IT Services Acquisition Due Diligence Checklist

Before you wire funds on an MSP or IT services deal, verify these five critical areas — from MRR quality to cybersecurity exposure — to protect your investment and avoid costly post-close surprises.

Acquiring an IT services or managed service provider business offers compelling upside: sticky recurring revenue, high switching costs, and strong SMB demand. But the lower middle market IT space is full of hidden risks that don't appear on a P&L. Key man dependency, inflated revenue from one-time hardware sales, undisclosed cybersecurity incidents, and incompatible toolsets can turn a promising acquisition into an operational crisis within 90 days of close. This checklist gives buyers a structured framework to evaluate the five highest-risk areas of any IT services deal — helping you separate genuine recurring revenue businesses from owner-dependent shops masquerading as scalable platforms.

Critical · Important · Standard
Monthly Recurring Revenue (MRR) Quality

Verify that reported MRR is contractually backed, diversified, and not inflated by one-time hardware or project revenue before assigning valuation multiples.

critical

Request a trailing 24-month MRR schedule broken out by client and service type.

Reveals true revenue stability, churn trends, and whether growth is organic or from one-time spikes.

Red flag: MRR schedule doesn't exist or is manually assembled from invoices with no PSA-generated backup.

critical

Confirm all managed services agreements are written, signed, and include auto-renewal or multi-year terms.

Verbal or month-to-month agreements have no transferable value and create immediate churn risk post-close.

Red flag: More than 20% of MRR clients are on informal or handshake agreements with no signed contract.

critical

Calculate the percentage of total revenue derived from true MRR versus project, hardware, or break-fix billing.

Businesses with less than 60% MRR often trade at lower multiples and carry higher revenue volatility.

Red flag: Owner conflates hardware resale margins and one-time project billings with recurring managed services revenue.

important

Analyze gross and net revenue retention rates over the trailing 24 months.

Net retention above 100% signals upsell momentum; churn above 5% annually is a serious red flag.

Red flag: Seller cannot produce client-level retention data or reports churn verbally without documentation.

Customer Concentration & Contract Analysis

Assess whether the client base is diversified enough to survive the loss of one or two accounts without materially impairing EBITDA or triggering loan covenants.

critical

Build a revenue-by-client table showing each client's monthly spend, contract term, and renewal date.

Single-client concentration above 15–20% creates existential risk if that relationship doesn't transfer.

Red flag: One client represents more than 25% of MRR with a contract expiring within 12 months of close.

critical

Review all client contracts for change-of-control clauses that could allow termination upon acquisition.

Change-of-control provisions can invalidate contracts and trigger immediate churn at the worst possible moment.

Red flag: Multiple enterprise or government clients have unassignable contracts requiring client consent to transfer.

important

Interview the seller about the primary relationship owner for each top-10 client by revenue.

If the seller is the sole relationship contact for most clients, revenue is personality-dependent, not business-dependent.

Red flag: Seller is the primary point of contact for clients representing more than 50% of total MRR.

important

Request renewal history for the past three years across all managed services agreements.

Consistent renewals signal client satisfaction; spotty renewal history may indicate underlying service delivery issues.

Red flag: Two or more top-10 clients failed to renew or significantly reduced scope in the trailing 24 months.

Key Man Dependency & Staff Retention Risk

Determine whether the business can deliver services without the owner or one to two critical technicians, and assess what it will take to retain them post-close.

critical

Map all technical staff by role, certifications, tenure, and which clients they primarily support.

Departure of a lead engineer who supports 40% of clients post-close is an immediate operational crisis.

Red flag: One technician holds the only certifications (e.g., Microsoft, Cisco) required to service key client environments.

critical

Review current compensation, benefits, and any existing employment agreements or non-solicitation clauses.

Below-market compensation signals high flight risk; no non-solicitation agreements create competitive exposure.

Red flag: Key technicians are compensated significantly below market with no retention incentives or employment agreements.

important

Assess whether documented escalation procedures and runbooks exist for each client environment.

Undocumented tribal knowledge walks out the door with employees, disrupting service delivery immediately post-close.

Red flag: Service delivery relies entirely on institutional knowledge with no written SOPs, runbooks, or escalation paths.

important

Discuss seller's planned role and availability during the post-close transition period.

An abrupt seller exit without a transition plan increases client churn risk and employee uncertainty simultaneously.

Red flag: Seller expects to exit within 30 days of close with no employment agreement or consulting arrangement in place.

Cybersecurity Posture & Compliance History

Evaluate the target's cybersecurity practices, incident history, and compliance obligations — MSPs are high-value ransomware targets and carry potential client indemnification liability.

critical

Request a full incident history including any client-impacting breaches, ransomware events, or data loss incidents.

Undisclosed prior incidents create legal liability and reputational exposure that transfers to the buyer at close.

