Merger and Acquisition Due Diligence Checklist
Engagement Setup
Execute the mutual NDA before any data flows. Confirm the engagement letter names the buyer entity, target, fee structure (fixed vs. T&E with cap), and explicitly excludes opining on valuation — diligence is procedures-based, not an attest engagement under SSARS.
Verify each diligence team member has read access to the VDR (Datasite, Intralinks, Firmex, or SharePoint). Send the PBC list to the seller's CFO with a 5-business-day response window; track outstanding items weekly so fieldwork doesn't stall.
Financial Due Diligence
Pull audited statements plus the management letters and any going-concern footnotes. Compiled or reviewed-only financials are a red flag for a deal of size — flag any auditor change in the period and ask why.
Bridge reported EBITDA to adjusted EBITDA: owner compensation normalization, one-time legal settlements, PPP/ERC credits, related-party rent, discontinued product lines. Document each adjustment with a supporting workpaper — these are the numbers that drive the purchase price.
Calculate trailing 12-month average net working capital and propose the peg. Include AR, AP, inventory, prepaid, and accrued expenses; exclude cash and debt (typical cash-free, debt-free deal structure). Disagreements over the peg are the most common post-close dispute.
Compare management's forecast against historical CAGR, customer pipeline, and bookings backlog. Flag hockey-stick assumptions: pricing increases without a contractual basis, headcount-driven revenue growth without hiring plans, margin expansion without identified levers.
Tax Due Diligence
Pull the last three years of 1120 / 1120-S / 1065 plus state returns. Reconcile book-to-tax (Schedule M-1/M-3), confirm NOL carryforwards survive Section 382 limitation, and check S-corp shareholder basis schedules where applicable.
Run a 50-state revenue summary against post-Wayfair economic-nexus thresholds (commonly $100K or 200 transactions). Cross-reference where the target has registered and filed. Unregistered nexus is a very common indemnification item — the lookback can be 7+ years in most states.
For each state with unregistered nexus, estimate back tax + interest + penalties through the lookback period. Coordinate with deal counsel on Voluntary Disclosure Agreement (VDA) strategy versus carving the exposure into the indemnification cap or escrow.
Tie 941s to W-3 totals and confirm federal deposits hit the semiweekly or monthly schedule based on lookback. Late deposits stack penalties (2% / 5% / 10% / 15%) and signal weak controls. Also confirm any ERC claims have substantiation files.
Legal and Compliance Due Diligence
Pull customer master agreements, supplier contracts, leases, and loan documents. Flag every change-of-control, assignment, and consent provision — these become closing-condition consents and can give counterparties pricing leverage.
Request the litigation schedule, demand letters, and EEOC charges from the past five years. Tie reserves on the balance sheet to outside counsel's loss-contingency assessments per ASC 450 (probable / reasonably possible / remote).
Confirm all industry-specific licenses (state operating licenses, professional registrations, environmental permits) are current and transferable. Some licenses require pre-closing notification; others trigger automatic revocation on change-of-control.
Operational and IT Due Diligence
Schedule a half-day on-site or video walkthrough of order-to-cash, procure-to-pay, and production. Look for key-person dependencies, manual reconciliations, and processes that exist only in spreadsheets — these are integration risks and synergy candidates.
Build an inventory of the full application stack: ERP (NetSuite, Sage Intacct, Dynamics), CRM, payroll, HRIS, productivity. Capture seat counts, renewal dates, and per-seat pricing. SaaS contracts with annual lock-in and auto-renewal clauses are common surprises post-close.
Request the WISP, SOC 2 report (if any), MFA coverage, EDR deployment, and the breach log. Confirm cyber insurance policy limits and exclusions. A target without a written security plan is a GLBA / state-law indemnification trap.
If the breach log shows a prior incident, bring in a third-party firm (Mandiant, CrowdStrike, Kroll) to validate its scope and remediation. Confirm whether notification obligations under HIPAA, state breach laws, or contractual customer terms have been fully discharged.
Human Resources Due Diligence
Pull the full census: title, base, bonus, equity, hire date, location, exempt/non-exempt classification. Watch for exempt classifications that don't meet FLSA duties tests — a common wage-and-hour exposure on top of any state-law overtime issues.
Identify the top 10–20 employees the deal thesis depends on. Review existing employment contracts, change-of-control bonuses, non-competes, and vesting acceleration. Build the retention pool sizing to bring into final negotiations.
Pull the latest Form 5500, plan document, and any DOL or IRS correspondence. Late deferral remittances (past 7 business days) are a frequent prohibited transaction; confirm corrections under VFCP if found. Also confirm no controlled-group issues post-close.
Commercial and Market Due Diligence
Identify customers representing the top 80% of revenue and arrange blind reference calls (often via the deal advisor to preserve confidentiality). Probe satisfaction, renewal intent under new ownership, and any recent pricing pushback.
Build the competitor map with pricing, positioning, and recent funding/M&A activity. Pull the target's pipeline win-loss data for the trailing 12 months — eroding win rates against a specific competitor signals a thesis problem.
Confirm patents, trademarks, copyrights, and domain names are owned by the target entity (not a founder personally). Verify open-source licenses in the codebase don't trigger copyleft obligations on the proprietary product.
Cultural Fit and Integration Readiness
Conduct structured interviews with the target's leadership team on decision-making, performance management, and remote/in-office norms. Founder-led targets joining a process-heavy buyer often produce the largest post-close integration friction.
Walk through the synergy model line by line: revenue cross-sell, vendor consolidation, shared-services back office. For each, name an owner, a Day-1/Day-100/Year-1 milestone, and a risk-adjusted achievability rating to feed the final IC memo.
Findings and Partner Sign-Off
Consolidate findings into the IC memo: QoE bridge, working capital peg, top five risks with proposed reps/indemnities, synergy plan, and recommended price adjustments. Attach supporting workpapers as appendices.
Lead partner reviews the memo with the deal team. Document the recommendation, condition any proceed on specific reps/indemnities or escrow sizing, and capture digital sign-off before the buyer's investment committee meeting.
