You have just acquired a company, or are about to do so. The financials add up, the clients are happy, the staff are motivated – but the IT is a disaster. Outdated servers, no backups, passwords on sticky notes, software licences nobody recognises. This is not an exceptional situation. It is the rule. An IT Discovery & Cleanup audit maps out what exists, what is missing, what poses a security risk and what needs to be addressed urgently. An IT Discovery & Cleanup audit is a technical evaluation used to inventory assets and remediate security risks after a business merger or acquisition. It is used when a new owner needs to transform a fragmented, legacy IT setup into a secure, managed infrastructure.
This article explains how such an audit works, what you will know afterwards, and how ITAF handles this for SMBs in Flanders.
Why is IT always a surprise in a business acquisition?
Definition: IT Due Diligence is the process of investigating a target company’s IT assets, policies, and digital risks before or during an acquisition.
Due diligence typically covers financials, personnel and legal obligations thoroughly. IT is often assessed superficially or skipped entirely. Yet the IT risks in an acquisition can be significant:
- End-of-life servers that are no longer supported and contain active security vulnerabilities
- Microsoft 365 or software licences registered under a previous owner or employee
- No functioning backups, or backups that have not been tested for months
- Client personal data without GDPR-compliant security or data processing agreements
- Unknown cloud subscriptions generating monthly costs that nobody uses any more
- Critical business data stored only locally on a single old PC
Each of these situations can lead to data loss, security incidents, fines or operational downtime. A Discovery & Cleanup audit makes them visible before they become problems.
What does an IT Discovery & Cleanup audit cover?
A professional IT audit in an acquisition context consists of three components: inventory, risk assessment and a priority plan.
How is the IT Inventory conducted?
We map everything that exists: every PC, laptop, server, network component, cloud subscription and software licence. This produces a complete IT asset register that you, as the new owner, can use as the starting point for management and planning.
How is the Risk Assessment performed?
Each element in the inventory is assessed for risk. We look at security vulnerabilities (unpatched systems, weak passwords, missing MFA), GDPR compliance (processing register, backups, encryption), operational vulnerability (single points of failure, no redundancy) and cost management (duplicate subscriptions, redundant licences).
What is included in the Priority Plan?
Based on the risk assessment we produce a priority matrix: what you address this week (critical), what in the coming month (important) and what over the longer term (optimisation). You receive a clear report with concrete recommendations and cost estimates.
What is the ITAF Discovery & Cleanup approach in 30 days?
| Phase | What happens |
| Week 1 – Baseline assessment | On-site visit, interviews with key users and the previous IT manager if available. Automated scan of network and devices. Initial overview of critical risks. |
| Week 2 – Deep analysis | Detailed assessment of servers, cloud environments, backups and licences. GDPR quick scan: processing register, DPAs, encryption. |
| Week 3 – Reporting | Delivery of the audit report: inventory, risk matrix and priority plan. Presentation to the new owner(s). |
| Week 4 – Remediation starts | Addressing critical items: password hygiene, backup configuration, patching of urgent security vulnerabilities. Start of managed support. |
What are the most common IT problems in acquisitions?
Based on our experience with IT audits in acquisitions across Flanders, we repeatedly encounter the same issues:
- Servers running Windows Server 2012 or older, out of Microsoft support for years and without security updates
- No or inadequate backups: a backup schedule exists, but backups have not been tested for months and turn out to be corrupt
- Microsoft 365 tenants owned by the previous IT provider, meaning the new owner has no control over their own data
- Passwords shared between multiple employees or unchanged for years
- Cloud subscriptions for tools nobody uses any more, together costing hundreds of euros per month
- No processing register and no GDPR documentation, despite the business processing client personal data
What happens after the audit? (Priority plan and cost estimates)
The final report of a Discovery & Cleanup audit always consists of three parts:
- Critical remediations (to be addressed within 30 days): security vulnerabilities, backup failures, access management. These are items where every day of delay increases the risk.
- Medium-term improvements (1 to 6 months): migrations, hardware upgrades, licence optimisation, GDPR compliance. Important, but not acute.
- Strategic roadmap (6 to 24 months): infrastructure modernisation, cloud migration, IT cost optimisation. These are the investments that prepare your IT for the growth of the business.
Every recommendation is accompanied by a cost estimate, so that you as the new owner can make informed decisions about what to address and when.
Frequently asked questions (FAQ)
How much does an IT Discovery & Cleanup audit cost for a company of 30 employees?
For an SMB of 20 to 40 employees, ITAF charges on average between €1,800 and €3,500 for a full audit including report and presentation. The price depends on the complexity of the infrastructure and the availability of existing documentation.
Can I have the audit carried out before the formal acquisition?
Yes, and we strongly recommend it. An IT audit before the acquisition gives you negotiating leverage and prevents unpleasant surprises. We can also work under NDA if required.
How quickly can ITAF start an audit?
In most cases we can be on-site within a week of the intake meeting for the first phase. In urgent situations (company already acquired, critical issues present) we can sometimes start within 48 hours.
What if the previous IT manager is no longer available to answer questions?
This is a scenario we regularly encounter. Through automated scans and forensic analysis we can recover most information even without the cooperation of the previous manager. It takes slightly longer, but it is feasible.
Will ITAF also take on the ongoing management afterwards?
That is possible, but not required. Some clients complete the audit and carry out the remediations themselves. Others opt for a fully managed service contract. We work with you in whatever way best fits your situation.
What if the IT infrastructure is so outdated that a full replacement is necessary?
We see this too. In that case we present a phased replacement plan with clear priorities and cost estimates. We can also assist with financing through Hardware as a Service or leasing arrangements.
Request an IT audit for your acquired company
Don’t let legacy IT debt compromise your new investment. At ITAF, we specialize in helping businesses in Flanders and Brussels periphery transition to secure, modern infrastructure.
Request a free intake meeting. We will discuss your specific situation and provide an immediate first estimate of the complexity and timeline for your IT audit.
