Due Diligence Insights: Trends and Findings from 49 Assessments
Executive summary
- This due diligence analysis covers 49 assessments for the period August 2020 to July 2024.
- Due diligence reports were mainly requested by Private Equity for Software.
- Cyber Security assessments were requested most frequently.
- The most common combination of assessments [Cyber security, Product management, Product development] has been used 15 times.
- Cyber security is a work-in-progress for many companies. Most don’t have defined processes and lack effective management.
- Assessment scores are highest for product development and management, and lowest for data & analytics.
- Differences are detected only in the scores of components of the cyber security assessment. Scores are lowest for Threat Intelligence Monitoring & Response, Vulnerability Scans & Penetration Testing, and Security Awareness. The highest score is for Identity & Access Management.
- Over the period, there are no trends in average assessment scores.
Due diligence
Due diligence is a comprehensive and systematic investigation undertaken by individuals or organizations before entering into significant agreements or transactions. Due diligence has traditionally been based on a financial analysis of the balance sheet, profit and loss statement, and cash flows. However, a balance sheet is insufficient because it is a snapshot of the current collection of capital and usually solely reports economic capital, which is about 30% of the value of a public company. Intangibles, such as organizational capital (systems and patents), customers (social capital), and brands (symbolic capital), constitute about 60% of the market value of the S&P 500.1 Intangibles are often a larger percentage of value for a high-tech business.
Viewing a firm as a collection of systems that create capital is more useful in a digital world (Watson 2020). For instance, a system of engagement creates customers (social capital), and a system of production produces goods and services (economic capital). Systems are the engines for creating value. Consequently, we focus on critically assessing current business systems and their capacity to meet future needs. Currently, due diligence is primarily a methodology for reducing risk when trading firms. The primary goal is to analyze an organization’s commercial, technical, financial, and operational exposures. By gathering pertinent information and assessing potential threats, due diligence is pivotal in minimizing uncertainties and mitigating risks associated with a critical business transaction. Clients expect to receive concise and actionable recommendations to inform managerial decisions. IS due diligence is concerned with assessing the quality of a firm’s digital assets, their management, and the delivery of information services internally and externally.
This semi-annual report is based on 49 due diligence studies, with most of the firms in the Software business. It covers the period August 2020 to July 2024.

The due diligence assessments were for clients fairly evenly spread in size from small to large.

The requesting clients were mainly Private Equity.

There was a total of 99 assessments. Most were for Cyber Security.

Use of the different types of assessments
To understand the usage of the 5 assessment methods, we used the UpSet methodology (Lex et al. 2014), which is designed to visualize the relationship between two sets of data, such as an assessment method and its usage. It can generate an information-rich diagram that conventionally would require multiple tables.
The UpSet plot illustrates the relationship between a type of assessment and its frequency of occurrence, singly or in combination, in a due diligence assessment. The horizontal tan bars report the number and type of assessments, with Cyber security, the topmost bar, the most common with 42 applications across the organizations assessed. The most common combination of assessments (leftmost maroon vertical bar) is [Cyber security, Product management, Product development], as distinguished by the maroon dots showing the intersection of an assessment combination and the times they are jointly applied. Light gray dots show no usage. In the case of the combination [Cyber security, Product management, Product development], it has been used 15 times.

Cyber assessment
A Cyber security assessment is based on a five-point scale to assess eight items. We’ve recoded the average score across the five items to create an assessment of the state of cyber security.

Assessment score
The average scores for the assessments vary from Product development (2.36) to Data & analytics (1.5), as shown in the following table.

Analysis of the elements of each type of assessment
Each of the assessment types was examined for differences in the mean scores for each of their elements. The only case where there is a difference is in the scores for the cyber security assessment.
Note: In the following graphs, elements that are not statistically different have the same letter(s). For example, for the cyber security assessment, Threat Intelligence Monitoring & Response (b) is smaller than Identity & Access Management (a). Secure Application Architecture (ab) is not different from any other element.
Cyber security assessment

Data & analytics assessment

Information technology assessment

Product development assessment

Product management assessment

Time series analysis
No statistically significant trends were detected. In some cases, such as Data & analytics, we had too few observations to detect a difference, if it exists.
