Technical due diligence sounds intimidating. It conjures images of legal liability, endless code analysis, and so much detail that the report becomes useless and unreadable.
The truth is, technical due diligence is the only way that you’re going to get investors on board.
From assuring potential investors of the value of your company to highlighting code weaknesses and employee dependencies, technical due diligence is all about proving what your company is worth. That’s why it’s vital to stay ahead of the game and address all of the areas it assesses ahead of time.
Hence why we’re here. In this post you’ll learn:
- What is technical due diligence?
- Why is technical due diligence important?
- Technical due diligence elements
- How to prepare ahead of your assessment
Let’s get started.
What is technical due diligence?
Due diligence is the process of assessing a company to help investors work out whether they want to choose you. As a whole this covers every element of your business, from your finances to your market, but in this post we’re looking specifically at technical due diligence.
Technical due diligence is the practice of examining, assessing, and recording a company’s technical elements, usually with the goal to portray its true value, growth potential, and risks to potential buyers or investors.
The elements assessed include the company’s technology, products, software, systems, practices, and so on. However, technical due diligence isn’t just about recording what the company owns and uses - it’s also an assessment of performance and risks versus close competitors.
For example, let’s say that you’re a SaaS startup looking for a buyer. Any buyer worth their salt won’t touch your company unless they know what it’s currently worth (assets, customer base, market share, etc), how it can grow, and what risks it’s exposed to. That’s where technical due diligence comes in.
Your technical due diligence report will show them succinctly what technology you’re using, what your product is, how it stands apart from competitors, and so on. This will let buyers see why your startup is worth buying via the opportunity to grow their investment.
However, the report will also highlight any risks such as third-party software vulnerabilities and flaws in your technical processes. Your buyers need an accurate picture of what they’re getting, and you need to disclose anything that might affect the sale price before putting it on the market.
Technical due diligence is usually requested by potential investors and will be carried out by either an expert from the investment fund with a tech background or a third party that you and the investor agree upon.
Why is technical due diligence important?
We’ve already touched on how important technical due diligence is for potential investors and buyers. Without a solid report to show off, no one will want to risk their money on a company that they don’t have enough information to see the value in.
That’s not even mentioning the hot water you’ll be in for failing to disclose any key risks before getting their buy-in.
A technical due diligence report is one of the key documents for demonstrating to investors and buyers alike that your company is worth their money. As a whole, due diligence shows that there’s room to grow, increase in value, and that any risks posed to your company are under control or minimized as much as possible.
In other words, it sells your company to investors and buyers in the same way your marketing sells it to customers.
Technical due diligence also demonstrates how secure your company is in terms of its value and even its reputation. This makes it useful even if you’re not looking for investors or buyers, as you can learn from what it highlights to further boost your security and overall value.
For example, a technical due diligence report could highlight elements of your product that differentiate it from your competitors, thus highlighting what your marketing material (aimed towards customers and investors alike) should focus on to set yourself apart.
Technical due diligence reports are also invaluable for CEOs because they highlight key areas which need to be worked on, but are still fairly high level. This makes it easy to jump in and glean the important takeaways without having to spend a lot of time parsing key details.
In other words, they let your CEO quickly see where your technical value is, where you’re likely to have issues and/or security breaches, and thus plan corrective action accordingly.
Technical due diligence elements
Every technical due diligence report will be unique to the company that it focuses on, but that doesn’t mean that you can’t examine the common elements of all of them. These are the building blocks to your assessment, whether it’s carried out externally or internally.
There may be a few extra bells and whistles that need to be added to your report, but technical due diligence can be generally split into 7 sections:
- Apps and software
- Roadmap and tech strategy
- Intellectual property protections
- Architecture and code
- Systems and processes
You can’t perform technical due diligence without laying out exactly what your product(s) is(/are). You need to detail the value proposition, what it’s designed to do, the potential market size, the current market size, and the current revenue attributed to each product individually.
This is the section of the report which lays the baseline for potential investors and buyers to take interest. Here they will learn what your company offers, what it’s worth in ongoing revenue, and roughly what room there is to expand.
It’s also a great place to lay out what differentiates your product(s) from your competitors, as this will help to show your growth potential and relative market stability.
You can state here how your IT architecture is structured and how everything is maintained, but for the sake of simplicity we’d recommend putting that in a dedicated section. That way whoever needs to read your report can flip straight to the segment they want to read (CEO and investor alike).
Apps and software
Technical due diligence isn’t just about detailing what products you offer - you have to show how you offer them and what you’re using to make it happen. To that end, your report needs to cover any and all third-party applications and software your company uses, especially if it’s a core part of keeping your products online and available.
