M&A Due Diligence: The Complete Guide for Buyers and Sellers

M&A due diligence is the investigation period between signing a letter of intent and committing to the purchase. It is your last real opportunity to verify everything the seller has told you, discover what they have not, and price the deal based on reality instead of promises.

Most buyers focus on the financial side: verify revenue, check expenses, normalize EBITDA. That matters. But in practice, the issues that kill deals or cost buyers hundreds of thousands post-closing are almost always legal - a contract that terminates on change of control, IP that was never properly assigned to the company, an employment agreement that triggers a six-figure severance payment, or an environmental liability buried in a lease.

This guide covers all 7 major categories of M&A due diligence, a comprehensive checklist, common red flags, timeline expectations, and how findings should translate into purchase agreement protections. It sits at the intersection of two broader frameworks: the role of M&A counsel and the complete business acquisition process.

What Is M&A Due Diligence?

Due diligence in an M&A transaction is the systematic investigation a buyer conducts to verify the seller's representations about the business before committing to the purchase. It is not optional and it is not a formality. It is the mechanism through which the buyer converts the seller's claims into verified facts, and the mechanism through which unverified risks are priced into the deal structure.

Who participates: The buyer's M&A attorney leads legal due diligence. A transaction CPA leads financial due diligence. The buyer or operational consultants lead operational diligence. All three workstreams run simultaneously after the LOI is signed, with the attorney typically coordinating access to the data room and managing the overall process.

Buyer-side vs. seller-side: Buyer due diligence is investigative - the buyer trying to verify and discover. Seller-side due diligence (also called reverse due diligence) is preparatory - the seller reviewing their own business before going to market so they control what gets discovered and when.

Stages of due diligence: Pre-LOI preliminary diligence is based on limited information - typically a confidential information memorandum - and its purpose is to determine whether the deal is worth pursuing at the offered price. Post-LOI confirmatory diligence is the full investigation, conducted during the exclusivity period granted by the LOI. Pre-closing diligence is a final check, confirming that representations remain accurate as of the closing date. Most of the work happens in the post-LOI confirmatory phase.

The 7 Major Categories of M&A Due Diligence

Every due diligence process should cover these seven categories. The depth depends on the business, industry, and deal size - but omitting any category entirely is how problems get missed. Each category is covered in its own section below.

Financial Due Diligence

Led by: Transaction CPA. Key deliverable: Quality of Earnings (QoE) report.

Financial due diligence is the foundation. Its core product, the Quality of Earnings report, verifies the seller's claimed earnings, normalizes one-time items, and identifies accounting inconsistencies. In most mid-market deals, the QoE reveals adjustments that change the effective purchase price from the seller's asking number - sometimes significantly.

Quality of Earnings scope: The QoE examines three to five years of financials, isolates one-time revenue events (a large contract that will not recur, a pandemic-era subsidy, a related-party transaction), normalizes owner add-backs to distinguish genuinely discretionary expenses from those necessary to run the business, and arrives at a normalized EBITDA that reflects the business's true recurring earnings capacity.

Normalized EBITDA calculation: Sellers often present EBITDA with aggressive add-backs - owner salary above market rate, personal expenses run through the company, one-time professional fees for the sale process itself. The QoE scrutinizes each add-back for legitimacy. The gap between seller-presented EBITDA and QoE-adjusted EBITDA typically runs 10 to 30 percent in mid-market deals.

Working capital peg and true-up: The working capital peg sets the target level of net working capital the seller must deliver at closing. If actual working capital falls below the peg, the seller owes the buyer the difference. Negotiating a fair peg - based on trailing average working capital rather than a single high-water month - is a critical function of financial due diligence that protects against sellers drawing down receivables or inflating payables before closing.

Revenue recognition and concentration: Financial due diligence examines whether revenue is recognized consistently with GAAP, whether any customer represents more than 20 percent of total revenue, and whether reported revenue reflects cash collected or merely billed. Revenue concentration and recognition inconsistencies are among the most common financial red flags.

