What is Due Diligence?
Due diligence (DD) is the formal investigation that a buyer conducts before acquiring a company. It is the PE industry’s version of “trust, but verify.” The seller and their investment bank present the company in the most favorable light through the CIM; due diligence is where the buyer independently validates every claim, uncovers hidden risks, and determines the true value of the business.
DD is organized into workstreams — parallel tracks of investigation each led by specialists. Financial DD is typically conducted by an accounting firm (e.g., Deloitte, KPMG, or a boutique QoE firm). Legal DD is handled by a law firm. Commercial DD may be done by a strategy consulting firm (e.g., Bain, L.E.K.) or the deal team itself. IT, HR, and environmental DD involve additional specialists as needed.
The output of DD directly impacts the deal: findings can change the purchase price (through adjustments to the working capital peg, identification of debt-like items, or QoE adjustments to EBITDA), change the deal structure (representations and warranties, indemnities, escrows), or kill the deal entirely (if a deal-breaker is discovered).
Why It Matters
Incomplete diligence is the single biggest source of PE deal failures. A customer concentration risk that was not investigated, an environmental liability that was missed, or a quality of earnings adjustment that was too aggressive can turn a promising investment into a loss. The DD checklist ensures every critical area is covered, tracked, and escalated appropriately.
The diligence process also generates institutional knowledge. Even if a deal does not close, the findings inform future deal evaluation. A firm that rigorously tracks DD outcomes — what was found, what was missed, what ultimately mattered post-close — builds a compounding advantage in deal evaluation over time.
DD costs are significant. A typical lower middle market deal (500K-500M-3-5M. Given these costs, disciplined tracking ensures that money is spent on the highest-priority items first.
Key Concepts
| Term | Definition |
|---|---|
| Quality of Earnings (QoE) | An independent analysis of a company’s earnings to determine “normalized” or “run-rate” EBITDA, adjusting for one-time items, owner perks, and accounting anomalies |
| Data Room | A secure virtual repository (e.g., Intralinks, Datasite) where the seller uploads company documents for buyer review |
| Working Capital | The operating cash tied up in the business (accounts receivable + inventory - accounts payable); typically normalized and set as a “peg” in the purchase agreement |
| Red Flag | A significant finding that may be a deal-breaker or require material changes to price or structure |
| P0 / P1 / P2 | Priority levels — P0 items are gating to LOI or close, P1 items are important but not gating, P2 items are nice-to-have |
| LOI | Letter of Intent — a non-binding agreement on key deal terms that typically precedes full diligence |
| Debt-Like Item | An obligation that behaves like debt but may not appear on the balance sheet — examples include deferred rent, unfunded pension liabilities, or certain litigation reserves |
| Reps and Warranties | Seller’s contractual statements of fact about the business; findings in DD often result in specific reps or indemnities to protect the buyer |
| Net Working Capital Peg | The agreed-upon level of working capital the seller must deliver at closing; deviations result in a dollar-for-dollar price adjustment |
How It Works
Scope the Diligence
Define: target company name and sector, deal type (platform acquisition, add-on, growth equity, recap, carve-out), deal size/complexity, key concerns to prioritize, and timeline (LOI/close targets).
Generate Workstream Checklists
Generate a comprehensive checklist across all major workstreams, tailored to the sector. Covers Financial DD (QoE, working capital, debt, capex, tax), Commercial DD (market size, competition, customers), Legal DD (contracts, litigation, IP, regulatory), Operational DD (management, IT, supply chain), HR DD (org chart, compensation, key person risk), IT DD (tech stack, security, scalability), and Environmental/ESG.
Track Status
Each item tracks: workstream, priority (P0/P1/P2), status (Not Started, Requested, Received, In Review, Complete, Red Flag), owner, and notes.
Escalate Red Flags
Maintain a running red flag summary: what was found, which workstream, severity (deal-breaker / significant / manageable), mitigant or path to resolution, and impact on valuation or deal terms.
Worked Example: SaaS Company Acquisition DD
Below is a numerical walkthrough of a due diligence process for a hypothetical $120M EV acquisition of a B2B SaaS company.
