JOnline: A Framework for Conducting IT Due Diligence in Mergers and Acquisitions 


When one business acquires another, the prudent executive needs to consider the overall strategic fit, but the integration of the information technology (IT) function across the two disparate entities can also have a significant effect on the value and effectiveness of the acquisition. Acquiring a company with a dysfunctional IT function could mean significant extra costs involved in fixing the IT issues that have not been taken into consideration in the acquisition costs. The acquiring company must also decide how to integrate the acquired company’s IT after the acquisition. If the two companies have incompatible systems, additional costs may be incurred in merging them.

Research by Yaakov Weber and Nava Pliskin suggests that, after controlling for the influence of corporate culture, integration of IT in mergers and acquisitions contributes to the effectiveness of mergers among companies that make substantial use of IT.1 This is significant, because mergers and acquisitions in general frequently fail to produce the gains in profitability and market share that investors expect.2

Unfortunately, the assessment of IT fitness of an acquisition target continues to be neglected in evaluating the acquisition target. However strategically sound the acquisition may seem in financial terms, having to deal with IT problems after the fact may bring to the surface many additional costs not accounted for initially. Failure to integrate the IT systems of the two companies can cause critical operational problems in the combined entity. Unanticipated IT difficulties can produce significant deviations from expected acquisition results, sometimes determining the ultimate success or failure of the acquisition. An Accenture Consulting study of IT integration in 57 mergers and acquisitions conducted from 1997 to 1999 showed that 42 percent of respondents conducted no IT due diligence before the acquisition—but the respondents who performed due diligence produced higher return on sales, assets and net worth.3

Therefore, the chief financial officer (CFO) and the IT manager of the acquiring organization have good reason to complete a due diligence assessment of the acquisition target’s IT function. Research also suggests that most firms that conduct repeated acquisitions incur further opportunity costs by not retaining information from the acquisition process.4 Organizational learning can provide significant value if companies that grow by acquisition perform IT due diligence in-house. However, there is no well-established method of doing such an assessment.

This article proposes the Information Technology Assessment Due Diligence (ITADD) framework to guide managers of acquiring firms in evaluating the IT function of potential acquisition targets. The development of ITADD is supported by assessment frameworks used in IT auditing, published articles in practitioner resources, and advice from professionals with merger experience and academic expertise. To develop ITADD, Control Objectives for Information and related Technology (COBIT), the IT Infrastructure Library (ITIL) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) frameworks were examined for pertinent material, drawing particularly from COBIT and COSO. Next, practitioner sites, such as ISACA and Protiviti’s KnowledgeLeader, were searched for relevant articles. Individuals and companies who requested confidentiality contributed examples and sample documents from actual acquisition projects. The resulting framework is described below.

ITADD Framework

ITADD examines IT acquisition due diligence tasks in terms of what needs to be done in the premerger and postmerger phases.

The purpose of the premerger phase is to determine what aspects of the acquisition target’s IT function have implications that should be understood before the acquisition. Premerger assessment tools of ITADD enable the acquiring company to get a practical feel for the target organization’s IT function and evaluate how much value it adds to or takes away from the acquisition. For example, if the acquisition target has significant software licensing issues, this can increase the total cost of the acquisition.

During the postmerger phase, the IT manager should systematically evaluate the acquired company’s IT function in detail. He/she should identify all significant risks that need to be mitigated, including compliance, operational and strategic risks, so the IT function of the acquired company can be relied on to meet the acquiring company’s business objectives. ITADD includes a standardized format for taking stock of the IT assets, and a detailed program for audit of the IT function designed to bring to light significant issues that need to be addressed to align the IT strategy with the company’s strategic objectives.

ITADD consists of a conceptual framework that is applied throughout the acquisition process, and a rich set of tools—the ITADD Toolkit—that can be used to apply the framework during the pre- and postacquisition phases.

ITADD Conceptual Framework

The conceptual framework identifies critical areas of the acquired company’s IT function that the acquiring company needs to evaluate. It contains five domains, as shown in Figure 1.

