5 min read · it-projects · By Ben Fox
IT Due Diligence in M&A: A Practical Guide for Acquirers
What IT due diligence on an acquisition really covers — infrastructure, security, licensing, key-person and integration risk — and how a red-flag report protects your valuation.

When you buy a company, its IT is one of the largest sources of hidden risk and cost in the deal — and one of the least scrutinised. Financial and legal due diligence are a given; technology too often gets a cursory look, or none at all. Then the surprises arrive after completion: unsupported systems, a breach nobody disclosed, software that isn’t properly licensed, or a single contractor who is the only person who understands how anything works.
Done properly, IT due diligence turns those unknowns into a number — one that informs your valuation, strengthens your negotiation, and shapes the 100-day plan. This guide is for acquirers and their advisers: private equity deal teams, corporate development, and the operating partners who inherit the result.
This is general guidance, not legal or financial advice — every deal is different.
What IT due diligence actually covers
A proper IT assessment of a target looks at five things:
- Infrastructure and technical debt. What they actually run, how old it is, how well it’s maintained, and what it will cost to bring up to your group’s standard. Aging servers, an unsupported ERP, or a network held together with workarounds are all future capital you’re buying.
- Cybersecurity posture. Their real exposure, the controls in place, and — crucially — any past incidents. A breach that hasn’t surfaced yet is a liability that transfers to you on completion.
- Software licensing and data compliance. Whether software is properly licensed (under-licensing is a common, quantifiable liability), and whether data-protection obligations are met — Hong Kong’s PDPO and the China data laws for regional targets — along with any sector regulation.
- Key-person and vendor risk. Single points of failure, undocumented systems, founder- or contractor-dependent knowledge, and vendor lock-in that limits your options after the deal.
- Integration cost and complexity. A realistic estimate of what it takes to integrate the target into your estate — or carve it out of a seller’s — on a defined timeline.
Red flags that should change your number
Some findings are routine. Others should feed straight back into price or deal structure:
- End-of-life or unsupported systems — operating systems, databases or line-of-business apps past vendor support, which are both a security risk and a forced future cost.
- No multi-factor authentication, shared admin accounts, or weak identity controls — cheap to exploit, expensive to clean up after.
- A history of security incidents that wasn’t disclosed, or no ability to say whether one has occurred.
- Under-licensed or unlicensed software — a true liability you may inherit, and one a vendor audit can crystallise.
- Undocumented, founder-dependent IT — if the knowledge lives in one person’s head, retention (or its absence) becomes a deal risk.
- Unmanaged cloud and SaaS sprawl — shadow subscriptions, no central control, and data spread across tools nobody is tracking.
- Data stored in non-compliant locations — especially relevant where a target has Mainland China operations (more below).
- No tested backups or disaster-recovery plan — a single ransomware event could take the business you just bought offline.
Each of these is something you can put a cost against — which is the entire point of doing the work before you sign.
China and cross-border targets: the part most advisers can’t reach
If the target has operations in Mainland China, the diligence gets materially harder — and more important. You need to understand whether the business is meeting China’s data-localisation and cross-border transfer rules, whether it runs the right cloud (a global Microsoft 365 tenant versus the local 21Vianet instance), how it connects across the Great Firewall, and what it will take to bring its IT onto your group’s standards. Most Western advisers simply cannot assess what they cannot reach.
This is where on-the-ground capability matters. With a locally registered Chinese entity and engineers in the region, PTS can assess and integrate the China IT of a target that an offshore team would have to take on trust — the same strength we bring to foreign companies operating across China and Hong Kong.
What you get: a red-flag report and an integration cost estimate
The deliverable is not a 90-page technical dump. It is a red-flag report written for an investment committee: the material risks, ranked; the costs to remediate; and a realistic integration or carve-out estimate. It tells the deal team three things they can act on — what to adjust in the valuation, what to put into the warranties and the negotiation, and what the first 100 days of ownership need to fund and fix.
For financial-sector acquisitions there’s an extra dimension: if the target is itself SFC-licensed, its regulatory IT obligations come with it — see our guide to SFC cybersecurity requirements for Hong Kong fund managers.
From diligence to integration
Diligence is only half the job. Once you close, the work of integrating, securing or carving out the target’s IT begins — and the same team that flagged the risks is best placed to fix them. We deliver that as structured IT projects and ongoing managed IT services, including the cross-border integration in China that most providers can’t. It means nothing is lost in the handover between the people who found the problems and the people who resolve them.
How PTS helps
PTS provides independent, vendor-neutral IT due diligence for private equity firms and corporate acquirers across Hong Kong, Mainland China and Singapore. Because we are ISO/IEC 27001 certified and sell no hardware lines, our findings reflect the target’s real risk and cost — not a sales agenda — which is exactly why they hold up in an investment committee. And because we assess targets and integrate them, the diligence translates directly into delivery: cybersecurity remediation, infrastructure work, and a clean managed service on the other side. See how we brought an acquired manufacturer’s China operations up to global standards.