Know exactly what to verify before acquiring an IT managed services business — from MRR quality to cybersecurity liability and staff retention risk.
Acquiring an IT helpdesk or managed services provider in the $1M–$5M revenue range requires disciplined due diligence across five critical domains. Unlike traditional service businesses, MSPs carry unique risks: inherited cybersecurity liability from client environments, revenue that may look recurring but isn't contractually protected, and technical staff whose departure can instantly erode service delivery. This checklist is built specifically for PE-backed MSP platforms, search fund operators, and independent technology entrepreneurs evaluating lower middle market IT support acquisitions. Use it to separate high-quality recurring revenue businesses from break-fix shops dressed up for sale.
Distinguish true monthly recurring revenue from one-time project and break-fix billing that inflates topline figures.
Break down revenue by type: MRR, project-based, and break-fix for each of the last 3 years.
MSPs with less than 60% MRR carry significant cash flow unpredictability and lower valuation multiples.
Red flag: Seller cannot separate MRR from project revenue in their accounting system without manual reconciliation.
Request monthly MRR trend reports from the PSA or billing platform for 36 months.
Flat or declining MRR signals client churn or failure to upsell, undermining the recurring revenue story.
Red flag: MRR has declined more than 10% in any rolling 12-month period without clear explanation.
Verify gross margin by service line including helpdesk, project work, and hardware resale.
Helpdesk and managed services should carry 50–65% gross margins; hardware resale often masks low overall profitability.
Red flag: Blended gross margin below 40% suggests pricing pressure or excessive subcontractor dependency.
Confirm EBITDA add-backs with documentation, including owner compensation, personal expenses, and one-time costs.
Inflated add-backs are common in owner-operated MSPs and directly impact purchase price negotiations.
Red flag: Add-backs exceed 25% of stated EBITDA without clear, documented justification for each item.
Evaluate the legal strength of managed service agreements and the distribution of revenue across the client base.
Review all managed service agreements for term length, auto-renewal clauses, and termination-for-convenience provisions.
Contracts with 30-day termination rights offer acquirers little protection against immediate post-close client departures.
Red flag: More than 30% of MRR is on month-to-month agreements with no auto-renewal or penalty clause.
Run a customer concentration analysis identifying each client's percentage of total MRR.
When the top 3 clients exceed 50% of MRR, a single departure can collapse the acquisition thesis.
Red flag: Any single client represents more than 20% of total revenue with no long-term contract in place.
Identify all SLA obligations, response time commitments, and penalty clauses embedded in client contracts.
Unmet SLA obligations post-acquisition create legal exposure and client churn risk during transition.
Red flag: SLA terms vary widely across clients with no standardized service tier structure documented.
Confirm all managed service agreements are assignable to a new entity without requiring client consent.
Non-assignable contracts require client re-signing at close, creating churn risk and deal execution delays.
Red flag: Key client agreements contain change-of-control clauses requiring affirmative client consent to assign.
Assess the depth, certifications, and retention risk of the technical team delivering managed services.
Document tenure, certifications, and current compensation for every technical employee.
Certified technicians with 3+ years of tenure represent stable delivery capacity and justify premium valuation.
Red flag: Fewer than half of technicians hold current vendor certifications relevant to the client technology stack.
Review all employment agreements for non-solicitation and non-compete clauses covering key technicians.
Without enforceable agreements, departing technicians can solicit clients and staff immediately post-close.
Red flag: No non-solicitation agreements exist for senior technicians or the service delivery manager.
Identify which client relationships are personally managed by the owner versus the technical team.
Owner-dependent client relationships are the most common post-acquisition churn trigger in MSP deals.
Red flag: The owner is the primary contact for more than 50% of clients by revenue with no transition plan.
Assess current technician workload and tickets-per-technician ratios from the PSA system.
Overloaded technicians signal burnout risk and indicate the business cannot scale without immediate hiring.
