According to audit firms, up to 30% of M&A deals fail or face significant complications due to undisclosed IT risks that emerge after the transaction is complete. This includes outdated hardware, unrecorded software licenses, cybersecurity vulnerabilities, and non-compliance with regulatory requirements. A comprehensive IT audit is an integral part of Due Diligence, providing the buyer with a complete picture of the target company’s IT infrastructure.

Softline IT, as a system integrator since 1995, recommends starting by defining clear audit objectives that align with the acquisition strategy: integration, cost optimization, or scaling. This will help focus attention on the most critical aspects of the IT infrastructure.

Assessing server infrastructure and data storage systems

The primary task is to inventory and assess the state of the server infrastructure. It’s necessary to check the age and configuration of physical servers (e.g., HPE ProLiant DL380 Gen10, Dell PowerEdge R750, Lenovo ThinkSystem SR650), their performance, and the existence and status of warranty obligations. Special attention should be paid to data storage systems (DSS) – these could be NetApp FAS/AFF, HPE 3PAR/Primera, Dell PowerStore. It’s important to evaluate their capacity, RAID levels (e.g., RAID 5, RAID 6, RAID 10), performance (IOPS, throughput), and utilization. Equally important is the analysis of hyperconverged infrastructure (HCI) solutions, such as HPE SimpliVity or Nutanix, if they are in use, including software versions and scaling plans.

| Category | Key Audit Metrics | Potential Risks |
|---|---|---|
| Servers | Age, model, configuration (CPU, RAM), warranty, resource utilization | High TCO, lack of vendor support, low performance |
| DSS | Type (SAN/NAS), capacity, RAID levels, IOPS, throughput, firmware version | Insufficient capacity, low performance, risk of data loss |
| Hyperconvergence | Manufacturer (HPE SimpliVity, Nutanix), software version, node count, scaling plans | Scalability issues, licensing risks, vendor lock-in |

Corporate network and cybersecurity audit

Corporate network analysis includes inspecting active network equipment: routers, switches (e.g., Cisco Catalyst 9300, Aruba 2930F), enterprise Wi-Fi access points (Cisco Meraki, Aruba Instant On), and SD-WAN solutions. It’s necessary to assess the network architecture, its bandwidth, redundancy, segmentation level, and compliance with modern standards. From a cybersecurity perspective, the audit should cover the status of Next-Generation Firewalls (NGFW) from Fortinet, Check Point, or Palo Alto Networks, the presence and effectiveness of EDR/XDR solutions, SIEM systems, and DLP systems. It’s important to verify security policies, update regularity, implementation of multi-factor authentication (MFA), and VPN solutions. Compliance with regulatory requirements, such as GDPR or Ukrainian data protection laws, should be assessed separately.

Virtualization, backup, and cloud solutions review

A key aspect is the audit of virtualization platforms such as VMware vSphere, Microsoft Hyper-V, or Citrix Virtual Apps and Desktops for VDI. It’s necessary to check hypervisor versions, cluster configurations, and the presence and effectiveness of fault tolerance mechanisms (HA, DRS). For backup, the solutions used (Veeam Backup & Replication, Commvault) should be evaluated, including their architecture, backup regularity, RPO (Recovery Point Objective) and RTO (Recovery Time Objective) metrics, as well as the existence of Disaster Recovery plans. If cloud solutions like Microsoft 365 or Azure are in use, subscription configurations, resource utilization levels, security settings, and hybrid environment architectures, including migrations from on-prem infrastructure, need to be reviewed.

Software licensing and unified communications audit

Non-compliance with licensing agreements is a significant risk during an acquisition. Software license audits involve verifying all used software products: operating systems, office suites (Microsoft 365 Business Premium), virtualization (VMware vSphere Enterprise Plus), backup (Veeam Universal License), antivirus (ESET Endpoint Security, Bitdefender GravityZone), and specialized graphics software. It’s necessary to reconcile the number of installed copies with purchased licenses, check subscription expiry dates, and verify compliance with licensing models (e.g., CSP for Microsoft). In the realm of unified communications, platforms in use, such as Microsoft Teams or Cisco Webex, should be assessed, along with the state of IP telephony, including PBXs and subscriber lines.
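The license reconciliation step described above can be scripted once the inventory and purchase records are in hand. The following is an added example, not part of the original article or any Softline IT tooling; the hosts, quantities, dates, the "Unlisted CAD Suite" product, the `reconcile` function and its 90-day warning window are all constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data: one row per installation found by an inventory
# scan, and one row per entitlement taken from purchase records.
INSTALLED = [
    ("srv-01", "VMware vSphere Enterprise Plus"),
    ("srv-02", "VMware vSphere Enterprise Plus"),
    ("srv-03", "VMware vSphere Enterprise Plus"),
    ("pc-101", "Microsoft 365 Business Premium"),
    ("pc-102", "Microsoft 365 Business Premium"),
    ("pc-101", "ESET Endpoint Security"),
    ("pc-102", "ESET Endpoint Security"),
    ("pc-103", "Unlisted CAD Suite"),
]
ENTITLEMENTS = [
    # (product, licensed quantity, subscription end date or None if perpetual)
    ("VMware vSphere Enterprise Plus", 2, None),
    ("Microsoft 365 Business Premium", 5, date(2025, 3, 31)),
    ("ESET Endpoint Security", 2, date(2024, 11, 30)),
]

def reconcile(installed, entitlements, as_of, warn_days=90):
    """Return sorted (product, finding) tuples for every licensing gap."""
    in_use = Counter(product for _host, product in installed)
    known = {product for product, _qty, _end in entitlements}
    owned = Counter()
    findings = []
    for product, qty, expires in entitlements:
        if expires is not None and expires < as_of:
            findings.append((product, f"subscription expired {expires}"))
            continue  # an expired entitlement covers no installations
        owned[product] += qty
        if expires is not None and (expires - as_of).days <= warn_days:
            findings.append((product, f"subscription ends {expires}"))
    for product, count in in_use.items():
        if product not in known:
            findings.append((product, f"{count} installed, no purchase record"))
        elif count > owned[product]:
            findings.append((product, f"shortfall of {count - owned[product]}"))
    for product, qty in owned.items():
        if qty > in_use[product]:
            findings.append((product, f"{qty - in_use[product]} unused"))
    return sorted(findings)

if __name__ == "__main__":
    for product, finding in reconcile(INSTALLED, ENTITLEMENTS, date(2025, 1, 15)):
        print(f"{product}: {finding}")
```

Running the reconciliation against the expected closing date rather than today's date shows which subscriptions the buyer will inherit already lapsed.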

IT leaders preparing for an acquisition are advised to start by requesting a complete inventory of the target company’s IT assets, including a list of hardware, licenses, and active service contracts. Based on this data, a preliminary list of questions for the target company’s technical team should be compiled, and key risk areas requiring detailed auditing should be identified. Before engaging with an integrator, prepare expected scenarios for IT system integration and potential requirements for the future infrastructure. This will enable the integrator to propose the most relevant and effective audit plan.