The M&A Due Diligence Checklist for Modern Deal Teams

Learn how modern M&A teams use due diligence checklists and legal AI to spot material risks before they become post-close surprises.

by Harvey Team, Jun 3, 2026

A mid-sized M&A transaction generates anywhere from 5,000 to 50,000 documents in a virtual data room. Financial statements, employment agreements, IP assignments, regulatory filings, environmental reports, insurance policies, board minutes. Every one of them carries information that can change the purchase price, restructure the indemnification terms, or kill the deal entirely. A due diligence checklist is what turns that volume into a structured investigation, and what separates a team that surfaces material risk from one that discovers it post-close.

The stakes keep growing. Transactions span more jurisdictions, implicate more regulatory regimes, and involve technology assets that did not exist a decade ago. Timelines have compressed. Clients and counterparties expect diligence to be both thorough and fast. And the categories that matter have expanded. Data privacy, ESG exposure, cybersecurity posture, and AI governance now sit alongside the traditional financial and legal categories that have anchored the process for decades.

This article walks through a due diligence checklist built for how transactional legal teams work today, category by category, including where AI-assisted review is changing what is possible at each stage.

What an M&A Due Diligence Checklist is for

The M&A due diligence checklist is the document that organizes the investigation of a target company across every risk domain relevant to a transaction. Financial records, legal structure, operations, tax compliance, intellectual property, human resources, environmental liabilities, technology infrastructure, regulatory standing, insurance coverage, and commercial positioning. Each category corresponds to a distinct set of documents, a distinct set of questions, and a distinct set of risks that can affect valuation, deal structure, or integration planning.

The checklist is typically prepared by buyer's counsel, with input from financial advisors, accountants, and subject-matter specialists depending on the industry and complexity of the target. It serves two connected purposes. First, it generates the formal request list sent to the seller, which defines what goes into the virtual data room. Second, it provides the structure that reviewers use to analyze and flag findings across every category. In most transactions, the process runs six to twelve weeks. The checklist drives the pace and the rigor of that entire period.

While scope varies by deal type, the underlying categories remain consistent whether the transaction is a full acquisition, a private equity investment, a joint venture, or a major asset purchase. A $3 million acquisition of a single-location services business and a $3 billion cross-border merger will look different in depth, but both require the same structural discipline.

Financial and Accounting

Financial diligence exists to answer one question. Are the numbers the seller is selling on the numbers the business actually produces? The purchase price is almost always a multiple of some measure of earnings, usually Earnings Before Interest, Taxes, Depreciation, and Amortization. If the EBITDA figure in the teaser is not the EBITDA the business will generate on a normalized, run-rate basis under your ownership, the price is wrong.

Financial statements

Three to five years of audited or reviewed financials, monthly trial balances, and a clear read on revenue recognition policies. For targets without audited financials, which is common in the lower middle market, the diligence team often has to reconstruct the financials from the underlying accounting records. Revenue recognition is where surprises usually show up. Aggressive policies inflate current-period revenue at the expense of future periods, which distorts the run-rate picture.

Quality of earnings

The quality of earnings report, or Q of E, is the central artifact of financial diligence. It takes reported EBITDA and applies adjustments to get to normalized EBITDA, stripping out non-recurring items like litigation settlements and transaction costs, correcting for owner compensation that will not continue post-close, and pro forma adjusting for acquisitions or divestitures during the look-back period. The gap between reported and normalized EBITDA is often the most consequential finding in the entire diligence process, and it frequently drives a price renegotiation.

Debt and liabilities

Funded debt is the obvious category. The diligence work is in the debt-like items, including capital leases, deferred revenue the buyer will have to perform against without receiving cash, earn-outs owed on prior acquisitions, accrued but unpaid bonuses, change-in-control payments triggered by the transaction, and any off-balance-sheet obligations. Debt-like items reduce the net proceeds to the seller, and the definition of indebtedness in the purchase agreement is where these findings land.

Working capital

Seasonality, collection cycles, inventory turns, and the calculation of the working capital peg that will govern closing mechanics. The peg is one of the most negotiated provisions in the purchase agreement, and getting it wrong costs the buyer real money at close. A business with significant seasonality requires a peg that accounts for where in the cycle the close will occur.

Legal and Corporate Structure

Legal diligence confirms the seller actually owns what it is selling, has the authority to sell it, and is not handing the buyer a set of obligations that reshape the deal. The volume of documents in a modern data room makes exhaustive review impractical on most timelines. The discipline is triage, knowing which categories matter for this transaction, which provisions within those categories matter, and which findings rise to the level of a deal issue.

