Due DiligenceDue DiligenceData Rooms

M&A Due Diligence: Checklist and Process

The first time I sat on the sell side of an acquisition, I thought our company was buttoned up. We had clean books, a tidy cap table, and customers who loved us. Then the buyer's diligence list landed

By Rohan Nayak12 min readUpdated July 2026
M&A Due Diligence: Checklist and Process
On this page

The first time I sat on the sell side of an acquisition, I thought our company was buttoned up. We had clean books, a tidy cap table, and customers who loved us. Then the buyer's diligence list landed, ninety-odd line items across legal, financial, tax, IP, HR, and security, and I realized "buttoned up" and "ready for M&A due diligence" are not the same thing. Diligence is where a deal either earns its price or quietly loses it. This guide is the practical version I wish someone had handed me before that first request list arrived.

Short answer: M&A due diligence is the structured investigation a buyer runs on a target company before closing an acquisition, to confirm what they are buying, surface risks, and validate the price. It usually runs four to twelve weeks across financial, legal, commercial, technical, tax, and HR workstreams, almost always inside a virtual data room where the seller posts documents and the buyer's team reviews them under controlled access.

What M&A due diligence actually is

M&A due diligence is the buyer's homework. After a letter of intent or term sheet is signed, the acquirer gets a defined window to verify every material claim the seller has made and to look for anything the seller did not mention. Think of it as the gap between "this looks like a good deal" and "we have confirmed this is a good deal, in writing, with documents to prove it."

It is a form of due diligence specific to mergers and acquisitions, and the stakes are the whole transaction. The findings feed three concrete outcomes: the final price, the representations and warranties in the purchase agreement, and the closing conditions the buyer can walk away on.

A useful way to frame it: diligence is not about proving the company is perfect. Every company has warts. It is about making sure the buyer knows exactly which warts they are inheriting, has priced them, and has papered the rest into the contract. A deal does not die because a problem exists. It dies because a problem surfaces late and erodes trust.

Who runs it, and when

On a typical mid-market deal, M&A due diligence is a buyer-led effort with a cast of specialists.

  • The acquirer's corporate development or deal team owns the process and the request list. They set the workstreams, chase answers, and roll findings into the deal model.
  • Outside counsel handles legal: corporate records, contracts, litigation, IP ownership, employment, and regulatory.
  • Accountants or a transaction advisory firm run financial due diligence, often a quality-of-earnings analysis, plus tax.
  • Technical and security specialists run technical due diligence on the codebase, architecture, and infrastructure.
  • Commercial or market analysts run commercial due diligence on the market, customers, and competitive position.

On the sell side, the seller and their advisors (an investment banker or M&A advisor, plus their own counsel) prepare the data room, answer questions, and manage the flow. I have run that sell-side seat, and the job is mostly anticipation: stocking the room with what you know the buyer will ask for, before they ask.

As for when, the heavy diligence phase sits after the LOI and before signing. There is often light pre-LOI diligence (enough to justify an offer), then the formal phase opens once exclusivity is granted. Timelines vary, but a focused mid-market deal commonly runs four to eight weeks of intensive review, and complex or regulated deals run longer.

The M&A due diligence process, step by step

Here is the sequence I have seen work, on both sides of the table.

  1. Sign the LOI and set scope. The letter of intent defines price, structure, and an exclusivity period. The buyer's team uses it to scope the diligence plan and assign workstream leads.
  2. Issue the request list. The buyer sends a master diligence checklist, often categorized into financial, legal, tax, commercial, technical, HR, and IT. This is the backbone of the whole exercise.
  3. Open the data room. The seller stands up a virtual data room for due diligence, organizes it to mirror the request list, and grants the buyer's team controlled access. A well-structured room is the single biggest lever on how fast diligence moves.
  4. Review by workstream. Each specialist team works its area in parallel. Accountants validate earnings, counsel reads contracts, engineers audit the stack. They log questions as they go.
  5. Run Q&A. Buyer questions and seller answers flow through a tracked Q&A process, ideally inside the data room so nothing gets lost in email threads. This is where most of the real information transfer happens.
  6. Confirmatory checks and site visits. Reference calls with key customers, management presentations, and (where relevant) physical or systems inspections.
  7. Produce findings. Each workstream writes up a due diligence report summarizing what was confirmed, what raised concern, and what it means for the deal.
  8. Negotiate and adjust. Findings feed price adjustments, specific indemnities, escrow holdbacks, reps and warranties, and closing conditions. Then the deal moves to signing and close.

