Obviously, no one buys a pig in a poke, so every merger or acquisition transaction (M&A transaction) means a thorough financial and legal analysis. On top of that, there is the pre-transaction IT audit, which plays an increasingly important role these days, and takes apart the IT solutions of the acquired or sold company and their management issues.
The functioning of information systems is vital in business, even if it is an "old school" type of manufacturing or service company where information technology has more of a support function. However, even a data leak or a failure of the customer service system can seriously paralyse the company's operations, and no one wants to face such situations.
Based on international studies done by KPMG, 90 percent of companies have faced at least one cyber attack, and 26 percent of those incidents forced companies to suspend their operations temporarily. The impact of the incident on the company's operations can be very severe.
Therefore, in the case of M&A transactions, it is necessary to make sure what the IT posture of the company to be purchased or merged is like behind the scenes. An IT audit is absolutely crucial in transactions where a company offering a technological product or service is purchased. For example, a software product requires extensive testing to ensure that it actually works. It includes the analysis of the software product's source code, so that it would not come as a bad surprise that the code has more holes than Swiss cheese.
Start-ups focusing on IT solutions are constantly testing their products because the sale of the company is written into their business plans. Product development that follows specific processes creates a strong foundation for a later exit and allows the owners to ask for a higher price for their company. Despite this, the acquisition of a start-up must also include a thorough pre-transaction analysis.
The IT solutions of the transaction parties must fit together well and, in addition to ensuring business continuity and security, create synergy, which is one of the goals of M&A transactions. For example, if companies that are parties to an M&A transaction use network solutions from different manufacturers and from different times, the integration of their systems will mean financial and other resource costs that must be taken into account. The same applies in the field of information security. For example, if they use cyber protection solutions that were last updated 4-5 years ago, the solutions may be hopelessly out of date.
During the audit, the cyber security policy and other information security documentation as well as their implementation should be examined. In addition, a vulnerability assessment and a security risk assessment should be conducted to identify possible weaknesses.
An IT audit helps transaction parties understand the company's technological environment, assess risks and ensure the company's smooth transition to new owners. Before the audit, the transaction parties must agree on the objectives of the procedure and their expectations. It is a data-intensive undertaking because the audit may include an inventory of IT systems and equipment, an overview of software, licenses and certificates, business continuity principles, etc.
The information and results gathered during the audit process must be thoroughly documented. It must include the progress of the audit process, the deficiencies found and recommendations for their correction. After all, the purpose of the audit is to get an honest and comprehensive overview of the IT posture of the company involved in the M&A transaction and to avoid disputes in the final phase of the M&A transaction or later.
An audit ensures that both transaction parties fully understand the company's technological environment and identify risks to be addressed. The red flags in IT provide grounds for the buyer to demand that the deficiencies be corrected or to negotiate a lower price. With a properly performed IT audit, the seller receives confirmation that the offered deal is fair and there will be no surprises for either party.
Head of Cyber Security
mihkelkukk@kpmg.com
+372 521 4332
IT or cyber security training is more engaging when delivered by trainers who a..
When planning your cyber defence strategy, it’s crucial to recognise that vulne..
The escalating complexity and frequency of cyberattacks pose a critical risk to the stability of f..
According to The Forrester Wave: Cybersecurity Consulting Services in Europe, Q1 2024.
We are excit..
The line blurring between work and spare time, and the widespread use of remote work mean that peo..
Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.
Analysis of employee awareness focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.
Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.
Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.