Legal Due Diligence

Led by: M&A Attorney. Key deliverable: Legal due diligence memo with risk assessment and deal term recommendations.

Legal due diligence verifies that the company is properly organized, the seller actually owns what they are selling, and there are no hidden liabilities or title defects that would transfer to the buyer at closing. This is the category where buyers new to M&A have the largest blind spots, and where post-closing disputes most commonly originate.

Corporate records: The review begins with formation documents - articles of incorporation or organization, bylaws, operating agreements - and works through board minutes, shareholder registers, stock certificates, and good standing certificates. Gaps in board minutes or missing filings can indicate governance problems that create ownership disputes or officer authority questions.

Material contracts review: Every significant customer, supplier, lease, license, and financing agreement must be reviewed for provisions that could affect the transaction. The most consequential provisions are change-of-control clauses that allow termination if the business is sold, assignment restrictions that require third-party consent, and auto-renewal windows that are approaching. A contract review without specific attention to these provisions is not legal due diligence - it is document collection. See the business purchase agreement guide for how these issues translate into purchase agreement protections.

Pending litigation and regulatory matters: The review covers all pending, threatened, and reasonably anticipated legal proceedings, including regulatory investigations and government agency inquiries. An existential litigation claim or a regulatory proceeding that could result in license revocation are due diligence findings that must be specifically indemnified in the purchase agreement.

Liens and secured debt: UCC-1 financing statements, tax liens, judgment liens, and other encumbrances on business assets must be identified and cleared before closing. In an asset purchase, the buyer is acquiring specific assets and needs confirmation those assets are unencumbered. In a stock purchase, the buyer inherits all liabilities, including any secured debt.

Data privacy compliance: Depending on the industry and customer base, the target may be subject to GDPR, CCPA, HIPAA, or other data privacy frameworks. Legal due diligence verifies that the company has appropriate data processing agreements, privacy policies, and consent mechanisms in place - and that there are no unreported data breaches that create pending regulatory exposure.

Operational Due Diligence

Led by: Buyer (with operational consultants if needed). Key deliverable: Operational risk assessment and transition plan.

Operational due diligence answers a different question than financial or legal review: can this business continue to perform without the current owner? Financial due diligence tells you what the business earned. Operational due diligence tells you whether those earnings are sustainable after the ownership transition.

Key employee assessment: Identify the employees the business cannot function without, verify their current employment agreements and non-compete status, and assess what it would take to retain them through the transition. Key person dependency - where the business runs on the owner's relationships - is one of the most common and most underweighted operational risks in SMB acquisitions.

Customer concentration analysis: Revenue concentration above 20 to 25 percent in a single customer is a deal structure issue. If that customer leaves post-closing, the business may not be able to service its acquisition debt. The deal structure must account for this risk through earnout provisions tied to customer retention or escrow holdbacks.

Supplier and vendor dependencies: Identify single-source suppliers, exclusive distribution arrangements, and vendor relationships that are relationship-dependent rather than contractually secured. Any supplier that can walk if the ownership changes is an operational risk that must be identified and addressed. The business acquisition process guide covers how to structure transition management agreements that address these risks.

Commercial Due Diligence

Led by: Buyer (with market research support if needed). Key deliverable: Commercial assessment memo.

Commercial due diligence validates the market context for the financial projections. It answers the question the QoE cannot: are the business's revenues sustainable given market conditions, competitive dynamics, and customer behavior?

• Market size and growth rates: Verify that the market the business operates in supports the seller's growth projections. A business in a contracting market with a 15% CAGR target needs scrutiny.
• Competitive positioning: Identify direct and indirect competitors and assess the business's defensible differentiation. A competitive moat based solely on the owner's personal relationships is not a moat - it is a key person risk.
• Customer satisfaction and retention: Review contract renewal rates, churn history, and Net Promoter Score data if available. Declining retention is a leading indicator of revenue deterioration that may not yet appear in the trailing financials.
• Pricing power: Assess whether the business can raise prices without losing customers. Businesses without pricing power are structurally vulnerable to margin compression.
• Sales pipeline and backlog: For businesses with project-based or contractual revenue, the pipeline is a primary indicator of near-term performance. Verify that the backlog is real, contracted, and not dependent on customer relationships that may not survive the ownership transition.

