IT Pre-Acquisition Assessment Services | Risk Management Experts - Lazarus Alliance. Call +1 (888) 896-7580 today!

A Lazarus Alliance IT Pre-Acquisition Assessment is a structured, phased due diligence audit focused on IT, cybersecurity, data protection, and regulatory compliance risks for an acquiring firm evaluating a target firm.

It is designed specifically for smaller professional-services firms like CPA practices, prioritizing high-impact risks first while minimizing operational disruption. The assessment aligns with Lazarus Alliance’s underlying audit program and is managed entirely through the Continuum GRC portal.

Core Characteristics of the Audit

  • Scope: 8 sections covering the full IT and security environment, plus acquisition-specific transition risks:
    • A. IT Governance and Asset Inventory (MSP ownership, hardware/software inventories, policies, BC/DR plan)
    • B. Identity and Access Management (user accounts, MFA, admin privileges, password policies)
    • C. Endpoint and Network Security (EDR/AV, patching, firewalls, network diagrams, vulnerability scanning)
    • D. Data Protection and Confidentiality (backups, encryption, client portals, data storage/flows)
    • E. Cloud and SaaS Environment (Microsoft 365 Secure Score, DLP, external sharing, AI tools, SOC 2 reports)
    • F. FTC Safeguards Rule Compliance (GLBA) (Written Information Security Program / WISP, Qualified Individual designation, risk assessments, training, vendor agreements)
    • G. Cyber Incident History and Threat Exposure (incident summary, cyber insurance certificate, phishing tests, external attack surface)
    • H. Transition-Specific Information (system inventories, contract termination/assignment terms, data preservation, departing staff)
  • Phased “Wave” Structure (to respect a smaller firm’s capacity):
    • Wave 1 (≈18–20 items, “Issue Immediately”): Highest-risk, quick-to-obtain items that determine whether deeper investigation is warranted. Covers MSP contract, active user accounts, MFA enforcement, EDR coverage, patch status, backups, M365 config/Secure Score, WISP/QI designation, cyber insurance, incident history summary, and basic transition inventory.
    • Wave 2 (≈42–44 items, “Issue After Wave 1 Review”): More labor-intensive items (detailed policies, vulnerability scans, data-flow maps, admin rights reviews, SOC 2 reports, etc.). Issued only after Wave 1 is substantially complete and reviewed; scope may be narrowed or expanded based on findings.
  • Submission Rules:
    • All uploads go into pre-defined section folders in the Continuum GRC portal.
    • Acceptable formats are explicitly listed (Excel/CSV exports, screenshots, PDFs, Word docs, or brief written confirmations).
    • If a document does not exist, upload a short written confirmation — absence is noted as a finding but not penalized.
    • MSP coordination is strongly recommended (many Wave 1 exports come directly from the MSP console).

Typical Lazarus Alliance Audit Timeline

The Client Request List (CRL) explicitly defines only the first milestone; the rest follows standard pre-acquisition due diligence logic (aligned with deal timing). Here is a realistic timeline based directly on the framework:

| Phase | Timing (from Kickoff) | Key Activities | Owner |
|---|---|---|---|
| Kickoff & CRL Issuance | Day 0 | Full Client Request List issued + Continuum GRC access | Lazarus Alliance and Deal Team |
| Wave 1 Collection | Days 1–14 | 18–20 highest-priority items (MSP contract, users, MFA, EDR, backups, etc.) | Target firm + MSP |
| Wave 1 Review & Wave 2 Issuance | Days 15–18 | Rapid review of Wave 1, red-flag identification, and tailored Wave 2 issued | Lazarus Alliance |
| Wave 2 Collection | Days 19–35 (≈2.5 weeks) | Remaining ~42 items (detailed policies, scans, SOC 2 reports, etc.) | Target firm + MSP |
| Full Analysis & Gap Assessment | Days 36–45 | Detailed risk mapping, FTC/GLBA review, and deal implications | Lazarus Alliance |
| Findings / Report Delivery | Days 46–56 (Week 7–8) | Final report delivered to the deal team | Lazarus Alliance and Deal Team |

Total typical duration: 4–8 weeks

  • Fast-track (4–6 weeks): Possible with immediate MSP coordination and rapid Wave 2 turnaround.
  • Standard (6–8 weeks): Recommended for most CPA-firm acquisitions to allow thorough review.

This compressed schedule front-loads the highest-risk items (still completed in the first two weeks) and keeps the entire engagement agile for tighter deal timelines. All documentation continues to be managed in the Continuum GRC portal.

Frequently Asked Questions

The two-wave structure respects the operational capacity of a smaller CPA firm. Wave 1 (18–20 items) delivers the highest-risk information within 14 days. Wave 2 (≈42 items) is issued only after Wave 1 review, so the scope can be adjusted based on findings, reducing unnecessary effort.

The compressed timeline is 4–8 weeks from kickoff. Wave 1 is due in 14 days, Wave 2 collection takes ≈2.5 weeks, and the remaining time is used for analysis and final report delivery. Fast-track engagements can be completed in 4–6 weeks with strong MSP support.

