How much should an SME spend on IT?

Best-in-class SMEs spend 3-5% of revenue on IT (including personnel, infrastructure, software, and security). Most acquired SMEs are significantly under-investing at 1-2% of revenue, creating tech debt that manifests as security vulnerabilities, manual processes, and inability to scale. Budget for a 50-100% increase in IT spend in the first 18 months.

What are the most critical IT issues to address after an acquisition?

Priority 1 (first 30 days): cybersecurity basics - password policies, multi-factor authentication, backup verification, and endpoint protection. Priority 2 (months 2-4): business continuity - disaster recovery plan, cloud backup, key system documentation. Priority 3 (months 4-12): modernization - cloud migration, ERP evaluation, and automation of manual processes.

Post-Acquisition Technology Audit: A CEO’s Playbook

12 min read

When you acquire a small or mid-sized business through a search fund, you are almost certainly inheriting a technology environment shaped by years of ad hoc decisions, deferred investments, and an owner who viewed IT as a cost center rather than a strategic asset. Before you can execute your digital transformation roadmap, you need a rigorous, structured audit of everything technology-related in the business. This playbook gives you the framework to do exactly that.

Why technology matters in acquired SMEs

Technology is not a side concern, it is the connective tissue of modern business operations. In a typical search fund acquisition, the target generates $3M-$30M in revenue and employs 20-200 people. At this scale, technology decisions have an outsized impact on margins, scalability, and risk.

Operational efficiency. Manual processes that worked at ten employees become bottlenecks at thirty. Technology lets you scale operations without proportionally scaling headcount , the primary lever for margin expansion in most value creation plans.
Data-driven decisions. A CEO who builds a KPI dashboard on clean, reliable data will consistently outperform one relying on gut instinct and accounting reports that arrive three weeks late.
Risk mitigation. A single ransomware attack can shut down operations for weeks. A failed server with no backup can destroy years of customer and financial data. Technology risk is business risk, and acquirers routinely underestimate it.
Valuation impact. At exit, buyers will scrutinize your technology stack. A well-architected, cloud-based, documented environment commands a premium. Legacy systems and tech debt become negotiation points that reduce your multiple.

The technology audit framework

A thorough audit covers five domains. During your first 100 days, complete at least a high-level assessment of each. A deeper dive into critical areas can follow in months three through six.

1. Infrastructure

Servers and hosting. On-premise, data center, or cloud? What is the age of physical hardware? On-premise servers older than five years are past warranty and increasingly likely to fail without warning.
Networking. Document routers, switches, firewalls, Wi-Fi, and VPN configurations. Check internet bandwidth and redundancy, many SMEs run on a single ISP with no failover.
End-user devices. Inventory all laptops, desktops, and mobile devices. Note OS versions, hardware age, and whether devices are company-owned or BYOD.
Telephony. Legacy PBX or hosted VoIP? Phone systems are often overlooked but can represent significant monthly costs.

2. Applications

Catalog every software application in use. For each, document:

Name, vendor, version, and whether it is SaaS or locally installed.
Purpose, department, and number of users.
Annual cost including maintenance and hosting fees.
Contract terms: renewal dates and auto-renewal clauses.
Integration points with other systems.

You will discover redundant tools and “shadow IT” subscriptions. If you are considering an ERP implementation, this inventory becomes the foundation for requirements gathering.

3. Data

Where does critical data live? In many SMEs, customer records and financial data live on individual desktops, in email inboxes, or in personal cloud accounts the company does not control. Map every data source.
Backup status. Verify backup frequency, location, encryption, and, critically, when backups were last tested. A backup that has never been restored is not a backup.
Data quality. Are customer records complete and deduplicated? Poor data quality will undermine every analytics initiative you attempt.
Ownership. Verify that all data, domain names, and cloud accounts are owned by the company entity, not by the former owner personally or an external consultant.

4. Security

Access controls. Who has admin access? Are there shared passwords? Have former employees been deprovisioned? In many SMEs, accounts for people who left years ago remain active.
Authentication. Is MFA enabled on email, banking, and critical systems? If not, enabling it is your highest-impact security quick win.
Endpoint protection. Are devices running managed antivirus? Are OS and application patches applied regularly?
Compliance. Does the business handle regulated data (HIPAA, PCI, GDPR)? If so, are required controls in place?
Cyber insurance. Many general commercial policies exclude cyber incidents entirely. Standalone coverage costs $1,000-$5,000 per year for most SMEs.

