Verify MRR quality, client contracts, technical staff retention, and cybersecurity liability before acquiring an IT Managed Services Provider.
Acquiring an IT Managed Services Provider offers access to predictable, contractual recurring revenue in a growing, recession-resistant market — but MSP acquisitions carry unique risks that generic due diligence frameworks miss. Owner-operators who double as lead technician and primary client relationship holder, informal month-to-month service agreements disguised as MRR, and unquantified cybersecurity liability can each destroy post-acquisition value. This checklist is structured around the five highest-stakes diligence areas specific to lower middle market MSPs: revenue quality, customer concentration, technical operations, key employee risk, and legal and cybersecurity exposure. Work through each category systematically before LOI and accelerate verification during exclusivity.
Validate that recurring revenue is contractually obligated, accurately reported, and defensible against churn post-acquisition.
Request a full MRR schedule by client showing contract type, term, notice period, and monthly value.
Distinguishes true contracted MRR from informal month-to-month relationships that can evaporate post-close.
Red flag: More than 30% of MRR is on month-to-month agreements with no signed contract or auto-renewal clause.
Calculate trailing 12-month gross churn rate and identify any clients lost in the prior 24 months.
Sub-5% annual churn signals a sticky, well-managed client base; elevated churn compresses valuation multiples.
Red flag: Annual churn exceeds 10% or the business lost a top-5 client in the past 18 months without replacement.
Separate recurring managed service revenue from project, break-fix, and hardware resale revenue.
Buyers pay 4–7x for MRR; project revenue is one-time and should not be capitalized at the same multiple.
Red flag: Project and break-fix revenue exceeds 35% of total revenue, indicating an immature managed services model.
Review all MSA and SOW documents for change-of-control provisions and assignability clauses.
Non-assignable contracts can void agreements upon acquisition, eliminating the revenue base being purchased.
Red flag: Key client contracts contain change-of-control termination rights or require client consent to transfer.
Assess dependency on individual clients and determine whether relationships are owned by the business or the exiting owner.
Map revenue contribution of top 10 clients as a percentage of total MRR.
Single-client concentration above 20% creates existential risk if that client churns post-acquisition.
Red flag: One client represents more than 20% of MRR, or the top three clients together exceed 50% of total revenue.
Identify which staff member owns the primary relationship for each top-10 client.
Client relationships held by the exiting owner rather than by staff become a high churn risk the moment the owner departs.
Red flag: The seller is the primary contact for 4 or more of the top 10 clients with no staff-level relationship backup.
Review contract renewal dates and notice periods across the entire client portfolio.
A cluster of contracts renewing within 6 months of close creates a concentrated churn window post-acquisition.
Red flag: More than 25% of MRR is on contracts expiring within 90 days of the anticipated close date.
Conduct blind reference calls with 3–5 clients to assess satisfaction and awareness of the pending sale.
Unsolicited client feedback reveals relationship health and early warning signs of departure intent.
Red flag: Multiple clients express primary loyalty to the owner personally or signal openness to re-evaluating vendors.
Evaluate the PSA, RMM, and security tooling for integration readiness, margin quality, and operational maturity.
Document all PSA and RMM platforms in use, including ConnectWise, Autotask, NinjaRMM, or Datto.
Non-standard or fragmented tooling increases integration costs and complicates roll-up platform compatibility.
Red flag: The MSP uses home-built ticketing systems or multiple disconnected tools with no standardized PSA deployment.
Review vendor agreements, Microsoft partner status, and distributor relationships for transferability.
Microsoft CSP margins, Datto partner rebates, and vendor NFR licenses may not survive a change of ownership.
Red flag: Key vendor partner agreements contain non-transferable clauses or require requalification post-acquisition.
Request NOC/helpdesk SLA performance data — average response time, ticket volume, and resolution rates.
Documented SLA compliance demonstrates operational maturity and reduces post-close service delivery risk.
