Due Diligence for IT in M&A: The Technical Assessment Checklist Buyers Overlook
A 30-point IT due diligence checklist for M&A — covering infrastructure, security, licensing, team capability, and hidden technical liabilities that buyers consistently overlook.
Financial due diligence in M&A is thorough. IT due diligence is usually an afterthought — a quick review of the server inventory and a question about whether backups exist.
This is how acquirers end up discovering, three months post-close, that the target company runs on unlicensed Oracle databases (EUR 500K true-up risk), has no disaster recovery plan, and depends entirely on one engineer who is about to leave.
This checklist covers the 30 points we assess in every M&A technical due diligence engagement. It is designed for buyers, but sellers benefit from running it pre-deal to strengthen their position.
IT Due Diligence Assessment Overview
Category 1: Infrastructure and Architecture (Points 1-8)
1. Cloud vs. On-Premises Inventory
Document every environment: production, staging, development, disaster recovery. For cloud, capture subscription IDs, regions, and monthly spend. For on-premises, capture hardware age, warranty status, and capacity utilisation.
Red flag: Undocumented environments that nobody owns but still run workloads.
2. Architecture Documentation Currency
Is there current architecture documentation? Not slides from 2019 — documentation that reflects the system as it runs today. Missing documentation signals either rapid uncontrolled change or insufficient engineering maturity.
3. Technical Debt Assessment
Run static analysis (SonarQube or similar) on the primary codebase. Measure cyclomatic complexity, code duplication, test coverage. Calculate the estimated remediation effort in person-months.
What to look for: Test coverage below 30%, critical code paths without any tests, framework versions more than 2 major versions behind.
4. Scalability Headroom
Can the current architecture handle 2× and 5× the current load? This matters because post-acquisition growth is usually the thesis. If the platform falls over at 2× load, the integration budget needs a significant infrastructure line item.
5. Third-Party Dependencies
Map every external dependency: APIs, SaaS tools, data feeds, payment processors. For each, document: contract terms, renewal dates, termination clauses, and change-of-control provisions.
Critical: Some vendor contracts include change-of-control clauses that allow the vendor to renegotiate or terminate upon acquisition.
6. Data Architecture and Quality
Assess database technology, schema design, data volume, and growth rate. Run data quality checks on key business data. Poor data quality in the target company will contaminate the acquirer's analytics post-merge.
7. Integration Complexity Score
Rate the complexity of integrating the target's systems with the acquirer's on a 1-5 scale across: identity, networking, data, applications, and operations. A score of 4-5 in any area signals months of integration work.
8. Disaster Recovery and Business Continuity
Does a DR plan exist? Has it been tested in the last 12 months? What are the RTO and RPO actually achieved in that test, as opposed to the targets written in the plan? Many companies have DR plans that have never been tested; these are not plans, they are hopes.
Category 2: Security Posture (Points 9-16)
9. Identity and Access Management
MFA coverage (should be 100% of users, with no exemptions for executives, shared mailboxes or legacy authentication protocols that bypass it), password policies, privileged access management, service account inventory (with a named owner for each), and the offboarding process for departing employees. Check when the last access review was conducted and whether any departed employees still hold enabled accounts.
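The checks above are easiest to evidence from a user export rather than from interview answers. The following is an added example (not code from the original page) that runs the IAM checks over a constructed identity-provider export; the field names, the sample users and the 90-day staleness threshold are assumptions about what such an export typically contains.

```python
from datetime import date

# Constructed identity-provider user export (illustrative data, not from any real tenant).
# Field names are assumptions about what an IdP or directory export typically contains.
USERS = [
    {"user": "alice@target.example", "type": "human", "enabled": True, "mfa": True,
     "admin": True, "last_sign_in": "2024-05-30", "hr_status": "active"},
    {"user": "bob@target.example", "type": "human", "enabled": True, "mfa": False,
     "admin": True, "last_sign_in": "2024-05-28", "hr_status": "active"},
    {"user": "carol@target.example", "type": "human", "enabled": True, "mfa": True,
     "admin": False, "last_sign_in": "2024-01-10", "hr_status": "terminated"},
    {"user": "dave@target.example", "type": "human", "enabled": False, "mfa": False,
     "admin": False, "last_sign_in": "2023-11-02", "hr_status": "terminated"},
    {"user": "erin@target.example", "type": "human", "enabled": True, "mfa": True,
     "admin": False, "last_sign_in": None, "hr_status": "active"},
    {"user": "svc-backup", "type": "service", "enabled": True, "mfa": False,
     "admin": True, "last_sign_in": "2024-05-31", "owner": None},
    {"user": "svc-ci", "type": "service", "enabled": True, "mfa": False,
     "admin": False, "last_sign_in": "2024-05-31", "owner": "platform-team"},
]
AS_OF = date(2024, 6, 1)  # review date; stale = no sign-in within stale_days of this


def is_stale(user, as_of, stale_days):
    """Never-signed-in accounts count as stale: they are enabled credentials nobody uses."""
    last = user.get("last_sign_in")
    if last is None:
        return True
    return (as_of - date.fromisoformat(last)).days > stale_days


def review_access(users, as_of=AS_OF, stale_days=90):
    enabled = [u for u in users if u["enabled"]]
    humans = [u for u in enabled if u["type"] == "human"]
    # MFA coverage is measured over enabled human accounts only; service accounts
    # cannot enrol in interactive MFA and are assessed separately by ownership.
    mfa_coverage = sum(1 for u in humans if u["mfa"]) / len(humans) if humans else 1.0
    return {
        "mfa_coverage": mfa_coverage,
        "admins_without_mfa": sorted(u["user"] for u in humans if u["admin"] and not u["mfa"]),
        # Enabled accounts whose HR record says the person has left: an offboarding gap.
        "departed_still_enabled": sorted(u["user"] for u in humans
                                         if u.get("hr_status") == "terminated"),
        "stale_accounts": sorted(u["user"] for u in enabled if is_stale(u, as_of, stale_days)),
        # Service accounts without a named owner cannot be reviewed or rotated reliably.
        "unowned_service_accounts": sorted(u["user"] for u in enabled
                                           if u["type"] == "service" and not u.get("owner")),
    }


if __name__ == "__main__":
    for finding, value in review_access(USERS).items():
        print(f"{finding}: {value}")
```

Disabled accounts are excluded from every metric on purpose: a terminated user whose account is disabled is evidence that offboarding works, whereas carol's enabled account is the finding. Joining the export against the HR leaver list, rather than trusting the IdP's own status, is what surfaces that gap.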
10. Vulnerability Management
Scan frequency, patch cadence, known unpatched vulnerabilities and how long each has been open. Request the last vulnerability scan report. If they cannot produce one, that is itself a finding.
11. Endpoint Protection
EDR deployment coverage, mobile device management, BYOD policies. Check whether security tooling covers all endpoints or just corporate devices.
12. Network Security
Firewall rules (when were they last reviewed?), network segmentation, VPN architecture, DDoS protection. Flat networks with no segmentation are high-risk.
13. Incident Response
Does an IR plan exist? Has the team ever executed it? What was the last security incident and how was it handled? Companies without IR plans handle incidents through panic.
14. Compliance Certifications
Current certifications (ISO 27001, SOC 2, C5), audit findings, remediation status. Certifications in progress vs. completed. Gaps between the acquirer's compliance requirements and the target's posture.
15. Data Privacy and GDPR
Data processing records, DPO appointment, consent management, data subject request process, cross-border data transfer mechanisms. Non-compliance creates liability that transfers to the acquirer.
16. Security Tooling Investment
Annual security spend as a percentage of IT budget. Below 5% is a red flag for enterprise targets. Understand what the investment buys: tools, people, or managed services.
Category 3: Licensing and Contracts (Points 17-22)
17. Software Licence Audit
Full licence inventory: operating systems, databases, middleware, development tools, SaaS subscriptions. Compare entitlements against actual usage. Oracle and SAP true-up risks alone can be EUR 500K+.
18. Open Source Compliance
Scan codebases (and, where the build produces one, the SBOM) for open-source components. Check licence compatibility (GPL, AGPL, LGPL, MPL, MIT, Apache). Copyleft components in proprietary products create legal risk: GPL obligations are triggered when the combined work is distributed, and AGPL extends them to software that users interact with over a network, which covers most SaaS products.
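One way to run that check mechanically is to classify every component in a CycloneDX SBOM by the obligations its licence carries. This is an added example, not code from the original page or from any SBOM tool; the SBOM contents, the component names and the tier assignments are constructed for illustration, and the expression handling assumes flat SPDX expressions without nested parentheses.

```python
import json

# Constructed CycloneDX-style SBOM; component names and licences are invented for the example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "http-client", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "pdf-render-engine", "version": "10.2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "db-driver", "version": "8.0.33",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "ui-toolkit", "version": "5.0.1",
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"type": "library", "name": "crypto-helper", "version": "1.4.2",
         "licenses": [{"expression": "Apache-2.0 AND LGPL-2.1-only"}]},
        {"type": "library", "name": "legacy-util", "version": "0.9"},
    ],
})

# Obligation tiers, least to most restrictive for a proprietary product. "unknown" ranks
# last so that a missing or unrecognised licence is always surfaced for review.
TIERS = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
         "network-copyleft": 3, "unknown": 4}
PERMISSIVE = {"MIT", "ISC", "0BSD", "Unlicense", "Apache-2.0",
              "BSD-2-Clause", "BSD-3-Clause", "Zlib"}


def classify_id(spdx_id):
    """Map one SPDX identifier to a tier. An exception after WITH narrows the obligations
    but the component still goes to counsel, so it is classified by the base licence."""
    lic = spdx_id.strip("() ").split(" WITH ")[0]
    if lic.startswith("AGPL"):
        return "network-copyleft"   # triggered by serving over a network, not only by distribution
    if lic.startswith("GPL"):
        return "strong-copyleft"    # triggered on distribution of the combined work
    if lic.startswith(("LGPL", "MPL", "EPL", "CDDL")):
        return "weak-copyleft"      # file- or library-level obligations only
    if lic in PERMISSIVE:
        return "permissive"
    return "unknown"


def classify_expression(expr):
    """Flat SPDX expressions only (assumption). AND binds tighter than OR, so split on OR
    first; OR lets the licensee pick the least restrictive alternative, AND imposes all terms."""
    if " OR " in expr:
        return min((classify_expression(p) for p in expr.split(" OR ")), key=TIERS.get)
    if " AND " in expr:
        return max((classify_expression(p) for p in expr.split(" AND ")), key=TIERS.get)
    return classify_id(expr)


def component_tier(component):
    exprs = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            exprs.append(entry["expression"])
        elif "license" in entry:
            exprs.append(entry["license"].get("id") or entry["license"].get("name", ""))
    exprs = [e for e in exprs if e]
    if not exprs:
        return "unknown"
    # Several licence entries on one component are treated conjunctively (conservative assumption).
    return max((classify_expression(e) for e in exprs), key=TIERS.get)


def audit_sbom(sbom_json):
    """Group components by tier; anything above 'permissive' goes to legal review."""
    findings = {tier: [] for tier in TIERS}
    for comp in json.loads(sbom_json).get("components", []):
        findings[component_tier(comp)].append(f"{comp['name']}@{comp.get('version', '?')}")
    return findings


if __name__ == "__main__":
    for tier, comps in audit_sbom(SAMPLE_SBOM).items():
        print(f"{tier:17} {comps}")
```

The "unknown" bucket matters as much as the copyleft ones: a component with no declared licence cannot be cleared, and in practice it is where vendored code and copied snippets turn up. The dual-licensed ui-toolkit lands in "permissive" because the OR lets the company take the MIT terms, which is exactly the choice that needs to be documented.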
19. Key Vendor Contracts
Identify the top 10 vendors by spend. Review contract terms, especially: auto-renewal dates, termination penalties, change-of-control provisions, and volume commitments.
20. SaaS Sprawl
Audit all SaaS subscriptions using sign-in logs and expense reports. Most companies have 3-5× more SaaS tools than they realise. Calculate redundancy and consolidation savings.
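The audit described above joins two sources that rarely agree: what the SSO logs show people signing into, and what the finance ledger shows the company paying for. Below is an added example (not code from the original page) that performs that join on constructed data; the log syntax, the vendor-to-app normalisation table and the category mapping are assumptions a consultant would build by hand during the engagement.

```python
import re
from collections import defaultdict

# Constructed SSO sign-in events (format is illustrative, not any vendor's log syntax).
SSO_LOG = """\
2024-05-02T08:11:03Z user=alice app=Slack result=success
2024-05-02T08:12:44Z user=bob app=GitHub result=success
2024-05-03T09:01:10Z user=carol app=Notion result=success
2024-05-03T09:05:51Z user=alice app=Salesforce result=success
2024-05-04T10:22:09Z user=bob app=Slack result=success
2024-05-04T11:40:31Z user=dave app=Zoom result=failure
"""
# Constructed monthly expense ledger: (date, vendor as billed, amount EUR, cost centre).
EXPENSES = [
    ("2024-05-01", "Slack Technologies", 1200.0, "Engineering"),
    ("2024-05-01", "Dropbox", 340.0, "Marketing"),
    ("2024-05-03", "Box Inc", 120.0, "Sales"),
    ("2024-05-05", "Trello", 99.0, "Marketing"),
    ("2024-05-06", "Notion Labs", 480.0, "Product"),
    ("2024-05-07", "Figma", 225.0, "Design"),
    ("2024-05-07", "Zoom Video", 150.0, "Sales"),
]
SANCTIONED = {"Slack", "GitHub", "Salesforce", "Zoom"}   # what IT believes is in use
# Hand-maintained normalisation and categorisation tables (assumption: built during the engagement).
VENDOR_TO_APP = {"Slack Technologies": "Slack", "Notion Labs": "Notion",
                 "Zoom Video": "Zoom", "Box Inc": "Box"}
CATEGORY = {"Slack": "chat", "Zoom": "meetings", "Notion": "docs", "Dropbox": "file-sharing",
            "Box": "file-sharing", "Trello": "project-mgmt", "GitHub": "scm",
            "Salesforce": "crm", "Figma": "design"}

SSO_EVENT = re.compile(r"user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)")


def apps_from_sso(log_text):
    """Any attempt, successful or not, proves the app is integrated behind SSO."""
    return {m.group("app") for line in log_text.splitlines() if (m := SSO_EVENT.search(line))}


def audit_saas(log_text, expenses, sanctioned):
    sso_apps = apps_from_sso(log_text)
    spend = defaultdict(float)
    for _date, vendor, amount, _cost_centre in expenses:
        spend[VENDOR_TO_APP.get(vendor, vendor)] += amount
    expensed = set(spend)
    all_apps = sso_apps | expensed
    by_category = defaultdict(list)
    for app in all_apps:
        by_category[CATEGORY.get(app, "uncategorised")].append(app)
    redundant = {cat: sorted(apps) for cat, apps in by_category.items() if len(apps) > 1}
    # Consolidation estimate: keep the highest-spend tool in each redundant category and
    # drop the rest. Migration cost is not modelled.
    savings = sum(sum(spend.get(a, 0.0) for a in apps) - max(spend.get(a, 0.0) for a in apps)
                  for apps in redundant.values())
    return {
        "discovered": sorted(all_apps),
        "unsanctioned": sorted(all_apps - sanctioned),
        # Paid for but never seen in SSO: local accounts that central offboarding will miss.
        "outside_sso": sorted(expensed - sso_apps),
        "redundant": redundant,
        "monthly_spend": dict(spend),
        "estimated_monthly_saving": savings,
    }


if __name__ == "__main__":
    for finding, value in audit_saas(SSO_LOG, EXPENSES, SANCTIONED).items():
        print(f"{finding}: {value}")
```

The "outside_sso" list is the security finding rather than the cost one: each of those tools holds company data behind credentials that the IdP does not control, so a leaver keeps access until someone remembers to remove it by hand. Card statements and reimbursement claims are the usual way these tools surface, which is why the ledger has to be part of the audit.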
21. IP Ownership
Verify that the company owns its code. Check for contractor agreements that may not have assigned IP. Code written by contractors without an IP assignment or work-for-hire clause may not belong to the company, and the same applies to open-source contributions made by employees under their own names.
22. Data Ownership and Portability
Can the company export all its data from vendor systems? In what formats, and does the export include attachments, history and metadata or only current records? What is the migration effort? Data locked in vendor platforms without export capability is a lock-in risk that limits post-merger consolidation.
Category 4: Team and Operations (Points 23-30)
23. Team Structure and Capability
Org chart, skill inventory, tenure distribution, open positions, contractor dependency ratio. High contractor ratios (>40%) signal either inability to hire or intentional cost optimisation that may not be sustainable.
24. Key Person Dependencies
Identify individuals who are the sole knowledge holders for critical systems. Document the risk and mitigation plan. If one person leaving would cause a system outage, that is a material risk.
25. Operational Maturity
On-call processes, incident management, change management, monitoring coverage, runbook documentation. Assess against a maturity model (ITIL or similar).
26. Development Velocity
Deployment frequency, lead time for changes, change failure rate, mean time to recovery. These DORA metrics indicate engineering health better than any other measure.
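Target companies rarely report these four figures directly, but they can be derived from a deployment log and an incident list. The following is an added example (not code from the original page) that computes them from constructed records; the record layout, the 30-day window and the rule that a deployment "fails" when it is linked to an incident are assumptions.

```python
from datetime import datetime
from statistics import mean, median

# Constructed 30-day deployment and incident records (not from any real pipeline).
# Lead time is measured from commit to production; "failed" marks a deploy that caused an incident.
DEPLOYMENTS = [
    {"id": "d1", "commit": "2024-05-01T10:00:00", "deployed": "2024-05-01T14:00:00", "failed": False},
    {"id": "d2", "commit": "2024-05-05T09:00:00", "deployed": "2024-05-06T11:00:00", "failed": True},
    {"id": "d3", "commit": "2024-05-09T08:00:00", "deployed": "2024-05-09T18:00:00", "failed": False},
    {"id": "d4", "commit": "2024-05-12T12:00:00", "deployed": "2024-05-15T12:00:00", "failed": False},
    {"id": "d5", "commit": "2024-05-20T07:00:00", "deployed": "2024-05-20T13:00:00", "failed": True},
    {"id": "d6", "commit": "2024-05-27T10:00:00", "deployed": "2024-05-28T16:00:00", "failed": False},
]
INCIDENTS = [
    {"deploy": "d2", "start": "2024-05-06T11:30:00", "resolved": "2024-05-06T13:00:00"},
    {"deploy": "d5", "start": "2024-05-20T13:15:00", "resolved": "2024-05-20T17:45:00"},
]
PERIOD_DAYS = 30


def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def dora_metrics(deployments, incidents, period_days):
    n = len(deployments)
    return {
        "deploys_per_day": n / period_days,
        # Median rather than mean: one change stuck in review for days should not hide
        # an otherwise fast pipeline, and a few quick hotfixes should not hide a slow one.
        "lead_time_hours_median": median(hours_between(d["commit"], d["deployed"])
                                         for d in deployments),
        "change_failure_rate": sum(1 for d in deployments if d["failed"]) / n,
        # Time to restore service, averaged over incidents attributed to deployments.
        "mttr_hours": mean(hours_between(i["start"], i["resolved"])
                           for i in incidents) if incidents else 0.0,
    }


if __name__ == "__main__":
    for metric, value in dora_metrics(DEPLOYMENTS, INCIDENTS, PERIOD_DAYS).items():
        print(f"{metric}: {value:.2f}")
```

Ask for the raw records rather than the target's own dashboard numbers: the definitions (when does a change "start", what counts as a failure) vary between teams, and computing the metrics yourself from the deployment log makes the comparison with the acquirer's engineering organisation meaningful.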
27. Technical Roadmap
What is planned for the next 12 months? Does the roadmap address known debt and risks, or is it purely feature-driven? Feature-only roadmaps accumulate debt.
28. Retention Risk
Engineer turnover rate, Glassdoor ratings, compensation benchmarking. Post-acquisition attrition typically spikes — understand the risk and plan retention packages.
29. Documentation Quality
Onboarding documentation, runbooks, architecture decision records, API documentation. Poor documentation multiplies integration time and creates key-person dependencies.
30. Shadow IT
Undocumented systems, personal cloud accounts with company data, departmental SaaS purchases outside IT governance. This is consistently the largest surprise in M&A due diligence.
Scoring and Risk Assessment
Score each point 1-5:
| Score | Meaning |
|---|---|
| 5 | Excellent — exceeds expectations |
| 4 | Good — meets expectations |
| 3 | Adequate — acceptable with minor remediation |
| 2 | Concerning — requires significant remediation |
| 1 | Critical — material risk to deal value |
Total score interpretation:
- 120-150: Low integration risk
- 90-119: Moderate risk — budget for remediation
- 60-89: High risk — factor into deal pricing
- Below 60: Consider deal structure adjustments or walk away
Planning an acquisition and need independent IT due diligence? Contact us — we provide the technical assessment that protects your investment.