Most PE deal principals are managing 4-6 active investments simultaneously, plus sourcing, plus LP relations. IT due diligence is not their primary job. This guide is for them.
The 90-minute framework: 30 minutes on Monday morning, 60 minutes on Thursday afternoon.
Monday Morning: Portfolio IT Risk Pulse (30 minutes)
Every Monday morning, run this review:
Portfolio IT Risk Scores: Pull ACQI’s portfolio dashboard. Look at the IT risk scores for each portfolio company. Any red flags? Any company that has deteriorated since last week?
Active IT Integration Projects: If any portfolio company is in active integration, check the integration status report. Are the Day 1 IT checklist items complete? Are the IT synergy trackers on plan?
New Vulnerabilities: Any critical new vulnerabilities disclosed that affect portfolio companies’ tech stacks? (Zero-day vulnerabilities, major cloud provider outages, new CVEs with CVSS > 9.0)
The Monday review is a pulse check — not a deep dive. It’s asking: is anything on fire this week?
Thursday Afternoon: Active Deal Review (60 minutes)
Thursday afternoon is when you do the substantive IT DD work for deals in your pipeline.
For each active deal:
Pre-LOI: Review any available ACQI pre-DD data (if the target has been scanned). No access required — the seller may have provided a report, or you may have done a passive scan.
Post-LOI, pre-signing: If IT DD was commissioned, review the IT DD memo. Focus on the 3-5 high-impact findings and the deal model impact. Make sure the deal team is incorporating IT findings into the deal terms.
Post-signing, pre-close: Monitor the integration preparation status. The Day 1 IT checklist should be complete at Day 1 minus 14 days. Any incomplete items should be escalated.
Post-close: Confirm ACQI discovery scan was commissioned for Day 30. Review the initial findings. Make sure the integration is on plan for IT synergy capture.
The IT DD Reading List for PE Professionals
You don’t need to be an IT expert. You need to be able to:
Read an IT risk score: ACQI’s security score (0-100) means: above 70 is acceptable, above 80 is good, below 50 is high risk. A score below 50 means the company has significant unaddressed vulnerabilities.
Understand the integration timeline: IT integration takes 18-36 months for a full platform integration. If a deal model shows IT synergies being captured in year 1, the integration timeline is probably compressed.
Recognize the warning signs: Service accounts with no owner, cloud waste > 20% of monthly cloud spend, MFA coverage < 80%, SaaS shadow IT > 30% — these are the warning signs that should trigger a deeper IT DD.
The 5 IT Questions Every PE Deal Principal Should Ask
- What is the company’s IT risk score? (If you don’t know, ask for an ACQI scan)
- What percentage of the IT team will be retained post-close? (Losing the IT team post-close is an integration risk)
- What are the top 3 IT findings in the DD report? (You should be able to summarize them in 2 minutes)
- What integration timeline is the deal model based on? (Verify vs. industry average of 18-36 months for full IT integration)
- What are the IT synergy projections and are they credible? (Real IT synergies need a to-do list behind them — if the synergy has no plan, it won’t be captured)