Bostjan Delak, Ph.D., CISA, CIS, and Marko Bajec, Ph.D.
Several managers, owners and shareholders are asking the same questions daily:
- “Acquire and merge or do not acquire and merge?”
- “To outsource or not to outsource?”
- “To implement new technology or not to implement it?”
Performing qualitative and effective due diligence helps to reduce the associated risk and makes decision making easier, and there are several possible ways to do this.
From 1998 to 2008, we conducted more than 40 general IS due diligences and more than 25 initial IS due diligence engagements in Central and Eastern Europe. At that time, there was a lack of due diligence frameworks. We studied different methodologies, approaches and standards (e.g., COBIT, ITIL, ISO/IEC 9000, ISO/IEC 27000, ISO/IEC 20000, BCM, ITADD, KnowledgeLeader), and through the years we assembled a new framework for rapid due diligence (FISDD). With this framework, IS due diligence may be delivered in a reasonably short period of time. FISDD was successfully tested on several real merger and acquisition case studies in the financial industry. It can be used for different types of IS due diligence, including:
- Initial—should be conducted prior to the merger or acquisition of any organization
- General—used upon the request of shareholders or an organization’s top management to determine the status of an important part of IS or the complete status of IS within the organization
- Vendor—should be done before any outsourcing contract and should be repeated annually
- Technology—is performed on prospective technology investments.
IS due diligence is very similar to the general IS audit process. However, due to its inherent complexity, it requires a framework for delivery. Our recent Journal article introduces the FISDD framework and delivers a timeline for using it.
Read Bostjan Delak and Marko Bajec’s recent ISACA Journal article:
“Conducting IS Due Diligence in a Structured Model Within a Short Period of Time,” ISACA Journal, volume 4, 2014.