
The IT Due Diligence Checklist for Mergers and Acquisitions

When two businesses come together through a merger or acquisition, the technology estate of the target company is often one of the least examined yet most consequential aspects of the deal. Inadequate IT due diligence has derailed integrations, inflated costs, and — in some cases — fundamentally undermined the value of an acquisition. In the UK, where regulatory obligations around data protection, cyber security, and financial reporting are stringent, overlooking IT risks during an M&A transaction can prove extraordinarily expensive.

IT due diligence goes far beyond checking what servers a company runs. It encompasses a thorough assessment of the target's technology infrastructure, software licensing, cyber security posture, data protection compliance, intellectual property, IT contracts, technical debt, and the readiness of its systems to integrate with the acquiring organisation. The findings directly inform the deal's valuation, risk assessment, integration planning, and post-merger budget.

This guide provides a comprehensive IT due diligence checklist for UK mergers and acquisitions, covering every area that should be examined before a deal completes.

  • 70% of M&A deals fail to achieve expected synergies, often due to IT integration issues
  • £2.1M average unexpected IT cost discovered post-acquisition in mid-market deals
  • 18 months average time to fully integrate IT systems after a UK mid-market acquisition
  • 43% of acquirers discover significant cyber security gaps post-completion

Why IT Due Diligence Is Critical

The importance of IT due diligence has grown dramatically over the past decade. Technology is no longer a support function — it is fundamental to how businesses operate, compete, and create value. A company's technology can represent both a significant asset and a significant liability, and understanding which is the case before you sign is essential.

Consider the consequences of inadequate IT due diligence. In 2017, Verizon cut its purchase price for Yahoo's core business by $350 million after two enormous historical data breaches came to light between signing and completion. Closer to home, numerous UK mid-market deals have seen post-completion cost overruns of hundreds of thousands of pounds due to undiscovered licensing non-compliance, end-of-life infrastructure, or incompatible systems.

The UK's regulatory environment adds further urgency. Under UK GDPR, the acquiring company inherits the target's data protection obligations, and with them any historical non-compliance. If the target has been processing personal data unlawfully, the acquirer becomes responsible for putting it right and may face ICO enforcement action for past breaches it did not cause but now owns. The ICO's 2020 penalty against Marriott is the standard illustration: the compromise began in the Starwood guest reservation system in 2014, two years before Marriott acquired Starwood, and the ICO pointed to the inadequacy of the due diligence carried out at the time of the acquisition.

Inheriting Cyber Risk

When you acquire a company, you acquire its cyber security history. If the target has suffered an unreported data breach, has unpatched systems riddled with vulnerabilities, or lacks basic security controls, those risks become yours on completion. The NCSC strongly recommends that acquiring organisations conduct thorough cyber security assessments as part of M&A due diligence, particularly for targets in sectors handling sensitive data.

The IT Due Diligence Checklist

1. Infrastructure and Hardware

Start with a complete inventory of the target's physical and virtual infrastructure. It should cover:

  • Every server, physical and virtual, with its age, specification, operating system, and role
  • The network architecture, including all switches, routers, firewalls, and wireless infrastructure
  • All end-user devices (laptops, desktops, phones) with their age, specification, and management status
  • Data centre or server room facilities, including power, cooling, and physical security
  • Any infrastructure hosted with third-party providers, including cloud IaaS platforms such as Microsoft Azure or Amazon Web Services

The key questions you are trying to answer are: How old is the infrastructure? What needs replacing in the next 12 to 24 months? What will it cost to bring the infrastructure up to your standards? Are there any single points of failure that represent a risk to business continuity?
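The questions above are easier to answer mechanically than by reading a spreadsheet by eye. The script below is an added example, not code from the original article or from Cloudswitched: it takes an asset register in the CSV shape a target typically hands over (a constructed sample is embedded), and flags end-of-life or soon-to-be end-of-life operating systems, hardware past a refresh age, unmanaged endpoints, and server roles served by a single host. The lifecycle dates and the five-year refresh threshold are assumptions for the example and should be confirmed against vendor lifecycle pages and the acquirer's own standards before they appear in a report.

```python
"""Flag infrastructure red flags from a target's asset register (added example)."""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Illustrative end-of-support dates. Assumption for this example: confirm each
# one against the vendor's lifecycle page before relying on it in a finding.
EOL_DATES = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Ubuntu 18.04": date(2023, 5, 31),
    "CentOS 7": date(2024, 6, 30),
}

# Constructed asset register in the shape a target might place in the data room.
SAMPLE_REGISTER = """\
hostname,type,os,role,purchased,managed
SRV-DC01,server,Windows Server 2012 R2,domain controller,2015-03-01,yes
SRV-FIN01,server,Windows Server 2019,finance ERP,2020-06-15,yes
SRV-FILE01,server,Windows Server 2016,file server,2017-02-20,yes
SRV-FILE02,server,Windows Server 2016,file server,2022-02-20,yes
LT-0042,laptop,Windows 10,end user,2021-09-01,no
LT-0043,laptop,Windows 11,end user,2023-01-10,yes
"""

# Date the assessment is run against (assumed for the example).
ASSESSMENT_DATE = date(2025, 1, 15)


def assess_register(register_csv, as_of, max_age_years=5, eol_window_days=365):
    """Return {hostname: sorted list of flags} for every asset in the register.

    Flags: eol (OS past end of support), eol_soon (support ends within
    eol_window_days), lifecycle_unknown (OS not in EOL_DATES), ageing
    (hardware older than max_age_years), unmanaged (not enrolled in device
    management), spof (the only server providing its role).
    """
    rows = list(csv.DictReader(io.StringIO(register_csv)))
    servers_per_role = Counter(r["role"] for r in rows if r["type"] == "server")
    findings = {}
    for r in rows:
        flags = []
        eol = EOL_DATES.get(r["os"])
        if eol is None:
            flags.append("lifecycle_unknown")
        elif eol < as_of:
            flags.append("eol")
        elif (eol - as_of).days <= eol_window_days:
            flags.append("eol_soon")
        purchased = datetime.strptime(r["purchased"], "%Y-%m-%d").date()
        if (as_of - purchased).days / 365.25 > max_age_years:
            flags.append("ageing")
        if r["managed"].strip().lower() != "yes":
            flags.append("unmanaged")
        if r["type"] == "server" and servers_per_role[r["role"]] == 1:
            flags.append("spof")
        findings[r["hostname"]] = sorted(flags)
    return findings


def summarise(findings):
    """Count how many assets carry each flag, for the risk register."""
    return Counter(flag for flags in findings.values() for flag in flags)


if __name__ == "__main__":
    result = assess_register(SAMPLE_REGISTER, as_of=ASSESSMENT_DATE)
    for host, flags in result.items():
        print(f"{host:12} {', '.join(flags) or 'no findings'}")
    print(dict(summarise(result)))
```

Every flag maps to one of the questions above: eol and ageing feed the 12 to 24 month replacement cost, unmanaged feeds the cost of bringing devices up to your standards, and spof is the business continuity question answered from the register alone.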

2. Software and Licensing

Software licensing is one of the most common areas where IT due diligence uncovers costly problems. Many businesses — particularly SMEs — operate with incomplete or inaccurate records of their software licences, leading to non-compliance that can result in significant financial exposure.

Your audit should identify:

  • Every piece of software in use across the business, and whether it is properly licensed
  • The licence terms for each product (perpetual, subscription, per-user, per-device)
  • Whether licences are transferable in the event of a change of ownership
  • Any open-source software in use and its licence obligations
  • The total annual software spend, including subscriptions, maintenance, and support renewals

Pay particular attention to Microsoft licensing, which is often the largest and most complex licensing estate in a UK SME. An acquisition may change the target's eligibility for certain Microsoft licensing programmes, potentially increasing costs significantly.

Typical licensing risk by category:

  • Microsoft licensing: highest risk
  • ERP / CRM systems: high risk
  • Database licences: high risk
  • CAD / specialist software: medium risk
  • SaaS subscriptions: lower risk
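The deliverable from a licensing review is an effective licence position: entitlements reconciled against what discovery tooling or the tenant export shows in use. The script below is an added example, not code from the article or from Cloudswitched. It reconciles two constructed CSV extracts, reports the shortfall per product, estimates true-up exposure, and raises the three flags that matter in a deal: software in use with no entitlement record, entitlements that are not transferable on a change of control, and a metric mismatch (licensed per device, counted per user) that makes the headline numbers incomparable. The product names, quantities and unit costs are illustrative placeholders, not vendor prices.

```python
"""Effective licence position: entitlements vs discovered use (added example)."""
import csv
import io

# Constructed entitlement schedule. Unit costs are placeholders for the example.
ENTITLEMENTS = """\
product,metric,entitled,transferable,unit_cost_gbp
Microsoft 365 Business Standard,per-user,120,yes,118.80
SQL Server Standard,per-core,8,no,1500.00
Sage 200,per-user,15,no,900.00
AutoCAD,per-device,4,yes,1800.00
Veeam Backup,per-socket,2,yes,600.00
"""

# Constructed discovery output, e.g. from an inventory agent or an admin-centre export.
DISCOVERED = """\
product,metric,in_use
Microsoft 365 Business Standard,per-user,134
SQL Server Standard,per-core,16
Sage 200,per-user,12
AutoCAD,per-user,4
Adobe Acrobat Pro,per-user,9
"""


def reconcile(entitlements_csv, discovered_csv):
    """Return one row per product (sorted by name) with shortfall, exposure and flags."""
    entitled = {r["product"]: r for r in csv.DictReader(io.StringIO(entitlements_csv))}
    discovered = {r["product"]: r for r in csv.DictReader(io.StringIO(discovered_csv))}
    report = []
    for product in sorted(set(entitled) | set(discovered)):
        ent, disc = entitled.get(product), discovered.get(product)
        in_use = int(disc["in_use"]) if disc else 0
        if ent is None:
            # Found in use with no paperwork at all: shortfall is the whole count,
            # and exposure cannot be priced until the vendor's terms are known.
            report.append({"product": product, "metric": disc["metric"], "entitled": 0,
                           "in_use": in_use, "shortfall": in_use, "exposure_gbp": None,
                           "flags": ["no_entitlement_record"]})
            continue
        flags = []
        quantity = int(ent["entitled"])
        if disc and disc["metric"] != ent["metric"]:
            flags.append("metric_mismatch")  # counts are not comparable until normalised
        shortfall = max(0, in_use - quantity)
        if shortfall:
            flags.append("under_licensed")
        elif disc is None:
            flags.append("unused_entitlement")  # shelfware still being renewed
        if ent["transferable"].strip().lower() != "yes" and in_use:
            flags.append("non_transferable")  # needs vendor consent or re-purchase on change of control
        exposure = round(shortfall * float(ent["unit_cost_gbp"]), 2)
        report.append({"product": product, "metric": ent["metric"], "entitled": quantity,
                       "in_use": in_use, "shortfall": shortfall, "exposure_gbp": exposure,
                       "flags": flags})
    return report


def total_exposure(report):
    """Sum the priceable true-up exposure; unpriced rows are excluded, not zeroed."""
    return round(sum(r["exposure_gbp"] for r in report if r["exposure_gbp"] is not None), 2)


if __name__ == "__main__":
    rows = reconcile(ENTITLEMENTS, DISCOVERED)
    for r in rows:
        print(f"{r['product']:32} entitled={r['entitled']:>4} in_use={r['in_use']:>4} "
              f"shortfall={r['shortfall']:>4} exposure={r['exposure_gbp']} {r['flags']}")
    print("priceable exposure (GBP):", total_exposure(rows))
```

The unpriced rows are the important ones: a product with no entitlement record has an exposure that the target cannot quantify, which is a disclosure finding as much as a cost line.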

3. Cyber Security Assessment

A thorough cyber security assessment is essential. It should evaluate:

  • Security policies and the extent to which they are actually implemented
  • Vulnerability management and patch status across all systems
  • Access control and identity management practices
  • Incident response capabilities and incident history
  • Endpoint protection and network security controls
  • Email security, including anti-phishing and anti-spoofing measures
  • Backup and disaster recovery arrangements
  • Compliance with Cyber Essentials or other security frameworks

You should also request disclosure of any historical security incidents, data breaches, or near-misses, along with any ongoing or recent penetration testing reports and vulnerability assessments. If the target cannot provide this information, that itself is a significant finding.
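Some of the items on that list can be checked from outside the target, without access to the data room, and email anti-spoofing is the obvious one: a target's SPF and DMARC records are public DNS. The script below is an added example, not code from the article or from Cloudswitched. It evaluates SPF and DMARC records against constructed DNS data embedded inline (the domain names and records are made up for the example); in practice `resolve` would be replaced with a real TXT lookup, for instance via dnspython, or the records pasted in from `dig TXT _dmarc.<domain>`. DKIM is deliberately not checked, because selectors cannot be enumerated from DNS without knowing them.

```python
"""Rate a domain's SPF and DMARC posture from its TXT records (added example)."""
import re

# Constructed TXT records for hypothetical domains (not real DNS data).
DNS_TXT = {
    "target.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.target.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@target.example"],
    "subsidiary.example": ["v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com ~all"],
    "_dmarc.subsidiary.example": ["v=DMARC1; p=none; rua=mailto:dmarc@subsidiary.example"],
    "legacy.example": ["v=spf1 +all"],
    "brand.example": ["v=spf1 mx -all"],
    "_dmarc.brand.example": ["v=DMARC1; p=quarantine; pct=50"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_RE = re.compile(r"^[+\-~?]?(?:include:|a(?:[:/]|$)|mx(?:[:/]|$)|exists:|redirect=)", re.I)

# Findings that on their own make spoofing the domain straightforward.
RED_FINDINGS = {"spf_missing", "spf_all_permissive", "spf_no_all_mechanism",
                "dmarc_missing", "dmarc_policy_none"}


def resolve(name):
    """Stand-in for a DNS TXT lookup; swap for a real resolver in use."""
    return DNS_TXT.get(name.lower(), [])


def parse_spf(records):
    """Return (spf_record, findings) for the TXT records at the domain apex."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None, ["spf_missing"]
    findings = []
    if len(spf) > 1:
        findings.append("spf_multiple_records")  # invalid: receivers treat as permerror
    tokens = spf[0].split()[1:]
    if sum(1 for t in tokens if LOOKUP_RE.match(t)) > 10:
        findings.append("spf_lookup_limit_exceeded")
    all_terms = [t for t in tokens if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("spf_no_all_mechanism")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append("spf_all_permissive")  # anyone may send as the domain
        elif qualifier == "~":
            findings.append("spf_softfail")
    return spf[0], findings


def parse_dmarc(records):
    """Return (tag dict, findings) for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return None, ["dmarc_missing"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("dmarc_policy_none")  # monitoring only, nothing is blocked
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append("dmarc_pct_partial")
    if "rua" not in tags:
        findings.append("dmarc_no_reporting")  # nobody is seeing who spoofs the domain
    return tags, findings


def assess_domain(domain, lookup=resolve):
    """Evaluate SPF and DMARC for one domain and give it a red/amber/green rating."""
    spf, spf_findings = parse_spf(lookup(domain))
    dmarc, dmarc_findings = parse_dmarc(lookup(f"_dmarc.{domain}"))
    findings = spf_findings + dmarc_findings
    if set(findings) & RED_FINDINGS:
        rating = "red"
    elif findings:
        rating = "amber"
    else:
        rating = "green"
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "findings": findings, "rating": rating}


if __name__ == "__main__":
    for name in ("target.example", "subsidiary.example", "legacy.example", "brand.example"):
        result = assess_domain(name)
        print(f"{name:22} {result['rating']:6} {result['findings']}")
```

Run this across every domain the target owns, not just the primary one: dormant brand and legacy domains with no DMARC record are the ones attackers use for invoice fraud against the target's customers, and they rarely appear in the target's own security documentation.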

4. Data Protection and GDPR Compliance

Under UK GDPR, you need to understand exactly what personal data the target processes, on what legal basis, and how well protected it is. Your assessment should cover:

  • The record of processing activities (required under Article 30)
  • Privacy notices and consent mechanisms
  • Data subject rights procedures
  • Data protection impact assessments for high-risk processing
  • Data processor agreements with third parties
  • Cross-border data transfer mechanisms
  • Data retention policies and whether they are actually applied
  • The existence and competence of a Data Protection Officer, where one is required
  • Any current or historical ICO investigations, complaints, or enforcement actions

5. IT Contracts and Vendor Relationships

Review all IT-related contracts, paying particular attention to change of control clauses that may allow vendors to terminate or renegotiate agreements upon acquisition. Key contracts to review include:

  • Managed service provider and IT support agreements
  • Cloud hosting and SaaS contracts
  • Telecommunications and connectivity agreements
  • Hardware and software maintenance contracts
  • Data centre colocation or managed hosting agreements

Good Signs in IT Due Diligence

  • Comprehensive and up-to-date IT asset register
  • Current Cyber Essentials Plus certification
  • Documented disaster recovery plan with recent test results
  • Clean software licence compliance audit
  • Well-maintained GDPR documentation and processes
  • Modern, supported infrastructure with clear refresh plans

Red Flags in IT Due Diligence

  • No IT asset register or inventory
  • End-of-life operating systems or unpatched software
  • No documented backup or disaster recovery procedures
  • Unknown or unaudited software licensing position
  • No GDPR data processing register or privacy documentation
  • History of security incidents with no remediation evidence

6. Technical Debt and Integration Complexity

Technical debt — the accumulated cost of shortcuts, workarounds, and deferred maintenance in technology systems — is a hidden liability in many acquisitions. Custom-built software that is poorly documented, legacy systems running on unsupported platforms, and ad hoc integrations held together with scripts and spreadsheets all represent technical debt that will need to be addressed post-acquisition.

Integration complexity is closely related. How easily can the target's systems be integrated with your own? If both organisations use Microsoft 365, tenant-to-tenant migration is a well-understood exercise, though not a trivial one (there is no native way to merge two tenants; users, mailboxes, and data are migrated from one into the other). If the target runs a completely different email platform, ERP system, or line-of-business application, integration becomes significantly more complex and expensive.

Summary of due diligence areas, the key risk in each, typical cost impact, and priority:

  • Software licensing (Critical): non-compliance penalties and true-up costs, typically £50,000 - £500,000+
  • Cyber security (Critical): inherited vulnerabilities and breach liability, £100,000 - £5M+
  • GDPR compliance (Critical): ICO enforcement and remediation costs, £50,000 - £17.5M (the statutory maximum penalty is £17.5M or 4% of global annual turnover, whichever is higher)
  • Infrastructure refresh (High): unplanned capital expenditure, £30,000 - £300,000
  • System integration (High): project overruns and business disruption, £50,000 - £1M+
  • Contract renegotiation (Medium): increased vendor costs post-acquisition, £10,000 - £100,000 per year

The IT Due Diligence Timeline

IT due diligence should begin as early as possible in the transaction process — ideally as soon as heads of terms are agreed and a data room is established. A typical IT due diligence exercise for a mid-market acquisition takes four to eight weeks, depending on the complexity of the target's IT estate and the quality of available documentation.

  • Weeks 1-2: document review and data room analysis
  • Weeks 3-4: technical assessment and interviews
  • Weeks 5-6: security and compliance deep dive
  • Weeks 7-8: report, risk register, and recommendations

Post-Acquisition IT Integration Planning

The findings of your IT due diligence directly inform your post-acquisition integration plan. This plan should cover day-one priorities (securing access, establishing communication), the first 90 days (quick wins, critical fixes), and the longer-term integration roadmap (system consolidation, platform migration).

Key early priorities typically include securing the target's IT environment by applying your security standards, consolidating identity and access management to ensure appropriate access control, establishing secure connectivity between the two organisations, and beginning the software licence rationalisation process. On day one that means, at minimum, enumerating the privileged accounts in the target's directory and cloud tenants, enforcing multi-factor authentication on them, and rotating shared, service, and break-glass credentials known to departing staff or the outgoing support provider, because anyone with historical access to the target will be holding exactly those credentials. Longer-term activities include migrating to common platforms where appropriate, decommissioning redundant systems, consolidating IT support arrangements, and harmonising IT policies and procedures.

Need IT Due Diligence Support?

Cloudswitched provides independent IT due diligence assessments for UK mergers and acquisitions. Our team evaluates infrastructure, security, licensing, compliance, and integration complexity to give you a clear picture of the IT risks and costs before you complete a deal.

Tags: Virtual CIO, Mergers