Cyber security
15.11 2023

A Company Must Not Be Bought Without a Pre-transaction IT Audit

It is a volatile time for economy, which always leads to businesses being purchased and sold. For some, it provides a good opportunity to improve their market position, and for others, an opportunity to sell their life's work.

Obviously, no one buys a pig in a poke, so every merger or acquisition transaction (M&A transaction) means a thorough financial and legal analysis. On top of that, there is the pre-transaction IT audit, which plays an increasingly important role these days, and takes apart the IT solutions of the acquired or sold company and their management issues.

The functioning of information systems is vital in business, even if it is an "old school" type of manufacturing or service company where information technology has more of a support function. However, even a data leak or a failure of the customer service system can seriously paralyse the company's operations, and no one wants to face such situations. 

Based on international studies done by KPMG, 90 percent of companies have faced at least one cyber attack, and 26 percent of those incidents forced companies to suspend their operations temporarily. The impact of the incident on the company's operations can be very severe. 

Therefore, in the case of M&A transactions, it is necessary to make sure what the IT posture of the company to be purchased or merged is like behind the scenes. An IT audit is absolutely crucial in transactions where a company offering a technological product or service is purchased. For example, a software product requires extensive testing to ensure that it actually works. It includes the analysis of the software product's source code, so that it would not come as a bad surprise that the code has more holes than Swiss cheese.

Start-ups focusing on IT solutions are constantly testing their products because the sale of the company is written into their business plans. Product development that follows specific processes creates a strong foundation for a later exit and allows the owners to ask for a higher price for their company. Despite this, the acquisition of a start-up must also include a thorough pre-transaction analysis.

Checking cyber security posture is of critical importance

The IT solutions of the transaction parties must fit together well and, in addition to ensuring business continuity and security, create synergy, which is one of the goals of M&A transactions. For example, if companies that are parties to an M&A transaction use network solutions from different manufacturers and from different times, the integration of their systems will mean financial and other resource costs that must be taken into account. The same applies in the field of information security. For example, if they use cyber protection solutions that were last updated 4-5 years ago, the solutions may be hopelessly out of date.

During the audit, the cyber security policy and other information security documentation as well as their implementation should be examined. In addition, a vulnerability assessment and a security risk assessment should be conducted to identify possible weaknesses.

What to check in terms of information security?

  • A closer look at the information security system shows how the system is structured and whether the existing system provides adequate protection.
  • You need to establish how third parties handle the company's data and information.
  • Is access control clearly in place in a cloud-based file sharing system to prevent ransomware or uninvited guests from entering the company's network?
  • Competence of employees must ensure adequate behaviour during cyber incidents.
  • It is necessary to get an overview of the processes and guidelines on how a possible incident is managed within the organization and, if necessary, together with external partners.

The pre-transaction IT audit must be documented.

An IT audit helps transaction parties understand the company's technological environment, assess risks and ensure the company's smooth transition to new owners. Before the audit, the transaction parties must agree on the objectives of the procedure and their expectations. It is a data-intensive undertaking because the audit may include an inventory of IT systems and equipment, an overview of software, licenses and certificates, business continuity principles, etc.

The information and results gathered during the audit process must be thoroughly documented. It must include the progress of the audit process, the deficiencies found and recommendations for their correction. After all, the purpose of the audit is to get an honest and comprehensive overview of the IT posture of the company involved in the M&A transaction and to avoid disputes in the final phase of the M&A transaction or later.

An audit ensures that both transaction parties fully understand the company's technological environment and identify risks to be addressed. The red flags in IT provide grounds for the buyer to demand that the deficiencies be corrected or to negotiate a lower price. With a properly performed IT audit, the seller receives confirmation that the offered deal is fair and there will be no surprises for either party.

Mihkel Kukk

Head of Cyber Security
+372 521 4332

Bolstering Cyber Resilience with High-Quality Red Teaming

The escalating complexity and frequency of cyberattacks pose a critical risk to the stability of f..

Cyber security

KPMG recognized as a Leader in Cybersecurity Consulting Services in Europe

According to The Forrester Wave: Cybersecurity Consulting Services in Europe, Q1 2024.

We are excit..

Cyber security

Cyber Security Expert: IT Hygiene Should Not Be Neglected During Holidays and Vacations

The line blurring between work and spare time, and the widespread use of remote work mean that peo..

Cyber security

How To Prepare for Overcoming a Cyber Incident

It is no longer a question of if cyber incidents take place, but when they will take place. Based ..

Cyber security

Too Many Companies Underestimate IT Risks

Mihkel Kukk, Head of Cyber Security Services at KPMG, notes that, although great importance is att..

Cyber security

Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
Ahtri 4, 10151 Tallinn, Estonia
KPMG Baltics KPMG Global Privaatsuspoliitika
Email again:

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Email again:

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Email again:

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Email again: