M&A Due Diligence
How to Assess Technology Risk in Staffing Acquisitions
Lauren B. Jones
CEO & Founder, Leap Advisory Partners
Lauren B. Jones
A PE operating partner called me after a staffing acquisition closed. His exact words: "We just found out the ATS runs on a version that was end-of-lifed two years ago, the only person who manages the VMS integrations just gave notice, and there is a $1.8 million platform rewrite hiding in the five-year plan that nobody mentioned during diligence."
He was not happy. The deal model had allocated $200,000 for "technology improvements" post-close. The actual number was closer to $2.5 million when you factored in the platform migration, the integration rebuilds, the data remediation, and the temporary staff needed to cover the departing IT manager's knowledge.
This was not a bad deal. The company had strong fundamentals. But the technology risk was not identified, not quantified, and not priced into the acquisition. That is a pattern I see repeatedly in PE transactions involving staffing companies.
Every staffing company runs on technology, and when any technology component is degraded, outdated, or fragile, the business underperforms in ways that directly reduce returns. The ATS is the engine of operations. The integrations between ATS, VMS, payroll, and billing are the transmission. The data inside those systems is the fuel. When any of these components are degraded, outdated, or fragile, the business underperforms.
Let me make this concrete with a scenario I reconstructed from an actual engagement. The details are generalized to protect confidentiality, but the numbers are representative.
A PE firm acquired a 300-person staffing company for 8x EBITDA. EBITDA was $12 million, so the purchase price was $96 million. During diligence, the technology review was limited to confirming that the company had a "modern ATS" and "adequate cybersecurity."
Post-close, the operating team discovered: the ATS was running a version three releases behind current, with custom modifications that prevented upgrading. The VMS integration to the company's largest MSP client was built by a contractor who no longer had a relationship with the company, and the integration code had no documentation. The payroll system was a legacy on-premise solution that required a full-time administrator. And data quality in the ATS was poor enough that the AI initiative in the value creation plan could not launch as scheduled.
Total unplanned technology expenditure over 24 months: $3.2 million. EBITDA impact in year one from operational disruption: approximately $900,000. Combined, these factors reduced the deal's realized return by about 1.5 turns of EBITDA.
On a $96 million investment, that matters.
I use a five-dimension risk assessment framework specifically designed for staffing acquisitions. Each dimension captures a different vector of technology risk, and each can be scored and quantified.
Dimension 1: Architecture Risk
What is the foundational technology architecture? Cloud-native, hybrid, or legacy on-premise? How old is the core platform? Is it actively supported by the vendor? Are there architectural constraints that limit scalability?
Scoring: Low risk means modern, cloud-native architecture with active vendor support and no scaling constraints. High risk means legacy on-premise systems, end-of-life platforms, or architectures that cannot support the operating team's growth plans.
Quantification: Estimate the cost of migrating from the current architecture to the target state. For staffing companies, ATS migrations typically cost $400,000-$2,000,000 depending on complexity, plus 6-15 months of operational disruption.
Dimension 2: Vendor Dependency
How dependent is the company on specific technology vendors? Are there concentration risks (one vendor providing multiple critical systems)? What do the contract terms look like? Are there auto-renewal traps, price escalation clauses, or restrictive exit provisions?
Scoring: Low risk means diversified vendor relationships with favorable contract terms and alternatives available. High risk means single-vendor dependency for critical operations, unfavorable contract terms, and limited alternatives.
Quantification: Calculate the cost of vendor concentration. If the primary ATS vendor raises prices 20% at renewal (which happens), what is the financial impact? If the vendor discontinues a critical feature, what is the migration cost?
Dimension 3: Data Quality
How clean, complete, and accessible is the company's data? Specifically: what percentage of candidate records are usable for automated matching or analytics? What is the duplicate rate? Is data structured consistently across offices and teams?
Scoring: Low risk means clean, standardized data with less than 5% duplicate rate and 80%+ field completion. High risk means inconsistent data, 20%+ duplicate rate, critical data trapped in unstructured fields, and no data governance practices.
Quantification: Estimate the cost and timeline of data remediation. For a staffing company with 200,000+ candidate records, a data quality project typically costs $50,000-$150,000 in external support plus 3-6 months of internal effort.
Dimension 4: Security Posture
Does the company have appropriate security controls for the data it handles? Is there a formal information security policy? Has it been tested? Are there known vulnerabilities?
Scoring: Low risk means SOC 2 compliant (or equivalent), regular penetration testing, encrypted data, role-based access controls, and an incident response plan. High risk means no formal security policy, no recent testing, unencrypted sensitive data, and broadly shared access credentials.
Quantification: Estimate the cost of achieving the target security posture. SOC 2 compliance for a staffing company that has never been audited typically costs $100,000-$250,000 for the initial certification, plus ongoing annual costs. The alternative cost, a data breach, averages $4.5 million across industries, with regulated data (healthcare staffing, government staffing) carrying higher exposure.
Dimension 5: Scalability Ceiling
Can the current technology stack support the growth implied by the operating plan? If the plan calls for 40% revenue growth over three years, can the technology scale to match? Are there hard limits (maximum users, maximum concurrent jobs, API rate limits) that will require investment to overcome?
Scoring: Low risk means the stack can scale 2-3x without major investment. High risk means the stack is near capacity, requires platform changes to scale, or has contractual limits that trigger cost jumps at certain thresholds.
Quantification: Map the technology scaling costs to the operating plan. If the company needs to add 100 ATS users in year two, what is the cost? If transaction volumes double, do any systems require upgrades?
Beyond the general framework, staffing companies present four industry-specific technology risks that PE firms must assess.
