Most deals don’t fail because the lawyers weren’t good enough. They fail because the process wasn’t structured well enough. A due diligence checklist is not a formality. It is the architecture that keeps a complex, multi-party transaction from collapsing under its own weight.
This article sets out a practical framework for M&A lawyers and in-house teams who need to run due diligence at deal speed, without missing the workstreams that tend to surface problems late.
What Is Due Diligence and Why the Checklist Matters
Due diligence is the process by which a buyer confirms what it thinks it is buying. That covers the legal, financial, operational, and commercial reality of a target, and the gap between what the seller presents and what the records actually show.
The checklist matters because deals move fast and teams are stretched. Without a structured workstream framework, items fall through: a lease with a change-of-control clause, an IP assignment that was never executed, a regulatory filing that lapsed. Any one of these can reopen price negotiations, delay closing, or kill the deal entirely.
We have written separately about the broader M&A due diligence process and what a well-run review looks like end to end. This article focuses specifically on the checklist layer: what goes in, in what order, and where in-house teams typically lose ground.
Core Workstreams: The Complete Due Diligence Checklist
A full due diligence review spans several parallel workstreams. These are the areas every checklist should cover.
Corporate and entity structure: Confirm the target’s corporate records are in order. That means reviewing articles of incorporation, bylaws, board and shareholder resolutions, capitalization tables, and any outstanding equity instruments such as options, warrants, and convertible notes. Check for any prior name changes, restructurings, or dormant entities that carry legacy liability.
Contracts and commercial agreements: Review all material contracts, including customer agreements, supplier contracts, distribution agreements, joint ventures, and exclusivity arrangements. Flag change-of-control provisions, auto-renewal terms, assignment restrictions, and any contracts with termination rights triggered by the transaction. High-volume contract review benefits from dedicated resource and clear triaging criteria. For commercial due diligence context (the financial and market dimensions of these same agreements), teams often work through commercial due diligence in parallel.
Intellectual property: Confirm ownership of all key IP assets. That means checking IP assignments from founders and early employees, patent and trademark registration status, any third-party licenses (inbound and outbound), and open-source software obligations. Software companies, in particular, often have IP ownership gaps that weren’t apparent at the term sheet stage.
Employment and labor: Review key executive contracts, equity arrangements, non-compete and non-solicit provisions, and any change-of-control payments. Check for pending employment disputes, WARN Act obligations in the US, and HR policy compliance across all jurisdictions where the target has employees.
Litigation and disputes: Get a full picture of active, threatened, and settled litigation. That includes regulatory investigations, customer disputes, employment claims, and any arbitration proceedings. Assess materiality and tail risk, not just the face value of the claim.
Real estate and assets: Review all leases and owned property, including change-of-control and consent requirements. Confirm title to key physical assets. In cross-border deals, include local jurisdiction review for real estate that may be subject to foreign ownership restrictions.
Data privacy and cybersecurity: Confirm compliance with applicable data protection frameworks (CCPA, GDPR, HIPAA, depending on the target’s footprint). Review data processing agreements, breach history, and security certifications. Regulatory compliance in this area can move fast, and gaps create post-closing exposure. Compliance and regulatory support is typically a dedicated workstream, not an afterthought.
Financial and tax: Review audited financials, tax returns, and any outstanding tax liabilities or audits. Confirm that tax structures used by the target are defensible and that any cross-border arrangements are properly documented. This workstream runs alongside, not after, the legal review.
Regulatory and licensing: Map every license, permit, and regulatory approval the target holds and confirm all are current. Identify any that will require consent or re-application post-closing. In PE transactions, this workstream often requires fund-specific analysis, including regulatory change-of-control thresholds that apply at the fund level, not just the portfolio company. We have written a dedicated guide on private equity due diligence for teams running fund acquisition or roll-up processes.
Environmental, social, and governance: ESG due diligence has moved from optional to expected in the last three years. Review environmental compliance, supply chain obligations, and any public ESG commitments that will transfer with the business.