Red flag: No formal SLA tracking exists, or SLA breach rates exceed 15% of tickets in the trailing 6 months.
Assess whether SOPs, runbooks, and onboarding/offboarding documentation exist for all core service lines.
Undocumented processes create operational dependency on specific staff and inflate post-close transition risk.
Red flag: Critical processes exist only in the owner's or a single technician's head with no written documentation.
Identify technical staff retention risk, compensation gaps, and certification ownership before finalizing deal terms.
Obtain org chart, tenure, compensation, and role descriptions for all full-time technical staff.
Losing 1–2 senior technicians post-close can collapse service delivery and accelerate client churn.
Red flag: The business has fewer than three technical staff, or the lead technician is the owner with no backup.
Verify which technical certifications — CompTIA, Microsoft, Cisco — are held by employees vs. the owner.
Certifications held only by the exiting owner may void vendor partner status and client contract requirements.
Red flag: Microsoft Gold/Solutions Partner status or security certifications depend solely on the departing seller.
Review existing non-compete and non-solicitation agreements for all technical and client-facing staff.
Unprotected staff can depart post-close, solicit clients, and launch competing MSPs within the same market.
Red flag: No non-compete or non-solicitation agreements exist for the service manager or senior technical staff.
Benchmark total compensation for key staff against current IT labor market rates in the target geography.
Below-market compensation creates post-close attrition risk as staff pursue higher wages after the sale.
Red flag: Lead technicians are compensated 20%+ below market rates with no retention bonus or equity plan in place.
Uncover contractual indemnification exposure, insurance gaps, and prior breach incidents before assuming liability.
Review all MSAs for indemnification clauses, liability caps, and data breach responsibility language.
Unlimited indemnification clauses expose the buyer to catastrophic liability from future client breach claims.
Red flag: Client MSAs contain uncapped indemnification obligations or hold the MSP liable for client data breaches.
Confirm current E&O, cyber liability, and general liability insurance coverage limits and claims history.
MSPs are prime ransomware targets; inadequate coverage or prior claims signal unquantified financial exposure.
Red flag: Cyber liability coverage is below $1M per occurrence, lapsed, or the business has had a prior breach claim.
Investigate any prior security incidents, client data breaches, or regulatory complaints in the past 3 years.
Undisclosed breaches create post-close indemnification claims and reputational damage with inherited clients.
Red flag: The seller discloses, or evidence surfaces of, an unreported client data breach or an active regulatory inquiry.
Confirm HIPAA, CMMC, or other compliance program status if the MSP serves regulated verticals.
Serving healthcare or government clients without compliant frameworks creates buyer liability at close.
Red flag: The MSP manages PHI or CUI without a signed BAA, documented HIPAA policy, or CMMC certification path.
Best-in-class MSPs report annual gross churn below 5%. Anything above 8–10% signals client satisfaction issues, weak contracts, or heavy owner-dependency in client relationships. Request monthly churn data for the trailing 24 months — not just an annualized summary — to identify whether churn is accelerating or tied to specific client segments.
Map every top-10 client relationship and every critical technical function to a specific individual. If the owner is the primary contact for more than 3 top clients or holds certifications required for vendor partner status, key-man risk is severe. Mitigate through structured earnouts, extended transition agreements of 12–24 months, and retention bonuses for the service manager and lead technicians.
Focus first on client MSA indemnification language — uncapped liability clauses are deal-killers. Then verify cyber and E&O insurance coverage is active and sufficient (minimum $1M per occurrence for an MSP under $5M revenue). Finally, request a written disclosure of any security incidents, client breaches, or regulatory complaints in the past 36 months and verify independently through reference calls.
Buyers typically apply a valuation discount when a single client exceeds 15–20% of MRR. A client at 25–30% of revenue may compress the EBITDA multiple by 0.5–1.5 turns or trigger a holdback or earnout tied to that client's retention. Buyers should model a base case assuming the concentrated client churns within 12 months of close and stress-test whether the remaining business justifies the acquisition price.