5. IT spend

Build a complete picture. Aggregate every technology expense: software, hosting, hardware, telecom, MSP fees, contractor invoices, and staff costs. Express the total as a percentage of revenue.
Benchmark. Typical SME IT spending is 3%-6% of revenue. Below 2% signals accumulated tech debt. Above 8% suggests redundant tools or over-engineered solutions.
Identify waste. It is common to find $20K-$50K in annual savings by canceling unused subscriptions and eliminating redundant tools during the first spend review.

Common tech debt in SMEs

Unsupported software. Applications on versions that no longer receive security patches, Windows Server 2012, QuickBooks Desktop 2018, custom apps on deprecated frameworks.
Single points of failure. One server, one internet connection, one person who understands the billing system.
Tribal knowledge. Business logic embedded in spreadsheets or Access databases that only one person understands.
No documentation.Network diagrams, configurations, and procedures exist only in someone’s head.
Deferred hardware. Servers and workstations years past replacement age, where each additional year increases failure risk and eventual cost.
No disaster recovery plan. If the office floods or ransomware encrypts every file, most acquired SMEs have no documented, tested recovery process.

Quick wins in the first 90 days

Cloud migration for email and files

Migrating from on-premise Exchange or a local file server to Microsoft 365 or Google Workspace is one of the highest-value quick wins. These platforms deliver enterprise-grade email, cloud storage, and collaboration for $6-$22 per user per month. Migration takes one to three weeks for 20-100 employees and eliminates the cost and risk of maintaining on-premise servers.

Cybersecurity basics

Enable MFA everywhere. Email, banking, CRM, ERP. Free to minimal cost; prevents over 99% of credential attacks.
Deploy endpoint protection. CrowdStrike, SentinelOne, or Microsoft Defender for Business at $5-$12 per endpoint per month for real-time threat detection.
Deprovision former employees. Audit all system access and revoke accounts immediately. Establish a formal offboarding checklist.
Implement a password manager. 1Password Business or Dashlane at $4-$8 per user per month replaces shared passwords and sticky-note credentials.

Backup and disaster recovery

Implement the 3-2-1 rule: three copies of critical data, on two different media, with one stored off-site. Cloud backup solutions like Veeam, Datto, or Acronis cost $200-$1,000 per month and provide automated, encrypted, verified backups. Document a disaster recovery plan, test it quarterly, and answer: if we lose everything tomorrow, how do we resume operations and how long will it take?

When to invest vs. when to wait

Distinguishing urgent investments from those that can wait is one of the hardest judgment calls. The right tools and frameworks help you evaluate these trade-offs systematically.

Invest now

Security vulnerabilities that expose the business to data loss, regulatory penalties, or operational shutdown.
Single points of failure: no redundancy for critical systems, people, or connections.
Compliance gaps that create legal and financial exposure.
Revenue-enabling technology like a CRM for a sales team with no pipeline visibility.

Wait and plan

ERP replacement. Unless the current system has data integrity issues, a migration benefits from thorough planning.
Custom software. What seems unique often has an off-the-shelf solution at a fraction of the cost.
Advanced analytics and AI. These require clean data and integrated systems first.
Nice-to-have automation. Automating merely inconvenient processes can wait for higher priorities.

Build vs. buy decisions

Default to buying. SaaS tools exist for virtually every SME function. They are battle-tested, continuously updated, and vendor-supported. Custom software is none of these things.
The true cost of building. Custom projects routinely cost 2-3x their estimate and take twice as long. A $50K build easily becomes $150K over three years when you add maintenance, security patches, and enhancements.
When building makes sense. Only when the process is truly unique, no commercial product fits, and the functionality creates competitive advantage. In practice, fewer than 5% of SME technology needs justify custom development.
The middle path. Low-code platforms like Airtable, Monday.com, or Microsoft Power Apps let you build lightweight workflows without traditional development, ideal for bridging gaps between off-the-shelf tools.

IT staffing: MSP vs. in-house

Managed service providers (MSPs)

An MSP provides outsourced IT support, help desk, monitoring, patch management, backups, and basic cybersecurity, for $100-$250 per user per month. For companies with 20-50 employees, an MSP is almost always more cost-effective than an internal hire. Evaluate providers on response time SLAs, industry references, security certifications (SOC 2, ISO 27001), and pricing transparency. Avoid long-term contracts until the relationship is proven.