Deal Context
- Target: CloudMetrics Inc., a B2B SaaS company providing analytics dashboards
- Revenue: $18M ARR, growing 35% YoY
- Stated EBITDA: $3.6M (20% margin)
- Asking price: $120M EV (33x EBITDA, or ~6.7x ARR)
- Deal type: Platform acquisition
- Timeline: LOI signed, 45 days to close
Financial DD: Quality of Earnings Deep Dive
The QoE provider (boutique accounting firm) reviews 3 years of financials and identifies the following adjustments:
| Item | Management EBITDA Impact | QoE Adjustment | Adjusted Impact |
|---|---|---|---|
| Reported EBITDA | $3,600,000 | — | — |
| Owner salary above market | +$200,000 | Normalize to market rate | +$200,000 |
| One-time legal settlement | +$150,000 | Non-recurring, add back | +$150,000 |
| Capitalized development costs (should be expensed) | -$400,000 | Reduce EBITDA | -$400,000 |
| Revenue recognition timing (2 months early on 3 contracts) | -$180,000 | Adjust to proper period | -$180,000 |
| Under-market rent (related party landlord) | -$60,000 | Normalize to market | -$60,000 |
| Adjusted EBITDA | $3,310,000 | — | — |
Working Capital Analysis
| Component | Average (12 mo) | Current | Peg Proposal |
|---|---|---|---|
| Accounts Receivable | $2.1M | $2.8M (elevated) | $2.1M |
| Prepaid Expenses | $0.3M | $0.3M | $0.3M |
| Deferred Revenue | ($3.2M) | ($3.8M) (elevated) | ($3.2M) |
| Accounts Payable | ($0.4M) | ($0.3M) | ($0.4M) |
| Net Working Capital | ($1.2M) | ($1.0M) | ($1.2M) |
Commercial DD: Customer Analysis
| Metric | Finding | Severity |
|---|---|---|
| Top customer concentration | Customer A = 22% of ARR ($3.96M) | Red Flag — single customer >20% |
| Top 5 concentration | 52% of ARR | Yellow — elevated |
| Logo churn (annual) | 8% | Green — acceptable for SMB SaaS |
| Net dollar retention | 112% | Green — healthy expansion |
| Contract structure | 60% annual, 40% month-to-month | Yellow — high month-to-month |
DD Checklist Status (Week 3 of 6)
| Workstream | Total Items | Complete | In Review | Outstanding | Red Flags |
|---|---|---|---|---|---|
| Financial | 24 | 18 (75%) | 4 | 2 | 1 (capitalized dev costs) |
| Commercial | 16 | 10 (63%) | 3 | 3 | 1 (customer concentration) |
| Legal | 20 | 8 (40%) | 5 | 7 | 0 |
| Operational | 12 | 6 (50%) | 2 | 4 | 0 |
| HR/People | 10 | 4 (40%) | 2 | 4 | 0 |
| IT/Security | 14 | 3 (21%) | 2 | 9 | 0 |
| Total | 96 | 49 (51%) | 18 | 29 | 2 |
Sector-Specific DD Additions
| Sector | Additional DD Items |
|---|---|
| Software/SaaS | ARR quality, cohort analysis, hosting costs, SOC2 compliance, code review, technical debt assessment, customer data privacy (GDPR/CCPA), product roadmap viability |
| Healthcare | Regulatory approvals, reimbursement risk, payor mix, compliance history, HIPAA, state licensing, malpractice history, credentialing |
| Industrial | Equipment condition, environmental remediation, safety record (OSHA), maintenance capex vs. growth capex, union agreements, permits |
| Financial Services | Regulatory capital, compliance history, credit quality, BSA/AML, state licensing, fiduciary obligations |
| Consumer | Brand health, channel mix, seasonality, inventory management, product liability, recall history, supply chain resilience |
| Technology-Enabled Services | Client contract structure, revenue recognition, consultant utilization rates, offshore delivery, IP ownership |
Full Workstream Checklist Detail
Financial Due Diligence
Quality of Earnings (P0)
- Revenue recognition policies and consistency across periods
- EBITDA adjustments: one-time items, owner add-backs, pro forma run-rate
- Customer-level revenue analysis (top 10/20 customers by year)
- Revenue by type: recurring vs. non-recurring vs. professional services
- Gross margin analysis by product/service line
- Cost structure analysis: fixed vs. variable
- Working capital normalization and peg calculation
- Debt and debt-like items identification
- Capital expenditure analysis: maintenance vs. growth
