playbook

IT Due Diligence at the LOI Stage: The 2-Week Sprint That Changes Deal Terms

LOI-stage IT DD is fast and cheap. It catches the issues that would kill a deal or change the price. Here's the framework that works.

Luna

Most PE firms do IT due diligence after signing the purchase agreement. This is backwards.

The right time for IT DD is at the LOI stage — when you still have negotiating leverage, the seller is motivated, and a negative finding can still change the deal terms.

A 2-week IT DD sprint at LOI stage catches:

  • Identity environments that are a mess (and will cost $500K+ to fix)
  • Cloud waste that’s $200K/year and growing
  • SaaS shadow IT that creates GDPR Article 28 liability
  • Security posture that would require $1M+ in remediation

All of which change the deal price, the reps and warranties, or the escrow holdback — if you find them before the purchase agreement is signed.

The LOI-Stage IT DD Sprint: 2 Weeks

Week 1: Discovery and Risk Assessment

Day 1-2: Access and Setup

  • Execute NDA and get read-only access to the target’s IT environment (Azure AD, AWS if applicable, M365)
  • Deploy ACQI’s discovery modules (condensed set: identity, SaaS, cloud waste, security posture — 20 modules instead of 89)
  • Run discovery in parallel with the business DD team

Day 3-5: Discovery Pass

  • Identity findings: total accounts, privileged accounts, service accounts, MFA coverage, Azure AD P2 status
  • SaaS findings: total applications, duplicate applications, shadow IT percentage, license waste
  • Cloud waste: total monthly cloud spend, orphaned resources, over-sized instances
  • Security posture: vulnerability count (critical/high), EDR coverage, MFA coverage

Day 6-7: Risk Scoring

  • Score each finding by business impact and remediation cost
  • Identify the 3-5 findings that are deal-killers or deal-changers

Week 2: Deal Impact Analysis

Day 8-9: Cost Quantification

  • For each high-impact finding, estimate the remediation cost (low/mid/high range)
  • Convert costs to deal model impact: adjustment to purchase price, escrow amount, specific indemnity
  • Calculate integration cost premium: if the target’s IT environment requires more remediation than average, what’s the integration cost premium vs. the deal model assumption?

Day 10-12: Deal Structure Recommendations

  • Prepare IT DD memo for the deal team
  • Identify specific representations and warranties that should be added to the purchase agreement
  • Recommend IT-specific escrow holdback (typically 1-2% of deal value for significant findings)
  • Recommend specific indemnities for known IT risks

Day 13-14: Deal Team Presentation

  • Present findings to the deal team
  • Recommend deal structure changes (if any)
  • Confirm whether to proceed to signing, proceed with conditions, or decline

The LOI-Stage IT DD Findings That Change Deals

Finding 1: No Azure AD P2 = No Conditional Access

If the target has no Azure AD P2 licenses, they have no conditional access policies. This means they have no real access governance for M365.

Remediation cost: Azure AD P2 licensing for all users, plus implementation of conditional access policies. For a 1,000-user company: $60K-$120K in licensing plus $30K-$60K in implementation.

Deal impact: Add to integration cost estimate.

Finding 2: SaaS Shadow IT > 30% of Application Count

If ACQI’s SaaS scan finds that more than 30% of the applications in use are shadow IT (not known to IT), the IT governance maturity is low. Integration risk is high.

Remediation cost: IT governance program implementation, plus GDPR Article 28 DPA remediation for shadow IT apps processing personal data. For a 1,000-user company in an EU-regulated industry: $150K-$400K.

Deal impact: Add to integration cost estimate plus specific reps and warranties for GDPR compliance of shadow IT applications.

Finding 3: Cloud Waste > 25% of Monthly Cloud Spend

If 25%+ of the target’s cloud bill is waste (orphaned resources, over-sized instances, unused storage), the IT team is not actively managing the cloud environment. This is a management quality signal.

Deal impact: Not a direct cost, but a negotiation signal. Cloud waste is a recurring cost that should be reflected in the target’s operating expense projections.

Finding 4: Critical Vulnerability Count > 20

If the target has more than 20 critical/high vulnerabilities across their external-facing and internal systems, the security posture is below an acceptable threshold. This is a risk transfer problem.

Remediation cost: 90-day remediation sprint to close critical vulnerabilities. For a mid-size company: $100K-$300K in external security consulting.

Deal impact: Remediation reserve plus specific reps and warranties that critical vulnerabilities are remediated within 90 days post-close.
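
The four finding thresholds above, together with the Week 2 cost and escrow steps, applied to raw discovery data. This is an added example, not code from the article or from ACQI's tooling. The input layout, function names and sample values are assumptions; the thresholds and dollar ranges are the article's reference-case figures.

```python
from dataclasses import dataclass

# Thresholds and cost ranges are the article's (1,000-user / mid-size reference
# cases); the input dictionary layout is an assumption made for this example.
SHADOW_IT_MAX = 0.30      # Finding 2: more than 30% of applications
CLOUD_WASTE_MIN = 0.25    # Finding 3: 25%+ of monthly cloud spend
CRIT_HIGH_MAX = 20        # Finding 4: more than 20 critical/high vulnerabilities

@dataclass
class Finding:
    name: str
    measured: str
    cost_low_usd: int
    cost_high_usd: int

def ratio(part, whole):
    return part / whole if whole else 0.0   # empty inventory -> 0, not a crash

def evaluate(target):
    """Return the article's deal-changing findings triggered by discovery data."""
    out = []
    if target["aad_p2_licenses"] == 0:
        # $60K-$120K licensing plus $30K-$60K implementation
        out.append(Finding("No Azure AD P2", "0 licenses", 90_000, 180_000))
    apps = target["apps"]
    shadow = ratio(sum(not a["known_to_it"] for a in apps), len(apps))
    if shadow > SHADOW_IT_MAX:
        out.append(Finding("SaaS shadow IT", f"{shadow:.0%} of apps", 150_000, 400_000))
    res = target["cloud_resources"]
    waste = ratio(sum(r["waste_usd"] for r in res), sum(r["monthly_usd"] for r in res))
    if waste >= CLOUD_WASTE_MIN:
        # The article treats this as a negotiation signal, not a direct cost
        out.append(Finding("Cloud waste", f"{waste:.0%} of spend", 0, 0))
    crit_high = sum(v in ("critical", "high") for v in target["vuln_severities"])
    if crit_high > CRIT_HIGH_MAX:
        out.append(Finding("Critical vulnerabilities", f"{crit_high} open", 100_000, 300_000))
    return out

def deal_impact(findings, deal_value_usd):
    """Sum remediation ranges and apply the article's 1-2% escrow guideline."""
    low = sum(f.cost_low_usd for f in findings)
    high = sum(f.cost_high_usd for f in findings)
    escrow = (deal_value_usd // 100, deal_value_usd // 50) if findings else (0, 0)
    return {"remediation_usd": (low, high), "escrow_usd": escrow}

# Constructed sample target, not real discovery output
SAMPLE = {
    "aad_p2_licenses": 0,
    "apps": [{"known_to_it": i >= 4} for i in range(10)],           # 4 of 10 shadow
    "cloud_resources": [{"monthly_usd": 700, "waste_usd": 0},
                        {"monthly_usd": 300, "waste_usd": 300}],     # 30% waste
    "vuln_severities": ["critical"] * 8 + ["high"] * 13 + ["low"] * 40,
}
```

Calling `deal_impact(evaluate(SAMPLE), deal_value_usd)` gives the remediation range and escrow range that feed the Section 4 and Section 5 entries of the memo.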

The Deliverable: IT DD Memo for Deal Team

The LOI-stage IT DD memo should be 5-7 pages. Structure:

Section 1: Executive Summary (1 page)

  • Overall IT risk rating: Green / Amber / Red
  • Top 3 findings and deal impact
  • Recommended deal structure changes

Section 2: IT Estate Overview (1 page)

  • User count, application count, cloud spend summary
  • Key infrastructure decisions (AD environment, M365 tenant status, primary cloud provider)

Section 3: High-Impact Findings (2-3 pages)

  • Finding description
  • Business impact
  • Remediation cost estimate (low/mid/high)
  • Integration plan implication

Section 4: Integration Cost Estimate (1 page)

  • Total integration cost estimate (based on IT DD findings)
  • IT synergy estimate (cloud optimization, SaaS deduplication)
  • Net integration cost / (savings) to add to deal model

Section 5: Recommendations (1 page)

  • Deal structure recommendations
  • Specific reps and warranties to add
  • Escrow / holdback recommendation
  • Conditions to signing (if any)
