SMB Acquisition: The IT Due Diligence Checklist That Prevents Post-Signing Surprises

    Buyer-focused IT checklist: what to verify (security, contracts, data, ERP/CRM, dependencies) and — most importantly — how to quantify the risk for price negotiation.

    7 min read. By Théo Fleury, Founder, ABC OPTIM

    Key takeaways

    • Problem: a 'minor' IT risk can turn into unexpected CAPEX/OPEX right after closing.
    • Solution: a short, structured, and quantified IT due diligence (risks, remediation costs, dependencies).
    • Result: fact-based negotiation (price/earn-out/warranties) + a realistic 100-day plan to secure the integration.

    You're about to sign an LOI (or you already have) and one question lingers: 'what will IT cost me after the deal?'. The goal of an IT due diligence isn't to produce an encyclopedic technical audit — it's to turn unknowns into actionable numbers so you can decide and negotiate.

    The reality (business pain)

    • You're buying the ability to deliver (customers, production, invoicing). If IT breaks, everything slows down.
    • The risk isn't 'a server' — it's a business outage, data loss, or non-compliance.
    • The real trap: hidden costs (licenses, integrators, cybersecurity, obsolescence, technical debt).

    The method (inverted, decision-oriented)

    1) Map in 60 minutes: what keeps the business running

    Express checklist (if you only have one hour)

    • Core systems: ERP, CRM, invoicing, payroll, line-of-business tools.
    • Critical data: where it lives, who has access, how it's backed up.
    • Dependencies: key vendors, integrators, hosting provider, licenses, source code.
    • Single points of failure: 'if this goes down, we can no longer…' (produce, deliver, invoice, collect).

    2) Check the red flags (the 8 that cost money)

    • Shared admin accounts with no MFA (cyber risk + vendor lock-in).
    • Untested backups (the backup exists… but the restore fails).
    • Unmaintained / obsolete ERP/CRM (catch-up cost).
    • Licenses registered to an individual or a third party (disruption risk).
    • Vague vendor contracts (no SLA, no reversibility, no inventory).
    • Customer data scattered across spreadsheets and mailboxes with no governance.
    • Undocumented custom integrations (one departure = one outage).
    • No logging or monitoring (incidents are discovered too late).

    3) Quantify to negotiate (the key point)

    An unquantified risk is useless in a negotiation. The useful deliverable is a short list: (a) risk, (b) probability/impact, (c) remediation cost, (d) timeline.

    How to quantify quickly (without kidding yourself)

    • Remediation cost: missing licenses + updates + baseline security (MFA, backups, EDR).
    • Outage cost: 1 day of disrupted operations (production, invoicing, delivery) × margin/day.
    • Dependency cost: what happens if the key vendor or in-house admin leaves?
    • Compliance cost: contracts, GDPR, data retention, access rights.

    4) Secure the closing (simple clauses to request)

    • IT asset inventory (applications, licenses, domains, access, admins) attached to the deal.
    • Transfer of ownership (licenses, cloud accounts, domain names, code repositories).
    • Vendor reversibility (terms, timelines, documentation).
    • Commitment to hand over access (MFA, named admin accounts).

    5) Build a 100-day plan (to avoid 'post-deal chaos')

    1. Days 1–15: take over access, enable MFA, secure backups, inventory.
    2. Days 15–45: stabilize ERP/CRM, document integrations, address priority red flags.
    3. Days 45–100: standardize (processes, tools) + improvement roadmap (not the other way around).

    Expert insight (reassurance)

    An effective IT due diligence comes down to one question: 'does this help me decide and negotiate?'. If the report is 80 pages but doesn't quantify remediation costs, it doesn't serve the buyer. Conversely, 10 well-documented red flags + a cost estimate + a 100-day plan is immediately actionable.


    Next step (the 'coffee chat')

    If you're in the LOI phase, send us 3 items (list of core tools, managed services/hosting contract, and an anonymized export of applications/subscriptions if available). We'll send back a 'short list' of items to investigate + a remediation estimate. ABC OPTIM supports executives and buyers (Paris) with this lean format: IT due diligence focused on risks + cost estimates + 100-day plan.