Particularly you should be focusing on any tech dependencies that your company has, along with how often this software is updated, how it’s updated (automatically or manually), and any integrations you or your product make use of. This includes highlighting any weaknesses in the software you use (eg, a recent security breach of your password manager) and any points of weakness in your setup.
For example, if you know that your product is being maintained using outdated software or you simply aren’t sure whether there is an available update due to having to manually maintain them, that needs to go into your report.
Roadmap and tech strategy
You can’t record what state your product is in and call it a day - technical due diligence needs to account for how things are planned to go too!
So, first you should pull out your tech and product strategy (roadmap) for the future. This should be recorded and assessed against your company’s overall business strategy to make sure that everything aligns and works towards the same goal.
Remember; it’s as much about stating and verifying your company’s technical value as it is potential security breaches. This is one area where you can really show off what you have planned for the future, how you’re going to grow the company, and where you’re aiming for.
Intellectual property protections
While “company secrets” is a bit derivative, it’s accurate to say that your technical due diligence needs to account for your intellectual property, what protections you have in place on it, and any threats posed to or by your company.
Let’s break that down a little.
First, you need to lay out what intellectual property your company owns. This can include copyrights (registered and unregistered), patents, trademarks, domain names, logos, designs, databases, and so on. These elements are all fairly straightforward, and are considered to be owned by the company.
Then there are the more unclear sections such as company “know-how” and “trade secrets”. These are the things that aren’t necessarily owned by your company but are key to its running, such as your systems and processes.
Note that this section shouldn’t include an assessment of how effective your systems and processes are, only how well protected they are.
To this end, you should include the contracts you’ve made with any contractors and employees which discuss your intellectual property. That way anyone reading the technical due diligence report will know how at-risk your practices and secrets are in terms of those with access to them sharing them.
This section should cover everything to do with the people in your company. To do this it can be helpful to ask yourself questions such as:
- Which employees are vital to operations?
- Who has key knowledge that isn’t backed up or otherwise documented?
- How are these employees core to operations?
- How are you incentivizing these employees to stay?
- What is your organizational structure?
- Is your org structure scalable?
If something could affect your company’s security or value and it has anything to do with your employees (current or future), it needs to be recorded here. This is also a great opportunity to prepare for other due diligence checks by asking questions such as:
- Is there room for internal promotion?
- Do you have a functional HR team?
- Is your HR team able to handle the disputes and issues brought to them?
- What is your recruitment strategy?
- Are there any conflicts of interest in current roles and recruitment practices?
- Do you have a discrimination policy?
Architecture and code
In this section you need to show your company’s IT architecture and perform an analysis of your code. This is to, once again, demonstrate to investors how scalable your operation is, how secure it is to attack, and the stability of your product(s).
For example, what type of architecture do you use? Are your apps native? How is everything structured? Who is your cloud provider? Does your code contain modules where useful, such as around external integrations? How clean is your code?
Let’s take just one of the questions you need to ask and break it down further. Is everything structured on commonly used technology and patterns? This is vital for investors to know, as it will dictate how quickly new engineers and designers will be able to get up to speed on their projects, how damaging old employees leaving could be, and even how much it will cost to migrate to more commonly used tech.
Systems and processes
The final element to cover is that of your systems and processes. These are the lifeblood of your company - they’re how everything gets done and the standard to which duties are performed.
You don’t need to lay out the fine details of every process. That would take too long to pull together (unless you have a well-maintained, cloud-hosted process library) and far too long to read. Instead, you just need to record what kinds of systems and processes are in place, their availability, and how effective/up-to-date they are.
Let’s say that you have all of your systems and processes recorded. Everyone knows how GDPR guidelines are followed, the process for answering support tickets, and so on. However, all of these are printed documents which are stored in a single onsite filing cabinet.
Aside from security and backup concerns, this would be a huge red flag to investors, as that system isn’t practically scalable or easily available for those who need it. Instead, having several cloud-hosted versions of your systems and processes with appropriate access levels and automatic version syncing would make it so that your company verifiably runs like clockwork.
Better still, that kind of documentation and record keeping means that it would be a cinch to demonstrate your reliability in your technical due diligence report.
How to prepare ahead of your assessment
Let’s not mince words - by the time you have an investor who wants a technical due diligence report, you should have already looked at everything that entails and tried to improve it as much as possible. Doing anything less is a great way to lose a potential investor.
That doesn’t have to mean that you need to hire a dedicated company to carry out the due diligence report in advance to see what needs doing.
Instead, take what you’ve learned from this post and apply it to your own company. Take account of your products, roadmap, organizational structure, third-party software and so on. Assess for weaknesses in your code. Make sure that everything is scalable.
Even if you aren’t close to needing investors, technical due diligence highlights many principles which are vital to ongoing success and growth. After all, if you’re not paving the way for the future, how will you be able to drive to greater success?