The process is iterative, not linear. A finding in the financial workstream often triggers a new request in legal, and a Q&A answer can open three more questions. Good deal teams expect that and build slack into the timeline.

The M&A due diligence checklist

This is the core request list, organized the way most buyers send it. Treat it as a starting frame, not gospel; every deal trims or adds based on the target. For a deeper, room-ready version, see the due diligence data room checklist.

WorkstreamWhat the buyer asks forWhat they are really checking
CorporateFormation docs, cap table, board minutes, shareholder agreements, stock ledgerClean ownership and authority to sell
Financial3 years of financials, monthly P&L, AR/AP aging, revenue recognition policyEarnings are real, recurring, and as stated
TaxReturns, filings, audit history, transfer pricing, nexus analysisNo hidden tax liabilities transferring to the buyer
CommercialCustomer list, churn, pipeline, contracts, top-customer concentrationRevenue is durable and not at flight risk
LegalMaterial contracts, litigation, regulatory, change-of-control clausesNo landmines in the contract base
Intellectual propertyIP assignments, patents, trademarks, open-source usage, license termsThe company actually owns what it sells
TechnologyArchitecture, codebase health, infrastructure, scalability, tech debtThe product can be maintained and grown
Security and complianceSecurity policies, SOC 2 or ISO 27001 status, breach history, data handlingNo security debt or compliance gap
HROrg chart, comp, key-employee agreements, retention, benefitsThe team stays and key people are locked in
InsurancePolicies, claims history, coverage gapsLiabilities are covered

A practical tip from the sell side: build your room against this checklist before the buyer ever asks. When the first response to a request list is "it is already in the room, folder 4," you set a tone of competence that pays off in every negotiation that follows.

Common red flags

These are the findings that make a buyer's deal team slow down, reprice, or walk. If you are selling, fix what you can before you open the room.

  • Customer concentration. One client at 40 percent of revenue is a single point of failure. Buyers price that risk aggressively.
  • Messy cap table or unclear IP ownership. Unassigned IP from a contractor or an undocumented equity promise can stall a close for weeks.
  • Revenue recognition that does not survive a second look. Aggressive timing, one-time deals counted as recurring, or bookings dressed up as revenue.
  • Pending or threatened litigation that was not disclosed up front.
  • Key-person dependency with no retention plan. If the company is really three people and they can leave the day after close, that is a problem.
  • Security incidents or compliance gaps that surface mid-diligence rather than being disclosed early.
  • Disorganized or incomplete responses. This is the quiet one. A room that is half-empty, mislabeled, or slow to answer questions reads as a company that does not know its own numbers. Even when the underlying business is fine, sloppy diligence erodes the trust a deal runs on.

The pattern across all of these: late surprises kill deals far more often than known problems. A disclosed risk gets priced. An undisclosed one gets discovered, and discovery costs you credibility on everything else.

How a data room streamlines M&A due diligence

Every serious M&A deal runs through a virtual data room, and for good reason. Diligence is fundamentally a controlled-document problem: the seller has hundreds of sensitive files, the buyer has a dozen people across multiple firms who each need to see some of them, and everyone needs an audit trail. Email and a shared drive cannot do that safely.