Simply upload a brief written confirmation (Word doc or email converted to PDF is fine). The absence of key documents is noted as an audit finding but is expected for many small firms and will not be penalized.

Yes — we strongly recommend looping in your MSP at kickoff. Many Wave 1 exports (user accounts, MFA status, EDR coverage, patch reports) are most efficiently pulled directly from the MSP console.

All documents are uploaded directly into the secure Continuum GRC portal using the provided section folders and the naming convention [Section]-[Item Number]_[Brief Description]. Progress is tracked with status codes (NR, OS, PR, RC, NA, EX).

It provides immediate visibility into hidden risks, protects deal value through early identification of liabilities, ensures FTC Safeguards Rule / GLBA compliance, smooths post-acquisition transition, and gives the acquiring firm concrete data for valuation adjustments and remediation planning.

Yes. Section F is dedicated to FTC Safeguards Rule (Gramm-Leach-Bliley Act) compliance, including the Written Information Security Program (WISP), Qualified Individual designation, risk assessment, training, and vendor oversight.

A comprehensive final report with findings, risk ratings, gap analysis, prioritized recommendations, and transition considerations. The report is delivered to the deal team and can be used for negotiation, indemnification, or post-close remediation planning.

Credentials You Can Count On

American Association for Laboratory Accreditation (A2LA) ISO/IEC 17020 accredited certification number 3822.01.

In any jurisdiction and in all industries. We are your global partner in compliance, risk, policy, security testing, financial audit and Cybervisor® services.

Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.

Benefits of a Lazarus Alliance IT Pre-Acquisition Assessment

The Lazarus Alliance IT Pre-Acquisition Assessment is purpose-built for CPA firm acquisitions. It delivers a fast, phased, low-disruption cybersecurity and IT due-diligence process that gives the acquiring firm clear visibility into the target’s risk posture while respecting the operational realities of a smaller professional-services firm.

Here are the key benefits, drawn directly from the Client Request List framework:

1. Front-Loaded Risk Visibility (Wave 1 in 14 Days)

  • Delivers the 18–20 highest-risk items immediately: MSP contract, active user accounts, MFA enforcement, EDR coverage, patch status, backups, Microsoft 365 Secure Score, WISP/Qualified Individual designation, cyber insurance, and incident history.
  • Allows the deal team to quickly determine whether a deeper investigation is warranted — often the difference between proceeding confidently or walking away / renegotiating.

2. Respects the Target Firm’s Capacity

  • Two-wave structure prevents overwhelming a smaller CPA firm.
  • Wave 2 (detailed policies, scans, SOC 2 reports, data-flow maps, etc.) is only issued after Wave 1 review, and the scope can be adjusted based on findings.
  • Clear submission instructions, acceptable formats, and “if it doesn’t exist, just confirm in writing” policy reduce friction and encourage transparency.

3. Comprehensive Coverage Across 8 Critical Sections

  • A–H span IT governance, identity & access, endpoint/network security, data protection, cloud/SaaS posture, FTC Safeguards Rule (GLBA) compliance, cyber incident history, and transition-specific risks.
  • Explicit focus on the issues that most frequently create material findings or derail CPA-firm deals: insecure backups, weak MFA, poor MSP oversight, missing WISP, and transition contract gaps.

4. Deal Protection & Value Preservation

  • Surfaces hidden liabilities (e.g., end-of-life systems, shared credentials, untested backups, regulatory exposure) before closing.
  • Provides concrete data for valuation adjustments, indemnification negotiations, or post-close remediation planning.
  • Cyber insurance certificate and incident summary give immediate insight into financial and reputational exposure.

5. Smooth Post-Acquisition Transition

  • Early visibility into system inventories, MSP contract termination/assignment terms, credential hand-off, and data-preservation obligations reduces migration surprises and downtime.

6. Professional, Auditable Process

  • All documentation is managed in the secure Continuum GRC portal with standardized naming, status tracking (NR/OS/PR/RC/NA/EX), and audit-step cross-references.
  • Produces a clear, defensible final report that aligns with Lazarus Alliance’s formal audit program.

7. Regulatory & Compliance Assurance

  • Dedicated focus on FTC Safeguards Rule / Gramm-Leach-Bliley Act requirements (WISP, Qualified Individual, risk assessment, training, vendor oversight) — critical for CPA firms handling client financial and tax data.

Bottom line: This assessment compresses months of potential post-close surprises into a structured 4–8 week engagement (with critical insights in the first two weeks). It protects the acquirer’s investment, gives the target firm a clear roadmap, and dramatically de-risks the transaction.

Lazarus Alliance utilizes the Continuum GRC IT Audit Machine, Security Trifecta methodology, and Policy Machine to deliver internationally recognized “Best Practices” for establishing organizational security standards and controls. These support compliance with audit certifications and assessments.

We want to be your partner and IT Pre-Acquisition Assessment assessor of choice! For additional information, please call 1-888-896-7580.