Three months before signing a Letter of Intent to sell his industrial SME, a CEO discovers that the acquirer — a private equity fund — has commissioned a firm to audit the company’s information systems. Two weeks later, the report lands: an ERP unmaintained since 2019, customer data locked in a proprietary format with no standard export, undocumented business customisations, and a critical dependency on a single legacy integrator at risk of going out of business. The initial valuation, built on a 9× EBITDA multiple, is renegotiated downward. The buyer maintains interest, but insists on an escrow clause and a remediation plan funded by the seller.
This scenario is no longer an exception. IT due diligence has become standard practice in M&A transactions, regardless of target size.
Why IT systems are now central to business valuation
Global M&A volume reached $3.4 trillion in 2024, up 12% from 2023 (McKinsey M&A Annual Report, 2024). In this active market, acquirers — whether private equity funds, strategic buyers, or mid-market companies pursuing buy-and-build strategies — have refined their valuation methods. One finding has become undeniable: 70 to 90% of mergers and acquisitions fail to create shareholder value (Harvard Business Review), and technology integration issues account for 50 to 70% of those failures, according to PwC’s analysis of external growth transactions (PwC M&A Integration Survey).
The direct consequence: acquirers have learned to scrutinise IT systems before signing. What auditors do for financial statements, technology due diligence specialists now do for ERP systems, databases, integrations, and cybersecurity.
For an SME or mid-market company whose value is expressed as an EBITDA multiple, every risk identified in the IT estate translates directly into a price adjustment or a restrictive clause in the purchase agreement. The Argos Index, which tracks European SME transactions, placed the median multiple at 8.6× EBITDA in Q1 2026 (Argos Index Q1 2026). In other words: for a company valued at €8 million, an IT risk estimated at €500,000 in remediation costs can reduce the valuation by 6%.
Two positions coexist in every transaction: the seller who wants to maximise valuation by presenting a clean, robust IT environment, and the buyer who wants to identify hidden risks and price them into the financial model. Both need to understand what a “high-risk IT estate” actually looks like in practice.
The 7 red flags your ERP raises during due diligence
1. An ERP without an active maintenance contract
An unmaintained ERP is a ticking time bomb. Without security patches or regulatory updates — VAT rules, e-invoicing mandates, payroll compliance — the business accumulates technical debt that is invisible to its own teams but immediately apparent to an external auditor.
The most common scenario in 2026: SMEs still running legacy versions of Sage 100 from 2016–2018, Microsoft Navision (NAV) products past end-of-life, or bespoke ERPs developed by integrators that no longer exist. The acquirer sees an immediate remediation cost and deducts it from the price.
2. Data locked in a proprietary format
Imagine an acquirer discovering that 15,000 customer records are stored in a proprietary database with no API, no structured CSV export, and the only way to extract the data is to go through the original vendor at €800 per hour.
This data captivity risk is a major red flag. It signals both vendor lock-in and an inability to migrate to a new system post-acquisition — extending integration timelines and increasing costs significantly.
3. Excessive, undocumented customisations
Most SMEs customise their ERP over time to fit their specific business processes. The problem arises when those customisations accumulate without documentation, creating what developers call “technical debt”: every modification risks breaking something else.
A Stripe report on developer productivity found that 33% of engineering time is spent managing technical debt rather than delivering new value (Stripe Developer Coefficient). In an acquisition context, that ratio translates directly into integration costs that the acquirer builds into its financial model.
4. Dependency on a single non-substitutable vendor
One integrator knows the ERP. One consultant understands the customisations. If that vendor raises prices, is acquired, or ceases operations, the business is stranded.
This critical dependency — sometimes called “key-man risk on the IT side” — is a strong negative signal during due diligence. The acquirer must assess whether it can take control of the system without depending on the goodwill of a third party.
5. No audit trail or data traceability
A well-configured ERP tracks all sensitive operations: who created a supplier record, who modified a selling price, who approved a payment. This traceability is mandatory in certain regulated industries (DORA for financial services, GxP for pharma) and highly valuable to any acquirer trying to understand how the business actually operates.
An ERP without a complete audit trail raises questions about the reliability of historical data — and by extension, about the accuracy of the figures presented during financial due diligence.
6. Latent regulatory non-compliance
Mandatory e-invoicing under EU directives, GDPR compliance for personal data, sector-specific obligations (HACCP for food manufacturing, GxP for pharma, batch traceability for distribution): every regulatory gap not addressed in the ERP represents a potential liability for the acquirer.
If the ERP does not support e-invoicing in Peppol or equivalent EU formats, the acquirer will need to fund compliance remediation post-closing. This cost, typically estimated at €20,000 to €150,000 depending on system size and complexity, is rarely anticipated by sellers.
7. Undocumented point-to-point integrations
A patchwork integration chain: ERP talking to CRM via a nightly CSV export, CRM syncing with the e-commerce platform via an unmonitored API, accounting updated by a Python script running on the CFO’s laptop. This type of architecture — common in SMEs that grew quickly — is a nightmare for any acquirer.
Each integration is a potential point of failure. A post-acquisition migration that breaks one of them can halt operations for days. Acquirers place a premium on documented architectures with maintained, monitored connectors.
The specific challenge of end-of-life ERP systems
The “end-of-life ERP” risk has become a major due diligence issue since 2025. The primary reason: SAP ECC 6.0, the ERP used by thousands of industrial and services companies across Europe, has entered its end-of-support phase.
