Cyber security
15.11.2023

A Company Must Not Be Bought Without a Pre-transaction IT Audit

It is a volatile time for the economy, which always leads to businesses being bought and sold. For some, it provides a good opportunity to improve their market position, and for others, an opportunity to sell their life's work.

Obviously, no one buys a pig in a poke, so every merger or acquisition transaction (M&A transaction) means a thorough financial and legal analysis. On top of that, there is the pre-transaction IT audit, which plays an increasingly important role these days, and takes apart the IT solutions of the acquired or sold company and their management issues.

The functioning of information systems is vital in business, even in an "old school" type of manufacturing or service company where information technology has more of a support function. Even there, a data leak or a failure of the customer service system can seriously paralyse the company's operations, and no one wants to face such situations.

According to international studies by KPMG, 90 percent of companies have faced at least one cyber attack, and 26 percent of those incidents forced companies to suspend their operations temporarily. The impact of an incident on the company's operations can be very severe.

Therefore, in M&A transactions, it is necessary to establish what the IT posture of the company to be purchased or merged is like behind the scenes. An IT audit is absolutely crucial in transactions where a company offering a technological product or service is purchased. For example, a software product requires extensive testing to ensure that it actually works. This includes an analysis of the software product's source code, so that it does not come as a bad surprise that the code has more holes than Swiss cheese.

Start-ups focusing on IT solutions are constantly testing their products because the sale of the company is written into their business plans. Product development that follows specific processes creates a strong foundation for a later exit and allows the owners to ask for a higher price for their company. Despite this, the acquisition of a start-up must also include a thorough pre-transaction analysis.

Checking cyber security posture is of critical importance

The IT solutions of the transaction parties must fit together well and, in addition to ensuring business continuity and security, create synergy, which is one of the goals of M&A transactions. For example, if companies that are parties to an M&A transaction use network solutions from different manufacturers and from different times, the integration of their systems will mean financial and other resource costs that must be taken into account. The same applies in the field of information security. For example, if they use cyber protection solutions that were last updated 4-5 years ago, the solutions may be hopelessly out of date.

During the audit, the cyber security policy and other information security documentation as well as their implementation should be examined. In addition, a vulnerability assessment and a security risk assessment should be conducted to identify possible weaknesses.

What to check in terms of information security?

  • A closer look at the information security system shows how the system is structured and whether the existing system provides adequate protection.
  • You need to establish how third parties handle the company's data and information.
  • Is access control clearly in place in a cloud-based file sharing system to prevent ransomware or uninvited guests from entering the company's network?
  • Competence of employees must ensure adequate behaviour during cyber incidents.
  • It is necessary to get an overview of the processes and guidelines on how a possible incident is managed within the organization and, if necessary, together with external partners.

The pre-transaction IT audit must be documented.

An IT audit helps transaction parties understand the company's technological environment, assess risks and ensure the company's smooth transition to new owners. Before the audit, the transaction parties must agree on the objectives of the procedure and their expectations. It is a data-intensive undertaking because the audit may include an inventory of IT systems and equipment, an overview of software, licenses and certificates, business continuity principles, etc.

The information and results gathered during the audit process must be thoroughly documented. The documentation must cover the progress of the audit process, the deficiencies found and recommendations for their correction. After all, the purpose of the audit is to get an honest and comprehensive overview of the IT posture of the company involved in the M&A transaction and to avoid disputes in the final phase of the M&A transaction or later.

An audit ensures that both transaction parties fully understand the company's technological environment and identify risks to be addressed. The red flags in IT provide grounds for the buyer to demand that the deficiencies be corrected or to negotiate a lower price. With a properly performed IT audit, the seller receives confirmation that the offered deal is fair and there will be no surprises for either party.

Mihkel Kukk

Head of Cyber Security
mihkelkukk@kpmg.com
+372 521 4332
