Merger and Acquisition Due Diligence Checklist

Execute the mutual NDA before any data flows. Confirm the engagement letter names the buyer entity, target, fee structure (fixed vs. T&E with cap), and explicitly excludes opining on valuation — diligence is procedures-based, not an attest engagement under SSARS.

Verify each diligence team member has read access to the VDR (Datasite, Intralinks, Firmex, or SharePoint). Send the PBC list to the seller's CFO with a 5-business-day response window; track outstanding items weekly so fieldwork doesn't stall.

Pull audited statements plus the management letters and any going-concern footnotes. Compiled or reviewed-only financials are a red flag for a deal of size — flag any auditor change in the period and ask why.

Bridge reported EBITDA to adjusted EBITDA: owner compensation normalization, one-time legal settlements, PPP/ERC credits, related-party rent, discontinued product lines. Document each adjustment with a supporting workpaper — these are the numbers that drive the purchase price.

Calculate trailing 12-month average net working capital and propose the peg. Include AR, AP, inventory, prepaid, and accrued expenses; exclude cash and debt (typical cash-free, debt-free deal structure). Disagreements over the peg are the most common post-close dispute.

Compare management's forecast against historical CAGR, customer pipeline, and bookings backlog. Flag hockey-stick assumptions: pricing increases without a contractual basis, headcount-driven revenue growth without hiring plans, margin expansion without identified levers.

Pull the last three years of 1120 / 1120-S / 1065 plus state returns. Reconcile book-to-tax (Schedule M-1/M-3), confirm NOL carryforwards survive Section 382 limitation, and check S-corp shareholder basis schedules where applicable.

Run a 50-state revenue summary against post-Wayfair economic-nexus thresholds (commonly $100K or 200 transactions). Cross-reference where the target has registered and filed. Unregistered nexus is a very common indemnification item — the lookback can be 7+ years in most states.

For each state with unregistered nexus, estimate back tax + interest + penalties through the lookback period. Coordinate with deal counsel on Voluntary Disclosure Agreement (VDA) strategy versus carving the exposure into the indemnification cap or escrow.

Tie 941s to W-3 totals and confirm federal deposits hit the semiweekly or monthly schedule based on lookback. Late deposits stack penalties (2% / 5% / 10% / 15%) and signal weak controls. Also confirm any ERC claims have substantiation files.

Pull customer master agreements, supplier contracts, leases, and loan documents. Flag every change-of-control, assignment, and consent provision — these become closing-condition consents and can give counterparties pricing leverage.

Request the litigation schedule, demand letters, and EEOC charges from the past five years. Tie reserves on the balance sheet to outside counsel's loss-contingency assessments per ASC 450 (probable / reasonably possible / remote).

Confirm all industry-specific licenses (state operating licenses, professional registrations, environmental permits) are current and transferable. Some licenses require pre-closing notification; others trigger automatic revocation on change-of-control.

Schedule a half-day on-site or video walkthrough of order-to-cash, procure-to-pay, and production. Look for key-person dependencies, manual reconciliations, and processes that exist only in spreadsheets — these are integration risks and synergy candidates.

Build the full application stack: ERP (NetSuite, Sage Intacct, Dynamics), CRM, payroll, HRIS, productivity. Capture seat counts, renewal dates, and per-seat pricing. SaaS contracts with annual lock-in and auto-renewal clauses are common surprises post-close.

Request the WISP, SOC 2 report (if any), MFA coverage, EDR deployment, and the breach log. Confirm cyber insurance policy limits and exclusions. A target without a written security plan is a GLBA / state-law indemnification trap.

Bring in a third-party firm (Mandiant, CrowdStrike, Kroll) to validate scope and remediation of the prior incident. Confirm whether notification obligations under HIPAA, state breach laws, or contractual customer terms have been fully discharged.

Pull the full census: title, base, bonus, equity, hire date, location, exempt/non-exempt classification. Watch for exempt classifications that don't meet FLSA duties tests — a common wage-and-hour exposure on top of any state-law overtime issues.

Identify the top 10–20 employees the deal thesis depends on. Review existing employment contracts, change-of-control bonuses, non-competes, and vesting acceleration. Build the retention pool sizing to bring into final negotiations.

Pull the latest Form 5500, plan document, and any DOL or IRS correspondence. Late deferral remittances (past 7 business days) are a frequent prohibited transaction; confirm corrections under VFCP if found. Also confirm no controlled-group issues post-close.

Identify customers representing the top 80% of revenue and arrange blind reference calls (often via the deal advisor to preserve confidentiality). Probe satisfaction, renewal intent under new ownership, and any recent pricing pushback.

Build the competitor map with pricing, positioning, and recent funding/M&A activity. Pull the target's pipeline win-loss data for the trailing 12 months — eroding win rates against a specific competitor signals a thesis problem.

Confirm patents, trademarks, copyrights, and domain names are owned by the target entity (not a founder personally). Verify open-source licenses in the codebase don't trigger copyleft obligations on proprietary product.

Conduct structured interviews with the target's leadership team on decision-making, performance management, and remote/in-office norms. Founder-led targets joining a process-heavy buyer often produce the largest post-close integration friction.

Walk through the synergy model line by line: revenue cross-sell, vendor consolidation, shared-services back office. For each, name an owner, a Day-1/Day-100/Year-1 milestone, and a risk-adjusted achievability rating to feed the final IC memo.

Consolidate findings into the IC memo: QoE bridge, working capital peg, top five risks with proposed reps/indemnities, synergy plan, and recommended price adjustments. Attach supporting workpapers as appendices.

Lead partner reviews the memo with the deal team. Document the recommendation, condition any proceed on specific reps/indemnities or escrow sizing, and capture digital sign-off before the buyer's investment committee meeting.