- Cash flow quality: EBITDA to free cash flow conversion
- Federal, state, and local tax compliance history
- Net operating loss carryforwards
- R&D tax credit history and supportability
- Transfer pricing (if international operations)
- Sales tax nexus and compliance
- Change of control implications on tax attributes
- 338(h)(10) election feasibility
- Audit history (audited, reviewed, compiled, or none)
- Accounting policy changes in last 3 years
- Related party transactions
- Off-balance-sheet liabilities
Commercial Due Diligence
Market and Competition (P0)
- Total addressable market (TAM) sizing and growth rate
- Market share and competitive positioning
- Key competitors and differentiation
- Barriers to entry
- Regulatory or technology disruption risks
- Customer concentration (top 1, 5, 10, 20 as % of revenue)
- Customer retention and churn rates (logo and dollar)
- Net Promoter Score or satisfaction data
- Contract renewal rates and terms
- Pricing power assessment
- Customer reference calls (minimum 5-8)
- Sales pipeline and backlog
- Sales team structure and quota attainment
- Sales cycle length and trends
- Channel mix (direct, partner, online)
- Marketing spend effectiveness
- Win/loss analysis
Legal Due Diligence
Corporate (P0)
- Corporate structure and entity chart
- Capitalization table and equity agreements
- Material contracts review (customer, supplier, partner)
- Change of control provisions in key contracts
- Pending and threatened litigation
- Historical litigation and settlements
- Regulatory investigations or inquiries
- Patent portfolio and protection status
- Trademark registrations
- Trade secret protections
- Open-source software compliance
- Key technology licenses
- Industry-specific regulatory compliance
- Permits and licenses
- Data privacy compliance (GDPR, CCPA, state laws)
- Environmental compliance
Operational Due Diligence
Management (P0)
- Management team assessment (strengths, gaps, retention risk)
- Organizational structure and key person dependencies
- Employment agreements and non-competes
- Compensation benchmarking
- Technology stack assessment
- Cybersecurity posture and penetration test results
- Disaster recovery and business continuity plans
- Technical debt assessment (for software companies)
- System scalability
- Supply chain analysis and vendor dependencies
- Facilities and real estate review
- Insurance coverage adequacy
- Process documentation and SOPs
HR and People Due Diligence
- Organization chart and headcount trends (P0)
- Compensation and benefits benchmarking (P1)
- Pension and retirement plan obligations (P0 if DB plan exists)
- Key employee retention risk assessment (P0)
- Culture assessment and employee engagement data (P1)
- Union or collective bargaining agreements (P0 if applicable)
- Employee handbook and policy compliance (P2)
- Workers’ compensation claims history (P1)
Environmental and ESG
- Environmental liabilities (Phase I/II assessments) (P0 for industrial)
- Regulatory compliance history (P1)
- ESG risks and reporting (P2)
- Carbon footprint and sustainability initiatives (P2)
Daily Workflow for Deal Teams
- Day 1-3 (Scoping): Define the DD scope based on deal type and sector. Generate the initial checklist. Assign workstream leads. Send the first data request list to the seller.
- Week 1 (Initial Review): As documents arrive in the data room, check them against the checklist. Flag items where the seller is slow to respond — delays may indicate issues. Begin reviewing financial statements and key contracts.
- Week 2-3 (Deep Analysis): QoE provider delivers preliminary findings. Legal team reviews material contracts. Commercial DD begins with market research and customer interviews. Hold the first weekly DD status call.
- Week 3-4 (Red Flag Assessment): All P0 items should be addressed by now. Any red flags should be escalated to the deal lead. Begin assessing impact on price, structure, or deal viability. Update the IC with interim findings.
