The Post-Acquisition Integration Audit: What to Do Before You Touch Anything

The best time to start integration planning is before the deal closes. The second best time is immediately after.

If you have the luxury of pre-close access (even limited), use it. Map systems, identify risks, start building relationships with the people you'll be working with. The more you know before Day 1, the faster you can move once you have full access.

But here's the reality: McKinsey research shows that 42% of due diligence fails to adequately identify synergies. Deal due diligence and integration planning are different exercises. Due diligence happens under time pressure, with limited access, focused on deal risk rather than operational reality.

It tells you what systems exist on paper. It doesn't tell you how people actually use those systems, or where the surprises are hiding.

This article covers the discovery and audit work that makes everything else possible.

This article is adapted from Chapter 4 of The Roll-Up Integration Playbook, our free guide to post-merger technical integration.

Why Discovery Matters

You might think you know what you acquired. You did due diligence. You saw the systems list. You talked to the management team.

But here's what due diligence typically misses:

• How people actually use those systems day-to-day
• Which spreadsheets and workarounds are secretly running critical processes
• Where the data quality problems are hiding
• Who the real power users are (and who will resist change)
• What "that one person in accounts" does that nobody else understands

Discovery fills these gaps. It gives you the ground truth you need to plan realistically.

According to Gartner, 83% of data migration projects fail or exceed budget and timelines. Much of this failure traces back to inadequate discovery. Teams assume the data was cleaner, the systems simpler, or the processes more documented than reality.

The System Inventory

Start with a complete picture of what technology exists across the acquired company.

What to Capture

• All software applications (cloud subscriptions, installed software, legacy systems)
• Hardware assets (servers, networking equipment, user devices)
• Integrations and data flows between systems
• Contracts, renewal dates, and costs
• Admin access and ownership

Where to Look

• Finance records - what are they paying for?
• IT documentation - if it exists
• Actual devices and servers - walk the office
• Browser bookmarks and installed applications on user machines
• Cloud admin consoles (Google Workspace, Microsoft 365, etc.)

What You'll Find That Wasn't in Due Diligence

The "shadow IT" that nobody mentioned:

• Critical business data living in personal Dropbox accounts
• An Access database from 2008 that runs the scheduling system
• A "closet server" in the back office running something important
• Excel spreadsheets with macros that one person maintains and everyone depends on

This isn't unusual. It's normal. But you need to know about it before you start changing things.

Warning: Small B2B services companies often have critical data in places that weren't disclosed during due diligence. Not because anyone was hiding it, but because "that's just how Dave does things" didn't seem worth mentioning. Finding these surprises during migration is much more expensive than finding them during discovery.

The Closet Server Test

Before your first planning meeting, physically walk the office. Look under desks, in back rooms, in storage cupboards.

If you find a humming box that nobody mentioned, you've found shadow infrastructure. Ask what it does. The answer is often "I think it runs the scheduling system" or "Dave set that up years ago."

That's your cue to dig deeper before you touch anything else.

Day 1 Security Baselines

Cybersecurity is often the biggest hidden risk in a £3M-£10M acquisition. Smaller companies rarely have formal security practices, and you're now connected to whatever vulnerabilities they have.

Before you do anything else, establish basic security controls.

Immediate Priorities

AreaActionPrivileged accessAudit who has admin rights. Change any shared passwords. Disable accounts of anyone who's left.Email securityEnsure MFA is enabled on all accounts. Email compromise is the most common attack vector.Endpoint protectionVerify antivirus/endpoint protection is installed and current on all devices.Backup verificationConfirm backups exist and actually work. Test a restore.Network perimeterUnderstand what's exposed to the internet. Close unnecessary ports.

What You're Looking For

• Shared admin credentials ("everyone uses the same password")
• Former employees who still have system access
• Unpatched systems or end-of-life software
• No MFA on critical systems
• Backups that haven't been tested (or don't exist)

This isn't about achieving perfect security on Day 1. It's about closing the obvious gaps that could cause immediate damage. A ransomware attack in month two of your integration will cost far more than the time spent on basic hygiene.

Warning: Don't assume the acquired company's IT person has this covered. In smaller businesses, "IT" is often someone's secondary responsibility, and security practices may be minimal or non-existent.

Department Interviews

The system inventory tells you what technology exists. The interviews tell you how work actually gets done.

Schedule time with the head of each major function: operations, sales, finance, customer service, HR. Your goal is to understand their world, not to tell them what's changing.

Questions to Ask

• Walk me through a typical day/week in your role
• What systems do you use most? What do you wish worked better?
• Where do you spend time on manual work or workarounds?
• What would break if [system X] went down tomorrow?
• Who on your team knows things that nobody else knows?
• What are you most worried about with this integration?

What You're Listening For

• Processes that depend on specific people rather than documented procedures
• Workarounds that indicate the official system doesn't meet actual needs
• Emotional attachment to current tools (this predicts resistance)
• Quick wins that would build goodwill
• Risks that weren't visible from the system inventory alone

These conversations serve a dual purpose. You're gathering intelligence, but you're also building relationships. The people you interview will be more likely to support the integration if they feel heard from the start.

For more on managing the human side, see Why Systems Don't Fail — Adoption Fails.

Data Quality Assessment

Before you plan any migration, you need to understand what you're actually inheriting. Data that looks fine in a demo environment often reveals problems when you dig in.

