In an acquisition, not only do employees and products change hands, but also complex IT landscapes with all their strengths and weaknesses. IT due diligence, i.e., the IT risk assessment prior to a company acquisition, is often underestimated. However, those who make mistakes in this process later bear the costs, sometimes with far-reaching consequences.
In a company acquisition, things like revenue, churn rates, synergies, assets, and personnel take center stage. These are undoubtedly crucial factors, but one area often gets overlooked: IT. It is so ingrained in day-to-day operations that it is easily missed. Yet it is precisely IT that determines whether processes run smoothly, data is protected, and the company remains resilient. A closer look often reveals server rooms that have not been updated in years, outdated databases, or firewalls that no longer meet current security standards. IT is the silent backbone of many deals, right up until it is the reason they go awry.
Therefore, in the case of a company acquisition, a thorough IT due diligence, i.e., an IT risk assessment before the takeover, is essentially mandatory. The Federal Association of German Management Consultants takes the same view and sees it as a key to greater insight and better decisions in company acquisitions. In their article on IT due diligence, they state clearly that "when acquiring a company, it is no longer sufficient to subject the IT of the target company to only a superficial risk analysis (red flag due diligence)."
IT Due Diligence – Basic Principles
To be honest: many people use the term, but few can actually define it. Essentially, IT due diligence means subjecting a target company's IT infrastructure to a comprehensive review, not just to identify risks but also to understand the true value of that infrastructure. It is not a checklist or a standard audit.
It's about identifying pitfalls, contractual entanglements, weaknesses, obsolete technologies, and sometimes even hidden potential. Who knows what in-house developments the company has undergone over the years? Or which third-party solutions have become indispensable for day-to-day operations? The ultimate goal is always the same: to avoid unpleasant IT-related discoveries after signing the contract.
IT due diligence is therefore an essential component of mergers and acquisitions (M&A), because it reveals whether the information systems, data, and protection mechanisms of the acquired company are robust, compliant, and future-proof, and in which areas there are weaknesses or even an urgent need for action.
The most common weaknesses in IT
The list of risks associated with a company acquisition is extensive, and often even the company's own IT team cannot identify them all. It starts with overlooked software licenses, extends to undocumented interfaces, and includes systems whose programmers have long since left the organization. Things usually become particularly dangerous when the IT department has been a playground for a succession of administrators and IT providers over the years; then legacy systems suddenly surface whose purpose no one can explain anymore.
Furthermore, data protection requirements are sometimes not fully met, cloud agreements gather dust in the archives, and in-house developments in particular are often opaque. Anyone who does not examine these aspects carefully risks acquiring not only systems and data but also outdated components and past oversights. Particularly in regulated industries, this can quickly become costly, resulting in both monetary and reputational damage.
Contract management is often a minefield: subscriptions with unclear cancellation periods, software that runs in the cloud but processes data that must not be transferred to other countries. These are not minor issues; they can derail a deal or force renegotiation. Anyone who analyzes these aspects only superficially will quickly find themselves in a difficult position.
Therefore, it is advisable for both sides to involve a competent specialist who will conduct a professional IT due diligence review.
The process behind IT due diligence
There is no one-size-fits-all approach to comprehensive IT due diligence, even if some consultants claim otherwise. However, several key areas of focus can be identified, including:
- IT strategy: Evaluation of the alignment with the business, existing roadmaps and future plans.
- Staff & Organization: Analysis of the organizational structure, management structures, networks of key persons and use of external partner companies.
- Application landscape: Evaluation of the central applications with regard to their suitability to efficiently support core and support processes.
- Technical infrastructure: Analysis of data centers, server structures, networks, and IT security mechanisms.
- IT processes: Evaluation of the relevant processes in software development, operations, and support.
- Finance in the IT sector: Comparison of costs and revenues, market comparisons, and identification of potential optimization opportunities.
A structured IT due diligence process takes place in several phases: First, all existing documents relating to the IT system landscape and the most important systems are collected and analyzed. In most cases, this reveals that not all information is complete or up-to-date, which is why follow-up questions to the IT management are necessary.
The next step involves discussions to address any ambiguities and gain a comprehensive understanding of the IT environment. This is followed by an analysis of the key areas: Which systems are in use, how is the security architecture organized, are all licenses and contracts legally valid, and are there up-to-date disaster recovery plans? Additional specific questions often arise regarding in-house developments or outdated integrations.
The investigation concludes with a report summarizing the key findings, risks, and recommendations for improvement. This final report serves as the basis for decisions regarding the acquisition and identifies areas where adjustments may still be necessary.
Tips from IT due diligence practice
Paper is patient, and so are checklists. In our experience, those who conduct IT due diligence properly rely on authentic dialogue, transparent exchange processes, and a healthy dose of skepticism toward overly perfect feedback. Good results rarely emerge in isolation, but rather where various disciplines collaborate: IT, legal, compliance, and sometimes even HR. An experienced eye for detail helps identify vulnerabilities that are not on any list. Sometimes even a seemingly innocuous question like "When was the last disaster recovery test conducted?" can provide crucial insight into the maturity level of the IT infrastructure.
It's also crucial not to let the results gather dust: The most thorough risk assessment is useless if no one cares about it the day after the deal is finalized. Successful integrations benefit from the fact that the findings of the IT due diligence are actually implemented and followed up on. Those who heed this advice not only reduce costs but also gain fundamental and process-related improvements.
Conclusion: What decision-makers can learn from successful IT due diligence processes
Ultimately, the realization remains: no two acquisitions are alike, and no two IT landscapes are identical. Anyone who thinks a few documents and a set of credentials are enough is misjudging the reality behind the scenes.
IT due diligence is uncomfortable, sometimes disappointing, and never entirely without surprises. But that's precisely what makes it so valuable. Honestly examining the existing infrastructure allows you not only to minimize risks but also to transform IT into a genuine value driver. It takes courage to address the critical questions – but even more courage to face the answers head-on.
If you want to play it safe when acquiring a company, don't compromise! We are here to support you as experts in IT audits. Feel free to contact us.