HR and Employment Due Diligence

Led by: M&A Attorney. Key deliverable: Employment risk assessment memo.

Employment due diligence is a subset of legal review that deserves its own category because the liability exposure is distinct and the review process is specialized. Hidden employment liabilities - misclassified workers, underfunded benefit obligations, pending EEOC claims - frequently surface post-closing because sellers either do not recognize them as issues or actively conceal them.

Employee roster and compensation: Review the full employee list, compensation levels, benefit structures, and equity grants. Identify any compensation commitments that trigger on a change of control - these are often buried in executive employment agreements and can represent material closing costs.

Non-compete and non-solicit enforceability: Non-compete agreements are only as valuable as they are enforceable. State law governs enforceability and varies significantly. A non-compete that is valid in Michigan may be unenforceable in California. Review each key employee's agreement against the law of the state where they work - not where the company is organized. The FTC's attempted non-compete ban is currently enjoined, but state-level enforcement landscape continues to evolve.

Employee classification compliance: Misclassified independent contractors are one of the highest-probability employment liabilities in SMB acquisitions. Businesses that have classified workers as 1099 contractors when they should be W-2 employees face IRS back-tax exposure, state employment tax liability, and potential class action risk. In a stock purchase, these liabilities transfer to the buyer. In an asset purchase, they remain with the seller entity - but the practical risk of workforce disruption is the same.

Benefits obligations: Review all employee benefit plans - health insurance, 401(k), profit sharing, any defined benefit pension obligations. Underfunded pension plans are a specific liability category that must be quantified and addressed in the deal structure. Even in businesses without formal pension plans, accrued vacation, PTO, and deferred compensation obligations must be identified.

Technology and IP Due Diligence

Led by: M&A Attorney (with IP counsel or technical consultants if needed). Key deliverable: IP ownership verification memo.

For technology companies, SaaS businesses, and any company where proprietary knowledge or software drives value, IP due diligence can be the most critical category. The central question is not "what IP does the company have?" - it is "does the company actually own it?"

Source code ownership: Software created by employees during employment is owned by the employer if the right IP assignment agreements are in place. Software created by contractors is owned by the contractor unless there is a written work-for-hire agreement or IP assignment. Many businesses have significant portions of their codebase created by contractors who were never asked to sign IP assignment agreements. The business does not own that code.

Open source license compliance: Copyleft licenses such as GPL require that any software incorporating GPL-licensed code be made available under the same terms. If a company's proprietary product incorporates GPL code without disclosure, the company may be required to open-source its own code - which eliminates the value of the proprietary technology. Open-source license compliance is a specialized area that requires technical review of the codebase.

Patent and trademark status: Review all registered patents, trademarks, and copyrights - and verify that renewal fees have been paid and maintenance obligations met. A patent that has lapsed for failure to pay maintenance fees is worthless. A trademark registration that has not been used in commerce for three years may be subject to cancellation.

Data security audit: Review the company's data security practices, prior breach history, and cyber insurance coverage. A company that processes payment card data, healthcare information, or personal data of EU residents has regulatory compliance obligations that create ongoing liability if not properly managed. Any prior data breach that was not properly reported to regulators and affected individuals is a liability that transfers to the buyer.

Environmental and Regulatory Due Diligence

Led by: Environmental consultant and M&A Attorney. Key deliverable: Phase I Environmental Site Assessment and regulatory compliance memo.

Environmental liabilities are unusual in one important respect: they can follow the property regardless of who caused the contamination. If you acquire real property that was contaminated by a prior owner's industrial operations, you may be liable for remediation costs even though the contamination predates your involvement. This makes environmental due diligence non-negotiable for any deal involving owned or leased real property.