A real data room gives you four things email cannot:

  • Granular permissions. You decide which buyer-side groups see which folders. Counsel sees the legal folder, the bankers see the financials, and you can hold the most sensitive files (a key customer contract, source code) behind a separate gate until late-stage diligence. See how data room permissions work in practice.
  • Tracking and analytics. You see who opened what, which documents got attention, and where the buyer's team is spending time. On the sell side, that signal tells you what they are worried about before they say it.
  • Controlled Q&A. Questions and answers live in one tracked place instead of scattered across inboxes, so nothing falls through and there is a clean record.
  • Watermarking and leak deterrence. Per-viewer watermarks and download controls keep your most sensitive documents from walking out the door if a deal falls through.

This is the part of the process Plox is built for. I use Plox to run rooms where every document is a tracked link, viewers open files in the browser with no clunky download, and I get page-by-page analytics on who read what. You can set folder-level permissions, gate the room behind an NDA in one click, apply dynamic watermarks, and revoke access the moment a deal goes cold. Pricing is flat, published, and self-serve, with a free tier to start and a Data Rooms trial, so you can stand up a real room without a sales call. Enterprise VDRs like iDeals and Datasite are the right call when you are the target in a very large, heavily regulated transaction and counsel mandates formal audit certifications. For most founder and mid-market deals, a modern room is faster to run and far easier on the buyer.

If you are weighing tools, the best data room for due diligence comparison and a quick read on virtual data room cost will save you a few hours. The headline is simple: pick the room that lets you grant the right access fast, see who is reading, and look organized doing it. In diligence, organized is a competitive advantage.

Frequently asked questions

How long does M&A due diligence take?

It depends on deal size and complexity, but a focused mid-market acquisition commonly runs four to eight weeks of intensive review after the LOI is signed. Smaller, simpler deals can wrap in two to three weeks, while large or heavily regulated transactions often run three months or more. The single biggest variable in your control is how prepared the seller's data room is on day one.

What is the difference between M&A due diligence and a quality-of-earnings analysis?

M&A due diligence is the full investigation across every workstream, financial, legal, commercial, technical, tax, HR, and more. A quality-of-earnings analysis is one piece of it, sitting inside the financial workstream. The QoE specifically tests whether reported earnings are real, sustainable, and normalized for one-time items. It is usually the most scrutinized part of financial diligence, but it is a component, not the whole exercise.

Who pays for M&A due diligence?

Generally each side pays for its own advisors. The buyer funds the bulk of the cost because they are running the investigation, paying for accountants, lawyers, and technical reviewers. The seller pays for their own counsel and advisors to prepare the room and respond. On larger deals, sell-side teams sometimes commission their own vendor due diligence report to hand buyers a head start and keep the process moving.

Can a deal fall apart during due diligence?

Yes, and it happens regularly. Deals collapse in diligence when a buyer uncovers something material that was not disclosed, when the numbers do not hold up to scrutiny, or when a red flag like concentrated revenue or unclear IP ownership changes the risk picture. More often, diligence does not kill the deal outright but reprices it: the buyer lowers the offer, adds an escrow holdback, or expands the indemnities. Early, honest disclosure is the best defense against a surprise that ends the deal.

What documents should I put in the data room before buyers start?

Build the room against the diligence checklist before the request list arrives: corporate and cap-table records, three years of financials, tax returns, material customer and vendor contracts, IP assignments, key employee agreements, and your security and compliance documentation. A room that already mirrors the buyer's request list signals that you run a tight operation, and that impression carries weight through the rest of the negotiation.

Is a virtual data room necessary for M&A due diligence, or can I use a shared drive?

For anything beyond the smallest deal, a virtual data room is the right tool. A shared drive gives you no granular permissions, no view tracking, no controlled Q&A, and no watermarking, which means you cannot safely control who sees your most sensitive files or know how the buyer's team is engaging with them. A modern data room handles all of that and looks professional to the buyer, which matters more than founders expect.

Rohan Nayak

Written by Rohan Nayak · Co-founder, Plox

Rohan co-founded Plox. He spends most of his time with founders working out how to share a deck or a data room without losing control of it.

Connect on LinkedIn