IT Due Diligence for Mergers & Acquisitions: A Checklist for Australian Businesses

When your business is acquiring another company, the financial numbers get most of the attention. But behind every successful acquisition lie hidden technology infrastructure, security vulnerabilities, licensing obligations, and technical debt that can blindside you post-deal. That’s where IT due diligence comes in.

IT due diligence is the process of systematically assessing the technology assets, systems, and risks of a target company before you complete the acquisition.

Why IT Due Diligence Matters in M&A

IT failures during mergers are expensive. A poorly executed assessment can leave you with unplanned remediation costs, integration delays, security incidents, licensing disputes, talent retention issues, and eroded customer trust.

Proper IT due diligence identifies these issues before you sign. It also gives you realistic integration costs and timelines, and helps you negotiate the purchase price based on true risk.

What to Assess: The Core Areas

1. Infrastructure and Architecture

  • On-premises vs cloud vs hybrid — Where do systems actually run?
  • Server hardware age and support — Servers that are out of warranty need replacement costs factored in
  • Data centre arrangements — Where are backups stored? Data sovereignty implications?
  • Network topology and capacity — Can the target’s network support integration with your systems?
  • Disaster recovery and business continuity plans — Do they have tested backup and recovery procedures?

Request documentation of the infrastructure. Better yet, have your own IT consultant audit it.

2. Security Posture and Compliance

  • Essential Eight maturity assessment — Check actual maturity level with supporting evidence
  • Recent security audits or penetration tests — Get the reports
  • Vulnerability management program — Is it systematic or ad-hoc?
  • Incident history — Ask directly about breaches or security incidents in the last 3 years
  • Endpoint protection and monitoring — Which antivirus and EDR tools are deployed? Are logs monitored?
  • Access controls and privilege management — Who has admin access? Is it properly segregated?

3. Licensing and Software Contracts

  • Software asset inventory — What’s actually installed? Commercial licenses, open source, trials?
  • License agreements and terms — Perpetual or subscription? What’s the renewal cost? Do they transfer on acquisition?
  • Compliance with license terms — Are they using software legally?
  • Custom development contracts — Who owns the code? Ongoing support or royalty obligations?
  • SaaS subscriptions and cloud services — What providers? Monthly burn? Long-term contracts or cancellable?

4. Technical Debt and System Health

  • Operating system and application versions — Current, supported versions or aged systems?
  • System performance and stability — Frequent crashes, slow performance, workarounds?
  • Code quality and maintainability — For custom applications, is code documented? Test coverage? Does only one person understand it?
  • Uptime and reliability metrics — Historical uptime data or no records?

5. Data and Backups

  • Data volumes and locations — How much data? Where is it stored? Fragmented across systems?
  • Backup strategy and testing — Regular backups? Tested recovery procedures?
  • Data quality and governance — Clean and well-organised or riddled with duplicates?
  • Data sovereignty and privacy — Australian Privacy Act compliance? Local data storage?

6. IT Staffing and Knowledge Transfer

  • IT team size and skills — How many IT staff? Specialties? Key person dependencies?
  • Retention risk — Will IT staff stay post-acquisition?
  • Documentation and knowledge transfer — Is critical knowledge documented or only in someone’s head?

Red Flags During Due Diligence

  • Vague answers about infrastructure, security, or compliance
  • Inability to produce licensing documentation
  • History of security incidents never disclosed or properly fixed
  • Systems that are clearly end-of-life
  • Backups never tested or restored
  • Critical systems dependent on one person’s knowledge
  • No monitoring or logging of system access
  • Reluctance to let you assess infrastructure or security

Hidden Costs to Budget For

  • Infrastructure upgrades — End-of-life hardware replacement, network upgrades
  • Security remediation — Closing Essential Eight gaps, deploying additional tools
  • Integration and migration — Migrating data, training users
  • Licensing true-up — Legalising unlicensed software, consolidating duplicates
  • Redundant costs — Running parallel systems, overlapping subscriptions
  • Staff training and onboarding — Teaching acquired staff your systems and standards

IT Due Diligence Checklist for Australian Acquisitions

  1. Request complete infrastructure documentation: servers, data centres, network topology, disaster recovery plans
  2. Get a software and hardware inventory with versions and support dates
  3. Obtain all license agreements for commercial software and SaaS subscriptions
  4. Request security audit reports, penetration test results, and incident history (last 3 years)
  5. Verify Essential Eight maturity assessment with supporting documentation
  6. Review backup and disaster recovery testing logs
  7. Check data sovereignty compliance (Australian Privacy Act, local data storage)
  8. Assess IT staffing: roles, tenure, knowledge concentration risks
  9. Get confirmation of system uptime metrics and performance data
  10. Review any custom development contracts and ownership terms
  11. Identify technical debt: aged operating systems, unsupported software, maintenance backlogs
  12. Interview IT leadership about integration challenges and anticipated risks

After the Deal Closes: Integration Planning

Due diligence doesn’t end when you sign. Use your findings to build a detailed integration plan that prioritises critical system integrations, schedules hardware/software upgrades, plans security remediation, identifies quick wins, and establishes clear governance for IT decision-making.

Good IT due diligence makes post-acquisition integration smoother, faster, and more predictable. It protects your investment and reduces the risk of costly surprises.