The order in which these domains are shown reflects the relationships among them. The bottom layer, IT assets, represents the physical means of implementing the operations. Operations, a more comprehensive category, includes all processes by which the IT function provides normal daily services to the organization. Human capital is placed above operations, because personnel conduct the operations and have responsibility for operations’ design and control. Business continuity is next, because a good business continuity plan allows the business to continue even if a catastrophe occurs that eliminates the IT assets, operations and human capital in a particular location. Strategy support is on top because of COBIT’s guidance, which states that IT strategies must support the business’s objectives; the other domains are means of supporting the IT strategy.

Implementation: The ITADD Toolkit

ITADD presumes that an IT assessor (a manager or IT auditor in the acquiring company) will take responsibility for assessing the acquired company. ITADD provides a set of documents called the ITADD Toolkit to be used step-by-step in conducting the assessment and reporting the results to upper management. The complete ITADD Toolkit is available for use at

The individual documents used during the premerger phase are briefly described in the next section, followed by a description of the documents used in the postmerger assessment.

ITADD Toolkit: Premerger Phase

Documents used during the premerger phase include:

  • Preacquisition template—This functions as the assessor’s guide to the premerger phase, describing all areas in which information must be sought. This Microsoft Word document lists key questions for examining each of the framework’s domains. The assessor should obtain answers to as many of the questions as possible, and can record the information directly in the template.
  • Questionnaires—The objective of the questionnaires is to facilitate rapid gathering of information. Each assessment category in the premerger phase has a corresponding questionnaire that can be individually distributed to informative personnel at the acquisition target as an e-mail, download, fax or printed hard copy. The questionnaires supplement the other methods the assessor may use to obtain information, such as walk-throughs, telephone interviews, review of documents from the target and e-mails that include specific questions. Due to the time pressures of a typical acquisition, facts are often accidentally omitted, so it is good to use as wide a range of methods as possible.
  • ITADD dashboard—The dashboard is an Excel spreadsheet providing a numeric summary of the assessor’s judgments about the fitness of the acquisition target’s IT. It consists of 13 questions, each representing a significant aspect of the assessment categories in the premerger (and, therefore, of the domains in the pyramid). Having completed this phase, the assessor rates the target’s IT on a scale of one to five for each question, where five represents excellence. The dashboard weighs and sums the ratings to produce a scale of 20 to 100, where 100 represents a well-run IT function positioned for high reliability and smooth integration, and 20 represents a risky IT function likely to cause many problems in the integration process (see Figure 2).
  • Preacquisition report template—The IT assessor should provide management a short report summarizing the IT risks and fitness of the acquisition target. The report template provides a source document and illustrative examples.


ITADD Toolkit: Postmerger Phase

Documents in the postmerger phase include:

  • Postacquisition template—This template is the IT assessor’s guide to evaluating the IT function of the acquired company after the acquisition is complete. Its purpose is to acquire all information needed to complete a detailed evaluation of the acquired company’s IT function. The goal of this postmerger analysis is to determine what steps should be taken to reduce IT-related risks and promote successful integration of the acquired company.

    The template contains separate tabs for each area that the assessor should investigate after the new company is acquired. The current iteration of ITADD assumes that the parent company will conduct a fuller integration of systems in the end, but that the acquired company will need to be able to function on its own most of the time during the first year, because full integration of IT between companies may not happen immediately.

    Five tabs in the “post” list operational issues that should be assessed to determine what improvements, if any, are necessary to ensure the acquisition’s short-term reliability:
    • IT control environment
    • Program development
    • Program changes
    • Access to programs and data
    • Computer operations

    Each of these operational tabs includes several sets of questions. Each set of questions addresses an issue that should be examined, and each issue has several specific questions investigating particular points. Each tab is formatted so the user can easily input responses, reference documents and conclusions about actions that need to be taken.

The template also includes seven inventory tabs. Each tab is a tool for recording different information about a type of asset that should be evaluated in the acquired company:

  • End-user software
  • Hardware
  • Server software
  • Systems
  • Facilities locations (FAC)
  • Facilities inventory template (tab can be duplicated for evaluation of physical infrastructure in each location)
  • FAC Inventory Location 1 (tab prepared for first location)

The assessor should use the operational tabs as a guide for covering all issues pertinent to short-term operational reliability of the acquired company. The inventory tabs should make recording all needed inventory data as easy as possible.

