Key takeaways
- An IT system inventory is a living document that captures every technology system the business relies on: what it does, who owns it, what it costs, what it connects to, and what breaks if it goes down.
- The most common technology diligence finding in middle market M&A is undocumented integrations: data flows between systems that exist but are unknown to anyone except the person who built them.
- Shadow IT, systems and applications purchased by individual departments without IT or management awareness, represents on average 30–40% of total software spend in mid-size companies. It also represents unmanaged data risk.
- License compliance is a hidden cost in most IT environments. Software deployed beyond its licensed scope creates liability that surfaces in due diligence and can require retroactive licensing fees.
- The IT documentation that takes three months to build from scratch during a sale process can be built in two weeks if it is maintained as a living document throughout the year.
- 30–40%: Average share of software spend that is shadow IT in mid-size companies
- $50K–$200K: Typical retroactive software license cost discovered in technology diligence
- 6–10 weeks: Time to build an IT inventory from scratch during a sale process
- 3–5 business days: Time to produce the same inventory when it has been maintained throughout the year
When a buyer's technology diligence team arrives, they are looking for three things: what systems does the business run on, what does it cost, and what are the risks. Systems that are undocumented, licenses that are non-compliant, and integrations that have no owner are all findings that affect deal certainty and valuation.
The founder who waits until a sale process to build the technology inventory is doing the most expensive version of this work. The same documentation built and maintained throughout the year costs a fraction of the effort and produces operating benefits long before any sale.
What belongs in an IT system inventory
An IT system inventory is not an IT support ticket. It is a management document that captures every system the business depends on and the key attributes of each.
The seven fields every system record should include
- System name and category: The name of the system, the vendor, and the function it serves: ERP, CRM, payroll, accounting, project management, communication, security.
- Owner: The internal person responsible for the system: who manages the vendor relationship, who approves user changes, and who is called first when something breaks.
- User count and access scope: How many people have access, what roles they have, and which departments use the system. This determines the license compliance position.
- Annual cost: License fees, support fees, and implementation or customization costs paid in the current year. Include all contracts, not just the primary license.
- Data stored and sensitivity classification: What data lives in this system: customer records, employee records, financial data, intellectual property. Classify by sensitivity: public, internal, confidential, regulated.
- Integrations and dependencies: What other systems does this system connect to? Are those integrations documented, or are they undocumented scripts that someone built? What breaks if this system goes down?
- Contract terms and renewal date: When does the license expire or auto-renew? What are the termination provisions? Is there a change of control clause that requires consent from the vendor in a sale?
The integrations field is the most important and most commonly missing. A business running on an ERP, a CRM, a payroll system, and a project management tool likely has four to eight integrations between those systems. If those integrations are not documented, no one knows what data flows where or what breaks if one system is changed.
Shadow IT: the systems management does not know about
Shadow IT refers to technology systems purchased and operated by individual departments or employees outside of any central IT awareness or approval process. It is not a sign of malicious intent; it is the natural result of departments solving their own problems when central IT is slow or unresponsive.
The problem with shadow IT is not that the tools are bad. It is that the data in those tools is unmanaged: customer data stored in a departmental tool with no security controls, financial data processed in a system not covered by the company's data backup, or vendor contracts signed for systems that no one else knows the company has.
How to identify shadow IT in your organization
- Credit card and expense report audit: Search expense reports and company credit card statements for software subscriptions. Every recurring charge to an online software vendor that is not in the IT inventory is shadow IT.
- Department manager survey: Ask each department head to list every tool their team uses. Ask specifically about tools purchased on personal cards and reimbursed, tools used under a free or freemium plan, and tools used by one or two people that no one else knows about.
- Email domain search: Search the email archive for subscription confirmation emails from software vendors. Every "Your subscription to [Vendor]" email that is not in the IT inventory represents a system to add.
- Network scan (if applicable): For companies with on-premise networks or managed WiFi, a network scan can identify devices and applications connecting to the network that are not in the inventory.
Once shadow IT is identified, the decision for each system is: formalize and manage it, migrate its data to an approved system, or terminate it. The decision should be made based on the data risk and operational dependency, not on whether the tool is liked by the team that uses it.
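The credit card and expense report audit described above can be run as a reconciliation script. The following is an added example, not part of the original article: the vendor names, CSV columns and sample rows are constructed, and it assumes that any merchant charged in two or more distinct months is a subscription worth reviewing against the inventory.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data; vendor and merchant names are fictional.
INVENTORY_VENDORS = ["ExampleCRM", "LedgerCloud"]
EXPENSES_CSV = """date,merchant,amount,paid_by
2024-01-03,EXAMPLECRM.COM*SUBSCR,1200.00,corp-card-1
2024-02-03,EXAMPLECRM.COM*SUBSCR,1200.00,corp-card-1
2024-01-15,TaskPilot Inc,49.00,j.doe reimbursement
2024-02-15,TASKPILOT INC.,49.00,j.doe reimbursement
2024-03-15,TaskPilot Inc,49.00,j.doe reimbursement
2024-02-20,Airport Parking,36.00,corp-card-2
2024-01-09,SurveyNest,19.00,corp-card-3
2024-03-09,SurveyNest,19.00,corp-card-3
"""

# Tokens that card descriptors add around the vendor name.
NOISE = re.compile(r"\b(inc|llc|ltd|subscr|subscription|com)\b")

def normalize(name):
    """Reduce a card descriptor or vendor name to a comparable key."""
    spaced = re.sub(r"[^a-z0-9]+", " ", name.lower())
    return NOISE.sub(" ", spaced).replace(" ", "")

def find_unlisted_recurring(expenses_csv, inventory_vendors, min_months=2):
    """Return recurring merchants with no matching inventory vendor."""
    known = {normalize(v) for v in inventory_vendors}
    months, total, payers = defaultdict(set), defaultdict(float), defaultdict(set)
    for row in csv.DictReader(io.StringIO(expenses_csv)):
        key = normalize(row["merchant"])
        if not key:
            continue  # descriptor was all noise; nothing to match on
        months[key].add(row["date"][:7])  # YYYY-MM
        total[key] += float(row["amount"])
        payers[key].add(row["paid_by"])
    findings = []
    for key, seen in months.items():
        if len(seen) < min_months:
            continue  # one-off charge, not a subscription
        if any(k in key or key in k for k in known):
            continue  # already has an inventory record
        findings.append({"merchant_key": key, "months": len(seen),
                         "total": round(total[key], 2),
                         "paid_by": sorted(payers[key])})
    return sorted(findings, key=lambda f: -f["total"])

if __name__ == "__main__":
    for finding in find_unlisted_recurring(EXPENSES_CSV, INVENTORY_VENDORS):
        print(finding)
```

Reimbursed personal-card charges appear in the `paid_by` column, which is where tools bought outside the corporate card tend to show up.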
License compliance and change of control provisions
Software license compliance is a specific IT documentation requirement that has direct financial consequences in a sale process. Most software licenses specify how many users can access the system, how the system can be deployed, and what happens if the company is acquired.
License non-compliance discovered during diligence creates liability for retroactive licensing fees. A vendor who discovers their software has been deployed for 80 users against a 40-user license can demand a true-up payment before the sale closes. These amounts are typically non-negotiable.
Change of control provisions in software licenses are a frequently overlooked closing risk. A CRM or ERP vendor whose contract includes a change of control clause may require consent to transfer the license, may impose a transfer fee, or may use the change of control as an opportunity to renegotiate pricing. Reviewing all major software contracts for change of control provisions is a pre-sale task, not a diligence-response task.
Maintaining the inventory as a living document
An IT inventory built once and never updated becomes stale within six months as new systems are added, old systems are retired, and integrations change. The maintenance discipline is what makes the inventory valuable.
Minimum IT inventory maintenance cadence
- When a new system is purchased or subscribed to: Add a record to the inventory within five business days of going live; do not allow systems to operate without a record.
- When a user changes (new hire, termination, role change): Update user counts in the inventory; remove access for terminated employees on the day of termination.
- Quarterly: Review all systems for usage; retire unused licenses; confirm user counts are accurate; check for upcoming renewals.
- Annual: Conduct a full license compliance review for the top 10 systems by cost; review all vendor contracts for change of control and auto-renewal provisions; confirm integrations are still operating as documented.
The quarterly review is the highest-leverage maintenance activity. It catches unused licenses before they auto-renew, identifies user count drift before it becomes a compliance issue, and surfaces new shadow IT before it accumulates into a documentation problem.
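The quarterly checks can be automated once the inventory is kept as structured records. The following is an added example, not part of the original article: the field names, finding labels, 90-day renewal window and sample records are assumptions, and the system and user names are fictional.

```python
from datetime import date

# Assumed field names, loosely following the record fields described earlier.
REQUIRED = ("owner", "licensed_users", "users", "annual_cost",
            "data_classification", "integrations", "renewal_date")

# Constructed sample records.
INVENTORY = [
    {"name": "ExampleCRM", "owner": "VP Sales", "licensed_users": 3,
     "users": ["ana", "ben", "cy", "dee"], "annual_cost": 14400,
     "data_classification": "confidential", "renewal_date": date(2024, 5, 1),
     "integrations": [{"to": "LedgerCloud", "documented": False}]},
    {"name": "LedgerCloud", "owner": "Controller", "licensed_users": 5,
     "users": ["ana", "eli"], "annual_cost": 9000,
     "data_classification": "regulated", "renewal_date": date(2024, 11, 15),
     "integrations": [{"to": "PayrollBox", "documented": True}]},
    {"name": "TaskPilot", "owner": None, "licensed_users": 10,
     "users": ["ben"], "annual_cost": 588,
     "data_classification": None, "renewal_date": date(2024, 4, 10),
     "integrations": []},
]
TERMINATED = {"cy"}  # constructed list of departed employees

def quarterly_review(inventory, terminated, today, renewal_window_days=90):
    """Return sorted (system, finding) pairs for the quarterly checks."""
    names = {rec["name"] for rec in inventory}
    out = []
    for rec in inventory:
        n = rec["name"]
        for field in REQUIRED:
            if rec.get(field) is None:
                out.append((n, f"missing:{field}"))
        users = rec.get("users") or []
        licensed = rec.get("licensed_users")
        if licensed is not None and len(users) > licensed:
            out.append((n, f"over_license:{len(users)}/{licensed}"))
        for user in sorted(set(users) & terminated):
            out.append((n, f"terminated_user_active:{user}"))
        for link in rec.get("integrations") or []:
            if not link["documented"]:
                out.append((n, f"undocumented_integration:{link['to']}"))
            if link["to"] not in names:
                out.append((n, f"integration_target_not_in_inventory:{link['to']}"))
        renewal = rec.get("renewal_date")
        if renewal and 0 <= (renewal - today).days <= renewal_window_days:
            out.append((n, f"renewal_due:{renewal.isoformat()}"))
    return sorted(out)
```

An integration that points at a system with no record of its own is reported separately, since it usually means either shadow IT or a retired system that something still depends on.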
Disclaimer: Financial figures and case studies in this article are illustrative, based on representative middle market assumptions, and are not guarantees of outcome. Statistical references are drawn from cited third-party research; individual transaction and operational results vary based on business characteristics, market conditions, and deal structure. This content is for informational purposes only and does not constitute legal, financial, or investment advice. Consult qualified advisors for guidance specific to your situation.