Key dates, confirmed by RSM (SAP ECC End of Life Guide, RSM):
- 31 December 2025: end of mainstream maintenance for SAP ECC 6.0 EHP 0 to 5
- 31 December 2027: end of mainstream maintenance for SAP ECC 6.0 EHP 6 to 8
- 2028–2030: optional extended maintenance at premium cost
The challenge for a company in a sale process: according to Gartner and CIO Research data from late 2024, only 39% of SAP ECC customers had licensed S/4HANA. An acquirer taking on a business still running SAP ECC in 2026 knows it is inheriting an S/4HANA migration project within two years, with budgets ranging from several hundred thousand to several million euros depending on system size and complexity.
The same logic applies to:
- Microsoft Navision / NAV (successor: Dynamics 365 Business Central, with end of mainstream support for versions prior to BC 2019)
- Sage 100 versions prior to 2020
- Bespoke ERP systems developed more than 10 years ago with no documented modernisation roadmap
An end-of-life ERP is not a deal-killer. But it must be anticipated and correctly priced into the negotiation, with a migration cost estimate included in the data room presented to the acquirer.
Preparing your IT estate before a sale: the seller’s guide
If you are planning a sale within a 12 to 36-month horizon, preparing your IT estate is as important as preparing your financial statements. Here are the five priority levers.
Lever 1: Document the system
Map the active modules, inventory all customisations, list integrations and their data flows, and document operating procedures. This level of documentation reassures the acquirer and reduces the cost of their due diligence. A well-documented IT estate is a perceived-as-controlled IT estate — and perception directly influences buyer confidence.
Lever 2: Clean your master data
Duplicate customer and supplier records, items without valid references, analytical accounts unused for five years: cleaning master data before going to market is a high-return investment. It improves the reliability of the reports presented to the acquirer and reduces the risk of unpleasant surprises during the audit.
Lever 3: Migrate to a supported version
If your ERP is end-of-life, plan the migration before the sale rather than after. A business presenting a maintained ERP on a current version, with an active support contract, positions its IT estate as an asset rather than a liability.
This lever has a cost (see our guide on major ERP upgrade methodology), but it typically pays for itself in the sale price negotiation. The rule of thumb: a migration completed 12 months before the sale leaves enough time to stabilise the system and produce a first clean accounting period on the new version.
Lever 4: Strengthen documented cybersecurity
The average cost of a data breach stands at $4.88 million, according to the IBM Cost of a Data Breach 2024 report (IBM Security). An acquirer — especially one subject to compliance obligations such as NIS2, DORA, or ISO 27001 — will examine your security posture.
Having a recent security audit (within the last 18 months), a documented ERP access management policy, and a tested backup procedure sends a strong positive signal. These elements can typically be assembled in a few weeks with a specialist firm, for a budget generally under €20,000.
Lever 5: Build an IT data room
Mirroring the financial data room (accounts, contracts, leases), assemble an IT data room: licence and maintenance contracts, system architecture, integration documentation, security audit results, and a business continuity plan.
This preparation can shorten the technology due diligence process by several weeks and creates an impression of rigour that builds buyer confidence. Sellers who present a complete IT data room consistently face fewer warranty clauses related to IT systems in the purchase agreement.
IT due diligence for the acquirer: a 5-point checklist
If you are on the buy side, here are five points to examine systematically during technology due diligence on a target.
1. Licence and maintenance contracts
Are the ERP licences held in the name of the target company or a holding structure? Are they transferable in a change-of-control scenario without renegotiation with the vendor? Is there an active maintenance contract? These questions seem basic, but they determine operational continuity post-closing. Some vendors impose pricing renegotiations upon change of control.
2. Data portability
Can you export all data in a standard format (XML, CSV, JSON) without dependency on the original vendor? Do you have direct database access, or only through the software interface? The answer determines the cost and timeline of a potential migration to your group ERP.
3. State of technical debt
Request an inventory of customisations and an estimate of the cost to port them to the next major version. If the target cannot produce this assessment, it signals a lack of control over its own IT estate. Unevaluated technical debt is unprovisioned debt in the acquisition price.
4. Current and future regulatory compliance
Does the ERP handle mandatory e-invoicing? Payroll reporting obligations? GDPR compliance for personal data? Industry-specific regulatory requirements? Every gap is a potential liability to be factored into the price or covered by warranty clauses in the purchase agreement.
5. Business continuity plan
In the event of a major IT outage, how long does it take to restore operations? Are backups regularly tested? Is there a disaster recovery site? For businesses where IT is core to operations — distribution, manufacturing, services — this point is frequently underestimated until the first post-acquisition incident.
Key takeaways
A robust, maintained, and documented ERP is no longer just an operational tool: it is a valuation asset. Conversely, an ageing, poorly documented, undermaintained IT estate is a liability that acquirers will mechanically price into their negotiations.
The good news: most IT risks identified during due diligence are anticipatable and correctable. The key is to start 18 to 24 months before the sale — not three months before signing.
To go further, read our complete guide to ERP total cost of ownership to understand what acquirers are actually calculating, our article on post-acquisition IT consolidation if you are on the buy side in an integration phase, and our major ERP upgrade methodology guide if your ERP is end-of-life and you need to act before going to market.
