Technology due diligence is the most commonly skipped diligence category in ETA acquisitions — and the one that produces the most unpleasant post-close surprises. Most lower-middle-market businesses are not running sophisticated technology stacks, but they are dependent on specific software, data, and systems in ways that can disrupt operations if you do not understand them before you close. Here is what to look for.
Why IT Diligence Matters Even for Non-Tech Businesses
A landscaping company running its routing on one employee's personal phone, a pest control business storing all customer data in a spreadsheet on the owner's laptop, and an HVAC company using an outdated scheduling system that only one person knows how to operate are all technology risks — regardless of the industry. When the employee leaves, the phone goes with them. When the laptop fails, the customer data is gone. When the system breaks, operations stop.
Technology is infrastructure. Like equipment or facilities, it has condition, age, and dependency characteristics that affect business continuity and the cost of ownership. The cost of addressing technology issues post-close — replacing systems, migrating data, training staff, remediating security gaps — is frequently $15,000–$75,000 for a business in the $1M–$5M revenue range. That is a purchase price adjustment you should have captured before signing.
Software Licenses and Subscriptions
Request a complete inventory of all software the business uses, along with license types, user counts, and annual costs. Common issues: software licensed in the owner's personal name (which may not transfer with the business and may require re-purchase), pirated or unlicensed software (creates legal liability and immediate remediation cost), subscription services with annual auto-renewal commitments the seller did not disclose, and mission-critical software without current maintenance agreements (meaning security patches and updates have stopped).
The IT inventory review often surfaces monthly software costs the seller had not accurately tracked — subscriptions accumulated over years without consolidation. This information matters for both due diligence (is there financial statement accuracy here?) and operations (what can you eliminate on day one to improve margins?).
Data: Where It Lives and Who Controls It
The most operationally critical question in IT diligence is: where does the data live and who controls it? Customer data stored in a CRM that is properly backed up and accessible by multiple team members is very different from customer data in a spreadsheet on the owner's personal computer that is not backed up anywhere.
Map every data category: customer records (contact information, purchase history, contract details), operational data (scheduling, routing, job history), financial data (QuickBooks or accounting software), and employee data (payroll, HR records). For each: where is it stored, who has access, is it backed up, and what happens if the primary person who manages it leaves?
Businesses where the owner is the only person with admin access to key systems are a specific risk category. If the owner's credentials are required to access the accounting software, the customer database, or the email system — and the owner is leaving — you need a plan to transfer those credentials before close, not after.
Cybersecurity: The Baseline You Must Establish
Cybersecurity practices in small businesses are frequently nonexistent. vCTO advisory firm survey data shows 67% of small businesses have no documented cybersecurity policy, 44% have no automated backup or disaster recovery plan, and 38% are running outdated or unsupported operating systems (Windows versions beyond end-of-life, for example). These are not just compliance issues — they are operational risks. A ransomware attack or data breach in the first year of ownership can cost more than the business generates in free cash flow.
The minimum cybersecurity baseline you should establish by day 30: all admin passwords changed from seller's credentials; multi-factor authentication enabled on all critical systems (email, banking, accounting software, customer CRM); automated cloud backup configured and tested; all devices inventoried; and a documented process for employee offboarding (revoking access when employees leave). This takes approximately 20–40 hours of IT professional time and costs $2,000–$8,000. It is not optional.
System Dependencies and Vendor Relationships
Identify every software vendor or IT service provider the business currently uses and understand the contract terms. Key questions: does the current IT support vendor have a contract that transfers with ownership? Are there software subscriptions tied to the seller's personal email or credit card? Does the business use any custom-built software (extremely common in manufacturing and specialized services) for which the original developer may no longer be available?
Custom software is the highest-risk IT finding. A business that built proprietary scheduling software 10 years ago, has no documentation, and relies on one employee who understands how it works is running on technical debt that will eventually come due. Price this risk explicitly in your purchase price or negotiate an escrow for technology migration costs.
What to Do With IT Findings
Document all findings in a technology risk summary. Prioritize: issues that could cause immediate operational disruption (no backup, owner-only access, unlicensed mission-critical software) versus issues that are important but not urgent (outdated hardware, informal practices). For immediate risks, negotiate a specific indemnification or price adjustment. For ongoing technology improvement costs, budget them explicitly in your year-one operating plan — they are not optional and they are not free.