Buying an IT business without proper due diligence is like buying a car without looking under the hood. The numbers in a listing may look great, but the real picture only emerges when you verify each claim independently. This checklist covers everything a serious buyer should examine.
Financial due diligence
- Request a Stripe / PayPal / bank export for the last 12 months — verify against stated MRR.
- Check for revenue spikes that inflate averages — exclude one-time payments.
- Confirm expense breakdown: hosting, contractors, software, ads, owner salary.
- Verify net profit margin — ask for P&L if available.
- Check for pending refunds, chargebacks, or disputed payments.
- Confirm subscription billing dates don't cluster at the end of reporting periods.
- Ask for tax returns if the business operates as a registered entity.
Traffic and customer due diligence
- Request Google Analytics view access or exported reports for 12+ months.
- Verify traffic sources: what percentage is organic, paid, direct, or referral?
- Check organic keywords in Ahrefs or SEMrush — look for ranking concentration risk.
- Verify subscriber counts / user counts match reported numbers.
- Check churn rate: request cohort data or calculate from MRR graphs.
- Ask for customer concentration: does one client account for >20% of revenue?
- Review app store ratings if a mobile app is involved.
Legal and ownership due diligence
- Confirm legal ownership of domain(s) — check WHOIS and request transfer confirmation.
- Verify trademarks and brand IP ownership.
- Review all active contracts (customers, contractors, software licences).
- Check for pending litigation or claims.
- Confirm GDPR / data privacy compliance for EU-facing businesses.
- Verify that revenue is attributable to the entity/person selling (no silent partners).
Technical due diligence
- Review codebase quality: ask for a short walkthrough or access to a private repo.
- Check tech stack dependencies — are any deprecated or approaching end-of-life?
- Verify hosting setup: who holds the accounts, and can they be transferred?
- Check third-party API dependencies and terms (can they be transferred or re-keyed?).
- Review uptime history and incident logs if available.
- Assess documentation quality: are there SOPs for running the business?
Operational due diligence
- Map all tasks the current owner does weekly — estimate hours per week.
- Identify which tasks require specific skills you don't have.
- Review contractor/team agreements and whether they'll stay post-sale.
- Ask about seasonal patterns and why revenue may vary.
- Understand the customer acquisition process end-to-end.
Red flag: a seller who refuses to share their screen during a Loom walkthrough, or who takes more than 48 hours to respond to basic financial questions. Speed and transparency signal confidence in the numbers.
What happens if due diligence reveals problems?
Not every problem is a dealbreaker. A high-but-declining churn rate could be acceptable at a lower price. Technical debt might be manageable if you have the skills. Use your findings to renegotiate price rather than walk away — a 20% discount on a solid business with one fixable problem is often a better deal than a clean business at full price.