuity (contracts, expectations, requirements, inventories, alternative facility, etc.)?
• Backup and Recovery Processes for Key Files and Data - Secure and audit corporate backup and recovery procedures. Is there in place a “Live backup to the cloud” or similar service for the entire system image and/or critical data?
• Testing Frequency and Status - How often are test restores completed, and how often are backup selections verified to ensure that all relevant organizational data is being captured?


Communications Infrastructure

Network Management (WAN/LAN)

• Network Architecture and Design - Document network architecture and design (10/100, 1000BASE-T, Fiber, Wi-Fi, VLAN, multi-site configuration, etc.).
• Backup/Recovery/Redundancy Capabilities - Are firewall/switch/router configurations backed up after changes are applied? Are redundant capabilities in place for network services? Has network redundancy or auto-failover technology been deployed? Do written recovery procedures exist?
• Firewall Use and Configuration - Are firewalls properly placed and configured for adequate protection against external and internal threats? Are Intrusion Prevention and Detection Systems in place? Are network vulnerability scans and periodic attack and penetration tests performed?
• Renewal/Warranty/Maintenance Subscription Terms - What are the renewal dates, network remote monitoring services, service-level agreements, remote monitoring/diagnostics, fees, agreement terms, and other deliverables in place for hardware/software maintenance, licensing, or support?
• Assess Current Bandwidth Utilization - Determine bandwidth utilization inbound/outbound to the Internet and remote sites. Are there any Quality of Service (QoS) technologies deployed as part of a larger Traffic Shaping or Traffic Management solution? (Client is responsible for obtaining reports from the ISP for consideration in this assessment.)
• Remote Access - Is remote access delivered via network equipment (Cisco ASA/VPN Concentrator/RRAS)? Is Remote Desktop Protocol (RDP) used for remote system access? Which users and contractors are authorized for remote access?


Infrastructure Applications

Network Services and Support (if applicable)

• Review Microsoft Active Directory Domain Services - Review the Active Directory Domain Services (ADDS) implementation, which includes Organizational Unit (OU) usage, security group usage, delegated permissions, group policy usage, replication health, sites and services, organizational design, and public Lightweight Directory Access Protocol (LDAP) exposure.
• Review Microsoft Failover Clustering/Network Load Balancing (NLB) Clustering - Review clustering configurations.
• Review Microsoft Certificate Services/Public Key Infrastructure (PKI) - Review Certificate Authority and/or PKI implementations along with IPsec security policies.
• Review Microsoft Windows Server Update Services (WSUS) - Is WSUS implemented and configured properly? Is the network configured to service clients properly? What measures have been deployed to ensure that Windows client devices are effectively applying critical updates?
• Review Remote Desktop and Licensing/BranchCache/DirectAccess - Describe Remote Desktop Protocol (RDP), BranchCache, and DirectAccess implementation and usage.
• Review Remote Installation Services/Windows Deployment Services - Review procedures and services for deploying servers and workstations.
• Review Dynamic Host Configuration Protocol (DHCP) - Review DHCP scopes for availability, consumption, and configuration.
• Review Domain Name System (DNS) - Review DNS for proper delegation and configuration (specifically, conditional forwarding and zone usage).
• Review Public Domain Information - What information is publicly available for your public domain name(s)? Who is notified when they will expire, and who is responsible for ensuring they are renewed?

Security and Protective Services

• Anti-virus/Anti-spyware Deployed/SPAM Filtering - What applications are deployed? What are some of their capabilities and strengths? What are the exposures?
• Yearly or Monthly Licensing Fees - What are the renewal fees on subscriptions, maintenance, or licensing?
• Centrally Managed - Are security and protective services centrally managed and deployed? Are there mechanisms deployed to alert administrators when an update to security or protective services fails?
• Current Program and Definition Patterns - Is the solution up-to-date with current antivirus definitions and program versions?


Application Software

Today’s Enterprise Resource Planning (‘ERP’) systems enable businesses to manage and leverage massive amounts of data by integrating all departments and processes into a single, unified information system. This system provides the institutional intelligence that each department and the company needs to operate in a productive, profitable manner. In short, the ERP system is the central nervous system of the organization.

Acting as the primary information hub, the ERP system must deliver accurate, real-time information so that each department and process can efficiently communicate and share information across the entire organization. For example, when a customer places an order for a particular item or items, a modern ERP system enables the sales department to view in real-time the quantity of that item that is Available-To-Promise (ATP) or Available-To-Ship (ATS) based upon unallocated inventory quantities, open orders, and pending inbound shipments that will replenish the item in question. The customer’s creditworthiness and credit limits are also available to automatically or semi-automatically approve or hold the order.

ERP systems typically encompass a suite of modular applications that work in a highly-coordinated fashion to support all aspects of business operations, including customer relationship management (CRM); engineering/estimating; project budgeting and costing; sales order processing/management; material control/inventory; supply chain management; bills-of-material and routings; production planning and scheduling; manufacturing; labor collection and distribution; shipping; and financials.

If the ERP system in place is dated, it may not provide adequate or accurate book, tax, and business management reports. If the system has been highly customized, or is an older version no longer supported by the manufacturer, its performance and utility are often compromised. This results in marginal utility, minimal productivity leverage, missing or only partial support for critical business processes, and poor user adoption and utilization. In addition, the ERP system may have been constructed using a “Best-in-Class” approach for selecting and deploying specific applications, sometimes resulting in a hodge-podge of software applications that do not share data and do not communicate with each other.