ATS lock-in. The ATS is the most important application in a staffing company, and switching costs are extraordinary. Data migration, integration rebuilds, workflow reconfiguration, and team retraining make ATS changes 12-18 month projects. If the current ATS is inadequate, the migration cost and timeline need to be in the model.
Assess: Is the ATS meeting current needs? Is it on the vendor's current supported version? Does the vendor have a credible roadmap? Are there customizations that prevent upgrading?
Compliance system gaps. Staffing companies in healthcare, government, and finance have regulatory compliance requirements that must be met by technology. Credential tracking, background check management, I-9 processing, and client-specific compliance requirements all need to be systematically managed. If compliance is handled manually or through spreadsheets, the risk of a compliance failure scales with the company's size.
Assess: Is compliance tracking automated? Are expiration alerts triggered automatically? Is there an audit trail? Has the company passed any client or regulatory compliance audits recently?
VMS integration fragility. Many staffing companies derive 30-60% of their revenue through managed service provider (MSP) relationships that require VMS integration. If the integration between the ATS and the VMS platform is custom-built, poorly documented, or maintained by a single person, it represents a revenue risk.
Assess: How many VMS integrations exist? Are they native (vendor-supported) or custom? Who maintains them? Is there documentation? What happens if the integration breaks at midnight on a Friday?
Payroll system age. Payroll is non-negotiable. Workers must be paid accurately and on time. Legacy payroll systems (especially on-premise) create risk through limited scalability, maintenance burden, compliance gaps (tax table updates, state-specific requirements), and key-person dependency.
Assess: What payroll system is in use? Is it cloud-based or on-premise? When was it last upgraded? Who administers it? Is there a backup administrator?
Create a risk scoring matrix that assigns each dimension a score from 1 (minimal risk) to 5 (critical risk), and pair each score with a financial impact estimate.
For each dimension, define what each score means specifically:
Sum the scores across dimensions. A total score of 5-10 indicates a technology stack that supports the operating plan. A score of 11-18 indicates manageable risk with investment required. A score of 19-25 indicates technology risk that should materially affect the deal model.
The financial impact estimates from each dimension sum to a total technology investment requirement. Compare this total to what is in the operating plan. If the delta is significant, the plan needs to be revised or the deal price needs to reflect the additional investment.
Technology risk should affect the deal in three ways:
Adjusting EBITDA for tech debt. If the company has been underinvesting in technology (deferred maintenance, skipped upgrades, unfilled IT positions), the reported EBITDA is overstated because it does not reflect the true cost of running the business at a sustainable level. Normalize EBITDA by adding back the technology investment that should have been made. This is conceptually identical to normalizing for deferred capital expenditures.
Negotiating technology escrow or price adjustment. If diligence reveals technology risks that require investment post-close, negotiate a portion of the purchase price into escrow tied to specific technology milestones. Or negotiate a price reduction that reflects the required investment. This protects the fund from overpaying for a business that needs immediate technology investment.
Post-close investment budgeting. Build a detailed technology investment budget that covers the first 24 months post-close. Include specific line items for each identified risk: ATS migration, data remediation, security hardening, integration rebuilds, IT staffing. Present this budget to the investment committee alongside the operating plan so expectations are aligned.
If your fund invests in staffing companies regularly, standardize your technology risk assessment process. Each deal teaches you something about staffing technology risk, and those lessons should accumulate into a playbook that makes every subsequent assessment faster and more accurate.
The playbook should include: the five-dimension assessment framework with scoring criteria, a standardized data request list for target companies, interview guides for CTO/IT leader conversations, financial impact benchmarks from previous deals, a library of common findings and their typical remediation costs, and integration with your overall diligence process so technology assessment happens in parallel with financial and commercial diligence, not as an afterthought.
The fund that treats technology risk as a repeatable assessment capability will consistently make better-informed investment decisions than the fund that reinvents the process on every deal.
Use a 1-5 scoring matrix across five dimensions (architecture, vendor dependency, data quality, security, scalability). Each score maps to a specific investment range: Score 1 ($0-$50K), Score 2 ($50K-$200K), Score 3 ($200K-$500K), Score 4 ($500K-$1.5M), Score 5 ($1.5M+). Sum the scores. A total of 5-10 means the stack supports the operating plan. A total of 19-25 means technology risk should materially affect the deal model.
The five dimensions are architecture risk (infrastructure age, cloud vs. on-premise, scalability), vendor dependency (concentration risk, contract terms, exit provisions), data quality (completeness, duplicates, consistency, governance), security posture (SOC 2 compliance, encryption, access controls, incident response), and scalability ceiling (capacity for growth under the operating plan).
Four risks are specific to staffing: ATS lock-in (switching costs make migrations 12-18 month projects costing $500K-$2M), compliance system gaps (manual tracking at scale creates regulatory liability), VMS integration fragility (30-60% of revenue often depends on custom integrations maintained by a single person), and payroll system age (legacy on-premise payroll with key-person dependency).
Technology risk should affect deals in three ways: normalize EBITDA by adding back deferred technology maintenance costs, negotiate price adjustments or escrow tied to specific technology remediation milestones, and build a detailed 24-month technology investment budget presented alongside the operating plan. In one representative deal, unidentified technology risk reduced realized returns by approximately 1.5 turns of EBITDA.
Starting a staffing acquisition diligence process? Download the Technology Due Diligence Checklist. It covers all five dimensions, provides scoring guidance, and includes the data request list for target companies.
Download the Technology Due Diligence Checklist
Lauren B. Jones is the CEO and founder of Leap Advisory Partners, with 28 years of experience in staffing technology. She helps staffing agencies, PE firms, and software companies build technology that actually works.
