Why IT Due Diligence Matters When Buying a Business
Business buyers focus significant attention on financial records, property, staff, and customer relationships. IT is often overlooked until after settlement — when the new owner discovers that the ageing server was held together by custom scripts nobody understands, that the vendor's IT provider agreement terminated at settlement, or that the primary software system requires an expensive upgrade.
A thorough IT due diligence process before settlement surfaces these issues when they can be negotiated into the purchase price or addressed as conditions of sale.
Infrastructure Assessment
- [ ] Identify all servers: age, operating system, warranty status, vendor support status
- [ ] Identify all network equipment (routers, switches, Wi-Fi): age and firmware currency
- [ ] Identify all workstations and laptops: age, operating system (flag any Windows 10 devices)
- [ ] Identify any specialised equipment (POS terminals, industrial computers, medical devices)
- [ ] Confirm who owns the hardware — the business, a leasing company, or the current IT provider
- [ ] Check whether any hardware is past end-of-support and needs replacement
Software and Licences
- [ ] List all software in use: vendor, version, licence type (perpetual, subscription)
- [ ] Confirm all software licences are transferable on business sale
- [ ] Identify any software past end-of-support
- [ ] Check Microsoft 365 or Google Workspace tenancy: is it in the business name? What plan?
- [ ] Identify any custom software: who built it, who maintains it, is source code available?
- [ ] Confirm accounting software licence is transferable
Internet and Connectivity
- [ ] What is the current internet plan, provider, and contract term?
- [ ] Is there a failover connection?
- [ ] What is the monthly internet cost? Is the contract transferable on business sale?
- [ ] What is the actual measured speed and uptime history?
Security Assessment
- [ ] Has the business had any security incidents, data breaches, or ransomware events?
- [ ] Is MFA enabled on all accounts?
- [ ] When were security patches last applied?
- [ ] Is backup in place? When was it last tested?
- [ ] Is there a current IT security policy?
IT Provider and Support Arrangements
- [ ] Who is the current IT provider? What is the agreement term and notice period?
- [ ] Does the IT agreement terminate at business sale, or is it transferable?
- [ ] Does the IT provider have documentation of the environment?
- [ ] Is there a risk of the current IT provider withdrawing support after sale?
Data and Intellectual Property
- [ ] Where is customer and operational data stored?
- [ ] Is all customer data clearly in the business's ownership (not in a personal account)?
- [ ] Are email accounts on the business domain or personal accounts?
- [ ] Are social media accounts in the business name or the previous owner's personal accounts?
Why IT Due Diligence Is Often Skipped
IT due diligence is one of the most frequently skipped elements of business acquisition due diligence in Australian SMB transactions. The reasons are understandable: buyers are focused on financials, legal agreements, and operational verification; IT feels secondary. In practice, IT discoveries post-acquisition can be materially expensive:
- A 15-person medical practice running on a server past end-of-life, with no tested backup, requires immediate infrastructure investment post-acquisition
- A retail business with POS software that cannot be migrated to a new merchant acquirer creates weeks of remediation work during the busiest trading period
- A professional services firm with all passwords known only by one departing key employee is effectively locked out of its own systems
The Core IT Due Diligence Checklist
Domain and email:
- [ ] Who owns the domain name and where is it registered? Is it in the business name?
- [ ] Can ownership transfer to you at settlement?
- [ ] Is email on the business domain or a personal/ISP email address?
- [ ] What email platform is used (Microsoft 365, Google Workspace, hosted cPanel)?
- [ ] What is the email history and archive situation?
Hardware:
- [ ] Full inventory of computers, servers, printers, and network equipment
- [ ] Age and condition of each device — Windows 10 vs Windows 11, EOL equipment
- [ ] Warranty status of servers and networking equipment
- [ ] Who owns the hardware — the business or a leasing arrangement?
Software and licences:
- [ ] What software is in use? Is it licensed correctly?
- [ ] Are licences in the business name or in the name of an individual?
- [ ] What are the ongoing subscription costs for software?
- [ ] Are there any software agreements that cannot be transferred?
Internet and connectivity:
- [ ] Who is the internet provider? What is the contract status and term?
- [ ] What speed tier and what technology (NBN, Enterprise Ethernet)?
- [ ] Is there a failover or redundancy arrangement?
- [ ] What phone system is in use — and are the numbers transferable?
Security:
- [ ] Has there been any cybersecurity incident in the past three years?
- [ ] Is MFA enabled on accounts?
- [ ] What is the backup arrangement — and has it been tested?
- [ ] Are all devices running current, supported operating systems?
- [ ] Are there any known data breaches or Privacy Act incidents?
Data:
- [ ] Where is business data stored (on-premise server, cloud, staff personal computers)?
- [ ] What cloud services are in use, and are accounts in the business name?
- [ ] What is the data retention practice for client records?
Post-Acquisition IT Integration: The First 90 Days
After acquisition, IT integration is typically more complex and more disruptive than anticipated. A structured 90-day plan:
Days 1–30: Assess and stabilise. Complete the IT environment assessment (if not done pre-acquisition), identify immediate security gaps (no MFA, unpatched systems, no backup), and address critical risks. Do not make major changes during this period.
Days 31–60: Standardise. Align the acquired business's IT to your standards — enforce MFA, deploy your EDR, bring devices under your patch management, onboard to your managed IT platform.
Days 61–90: Integrate. Connect the acquired business to shared infrastructure where appropriate — move to the same Microsoft 365 tenant if planned, connect to site-to-site VPN if required, migrate data to shared repositories.
Ongoing: Communicate with staff. IT changes affect people's daily workflows. Clear communication about what is changing, when, and why — and accessible support during the transition — reduces disruption and builds trust with acquired staff.
Netluma IT conducts IT due diligence reviews for SE Queensland businesses acquiring other businesses. Call 1300 521 162 to arrange a review before your next acquisition.