Lack of integration between the various software applications an organization uses to plan and execute its operations results in the proliferation of stand-alone, ad hoc systems and manual work-around activities. These systems are usually developed in a desktop spreadsheet application, which makes it impossible to maintain a central data repository that includes all institutional data, provides one version of the truth, and is the system of record for all operational and financial transactions and the resulting data generated. Disparate systems that do not communicate or work with each other are especially prevalent when multiple facilities or operations exist and different software is designated in each location.

The following list describes some, but not necessarily all, of the application software assets that are reviewed and assessed during an IT due diligence engagement:

ERP Software and Complementary Software Applications

Understand the components of the current ERP software suite in place.

• Software Inventory - What is the Commercial-Off-The-Shelf (COTS) software inventory? What software brands and products are installed and in use? What versions of each software package are being utilized? Are all versions in use under a current software support/maintenance/enhancement agreement? Are some of the versions in use older, unsupported versions?
• Licensing - How is the deployed ERP software licensed? Would the software vendor concur that the solution is correctly and fully licensed? When is the software enhancement/maintenance subscription renewal date, and what is the annual cost of this renewal? Do “casual” or “limited” user licenses exist within the ERP system? Are the names of casual/limited access users known, and are these users appropriately licensed? Has the organization simply allowed some software support subscriptions to lapse, even though the software version in use is a currently-supported version?
• Customizations - Have any components been customized? Has the organization developed, or had a third party develop, customized programs and applications to fill gaps in functionality in the COTS software suite? Are these customized programs integrated with the existing COTS software inventory, or are they standalone and populating a separate database or databases with data that is not available to other applications and other users? Has an inventory been taken of customized elements in the software solution set? Is the source code available? Has a “Customization Rationalization” exercise been performed to determine if specific customizations are still needed?
• 3rd Party & Add-On Products - Are there any ISV (Independent Software Vendor) products in use? If so, what ISV products are in use, and what business function or process does each software application support or enable?
• Solution Fit - Are the ERP and ancillary software components appropriate and well-matched to the business operations, and providing the desired and necessary functionality?
• Solution Design & Integration - Are the primary ERP and supporting/complementary software applications working in an integrated fashion so that data can be shared among the various applications in use, and the system of record is identifiable and designated for each data set?


• Database Platform & Technology - What database system is in use, and which version is deployed? What standard databases are in use, and do all software applications utilize the same database structure and format?
• Solution Configuration - Are the primary ERP software applications and modules configured correctly and working properly? Does your staff know the full capabilities of the licensed solution?
• Business Intelligence & Reporting - What Business Intelligence platform is in place, and what standard reports and dashboards are available to the users that utilize data from the primary ERP system? Do the users have available to them the reports that they need to make accurate, timely business decisions relevant to their particular area of expertise, process, or department? Can users generate ad hoc queries and reports without the assistance of IT professionals?

As appropriate, review and assess the availability and operability of the software applications that support the following business processes and functions:

• Engineering/Computer-Aided Design
• Engineering Change Management/Orders
• Estimating & Quoting
• Sales Forecasting
• Sales Order Processing/Management
• Project Management
• Bills-of-Material
• Standard Operations/Routings
• Supply Chain Planning/Management/Execution
• Capacity Requirements Planning
• Scheduling
• Demand Planning
• Materials Management/Inventory Control
• MRP
• Procurement
• Receiving
• Manufacturing/Work Orders
• Time & Attendance/Labor Collection
• Quality Assurance
• Automatic Data Collection
• Distribution/Warehouse Management
• Shipping/Logistics/Transportation
• Reverse Logistics/Returns Management
• Service Management
• Financial Budgeting
• Project Budgeting
• Project Accounting/Job Costing
• General Ledger
• Invoicing/Accounts Receivable
• Accounts Payable
• Fixed Assets
• Expense Reporting
• General/Financial Reporting
• Business Intelligence/Dashboards/Advance Warning Systems (AWS)


Findings and Recommendations

• Assess how well the incumbent software inventory and configuration incorporates and leverages role-centric functionality, information delivery, and automation to facilitate increased personnel and process productivity and improved operational and financial performance.
• Assess how well all software applications in use share information through a unified database and data model, and leverage an “Enter once, use everywhere” data management approach.
• Assess how well the various deployed software packages, modules, and applications (i.e., software inventory) are able to operate as a single, integrated system that presents a generally-consistent interface and intuitive navigation routines.
• Assess to what degree the existing software inventory enables the users to transact business with less manual effort and improved levels of accuracy and productivity.
• Assess the business intelligence/reporting environment and tools, and determine how easily the system(s) can proactively provide timely and accurate reporting of process, product, and financial performance data so swift and informed decisions can be taken to rectify any substantive performance degradation.
• Assess the organization’s dependence upon pop-up, standalone, non-integrated software applications (i.e., Excel spreadsheets) that are used to calculate and house important institutional intelligence, and that are highly prone to user error and data corruption.
• Assess the degree of custom software programs in use and the dependence upon a single individual that understands the customization(s) to support the custom software and its users.
• Assess the incumbent software inventory against the organization’s business objectives, projected growth trajectory, line-of-business strategies, and underlying business processes to ensure with a reasonable degree of confidence that the primary ERP system is capable of “flexing” and accommodating the breadth of operations and growth in business volumes over the foreseeable future (3-5 years).


cbh.com/THInc

Let us be your guide forward

Toby Stansell, Managing Director, Technology Solutions

[email protected]