Red flag: Seller is evasive or vague about historical incidents; any undisclosed breach discovered post-close is a deal-killer.

critical

Review the target's cyber liability insurance policy — coverage limits, claims history, and exclusions.

Inadequate cyber coverage exposes the buyer to uninsured indemnification claims from clients post-acquisition.

Red flag: Cyber liability policy has coverage below $1M, contains MSP-specific exclusions, or has had claims in the past 24 months.

important

Audit client contracts for indemnification and liability provisions related to cybersecurity incidents.

Broad indemnification clauses obligating the MSP for client losses from a breach represent uncapped financial exposure.

Red flag: Multiple client agreements include unlimited liability clauses for security incidents with no cap on damages.

important

Assess compliance with relevant frameworks (HIPAA, CMMC, SOC 2) if the MSP serves regulated industries.

Serving healthcare or government clients without proper compliance frameworks creates regulatory and contractual liability.

Red flag: MSP services healthcare or DoD clients but has never completed a HIPAA risk assessment or CMMC evaluation.

Technology Stack, Tools & Vendor Agreements

Audit the PSA, RMM, billing, and security toolsets to understand integration complexity, licensing transferability, and any post-close vendor or contract surprises.

critical

Document all PSA, RMM, documentation, and billing platforms with current contract terms and pricing.

Incompatible toolsets between acquirer and target can require costly migration projects that disrupt service delivery.

Red flag: Target uses a legacy or sunset PSA/RMM platform with no migration path to acquirer's standard toolset.

critical

Confirm all software licenses, vendor agreements, and OEM partnerships are current and assignable to a new owner.

Non-transferable vendor agreements can force expensive re-licensing or loss of preferred partner status post-close.

Red flag: Microsoft, Cisco, or other key vendor partner agreements are non-assignable or require requalification post-acquisition.

important

Review vendor payment history and identify any deferred or outstanding obligations to technology suppliers.

Deferred vendor payments signal cash flow stress and may result in service interruptions or license revocations post-close.

Red flag: Target has past-due balances with critical vendors or has had licenses suspended in the trailing 12 months.

standard

Assess whether the target's internal IT infrastructure and client monitoring tools meet current security standards.

An MSP with an insecure internal stack undermines trust with clients and creates liability for the acquiring entity.

Red flag: Target does not use multi-factor authentication internally or lacks endpoint detection across its own infrastructure.

Deal-Killer Red Flags for IT Services

  • MRR schedule cannot be reconciled to PSA-generated billing data — revenue figures appear manually inflated or unverifiable
  • Owner is the sole technical resource, primary client contact, and only credentialed staff member in the business
  • A single client represents more than 30% of total revenue with a contract expiring within 12 months of closing
  • Undisclosed cybersecurity incident affecting client data discovered during diligence after seller represented clean history
  • More than 40% of reported revenue comes from hardware resale and one-time project work with no managed services contract backing

Frequently Asked Questions

What percentage of revenue should be MRR for a well-qualified IT services acquisition?

Most experienced MSP acquirers target businesses where at least 60% of total revenue is true monthly recurring revenue backed by signed managed services agreements. Businesses below 50% MRR typically trade at lower multiples (3–5x EBITDA) and carry higher post-close revenue risk due to the unpredictable nature of project and hardware revenue. During diligence, request a PSA-generated MRR report and reconcile it to bank deposits — do not rely solely on seller-prepared spreadsheets.

How do I assess key man risk in an IT services acquisition before making an offer?

Start by mapping every client relationship and technical function to a specific individual. Ask the seller to walk you through who handles escalations, client QBRs, vendor relationships, and billing for each top-10 account. If the answer is consistently 'me,' you have a significant key man problem. Mitigants include a 12–24 month employment agreement with the seller, stay bonuses for critical technical staff, and deal structuring that ties a portion of purchase price to MRR retention 12 months post-close.

What cybersecurity risks should I specifically watch for when acquiring an MSP?

MSPs are high-value targets for ransomware because compromising one provider can cascade to dozens of client environments. During diligence, request a full incident history, review cyber liability insurance coverage and exclusions, and audit client contracts for indemnification language. Engage a third-party cybersecurity firm to conduct an external vulnerability assessment of the target's own infrastructure before closing. Any prior breach that wasn't disclosed upfront is a deal-killer — the legal and reputational liability transfers with the business.

How should I structure an IT services acquisition to protect against post-close MRR churn?

The most effective structure ties a meaningful portion of the purchase price to MRR retention 12–24 months post-close via an earnout or equity rollover. A common approach in the MSP space is 80–85% of the purchase price paid at close with 15–20% contingent on hitting MRR retention thresholds (e.g., retaining 90% of closing MRR at month 12). This aligns seller incentives during the transition period and provides financial protection if key clients don't renew after the ownership change.