In-house IT and the hybrid model

Consider an internal IT hire when you exceed 75-100 employees, operate proprietary systems, or have complex compliance requirements. The most effective approach for many search fund businesses is a hybrid: one internal IT manager for strategy and vendor management, supported by an MSP for day-to-day operations. For strategic technology leadership without a full-time executive, a fractional CTO at $3,000-$10,000 per month can conduct your audit, develop the roadmap, oversee implementations, and then reduce involvement once the foundation is in place.

Budgeting IT spend as a percentage of revenue

Year one: 4%-6% of revenue. Elevated spending to address deferred maintenance, close security gaps, and implement foundational systems. For a $10M business, this means $400K-$600K including one-time project costs.
Steady state: 3%-5% of revenue. Covers ongoing SaaS subscriptions, MSP or staff costs, hardware replacement on a lifecycle basis, and incremental improvements.
Capital vs. operating split. Distinguish recurring costs (subscriptions, MSP fees, telecom) from one-time investments (hardware, migrations). This matters for financial reporting and investor communication.
ROI tracking. For every significant investment, define expected return: labor hours saved, revenue enabled, risk reduced. Track actual results against projections to prevent IT spending from becoming an unchecked line item.

Putting it all together: the audit timeline

Weeks 1-2: Discovery. Inventory hardware, software, contracts, and expenses. Interview key users about pain points. Identify who currently handles IT.
Weeks 3-4: Assessment. Evaluate security, backups, infrastructure age, and application fitness. Score each domain on a red-yellow-green scale.
Weeks 5-6: Quick wins. Enable MFA, deprovision former employees, verify backups, cancel unused subscriptions.
Weeks 7-10: Roadmap. Build a prioritized 12-18 month technology roadmap with costs, timelines, and expected outcomes. Present to your board alongside the IT budget.
Weeks 11-12: Kick-off. Select vendors or an MSP and begin executing highest-priority initiatives.

A technology audit is not a one-time exercise. Revisit your technology health scorecard quarterly as systems improve and new risks emerge. Approach it with the same rigor you applied to your first 100 days and your digital transformation strategy: listen first, assess thoroughly, prioritize ruthlessly, and execute with discipline.

Frequently asked questions

How long does a post-acquisition technology audit take?

A thorough technology audit can be completed in 10-12 weeks following a structured approach. According to Gartner’s IT assessment framework, the process breaks down as: Weeks 1-2 for discovery (inventorying hardware, software, contracts, and expenses and interviewing key users), Weeks 3-4 for assessment (evaluating security, backups, infrastructure age, and application fitness), Weeks 5-6 for implementing quick wins (enabling MFA, deprovisioning former employees, verifying backups, canceling unused subscriptions), and Weeks 7-12 for building a prioritized 12-18 month technology roadmap with costs, timelines, and expected outcomes. A fractional CTO at $3,000-$10,000 per month can lead this process if you lack internal IT leadership.

How much IT waste is typically found in acquired SMEs?

According to Flexera’s annual IT spending waste report, organizations waste an average of 30-35% of their software spending on unused or underutilized licenses. In acquired SMEs, this waste is often even higher. It is common to find $20K-$50K in annual savings by canceling unused SaaS subscriptions, eliminating redundant tools (multiple project management platforms, duplicate email marketing services), and renegotiating vendor contracts that auto-renewed at inflated rates. The technology audit pays for itself through these savings alone, before you even begin investing in improvements. Document every software tool and subscription, including costs and contract renewal dates, and rationalize the portfolio within the first 90 days.

Should I use an MSP or hire an in-house IT person?

For businesses with fewer than 50 employees, a Managed Service Provider (MSP) is almost always more cost-effective. According to CompTIA’s managed services research, MSPs provide 24/7 monitoring, help desk support, patch management, and basic cybersecurity for $100-$250 per endpoint per month, which translates to $2,000-$7,500 per month for a 20-30 person company, a fraction of the $60K-$90K annual cost of a full-time IT hire plus benefits. Consider an internal IT manager when the business exceeds 75-100 employees, operates proprietary systems, or has complex compliance requirements. The most effective model for many search fund businesses is a hybrid: one internal IT manager for strategy and vendor management, supported by an MSP for day-to-day operations.

Sources

Gartner — IT Infrastructure Assessment Framework for Mid-Market Companies, 2024. Structured methodology for technology audits, scoring frameworks, and prioritization criteria.
Flexera — State of IT Visibility Report, 2024. Data on software spending waste, shadow IT prevalence, and license optimization opportunities across organizations of all sizes.
CompTIA — Trends in Managed Services, 2024. Research on MSP adoption patterns, cost benchmarks, and service delivery models for small and mid-sized businesses.