The M&A Due Diligence Checklist: 12 Workstreams to Cover Before You Sign

A complete M&A due diligence checklist organizes the review into about 12 workstreams and 180+ items — from corporate records and financials to IP, data privacy, and environmental. Here is the full checklist, the red flags to watch, and how to work it faster.

Sandeep Yella

Founder, CEO & CTO

An M&A due diligence checklist organizes the review of a target into about 12 workstreams and 180+ items — spanning corporate records, financials, tax, legal, contracts, commercial position, intellectual property, technology, data privacy, people, regulatory compliance, and environmental matters. Its job is simple: make sure nothing material is missed before you sign, and keep scope disciplined so the review does not balloon in cost and time.

A good checklist is not a formality — it is the backbone of the data room request list, the structure for tracking what has and has not been answered, and the first line of defense against the surprises that kill deals after signing. Here is the full set of workstreams to cover.

The 12 due diligence workstreams

  • Corporate records & good standing — incorporation documents, bylaws, cap table, shareholder agreements, board minutes, subsidiaries.
  • Financial — audited statements, quality of earnings, working capital, debt and liabilities, budgets and projections.
  • Tax — returns and filings, historical exposures, structuring, transfer pricing, ongoing audits.
  • Legal & litigation — pending or threatened litigation, judgments, settlements, regulatory actions.
  • Material contracts — customer, supplier, and partner agreements, with attention to change-of-control, assignment, and exclusivity terms.
  • Commercial & customer — market position, pipeline, customer concentration, churn, and revenue durability.
  • Intellectual property — patents, trademarks, copyrights, ownership and assignment, licenses, and open-source exposure.
  • Technology & IT — systems and architecture, technical debt, infrastructure, and key dependencies.
  • Data privacy & cybersecurity — policies, past incidents, regulatory compliance (e.g., APPI, GDPR), and security controls.
  • Human resources — org chart, key employees, compensation, employment agreements, benefits, and labor disputes.
  • Regulatory & compliance — licenses, permits, and industry-specific regulatory obligations.
  • Environmental & real estate — owned and leased property, lease terms, and environmental liabilities.

Where to start: the core three

Not every workstream carries equal weight. On most deals, three do the heaviest lifting. Financial due diligence tests whether the earnings are real and sustainable — the quality-of-earnings work that underpins the price. Legal due diligence determines what you are actually buying and what liabilities come with it, from contracts and litigation to IP ownership. Commercial due diligence asks whether the market and customer base will hold up after the deal closes. The remaining workstreams matter, but they usually confirm or complicate the picture these three establish — so scoping them first keeps cost and attention where the deal risk really sits.

How to use the checklist

  • Prioritize by risk — front-load the workstreams that carry the most deal risk for this specific target, rather than reviewing everything at equal depth.
  • Drive the request list — turn the checklist into the data room request list so gaps are visible from day one.
  • Track Q&A centrally — log every question and answer against its checklist item so nothing falls through the cracks.
  • Version the findings — keep a single source of truth as new documents arrive, instead of scattered notes across the team.

A due diligence checklist does not find risk by itself — it makes sure that every place risk could hide gets looked at.

Red flags to watch for

  • Customer concentration — a few accounts driving most of revenue.
  • Off-balance-sheet or undisclosed liabilities.
  • Unclear IP ownership or unlicensed open-source dependencies.
  • Change-of-control clauses that let key contracts terminate on the deal.
  • Pending or threatened litigation and regulatory actions.
  • Key-person dependency and a thin management bench.
  • Gaps in data privacy or regulatory compliance.

Working the checklist faster with AI

The checklist tells you what to look for; the work is in reading the documents that answer it. This is where AI helps most. Specter, our AI platform for M&A due diligence, reads the entire data room against the workstreams above — mapping documents to checklist items, flagging what is missing, surfacing the red flags, and citing every finding back to its source. The deal team works from a structured, evidence-linked view instead of a folder of thousands of files, and keeps full control over what is accepted.

Scope tip: agree the checklist and its priorities before the data room opens. The cost of due diligence is set less by the number of items than by how disciplined you are about depth.

Frequently Asked Questions

What is on an M&A due diligence checklist?

An M&A due diligence checklist covers roughly 12 workstreams: corporate records and good standing, financial, tax, legal and litigation, material contracts, commercial and customer, intellectual property, technology and IT, data privacy and cybersecurity, human resources, regulatory and compliance, and environmental and real estate. A complete checklist runs to 180+ individual document and information items across those categories.

How many items are in a due diligence checklist?

A complete M&A due diligence checklist typically contains 150–180+ individual items organized across about 12 workstreams. The exact count depends on the target’s size, industry, and complexity — a regulated or multi-entity target will have far more items than a small single-product business.

What are the main categories of due diligence?

The main categories are financial, legal, tax, commercial, operational, human resources, technology and IP, data privacy and cybersecurity, regulatory and compliance, and environmental. Financial, legal, and commercial due diligence form the core of most deals, with specialist workstreams added based on the target and the risks that matter.

What are common due diligence red flags?

Common red flags include heavy customer concentration, off-balance-sheet or undisclosed liabilities, unclear intellectual property ownership, change-of-control clauses in key contracts, pending or threatened litigation, key-person dependency, and gaps in data privacy or regulatory compliance. Each is a reason to dig deeper before signing.