Organizational documents

Articles of incorporation, bylaws, operating agreements, and minutes from board and shareholder meetings. This is the foundational review that establishes corporate authority, confirms the chain of approvals for prior material actions, and surfaces any governance gaps. Missing board consents, incomplete minute books, and unresolved prior corporate actions are the findings to watch for.

Capitalization table

A complete list of all shareholders, stock certificates, option grants, warrants, and any convertible instruments. Cap table reconstruction can itself consume a week of associate time on venture-backed targets. The findings that most often matter are unauthorized share issuances, option grants made outside an approved pool, and missing stockholder consents for prior financings or transactions. A clean cap table is the precondition for a clean deal.

Material contracts

Customer agreements, supplier agreements, partnership agreements, and any contract that generates significant revenue, commits significant spend, or imposes significant restrictions on the business. The provisions that matter most in an M&A context are change-of-control clauses that let counterparties terminate or renegotiate on deal announcement, assignment restrictions that affect whether the contract travels with the business, exclusivity and non-compete commitments that bind the acquirer post-close, most-favored-nation provisions that cascade pricing obligations, and auto-renewal mechanics that lock the buyer into terms it has not separately evaluated.

Litigation

Pending matters, threatened claims, settled matters with ongoing obligations, and any regulatory investigations or subpoenas. Individual cases are usually less telling than patterns. A target with three employment discrimination claims across five years is differently situated than one with thirty, even if each individual claim looks minor. Regulatory investigations deserve particular attention because they often signal exposure that has not yet been quantified in the financials.

Tax Compliance

Tax diligence identifies unpaid taxes, structural issues, and exposure that could transfer to the buyer at close. It sits at the intersection of legal and financial diligence and often drives decisions about deal structure, which in turn affects the after-tax outcome for both parties. Findings here feed directly into the representations and warranties, indemnification provisions, and sometimes the form of the transaction itself.

Tax filings

Three to five years of federal, state, and local income tax returns, along with any international filings for targets with cross-border operations. The review confirms the target has filed everywhere it is required to file, that reported positions are defensible, and that there are no unresolved issues carrying forward. Net operating losses and their availability after a change of control are often a material item, since Section 382 limitations can strand losses the buyer's model assumed were usable.

Sales and use tax

Verification of compliance across every jurisdiction where the company has nexus. Sales tax exposure is the most common tax surprise in mid-market transactions, particularly for software and services businesses whose customer footprint has outrun their filing footprint. A target with customers in forty states and sales tax returns in three is carrying contingent liability that belongs in the indebtedness definition or the escrow.

Audits and open matters

Correspondence regarding any open or past IRS and state tax audits, notices of proposed adjustments, voluntary disclosure agreements, and any tax positions the target has taken that could be challenged. Transfer pricing documentation is a required item for any target with international operations, since transfer pricing disputes can produce exposure measured in years of tax liability.

Intellectual Property

IP diligence confirms the target actually owns the assets its business depends on. For technology, media, and life sciences targets, IP is often the single largest driver of value. A gap in ownership, a license with unfavorable terms, or an open-source compliance issue can materially change what the buyer is acquiring. The review is about chain of title as much as it is about the registered assets themselves.

Registrations

A complete schedule of patents, trademarks, copyrights, domain names, and pending applications, with jurisdictional coverage and renewal status. The schedule should match the assets the business publicly represents as its own. Gaps between the marketing materials and the registration schedule are a flag. Lapsed or expired registrations, particularly in the markets where the target actually operates, are a second flag.

Ownership and assignment

Verification that all IP has been formally assigned to the company. This is where most IP diligence findings actually surface. Contractors who contributed to the product without signing a proper assignment can cloud ownership of the code or content the buyer believes it is acquiring. Employees in jurisdictions with different default IP rules, including parts of Europe and Asia, may require specific assignment language to transfer work product to the company. The remediation work can extend past closing if the gaps are not identified in time.

Licensing and open source

Inbound licenses the target relies on, outbound licenses the target has granted, and open-source software usage across the codebase. Open-source compliance has become a significant diligence area on software targets, since copyleft obligations in licenses like GPL can force disclosure of proprietary code if the software is distributed in certain ways. Most software targets run an open-source scan as part of sell-side preparation. Buyers that do not run their own independent scan are taking the seller's word on a material risk area.