Common Issues to Look For

IssueWhat It Looks LikeDuplicatesSame customer entered multiple times with slight variationsIncomplete recordsRequired fields empty or filled with placeholder dataOutdated informationContact details and relationships not updated in yearsInconsistent formattingPhone numbers, dates, codes entered differently by different peopleCustom field abuseFields used for purposes they weren't designed for

How to Assess

1. Export sample data from key systems (CRM, ERP, operational databases)
2. Run basic quality checks: completeness, uniqueness, validity
3. Ask users about known data problems ("yeah, we know the customer list is a mess")
4. Check when records were last updated (stale data is often bad data)

The goal isn't to fix everything now. It's to understand the scope of cleanup required so you can plan realistically.

A CRM migration takes twice as long when 30% of records need manual review.

For detailed guidance on executing migrations, see System Migration After Acquisition: CRM, ERP, Email, HR, and Operational Tools.

Stakeholder Mapping

Integration success depends on people, not just technology. Before you start, map out who will help you and who might slow things down.

Champions

Who sees integration as an opportunity? Who's frustrated with current systems and excited about change?

These people become your allies. Involve them early, get their input, give them visibility into the process.

Skeptics and Resisters

Who has concerns about change? Who built the current systems and takes pride in them? Who's been promised "nothing will change" and is now nervous?

Here's the thing about resistance: it's rarely just stubbornness. As one experienced integration leader put it:

"People who push back often have good reasons based on their knowledge and experience. They understand things about how the business works that you don't yet. The problem is they don't always see the bigger picture or the organisation's goals. Your job is to bridge that gap, not bulldoze through it."

Understand their concerns. Address them where you can. At minimum, don't be surprised when they push back.

Research shows that 47% of acquired employees leave within the first year, rising to 75% by year three. How you handle integration, especially the human side, directly affects whether you retain the people you need.

Key Knowledge Holders

Who understands things that aren't documented? The person who's been there 15 years and knows why the process works the way it does. The admin who maintains the spreadsheet everyone depends on.

These people are critical during transition. Losing them before knowledge transfer is a major risk.

Decision Makers

Who has authority to approve changes in each area? Who needs to be consulted versus informed?

Getting this wrong means delays and rework.

Building the Integration Roadmap

With discovery complete, you can build a realistic plan. Not a fantasy timeline based on what you hoped would be true, but a grounded roadmap based on what you've actually found.

Key Inputs

• Integration level decision (see How to Decide the Right Integration Level)
• System inventory and complexity assessment
• Data quality findings and cleanup requirements
• Stakeholder dynamics and change management needs
• Business constraints (busy seasons, contract renewals, reporting deadlines)
• Resource availability (internal and external)

Sequencing Decisions

QuestionTypical AnswerWhat must happen first?Usually security and financial reportingWhat has dependencies?Can't migrate CRM until data is cleanedWhat can run in parallel?Email migration and ERP migration might be independentWhat should wait?Complex operational systems after simpler wins

Realistic Timelines

A medium-complexity integration (CRM, ERP, email, HR) typically takes 60-90 days of active work, assuming no major surprises.

Add time for:

• Data cleanup if quality is poor
• High-Touch integration with rebranding
• Significant change management concerns

For the detailed execution playbook, see The First 100 Days After an Acquisition.

Governance and Success Criteria

Before you start executing, clarify two things: who owns what, and what "done" looks like.

Governance Basics

• Integration lead: One person accountable for overall success (internal or external)
• Decision rights: Who approves changes to scope, timeline, or budget?
• Escalation path: How do issues get resolved when they arise?
• Communication cadence: How often will you update stakeholders?

Success Criteria

Agree on specific, measurable outcomes before you start.

GoodBad"All customer records migrated with less than 2% exceptions requiring manual review""CRM migration complete""Finance team produces consolidated monthly report within 5 business days of month-end""Financial reporting working"

Document your success criteria. Share them with stakeholders. Refer back to them when someone wants to add scope or declare victory early.

Key Takeaways

• Start as early as possible. Pre-close discovery is ideal, but don't delay if the deal is already done. The time you invest now saves multiples later.
• Due diligence is not integration planning. What you learned before close is a starting point, not a complete picture.
• Secure the basics on Day 1. Privileged access, MFA, endpoint protection, and backup verification are non-negotiable.
• Shadow IT is normal. Expect to find critical processes running on spreadsheets, personal accounts, and undocumented workarounds. Use the Closet Server Test.
• Resistance usually has reasons. People pushing back often understand things you don't. Bridge the gap rather than bulldozing through it.
• Assess data quality before you plan timelines. Dirty data doubles migration time.
• Define success criteria upfront. Specific and measurable, not vague and arguable.

Get the Full Playbook

This article covered the discovery and audit process. For the complete guide, including the 100-day execution timeline, system migration guidance, and ready-to-use checklists and templates, download The Roll-Up Integration Playbook.

Download the Playbook

About PMI Stack

PMI Stack helps small-to-mid cap roll-ups unify systems, data, and workflows across their acquired companies. We specialise in the technical side of post-merger integration: discovery audits, data migration, system consolidation, and the change management that makes new tools stick.

If you're planning an integration and want to talk through your specific situation, book a free discovery call.

Statistics cited from McKinsey, Gartner, and EY. For the full research compilation, see 50+ Post-Merger Integration Statistics (2026).