- Week 4-6 (Completion): Push to close all open items. Finalize the QoE report and working capital analysis. Compile the red flag summary. Prepare the DD findings section of the IC memo. Negotiate specific reps, warranties, and indemnities based on findings.
- Post-Close (Day 1-30): Validate any DD assumptions that could not be confirmed pre-close. Begin integration planning based on operational DD findings. Monitor working capital delivery vs. peg.
Practice Exercise
You are leading diligence on a $75M EV acquisition of a regional healthcare services company with the following profile:
- Revenue: $40M, growing 12% YoY
- EBITDA: $6M reported (15% margin)
- Sector: Outpatient physical therapy, 12 locations across 3 states
- Deal type: Add-on to your existing rehab services platform
- Key concern: The company recently expanded from 8 to 12 locations in 18 months
- Generate a prioritized DD checklist with at least 30 items across 5 workstreams. Label each P0, P1, or P2.
- Identify the 5 highest-priority P0 items for this specific deal and explain why each is critical.
- The QoE provider finds that $800K of EBITDA is from locations open less than 12 months that are not yet at run-rate profitability. How does this affect the valuation? Should you adjust the offer price, and by how much?
- Two of the 12 locations are leased from a company owned by the seller’s brother at 22/sq ft. What are the DD implications?
- Draft a red flag summary with 3 potential findings and their severity, mitigants, and impact on deal terms.
Common Mistakes
- Treating the checklist as static. A DD checklist is a living document. As you discover new information, add items. If the QoE reveals unusual revenue recognition, add specific revenue recognition items to the commercial workstream. Update weekly.
- Not prioritizing P0 items aggressively. With 96+ checklist items, the deal team must focus on what matters most first. Spending time on P2 items while P0 items remain open is a resource allocation failure.
- Assuming missing information is benign. If the seller has not uploaded a document after two requests, it is more likely that the document reveals something unfavorable than that someone forgot. Track response times and escalate persistent gaps.
- Failing to cross-reference across workstreams. Financial DD may reveal a customer concentration issue that commercial DD should investigate. Legal DD may find a contract with change-of-control provisions that operational DD needs to assess. Hold cross-workstream syncs weekly.
- Not quantifying red flags in dollars. A “red flag” without a dollar impact is not actionable. Every red flag should answer: “If this risk materializes, what is the financial impact in dollars?” This drives the price adjustment or indemnity negotiation.
- Over-relying on management representations. “Management told us” is not diligence. Verify every material claim with independent data: customer interviews, third-party market data, public records, and advisor confirmation.
- Ignoring the working capital peg negotiation. Working capital adjustments are dollar-for-dollar price changes. A 500K price change. Analyze the trailing 12-month average carefully, and watch for seller manipulation (accelerating collections or delaying payables before close).
- Starting legal DD too late. Legal review of material contracts often reveals change-of-control provisions, assignment restrictions, or termination rights that can fundamentally affect deal viability. Start contract review in Week 1, not Week 3.
- Not documenting the “why” behind passes on items. When you decide an item is low-risk and deprioritize it, document why. If the deal closes and that issue later becomes material, the documentation shows the decision was deliberate, not negligent.
- Underinvesting in IT/security DD for tech-enabled businesses. A SOC2 gap, a cybersecurity vulnerability, or technical debt that requires $2M to remediate can materially affect post-close value. For any technology-dependent business, IT DD should be a P0 workstream, not an afterthought.
Best Practices
- Cross-reference data room contents against the checklist to identify gaps
- Update the checklist as diligence progresses — it is a living document
- Hold weekly DD status calls with the full deal team to review progress and escalate issues
- When you find a red flag, immediately assess: is it a deal-breaker, a price adjustment, or a manageable risk?
- Never assume missing information is benign — always follow up and document the response
- Track cumulative diligence spend by workstream to manage costs against the DD budget
- Use the DD findings to draft specific reps and warranties in the purchase agreement — every material finding should map to a contractual protection
- After close, conduct a DD retrospective: what did we find, what did we miss, and what would we do differently next time?