Red flag: Average open ticket queue per technician consistently exceeds industry norms without documented escalation paths.
Evaluate the completeness, hygiene, and scalability of the platforms that run managed service delivery.
Audit the PSA platform for ticket history completeness, client documentation, and billing accuracy over 24 months.
Clean PSA data enables accurate revenue reporting, SLA tracking, and seamless post-acquisition operations.
Red flag: PSA data is incomplete or inconsistently used, or billing records do not reconcile to accounting system invoices.
Review the RMM platform for monitored endpoint count, alert response workflows, and patch compliance rates.
A well-configured RMM with high patch compliance rates signals proactive service delivery and lower client risk.
Red flag: Patch compliance rates below 80% or alert-to-ticket workflows that are manual rather than automated.
Verify that all client environments are fully documented in a dedicated documentation platform such as IT Glue or Hudu.
Missing client environment documentation creates post-acquisition service risk and extends onboarding timelines significantly.
Red flag: Client documentation exists only in technician notes, shared drives, or the seller's personal knowledge.
Confirm vendor licensing transferability for all PSA, RMM, security, and backup tools included in the deal.
Non-transferable vendor agreements force post-close renegotiation and can disrupt service delivery continuity.
Red flag: Key platform licenses are in the seller's personal name or tied to vendor agreements with change-of-control restrictions.
Evaluate inherited cybersecurity risk from both the MSP's own environment and its managed client environments.
Request the MSP's most recent internal cybersecurity assessment and penetration test results.
MSPs are high-value supply-chain attack targets; a compromised MSP exposes all client environments simultaneously.
Red flag: No formal cybersecurity assessment has been conducted on the MSP's own infrastructure in the past 18 months.
Review current cyber liability insurance policy for coverage limits, exclusions, and claims history.
A lapse in coverage or active claims signals unresolved incidents that may transfer liability to the acquirer.
Red flag: Cyber liability coverage is below $1M per occurrence or the policy has had any claims in the past 3 years.
Assess the security stack deployed across client environments including EDR, backup, and email security tools.
Clients without standardized security stacks represent inherited breach liability and complicate post-acquisition service delivery.
Red flag: Security tooling varies widely across clients with no standard security baseline enforced across the managed base.
Inquire about any past client data breaches, ransomware incidents, or regulatory notifications in the last 5 years.
Undisclosed prior incidents can create post-close legal liability and damage client trust during transition.
Red flag: Seller is vague or inconsistent when describing past security incidents or cannot produce incident response documentation.
Most acquirers and SBA lenders require a minimum of 60% MRR to underwrite a deal at standard MSP valuation multiples of 3.5–6x EBITDA. Below 60%, you are buying a break-fix or project services business that commands lower multiples and carries significantly higher cash flow risk post-acquisition. Verify MRR directly from PSA billing reports, not from seller-prepared summaries.
Request the seller's most recent internal security assessment, penetration test results, and full cyber liability insurance policy including claims history. Review the security stack deployed across all managed client environments and ask directly about any ransomware incidents, data breaches, or regulatory notifications in the past five years. Engage a third-party IT security firm to conduct independent assessments of both the MSP's own infrastructure and a representative sample of client environments before closing.
Technician departure post-close is the most common value destruction event in MSP acquisitions. Mitigate this risk by confirming non-solicitation agreements are in place for all senior staff, offering retention bonuses tied to 12–18 month post-close employment, and structuring the seller's transition consulting agreement to include explicit client relationship handoffs. Review PSA ticket history to identify which technicians are embedded in key client relationships before finalizing deal terms.
Yes, IT helpdesk and MSP acquisitions are SBA 7(a) eligible and commonly financed with SBA loans given the recurring revenue profile and established cash flows. Lenders will typically require a minimum $800K EBITDA, at least 60% recurring revenue, and clean financial statements separated by revenue type. A 10–15% seller equity rollover or seller note is frequently required by SBA lenders to align incentives and bridge any appraisal gap in the purchase price.