Digital & Technology
How platforms, cyber risk, and enterprise software choices change P&L, covenants, and what an audit can prove.
The board questions that are not in the IT steering deck
A cut from 40 recent diligence and assurance files across SaaS, fintech, and media.
Technology is no longer a cost centre. It is the operating system of revenue.
The digital stream covers the intersection of product, finance, and risk. We write on vendor concentration, the economics of cloud, and the evidence trail your auditors and regulators will ask for when you have embedded AI in a customer workflow. The tone is for executives who are tired of two-speed conversations between engineering and the board pack.
Before work begins, we clarify the operating context, governance expectations, and commercial pressures behind the brief. That gives the engagement a clear purpose before technical analysis starts.
The result is a more complete advisory view: what matters now, where risk may surface next, and how recommendations can be implemented without creating unnecessary hand-offs or ambiguity.
Scope
Clarify the decision, deadline, stakeholders, and evidence standard before work begins.
Delivery
Combine partner judgement, technical review, and practical implementation planning in one workstream.
Follow-through
Convert findings into owners, actions, and next steps that leadership can track after the session.
Every serious digital transformation programme eventually hits the same wall: the data model, the org chart, and the control framework disagree. Our posts focus on the reconciliation work: how to map entitlements, revenue recognition, and incident response so that a breach or a service credit does not also become a restatement story.
We also run pieces on the buyer side: how to run an ERP or billing replacement without setting your close process on fire, and what to look for in an SI contract beyond day rates. If a paragraph reads like a checklist, that is because we use it in real steering committees.
On cyber, the shift is from policy design to provable run-state: backups that restore, not backups that exist, and playbooks with named alternates, not a PDF from three years ago. The regulatory perimeter is only getting wider, so the articles that age best are the ones with explicit test cadence in them.
Three things we will not do on a software diligence
Pretend user stories are controls
We map controls to systems and people, with evidence frequency.
Rely on a single vendor’s SOC 2 as your whole answer
We look at the sub-service organisations that actually touch money or data.
Accept unbounded AI scope
We need an inventory of models, flows, and human review points, in writing.
Series to follow
SaaS metrics that survive diligence
NRR, cohorts, and the bridge to cash for investors.
GRC in product engineering
Where security reviews belong in a CI/CD world.
Digital: practical FAQs
No, but the sequencing matters. Stabilise record-to-report, then harden access and logging. We publish a no-drama order of operations in the migration series.
A beautiful architecture diagram is not a control. A tested recovery is.
Commission a short briefing for your board
We can stand up a 30-minute read or a 10-slide pack on a cross-cutting topic, with named authors and a clear scope, usually inside two weeks for existing clients and select new relationships.