Phase I Environmental Site Assessment: A Phase I ESA is a non-invasive investigation conducted by an environmental professional that reviews historical land use records, regulatory databases, aerial photographs, and conducts a site inspection. It identifies recognized environmental conditions (RECs) that may indicate contamination. A Phase I costs $3,000 to $5,000 and takes 2 to 4 weeks. If a Phase I identifies RECs, a Phase II (which includes soil and groundwater sampling) is warranted before closing.

Industry-specific regulatory obligations: Healthcare businesses require HIPAA compliance review. Financial services businesses require review of AML, KYC, and FINRA compliance. Food and beverage businesses require FDA compliance assessment. Any deal above the HSR threshold (approximately $119.5 million in 2026) requires antitrust filing. Regulatory due diligence must be tailored to the specific industry - a generic checklist applied to a healthcare acquisition will miss the issues that matter.

M&A Due Diligence Timeline

Most mid-market deals complete due diligence in 30 to 90 days. The right timeline depends on the business's complexity, the quality of the seller's data room, and the number of parallel workstreams running simultaneously. Rushing due diligence to meet an artificial deadline is among the most costly mistakes a buyer can make. The problems are still there. You just do not find them until after closing, when the cost comes entirely out of your pocket.

Pre-LOI vs. post-LOI diligence: Pre-LOI preliminary review is based on limited information and its purpose is to determine whether to pursue the deal. Post-LOI confirmatory diligence is the full investigation during the exclusivity period. The LOI should specify the diligence period length and include milestone-based extension provisions - do not accept a 30-day diligence period for a complex business without extension rights. Review the reasons to engage M&A counsel before signing the LOI for how diligence scope is negotiated at that stage.

What causes timeline blowouts: Incomplete data rooms are the most common cause. When the seller's data room is disorganized or documents arrive in waves, the buyer's team cannot complete review on schedule. A seller who takes three weeks to respond to document requests is effectively consuming the buyer's due diligence period. M&A counsel negotiates data room access protocols and seller response timelines in the LOI to prevent this.

M&A Due Diligence Checklist

The following checklist is organized by category. It covers the core items that should be requested and reviewed in every mid-market acquisition. Specific businesses - healthcare, technology, financial services, manufacturing - will require additional items beyond this baseline.

Common Due Diligence Mistakes

The patterns that cause acquisitions to fail or produce post-closing disputes are consistent across transactions. The most detailed analysis of these mistakes - with real-world context and specific process failures - is in the companion article: 9 Due Diligence Mistakes That Kill M&A Deals. A brief preview of the top failures:

• Trusting the seller's financials without independent verification. The QoE is not optional. Reviewing the seller's own financial statements without independent analysis is not financial due diligence.
• Rushing to meet an artificial deadline. The problems are still there. You just own them after closing instead of pricing them before.
• Skipping legal due diligence entirely. Representations and warranties are after-the-fact remedies. Legal due diligence is before-the-fact prevention. Both are necessary.
• Not reviewing contracts for change-of-control provisions. A supplier or customer contract that terminates on sale is a material risk. It will not surface without a thorough contract review.
• Ignoring customer concentration risk. Revenue concentrated in one or two accounts without contractual protection is a deal structure issue, not a minor concern.
• Not translating findings into deal terms. Identifying problems without adjusting the deal structure to reflect them is the most common and avoidable mistake of all.

Who Runs Due Diligence: Attorney vs. Accountant vs. Broker

Due diligence is a team effort, but each advisor has a distinct role. Understanding who does what - and when - prevents both duplication and gaps.

Buyer-Side vs. Seller-Side Due Diligence

Most buyers think of due diligence as something that happens to the seller. Smart sellers think of it as something they prepare for - and use to their advantage.

Buyer-side diligence is investigative. The buyer is trying to verify what the seller claims, discover what the seller has not disclosed, and identify risks that should change the price or structure of the deal. The buyer's interest is completeness - finding everything before closing.

Seller-side reverse due diligence is preparatory. The seller reviews their own business 12 to 18 months before going to market, identifies the issues that buyers will flag, and fixes what can be fixed. Issues that cannot be fixed are disclosed proactively and priced into the asking price, rather than discovered mid-diligence and used as renegotiation leverage by the buyer.