  • Postacquisition report template—Once the assessor has gathered the necessary information, he/she should again provide a report to management summarizing the IT status of the acquisition. This postacquisition report should address all steps that should be taken to resolve compliance issues and ensure stable operation during the first year. It should also mention any specific points that are likely to be of interest to management.


The ITADD framework provides IT managers and staff with a focused method of conducting due diligence assessment of the IT function in companies that are the targets of corporate mergers and acquisitions. No previous framework has been established in the IT community that evaluates the IT aspect of mergers and acquisitions, even though research suggests that significant business value can be harvested by firms that successfully perform such due diligence. Effective IT integration can increase profitability of mergers,5 and IT assessment due diligence has been directly related to higher return on sales, assets and net worth. Yet, many companies still do not perform it.6

ITADD allows managers to provide several value propositions for their companies. Better valuation of the target’s IT assets can provide information that is useful as bargaining leverage, and contribute to negotiation strategy. Early detection of potential IT integration problems can contribute to negotiation strategy as well as operational strategy. Reducing risk of regulatory compliance issues provides additional value after the acquisition is complete. Most important, effective assessment enables a successful integration of the two companies’ IT functions, providing an enduring basis for the profitability gains expected by investors and upper management. ITADD’s conceptual framework and rich toolkit of documents allow managers to perform timely, effective due diligence assessments of acquisition targets’ IT environments. In short, managers who apply ITADD can harvest significant business value for their firms.

Authors’ Note

The ITADD framework was developed by Barrett Sundberg, Zheng-Da Tan, Trey Baublits, Hae-Joon Lee and Grant Stanis as part of a student project in the IT Audit and Security Course at the Red McCombs Business School of the University of Texas at Austin (USA). The project was completed under the professional supervision of John Freeman and the academic supervision of Professor Hüseyin Tanriverdi. The project won the Best Student Project Award of the Austin (Texas, USA) Chapter of ISACA during the fall semester of 2005.


Due Diligence Checklist (XI. Information Systems Organization and Staffing), /content/ChecklistsGuidesDueDiligence Checklist!OpenDocuments#XI

Hunton, James E.; Stephanie M. Bryant; Nancy A. Bagranoff; Core Concepts of Information Technology Auditing, John Wiley & Sons, 2004.

IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, 2004

Protiviti, Work Programs on IT Application Management, IT Asset Management, IT Data Management, IT Operations Management, IT Organization and IT Strategy Management, content/WorkProgramsAllWorkPrograms-ByTitle!OpenDocument


1 Weber, Yaakov; Nava Pliskin; “The Effects of Information Systems Integration and Organizational Culture on a Firm’s Effectiveness,” Information and Management, vol. 30, 1996, p. 81-90

2 Merali, Yasmin; Peter McKiernan; “The Strategic Positioning of Information Systems in Post-acquisition Management,” Journal of Strategic Information Systems, vol. 2, no. 2, 1993

3 Chang, Richard A.; Gary A. Curtis; Justin Jenk; “The Keys to the Kingdom: How an Integrated IT Capability Can Increase Your Odds of M&A Success,” 2002

4 Op. cit., Merali

5 Power, Richard; Dario Forte; “Sarbanes-Oxley: Maybe a Blessing, Maybe a Curse,” Computer Fraud and Security, September 2005

6 Op. cit., Weber

7 Op. cit., Chang

Barrett Sundberg
set up the preventive maintenance assignment and tracking software for Austin (Texas, USA) Bergstrom International Airport during his five years of service with the City of Austin.

Zheng-Da Tan
has five years’ experience in UNIX system administration and managing data center operations. He is a Red Hat Certified Engineer and Sun Certified System Administrator.

Trey Baublits
is an associate with the Business Risk Services group of Ernst & Young. He has two years of experience as an associate for Accountware LLC, an accounting consultancy in Austin.

Hae-Joon Lee
is an associate auditor at PricewaterhouseCoopers.

Grant Stanis
will start work for the Transaction Services group of PricewaterhouseCoopers in the third quarter of 2007. He is a student at the University of Texas at Austin, and works for State Senator Florence Shapiro. His previous work experience includes an internship with Deloitte and Touche.

Hüseyin Tanriverdi
is an assistant professor at the University of Texas at Austin. He teaches IT audit, security and business data communications courses and researches risk/return implications of IT and business strategies.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
