IT MSP Due Diligence – Comprehensive Guide for Investors and CxOs

Finding the right team during IT MSP Due Diligence.

A robust IT Managed Service Provider (MSP) is more than a luxury—it’s a necessity. Especially for software-led companies that are laser-focused on product development, the peripheral IT demands can often be a blind spot, exposing them to potential security risks. Not good news for potential investors and an easy ‘red flag’ for us to raise during Technology Due Diligence.

Back Office IT is a common area of concern that’s reasonably easy to address post-investment/deal. Yet I still continue to meet numerous investors whose portfolio company has been attacked/hacked post-deal; whilst no one can guarantee 100% protection for these growing firms, it’s essential to address the known gaps.

To be clear, this post is about assessing a potential IT MSP to provide services to a firm, not assessing an IT MSP for potential investment or buyout.

Typical high-level scope

I assume the ‘standard’ checkpoints are often the first ports of call: scope, timing, pricing, customer references, technical certifications, vendor partnerships, SLAs, insurance details, system uptime, and response times.

I think the concern is that software development and IT infrastructure appear to have the same skillset but are chalk and cheese. I always see IT Infrastructure as a ‘Lego-brick’ building where software creates bricks. That’s as scientific as you get when you’ve had this long in the industry 🙂

You may also want to refer to Scott & Scott LLP’s ‘Legal Guide to Managed Services’, which is written for Managed Service Providers but provides insight into these firms’ legal requirements and behaviours.

For instance, many MSPs cut corners. The report states that 50% of IT MSPs present Master Service Agreements, MSAs, that lawyers did not professionally draw up due to cost-cutting. As the business model is about cost-cutting, this cost-cutting may be elsewhere in the business, so I would ask if they have legal representatives and who they are.

Watch out for Private Equity Buy and Build

Many IT MSPs are growing through acquisition, and good for them. It is a little controversial considering our core market, but I would advise assessing whether the firm(s) you are considering is on an acquisition journey and, if they are, how well they are integrated with the core firm, because firms that are not well integrated leave a trail of unhappy employees/engineers.

How do you find this out?

First, Google search for ‘ACME acquires’ to see if the firm has completed some acquisitions and, if they have acquired in your local area, see if you can speak to a local engineer.

I try to talk to the End User Computing (laptops/users) engineers. They are customer-facing and usually at the brunt of poor project management or stressful jobs. I realise this may seem like a generalisation, but I’ve had enough time with engineers to know this is a concern.

Note: some of the most well-known MSPs on an acquisition spree are also high on ‘Great Places to Work’, demonstrating that M&A works.

IT MSP Due Diligence Checklist

As you move forward with the process of either outsourcing your IT requirements to an MSP or transitioning to a new one, here are the definitive steps for due diligence:

1. Certification and Compliance:

  • ISO 27001 Certification: This internationally recognised standard for information security management systems is pivotal. Especially if your firm works with larger businesses.
  • Cyber Essentials Plus: A rigorous check against varied types of cyber attacks, ensuring the MSP’s protective measures are comprehensive. We like it because it’s practical and hands-on proof that cyber is a high priority.

2. Competency in Cybersecurity:

  • Advanced Skillset: Whilst many MSPs will be able to deal with generic migrations, setup and support, not many have future-thinking knowledge. Ensure they know GDPR and can implement Data Loss Prevention, Cloud Access Security Brokers, and ways and measures to secure your precious IP – the code.
  • Gap Analysis and Proactive Support: The MSP should be proactive in identifying potential security pitfalls and in putting countermeasures in place.

3. Expertise with Key Tools:

  • Office 365 Mastery: Given its ubiquitous use in businesses, proficiency with Office 365 is paramount.
  • Cloud Platforms Proficiency: Mastery of Microsoft Azure, Google Cloud, and AWS is crucial. Beyond just familiarity, they should have proven experience in migrations between these platforms.
  • Cost Optimisation: If your firm is to scale rapidly, you must ensure the IT MSP has the skills to select the correct licensing and configure cost-optimal cloud solutions.

4. Service Level and Response:

  • Defined Support Strategy: The MSP’s roadmap for support should be crystal clear, leaving no room for ambiguities.
  • Prompt Response Times: In IT, delays can be lethal. An assurance of swift support response is non-negotiable. Ask for evidence.

5. Independence and Corporate Structure:

  • Ensure Independence: An independent MSP is ideal. If PE-backed, aligning closely with the HQ is critical to circumvent service delivery hiccups.
  • Peek into Employee Satisfaction: Platforms like Glassdoor are invaluable in gauging the internal health and morale of the MSP.

6. Relationships:

  • Vendor Accreditations: A thorough vetting of the MSP’s vendor accreditations will affirm their capability to address issues beyond basic IT needs.
  • Vendor Management: Enquire which vendors currently provide a dedicated Manager, which indicates a higher profile and growth.

7. Consistency and Expertise:

  • Engineer Consistency: A continuous association with a single engineer can be a boon for understanding and fine-tuning your IT landscape.
  • vCIO Services: An MSP offering vCIO services is a reassuring hint of the strategic acumen nestled within their team.
  • Engineer reference: Engaging with an MSP engineer can offer direct insights into their operations and ethos.
  • Technology Compatibility: Ensure there’s no mismatch in technological familiarity, especially concerning your firm’s proprietary tools.

8. Case Study and Onboarding:

  • Similar Customer Profile: Request the MSP to delineate a client comparable in size and technology, offering a clearer lens into their expertise and approach.
  • Onboarding and Relationship Dynamics: Gain clarity on their onboarding process and the evolution of client relationships thereafter.

The Bottom Line: Why IT MSP Due Diligence Is Worth the Time and Effort.

IT MSP due diligence is more than just a technical exercise—it’s a mission-critical strategic alignment. If done well, your firm/portfolio firm will be ‘wedded’ to the supplier for years. Investors, take heed: sidestepping this robust evaluation could result in unforeseen pitfalls.

By aligning with an MSP that meets the stringent criteria above, you’re not merely fortifying your business; you’re building a flexible and secure foundation for your business’s future.

Hutton Henry
Hutton has worked with Private Equity Portfolio firms and Private Equity funds since 2015. Having previously worked in post-merger integration for large firms such as Ford and HP, Hutton understands the value of finding issues prior to M&A deals. He is currently the founder of Beyond M&A and provides technology due diligence for VC, PE and corporate investors, so they understand their technology risks before entering into a deal.