Seller concerns during diligence: Confidentiality is the primary concern. The buyer's team is reviewing all of the seller's contracts, customer lists, pricing structures, and employee compensation - information that would be damaging if it reached competitors or employees prematurely. Managing data room access through NDAs, limiting access to specific team members, and using staged disclosure protocols (sharing less sensitive documents first) reduces confidentiality risk without impeding legitimate diligence. Your M&A counsel manages this process. See the asset purchase vs. stock purchase guide for how deal structure affects what information the seller must disclose.

Seller's Due Diligence Preparation Checklist

• Organize the data room before going to market. A disorganized data room is a red flag that signals deeper organizational problems. Have documents organized by category, labeled consistently, and accessible within 48 hours of a request.
• Conduct a pre-sale legal review. Have your M&A attorney review contracts, IP, and corporate records before any buyer sees them. Know your issues before they do.
• Fix what can be fixed. Get IP assignments signed. Renew expiring contracts. Cure corporate formalities. Update employee agreements. Every fixed issue is one fewer renegotiation point for the buyer.
• Prepare disclosure schedules in advance. The representations in the purchase agreement require you to disclose exceptions. Know your disclosures before negotiations start - not during them.
• Designate a single point of contact. All document requests and responses go through one person. All communications go through counsel. This prevents inconsistent statements that create problems.

Due Diligence Red Flags That Kill Deals

Not every red flag kills a deal. Most red flags are negotiation inputs - they change the price, structure, or indemnification profile. But certain findings are categorically deal-threatening, and buyers should know what they are before they encounter them.

How Due Diligence Findings Become Deal Terms

Due diligence findings are not just problems - they are negotiation inputs. Every material finding should trigger one of four responses: price adjustment, specific indemnification, a condition precedent, or deal termination. The M&A attorney's job is to make that translation. See the earnout agreements guide and the asset purchase agreement guide for how specific findings are addressed in deal documents.

When to Engage an M&A Attorney for Due Diligence

The answer is: before the LOI. Due diligence scope is negotiated in the LOI - the document that grants the buyer exclusivity and sets the timeline, access requirements, and process rules for the investigation. If you sign an LOI without M&A counsel, you have already conceded on the terms that govern the diligence process itself.

Before signing the LOI: M&A counsel reviews the LOI to ensure the diligence period is realistic, the exclusivity terms protect the buyer, and the structure of the LOI does not create unintended obligations. See the LOI template for acquisitions and best practices for LOI negotiation for the specific provisions that matter.

As DD findings emerge: Every material finding needs to be assessed for its impact on deal terms in real time. The attorney adjusts representations and warranties, indemnification structure, and escrow sizing as findings develop - not after the diligence period ends. Waiting until the end of diligence to assess deal term implications means losing negotiating leverage.

The full context for when and how M&A counsel operates is covered in What Does an M&A Attorney Do? and the complete guide to buying a business. Due diligence does not stand alone - it is one phase of a structured acquisition process where the attorney's role begins well before the investigation starts.

Acquisition Stars' Due Diligence Approach

• • Personal review on every deal. Alex Lubyansky reviews every data room, every material contract, and every significant finding personally. Not a junior associate on their first deal. 15+ years of M&A practice means knowing where problems hide and what the other side is looking for when they see them.
• • Findings become protections. The due diligence memo is not the end product. The end product is a purchase agreement that reflects every finding: adjusted price, specific indemnification, escrow structure, and closing conditions. We do not hand you a problem list. We hand you a protected deal.
• • Scope engagement, not hourly billing surprises. Due diligence scope is defined at engagement. You know what will be reviewed, how long it takes, and what the fee covers. No open-ended hourly meter running while we review your data room. See the due diligence services page for engagement structure.
• • Both sides of the table. We represent both buyers and sellers, which means we know what the other side looks for, how they price risk, and where they push back. When we run your due diligence, we are anticipating the counterparty's arguments before they are made. More at M&A attorney services and the small business acquisition attorney overview.

Frequently Asked Questions About M&A Due Diligence

Related Resources