Human Resources and People

HR diligence evaluates workforce stability, retention risk, and potential labor liabilities. On most transactions, the people question is also the integration question. A deal model that assumes synergies from a combined sales force, or a sponsor thesis that depends on the current management team executing a growth plan, is only as good as the team that actually stays through close. HR diligence tests whether the assumptions hold.

Employee census

A complete list of all employees, their roles, compensation levels, years of service, and reporting relationships. The census surfaces two things worth watching for. The first is concentration, whether a handful of people hold disproportionate customer relationships, technical knowledge, or institutional memory. The second is compensation outliers, where specific employees are paid significantly above or below market in ways that will need to be addressed post-close.

Agreements and retention

Employment contracts for executives and key employees, non-compete and non-solicit agreements, severance policies, and any change-of-control payments triggered by the transaction. The enforceability of non-competes varies materially by state, and in California and a growing list of jurisdictions they are effectively unenforceable. A target where half the senior team has enforceable non-competes they will invoke against the buyer is a meaningfully different acquisition than one where those agreements were never properly executed. Retention packages for key employees are often negotiated during diligence and become part of the overall deal structure.

Benefits

401(k) plans and any Employee Retirement Income Security Act (ERISA) compliance issues, health insurance policies, deferred compensation arrangements, and any underfunded pension obligations. Pension exposure on targets with legacy defined-benefit plans can be significant and is often the largest HR finding in magnitude. 280G parachute payment exposure on transactions involving public or formerly public targets also belongs in this review, since the tax gross-ups can affect deal economics.

Operations and IT

Operations and IT diligence tests whether the business will actually run the way the financials suggest it does. The historical numbers can be audited. Whether the business can sustain those numbers, or grow from them, depends on customer concentration, technology resilience, and the physical and digital infrastructure that supports day-to-day operations. These are forecast-testing workstreams, and they are where buyers most often cut corners under timeline pressure.

Customer concentration and commercial position

A breakdown of revenue by customer, product line, and geography, with specific attention to concentration. A target where the top ten customers represent eighty percent of revenue carries a different risk profile than one where they represent thirty percent, and the purchase agreement will reflect that through stronger reps, larger indemnification baskets, or earn-out structures tied to customer retention. Churn rates, net revenue retention, and the length and terms of customer contracts complete the picture. On private equity processes, commercial diligence typically includes blind customer interviews conducted through consultants, since the findings from actual customers usually differ from what management presents.

IT systems and cybersecurity

Software licenses and their assignment provisions, cloud services and vendor contracts, the technology architecture, and cybersecurity posture. On software and SaaS targets, this is a substantial workstream handled by dedicated technical diligence firms. The findings that matter most are rarely about the code being bad. They are about the code being fragile, undocumented, or concentrated in the heads of a small number of engineers who may or may not stay post-close. Cybersecurity review covers breach history, security certifications like SOC 2 or ISO 27001, incident response capabilities, and compliance with GDPR, CCPA, and the widening field of state privacy laws. An unreported or underreported breach carries contingent liability that can exceed the purchase price.

Physical assets and facilities

Deeds for owned property, leases for occupied facilities, equipment inventories, and maintenance records. Environmental assessments for any target with manufacturing operations or significant physical footprint, since environmental liabilities can dwarf other findings in magnitude. Lease assignment provisions matter because they determine whether the buyer can keep operating from the same locations without landlord consent, and consent requirements can become a closing condition that extends the timeline.

Regulatory, ESG, and AI Governance

Regulatory exposure, ESG, and AI governance are the categories that separate a current M&A due diligence checklist from a dated one. Five years ago, most of this work either did not exist as a distinct diligence area or was handled as a footnote. Today, each one regularly produces findings that move deal terms, and in some cases determines whether the transaction closes at all.

Regulatory exposure

Industry-specific licenses and permits, FCPA and anti-corruption program review, sanctions screening and export controls, and antitrust clearance under Hart-Scott-Rodino or foreign merger control regimes. The scope scales with the target's industry and geography. For cross-border transactions, foreign direct investment review in the US, UK, EU, and a growing list of other jurisdictions can add months to the closing timeline or, in a small but growing number of cases, block the transaction outright.

ESG and sustainability

Climate-related disclosure exposure, supply chain labor practices, emissions profile, and governance around environmental and social risk. The reason this has moved from footnote to checklist category is practical. ESG findings now affect financing availability, insurance pricing, and customer contracts. Targets with significant emissions exposure in jurisdictions with carbon pricing or mandatory climate disclosure rules carry contingent costs that belong in the diligence picture.