Common Gaps In-House Teams Miss Under Deal Pressure
Timeline compression is the biggest driver of due diligence failure. When the business wants to close in six weeks, the checklist gets triaged informally rather than systematically.
The workstreams most likely to be underdone are IP ownership, data privacy, and mid-tier contracts. Senior lawyers focus on the headline issues: the material agreements, the key regulatory approvals. The second tier of contracts, which often contains the most problematic change-of-control language, gets a lighter review or none at all.
Regulatory workstreams suffer when the deal team lacks jurisdiction-specific expertise. A US-based in-house team reviewing a target with operations in the EU, APAC, or LATAM may not have the local law knowledge to assess compliance accurately without external support.
Teams frequently prepare disclosure schedules under pressure with insufficient cross-referencing to the underlying due diligence findings. That creates post-signing risk when a disclosure turns out to be incomplete or inconsistent with the representations.
Document management is also underestimated. VDR organization, naming conventions, and status tracking across multiple workstreams require dedicated coordination, especially when the team is running legal review, responding to management Q&A, and negotiating transaction documents simultaneously.
When to Bring in External Legal Support for Due Diligence
The decision to bring in external lawyers is not about the quality of your internal team. It is about bandwidth and specialization at a moment when both are under maximum pressure.
Most in-house legal teams are built for steady-state. A mid-market acquisition or a competitive auction process is not steady-state. When the checklist covers eight workstreams across multiple jurisdictions and the timeline is compressed, the gap between what your team can do and what the deal requires becomes a liability.
External M&A support is most useful in three scenarios: when the deal volume exceeds internal capacity, when the target operates in jurisdictions where you lack local expertise, and when specific workstreams (document review, IP analysis, regulatory mapping) require dedicated resource that would otherwise pull senior lawyers away from the deal-critical items.
LawFlex deploys vetted due diligence teams within 24 to 48 hours, matched to the specific workstreams and jurisdictions your deal requires. The model is flexible legal staffing without a long-term commitment: you bring in the capacity you need for the duration of the deal, then scale back when it closes. For process-heavy workstreams, legal process outsourcing handles the high-volume document review and VDR management that would otherwise slow the transaction. Teams running document-intensive reviews benefit from dedicated eDiscovery and document review support that scales with the VDR volume, not the size of your internal team.
LawFlex is ranked Tier 1 by Chambers and Partners (the leading independent legal rankings firm) and operates across 50+ jurisdictions, which matters when your deal has a cross-border dimension your internal team can’t cover alone.
FAQ: Due Diligence Checklist
What should a due diligence checklist include?
A complete due diligence checklist covers corporate structure, material contracts, intellectual property, employment and labor, litigation history, real estate, data privacy, financial and tax matters, regulatory licensing, and ESG. The weight given to each workstream depends on the target’s industry, size, and jurisdictional footprint.
How long does due diligence take for an M&A deal?
Timelines vary significantly by deal complexity. A straightforward mid-market transaction might complete due diligence in three to four weeks. A cross-border acquisition with multiple workstreams and regulatory approvals can take two to three months. Competitive auction processes are often compressed to four to six weeks regardless of complexity.
What is the most commonly missed area in due diligence?
IP ownership gaps and data privacy compliance are among the most frequently underdone workstreams, particularly in tech and software transactions. Mid-tier commercial contracts (those below the threshold that triggers automatic senior review) also carry significant risk that is often missed under time pressure.
When should an in-house team bring in outside lawyers for due diligence?
When the transaction volume, timeline, or jurisdictional scope exceeds what the internal team can cover without compromising either the review quality or the team’s ability to handle ongoing business-as-usual matters. External support is most efficiently structured as deal-specific, without a retainer or long-term engagement.
What is a virtual data room and how does it affect due diligence?
A virtual data room (VDR) is a secure online repository where the seller organizes and shares transaction documents. The quality of VDR organization directly affects the efficiency of due diligence: poorly indexed rooms extend timelines and increase the risk that material documents are missed. Dedicated document review teams with VDR management experience make a measurable difference on larger deals.
