The IT Due Diligence Checklist Before You Acquire a Business
Before you close an acquisition, use this checklist to evaluate the target's IT infrastructure, security posture, and compliance risks.

Most SMB acquisitions spend three to six months on financial and legal due diligence. The IT environment gets an afternoon. That gap shows up after close, when the servers you inherited need six-figure emergency upgrades that nobody budgeted for, or when a compliance violation at the acquired company triggers a regulatory inquiry that’s now your problem.
IT due diligence protects you from buying problems disguised as assets. This checklist covers the five areas that matter most for businesses in the 50 to 500 employee range.
Infrastructure and Licensing
The target company’s hardware, software, and cloud services become your responsibility at close. Before you sign, get a full inventory.
Hardware lifecycle. Request a list of every server, workstation, network switch, firewall, and wireless access point, along with purchase dates and warranty status. Equipment older than five years is likely approaching end of life. Servers running Windows Server 2019 or older will need upgrades. Firewalls on expired firmware create security exposure you’ll own on day one.
Software licensing. Audit every software license: Microsoft 365 tenants, line-of-business applications, security tools, backup solutions, and any industry-specific software. You need to answer three questions for each. Is the license transferable? Is it current? What does renewal cost? Some vendor agreements include change-of-control clauses that void the license on acquisition. Discovering that after close means paying for new licenses at full price with no negotiating room.
Cloud footprint. If the target uses Azure, AWS, or other cloud services, review the account structure, monthly spend, and resource utilization. Cloud environments built by whoever was available tend to accumulate unused resources and oversized instances that inflate costs. A simple audit of reserved instances versus on-demand spend can reveal thousands in monthly waste that nobody on the target’s team has addressed.
Internet and telecom contracts. Check ISP agreements, phone systems, and any colocation contracts. These often have multi-year terms with early termination penalties. If you’re planning to consolidate the acquired company’s office into your location, you need to know what it costs to exit their existing agreements.
Security Posture
The target’s security weaknesses become your security weaknesses the moment their network connects to yours. A breach at the acquired company after close is your breach.
Vulnerability assessment. Request recent vulnerability scan results, or commission an independent cybersecurity risk assessment before close. You’re looking for unpatched critical vulnerabilities, exposed services, weak authentication configurations, and evidence of prior compromise. The methodology mirrors what a good IT provider evaluates on day one with any new client, but the stakes are higher because you’re deciding whether to buy.
Endpoint protection. What EDR or antivirus solution is deployed, and is it managed or just installed? Unmanaged endpoint protection is barely better than none. Check whether the solution covers every device, or whether some endpoints, particularly employee laptops and remote workstations, are running without protection.
MFA and identity management. Is multi-factor authentication enforced for all users, or only some? Are there shared admin accounts without MFA? Companies that still use shared passwords for critical systems represent both a security risk and a cultural problem you’ll need to address post-acquisition.
Breach history. Ask directly: has the company experienced a data breach, ransomware attack, or significant security incident in the past three years? If yes, what was the scope, how was it remediated, and were any regulatory notifications required? Undisclosed breaches can carry lingering legal liability that transfers with the acquisition.
Backup and disaster recovery. Verify that backups exist, that they’re tested regularly, and that recovery time objectives and recovery point objectives are documented. A company that claims daily backups but hasn’t tested a restore in two years doesn’t actually have a functional disaster recovery plan.
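One way to turn the "do the backups actually work" question into a check against the target's own evidence. This is an added example, not part of the original article: it takes backup job history and restore-test records (constructed sample data here; the function names and issue codes are assumptions) together with the documented RPO and RTO, and reports where the evidence falls short of the claim.

```python
from datetime import datetime, timedelta

def assess_dr(jobs, tests, rpo_hours, rto_minutes, as_of, max_test_age_days=365):
    """Compare backup/restore evidence with the documented RPO and RTO.

    jobs:  (system, finished_at, succeeded) per backup job
    tests: (system, tested_at, recovery_minutes) per restore test
    Returns a list of (system, issue_code) findings.
    """
    findings = []
    for system in sorted({j[0] for j in jobs}):
        ok = sorted(fin for sys_, fin, good in jobs if sys_ == system and good)
        if not ok:
            findings.append((system, "no_successful_backup"))
            continue
        # Effective RPO is the widest gap between consecutive successful backups,
        # including the gap from the last success to the review date.
        points = ok + [as_of]
        worst_gap = max(b - a for a, b in zip(points, points[1:]))
        if worst_gap > timedelta(hours=rpo_hours):
            findings.append((system, "rpo_exceeded"))
        sys_tests = [t for t in tests if t[0] == system]
        if not sys_tests:
            findings.append((system, "no_restore_test"))  # backups with no proof they restore
            continue
        _, tested_at, minutes = max(sys_tests, key=lambda t: t[1])
        if as_of - tested_at > timedelta(days=max_test_age_days):
            findings.append((system, "restore_test_stale"))
        if minutes > rto_minutes:
            findings.append((system, "rto_exceeded"))
    return findings

# Constructed sample evidence (not from any real target): nightly 02:00 jobs.
AS_OF = datetime(2025, 3, 10, 8, 0)
def nightly(day):
    return datetime(2025, 3, day, 2, 0)
JOBS = [
    ("FILE01", nightly(6), True), ("FILE01", nightly(7), True),
    ("FILE01", nightly(8), False),  # one failed night -> 48h gap against a 24h RPO
    ("FILE01", nightly(9), True), ("FILE01", nightly(10), True),
    ("SQL01", nightly(8), True), ("SQL01", nightly(9), True), ("SQL01", nightly(10), True),
]
TESTS = [
    ("FILE01", datetime(2023, 4, 1), 45),   # last restore test almost two years ago
    ("SQL01", datetime(2025, 2, 10), 90),   # recent, but slower than the documented RTO
]

if __name__ == "__main__":
    for system, issue in assess_dr(JOBS, TESTS, rpo_hours=24, rto_minutes=60, as_of=AS_OF):
        print(f"{system}: {issue}")
```

Run against the target's real job history, the findings list is what you ask the seller to explain before close; an empty list means the documented RPO/RTO are supported by evidence, not just asserted.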
Compliance Liabilities
Regulatory obligations travel with the business. If the target handles healthcare data, credit card transactions, defense contracts, or consumer personal information, their compliance status becomes yours at close.
HIPAA. For healthcare-adjacent businesses, request the most recent risk assessment, any audit findings, and documentation of staff training. Gaps in HIPAA compliance carry penalties that can reach $2.1 million per violation category per year. These penalties don’t reset when ownership changes.
CMMC and defense contracts. If the target holds Department of Defense contracts, verify their CMMC certification level and timeline. Phase 2 enforcement is active, and a target that claims compliance but hasn’t completed a certified assessment may put your existing defense contracts at risk through association.
PCI DSS. For businesses processing credit card payments, review their Self-Assessment Questionnaire or Report on Compliance. Ask about their compensating controls and whether they’ve had any payment card data incidents. Visa and Mastercard fines for non-compliance fall on the merchant of record, which will be you after close.
Texas privacy law. The Texas Data Privacy and Security Act applies to businesses that operate in Texas or process Texas residents’ data. If the target company collects consumer data, they should have a privacy policy, consent mechanisms, and data processing agreements with their vendors. If they don’t, you’ll need to build these from scratch while already being subject to the law.
Cyber insurance. Review the target’s cyber insurance policy. Does it transfer with the acquisition? Will the insurer honor it under new ownership? Many policies include change-of-control provisions that require notification or re-underwriting. You may need to extend your own policy to cover the acquired entity, and your insurer will want to see the security controls across the combined environment before quoting a premium.
IT Staff and Vendor Relationships
Technology decisions are only half the picture. The people who manage and the vendors who support the target’s IT environment matter just as much.
Internal IT knowledge. Does the target have an IT manager, a team, or a single person who handles everything? If one person holds all the institutional knowledge about system configurations, passwords, and data locations, you have a key-person risk that needs mitigation before close. Document everything that lives in that person’s head during the transition period.
Managed service provider contracts. If the target uses an MSP, review the contract terms, including service scope, termination clauses, and transition assistance obligations. Some MSP contracts include restrictive terms that make switching providers difficult or expensive. Others include intellectual property provisions that claim ownership of configurations and documentation created during the engagement.
Vendor access. Map every vendor that has access to the target’s systems or data. This connects directly to the vendor security vetting process you should already be running for your own vendors. Each vendor relationship at the acquired company needs the same scrutiny: what data do they access, what security controls do they maintain, and what are the contract terms?
The Integration Plan
Due diligence tells you what you’re buying. Integration planning tells you what it costs to make it part of your environment. Start this planning before close, not after.
Network integration. Connecting two networks creates risk if one is less secure than the other. Plan for a segmented integration where the acquired company’s network operates in an isolated zone until you’ve remediated critical findings. This prevents a compromised system at the acquired company from reaching your production environment.
Identity consolidation. Merging two Microsoft 365 tenants, two Active Directory forests, or two sets of cloud accounts is one of the most technically complex parts of any acquisition. It affects every user’s email, file access, and application authentication. Budget 60 to 120 days of identity consolidation work for a 100-person company, and expect some disruption during the migration.
Standardization timeline. Bring the acquired company’s IT environment up to your standards, or build a plan with your managed IT provider to do so. This includes deploying your security stack, your backup solution, your endpoint management tools, and your monitoring platform across the acquired environment. For most SMB acquisitions, full standardization takes three to six months.
A virtual CIO can run the full IT due diligence process alongside your deal team, translating technical findings into business risk that informs your purchase price and integration budget.