AI and data governance

Whether the target uses AI tools, whether those tools were trained on customer data, whether the training data was properly licensed, and whether the target's AI-related customer representations are accurate. This is the newest category on the list and the one most generic checklists miss entirely. Targets now routinely use AI vendors with opaque data practices, deploy models trained on scraped data with unclear licensing, or make AI-related claims in customer contracts that the technology does not fully support. The review should cover model provenance, training data sourcing, vendor contracts, customer disclosures, and compliance with the EU AI Act and the state-level AI regulations taking effect in the US.

How AI is Improving the Due Diligence Process for Deal Teams

For decades, due diligence has relied on junior associates manually reviewing thousands of documents, identifying relevant provisions, flagging risks, and summarizing findings for partners and clients. This manual approach is time-intensive, inconsistent across reviewers, and almost always forces the team to sample rather than review the full population of documents in a data room.

That sampling creates an inherent blind spot. A non-compete with an unusual geographic scope in one vendor agreement, or an earn-out trigger buried in a subsidiary's operating contract, can be missed entirely when only a fraction of the documents receive close review. AI is shifting the economics of the process by making full-population review practical for the first time.

AI-assisted analysis processes every document in the data room, extracting key provisions, flagging deviations from standard terms, and surfacing anomalies that a manual first pass would likely overlook. It also addresses a consistency problem that deal teams rarely talk about openly. On sizable transactions, the review is divided across multiple associates. Different reviewers apply different standards, flag different issues, and summarize findings at different levels of detail. AI provides a consistent baseline across every document, regardless of who is assigned to review it.

The distinction that matters most is not whether a team uses AI, but what kind of AI they use. General-purpose models can summarize documents and answer questions about them, but they lack the domain-specific training, citation grounding, and security architecture that transactional legal work demands. The output may be fluent but unverifiable. It may miss legal nuance. It may hallucinate provisions that do not exist. Platforms like Harvey, used by over 142,000 legal professionals including more than 60% of the AmLaw 100, represent a different approach to legal AI, one built from the ground up for legal reasoning and grounding every output in verifiable sources. For due diligence work, where every finding must be traceable to a specific document and a specific provision, that distinction is a matter of professional responsibility.

None of this replaces the judgment that experienced lawyers bring to interpreting findings and translating them into deal terms. An unusual termination clause still requires a lawyer to assess whether it is commercially significant. A deviation from market-standard warranty language still requires someone who understands the norms to determine whether it warrants attention in the purchase agreement. AI for due diligence accelerates the review, improves consistency, and allows teams to cover more ground in less time. But the checklist still defines what to look for. AI changes whether the team actually finds it.

Building a Checklist That Works for Your Deal Team

No two transactions carry the same risk profile, and the checklist should reflect that. The starting point for most teams is a template that covers the standard categories. Financial, legal, operational, HR, tax, IP, environmental, technology, insurance, and regulatory. But a template is only useful if the team calibrates it to the specifics of the deal at hand.

Calibration means adjusting scope and depth based on four variables. The size of the transaction, which determines how much diligence the economics can support. The industry of the target, which determines which categories carry the most weight. The jurisdictions involved, which determine what regulatory and compliance layers apply. And the buyer's risk tolerance, which determines how aggressively findings are pursued and how they translate into deal protections.

Data room organization matters more than most teams acknowledge. A well-structured virtual data room with clear folder hierarchies, search-friendly document titles, and watermarked files accelerates the review and signals that the seller takes the process seriously. A disorganized data room does the opposite. It slows everything down, forces reviewers to spend time on logistics rather than analysis, and raises questions about whether the company's internal operations are similarly disordered.

The most common mistakes are predictable. Collecting every available document without a plan for analyzing them. Treating the review as a single event rather than an iterative process that adjusts as new findings surface. Relying on templates that were last updated before data privacy, cybersecurity, and AI governance became standard categories. And applying inconsistent review standards across a team of associates without a shared understanding of what constitutes a material finding.

Every finding on the checklist should connect to a specific commercial outcome. A price adjustment, an indemnification provision, a representation in the purchase agreement, or a decision to walk away. The checklist is only as valuable as the decisions it informs. Harvey is built for exactly this kind of work, giving transactional teams the ability to review every document in the data room with the consistency, speed, and citation grounding that due diligence demands. If your firm is ready to see what that looks like in practice, request a demo.