Buying / Selling an SMB: The Complete IT Due Diligence Guide (Risks, Costing, Clauses, 100-Day Plan)

    Comprehensive pillar article for CEOs and acquirers: how to run an IT due diligence that drives decisions and negotiations, quantify risks, and secure the closing with a 100-day plan.

    By Théo Fleury, Founder of ABC OPTIM. Reading time: 14 min. Complete guide.

    Key takeaways

    • Problem: 'invisible' IT becomes an unforeseen CAPEX/OPEX after closing (and a discount lever during negotiation).
    • Solution: a decision-oriented IT due diligence — inventory, red flags, costing, transfer clauses, and a 100-day plan.
    • Result: fact-based negotiation (price/earn-out/warranties) + faster post-deal integration with fewer surprises.

    An IT due diligence is not an 'encyclopedic' audit. It's a decision-making and negotiation tool. Your goal: turn IT uncertainty into a short list of quantified risks with a realistic execution plan.

    The essentials in 30 seconds

    The CEO / acquirer deliverable

    • Inventory: applications, cloud, licenses, vendors, admin access
    • Top 10 red flags (probability/impact) in business language
    • Costing (ranges): remediation + downtime cost (order of magnitude)
    • Closing clauses: ownership transfer, reversibility, access, evidence (MFA/backups)
    • 100-day plan: D1–15 / D15–45 / D45–100

    Why IT impacts the price (and the timeline)

    • IT underpins the ability to invoice/produce/deliver: if it goes down, the business slows down.
    • Hidden costs are common: licenses, obsolescence, custom integrations, missing baseline security.
    • Buyers pay for predictability: ambiguity becomes a discount or warranty demands.

    IT due diligence: the 6-question framework (to scan)

    1. What keeps the business running day-to-day (core systems)?
    2. What is fragile (red flags)?
    3. What is not transferable (licenses, cloud, domains, vendors)?
    4. How much does remediation cost (CAPEX/OPEX)?
    5. What is the downtime risk (daily impact, dependencies)?
    6. What is the 100-day plan to stabilize without 'post-deal chaos'?

    The minimum IT data room (to require)

    Documents + evidence

    • Application inventory + versions + criticality
    • Contracts: cloud, hosting, managed services, integrators (SLAs + reversibility)
    • Licenses: ownership, renewals, vendor accounts
    • Domains + cloud accounts + code repositories (if applicable): clear ownership
    • Named admin access + MFA (not shared)
    • Backups: policy + proof of a restore test
    • Major incidents over the past 24 months + remediation actions

    Red flags: the 12 that hurt (and how to translate them into €/$)

    • Shared admin accounts / no MFA → intrusion risk + dependency.
    • Untested backups → prolonged downtime risk.
    • Licenses under an individual's / third party's name → disruption risk.
    • Single vendor with no reversibility → operational risk.
    • Obsolete ERP/CRM (end of support) → catch-up cost.
    • Undocumented custom integrations → risk when a key person leaves.
    • No monitoring / logs → late detection.
    • Weak access management (ex-employee accounts still active) → unauthorized access risk.
    • Shadow IT → data leakage + costs.
    • Fragile shop-floor network / Wi-Fi (manufacturing) → downtime.
    • Verbal-only contracts → budget / service uncertainty.
    • Inconsistent data → operational errors.

    Quick costing

    Translate into decisions

    • Remediation: licenses + baseline security (MFA/EDR/backups) + updates + integrator
    • Business downtime: margin/day × probable days (order of magnitude)
    • Key-person dependency: 'what happens if X leaves?'
    • Timeline: how many weeks to stabilize?
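    The two sections above (red flags and quick costing) can be joined into one small tool: check the data-room evidence for the page's red flags, then rank them by remediation range plus probability-weighted downtime (margin/day × probable days). This is an added example, not ABC OPTIM's own tooling; the inventory, thresholds and cost ranges are constructed assumptions.

```python
"""Added example: turn data-room evidence into a ranked, costed red-flag list."""
from datetime import date

# Constructed data-room extract (illustrative company, not a real one).
INVENTORY = {
    "admin_accounts": [
        {"name": "admin@erp", "shared": True, "mfa": False},
        {"name": "j.doe@cloud", "shared": False, "mfa": True},
    ],
    "backups": {"policy": "daily", "last_restore_test": date(2023, 1, 10)},
    "licenses": [{"product": "CRM", "owner": "individual"},
                 {"product": "Office", "owner": "company"}],
    "core_systems": [{"name": "ERP", "end_of_support": date(2024, 6, 30)}],
}

# Assumed order-of-magnitude model per red flag:
# (remediation_low, remediation_high, probability over year 1, probable downtime days)
COST_MODEL = {
    "shared admin / no MFA": (5_000, 15_000, 0.30, 3),
    "untested backups": (3_000, 10_000, 0.15, 10),
    "license under individual's name": (1_000, 5_000, 0.20, 5),
    "core system end of support": (50_000, 150_000, 0.50, 2),
}

def find_red_flags(inv, today):
    """Return the red flags the evidence supports (names match COST_MODEL keys)."""
    flags = []
    if any(a["shared"] or not a["mfa"] for a in inv["admin_accounts"]):
        flags.append("shared admin / no MFA")
    # Assumption: a restore test older than 6 months counts as 'untested'.
    if (today - inv["backups"]["last_restore_test"]).days > 180:
        flags.append("untested backups")
    if any(lic["owner"] != "company" for lic in inv["licenses"]):
        flags.append("license under individual's name")
    if any(s["end_of_support"] <= today for s in inv["core_systems"]):
        flags.append("core system end of support")
    return flags

def cost_red_flags(flags, margin_per_day):
    """Rank flags by worst-case total: remediation high + expected downtime cost."""
    rows = []
    for f in flags:
        lo, hi, p, days = COST_MODEL[f]
        downtime = margin_per_day * days * p   # margin/day x probable days, weighted by probability
        rows.append({"flag": f, "remediation": (lo, hi), "expected_downtime": downtime,
                     "total_range": (lo + downtime, hi + downtime)})
    return sorted(rows, key=lambda r: r["total_range"][1], reverse=True)

if __name__ == "__main__":
    for row in cost_red_flags(find_red_flags(INVENTORY, date(2025, 1, 1)), 10_000):
        print(row)
```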

    Closing clauses: what a CEO must lock down

    • Ownership transfer: licenses, domains, cloud accounts, code repositories.
    • Handover of access: named admin accounts + MFA + complete list.
    • Vendor reversibility: documentation, timelines, formats.
    • Inventory appended to the deal (reduces ambiguity).

    100-day plan (simple and effective example)

    1. D1–15: take over access, enable MFA, secure backups, build inventory.
    2. D15–45: fix priority red flags, document integrations, stabilize ERP/CRM.
    3. D45–100: standardize processes + KPI dashboards, build 6–12 month roadmap.

    Expert insight

    The best IT due diligence is the one that changes the conversation: less 'technical jargon', more 'risk + cost + timeline'. That's what makes the negotiation fact-based and the post-deal execution actionable.

    FAQ — IT Due Diligence

    How long does a useful IT due diligence take?

    For an SMB, a format useful for negotiation typically takes 1–2 weeks (if documents are available). A 72-hour scan can already surface the major red flags.

    What justifies a price discount?

    Ambiguity (transferability, security, dependencies) and uncertain remediation costs. Evidence (MFA, tested backups) + costing reduces the discount.

    Do you need to replace the ERP after an acquisition?

    Not necessarily. Priority: continuity + stabilization. The 'replace' decision is made after a fact-based assessment and a 100-day plan.

    Next step

    Send us 3 items: (1) list of core tools, (2) managed services / hosting contract, (3) backup status (restore test evidence if available). ABC OPTIM will send back a short list of areas to investigate + a remediation cost estimate — useful for deciding and negotiating.
