
Due Diligence Guide: Acquiring an IT Services or MSP Business

Protect your investment by auditing MRR quality, key man dependency, cybersecurity exposure, and contract transferability before closing on any managed services acquisition.


Acquiring an IT services firm or MSP requires scrutiny beyond standard financials. Recurring revenue quality, technical staff retention, cybersecurity liability, and PSA/RMM stack compatibility all directly affect post-close value. This guide walks buyers through three structured phases covering the most critical risks in lower middle market IT services transactions.

IT Services Due Diligence Phases

Phase 1: Revenue Quality & Customer Analysis

Validate the true recurring revenue base, assess customer concentration risk, and confirm contract transferability before proceeding to deeper diligence.

MRR Composition & Churn Analysis (critical)

Request trailing 24-month MRR schedules broken out by client. Verify that recurring revenue represents 60%+ of total revenue and annual churn stays below 5%.

Customer Concentration Review (critical)

Identify revenue by client and flag any single customer exceeding 15–20% of total revenue. Concentrated books dramatically increase post-close risk.

Contract Transferability Audit (critical)

Confirm all managed services agreements are written, current, and contain assignment clauses allowing transfer to a new entity without requiring client consent.

Phase 2: Operational & Technical Risk Assessment

Evaluate service delivery infrastructure, staff dependency, and cybersecurity posture to identify operational risks that could impair value immediately after closing.

Key Man Dependency Evaluation (critical)

Map which technical staff handle critical client relationships and escalations. Assess flight risk and develop retention strategies — stay bonuses or equity — before close.

Cybersecurity Posture & Incident History (critical)

Review the target's own security controls, any past breaches or ransomware incidents, and client-facing indemnification clauses that could create undisclosed liability.

PSA, RMM & Toolstack Audit (important)

Document all PSA, RMM, billing, and monitoring platforms in use. Assess integration complexity and licensing transferability, especially if acquiring into an existing MSP platform.

Phase 3: Financial & Legal Verification

Confirm financial representations, validate EBITDA normalization, and review legal agreements to ensure the deal structure accurately reflects business fundamentals.

EBITDA Normalization & Add-Back Scrutiny (critical)

Distinguish true recurring-revenue EBITDA from one-time hardware sales or project windfalls. Validate owner compensation add-backs against actual replacement cost for management.

Vendor & Licensing Agreement Review (important)

Audit all software, vendor partnership, and reseller agreements. Confirm assignability and flag any Microsoft, Cisco, or distributor agreements requiring re-certification post-close.

Tax Return & Bank Statement Reconciliation (important)

Cross-reference three years of tax returns against P&Ls and bank statements to identify unreported income, personal expenses, or revenue recognition inconsistencies.

IT Services-Specific Due Diligence Items

  • Request a client-by-client MRR bridge showing additions, expansions, and cancellations over the trailing 24 months to verify stated churn figures independently.
  • Verify that all managed services contracts include auto-renewal clauses and price escalation provisions — absence significantly reduces long-term revenue predictability.
  • Assess the target's own endpoint security, backup, and patch management compliance — MSPs are primary ransomware targets and internal gaps create immediate client liability.
  • Confirm all vendor certifications (Microsoft Partner, Cisco, etc.) are held by the business entity, not the individual owner, to ensure they survive ownership transfer.
  • Identify whether the seller personally owns key client domain accounts, credentials, or licensing portals — these must be formally migrated to the business prior to close.

Frequently Asked Questions

What recurring revenue percentage should an MSP have before I consider acquiring it?

Target at least 60% MRR as a share of total revenue. Higher MRR concentration means more predictable cash flow and lower integration risk, and it justifies paying toward the higher end of the 4–7x EBITDA multiple range typical for IT services acquisitions.

How do I assess key man risk in an IT services acquisition?

Map every client relationship and technical escalation to specific staff. If the owner handles more than 30% of client touchpoints or holds unique technical knowledge, require a 12–24 month consulting agreement and negotiate retention bonuses for critical technical employees as deal conditions.

Can I use an SBA 7(a) loan to acquire an MSP or IT services business?

Yes. IT services businesses with strong MRR and documented financials are well-suited for SBA 7(a) financing. Typical structures include 10–20% buyer equity, an SBA loan covering the majority, and a 5–10% seller note to bridge any valuation gap.

What cybersecurity risks should I investigate before buying an MSP?

Review the target's internal security stack, any past breach or ransomware incident disclosures, and all client contracts for indemnification clauses. Undisclosed breaches or weak internal controls can create substantial post-close liability with enterprise or regulated-industry clients.
