A complete M&A due diligence checklist is organized by workstream, because the financial, legal, operational, and tax reviews each request different documents and hunt for different red flags. All run simultaneously after the LOI, coordinated by the M&A attorney managing data room access. Here is the checklist structure.
Legal Workstream
Request and review: formation documents and good-standing certificates, board minutes and shareholder agreements (typically 3 to 5 years), all material contracts, litigation files, IP assignments and registrations, and employment agreements. Red-flag checks: undisclosed litigation, change-of-control provisions across all contracts, IP ownership chain completeness, environmental liabilities, and data privacy compliance (GDPR, CCPA, HIPAA) with no unreported breaches.
Financial Workstream
Request and review: balance sheets, income statements, tax documents, debt schedules, and the customer revenue detail. Red-flag checks: customer concentration (any customer over 20% of revenue), quality-of-earnings issues (revenue recognition, expense treatment), working capital surprises, deteriorating trends, and projection-vs-history disconnects.
Operational and Tax Workstreams
Operational review covers key-person dependencies, systems and technology condition, and deferred maintenance. Tax review covers the target's tax positions, exposures, and structure. Across all workstreams, a disorganized data room — old drafts beside final versions, documents not accessible within 48 hours of request — is itself a red flag signaling deeper organizational problems. The AI agent runs the red-flag checks across every document in every workstream. It's demonstrated at omnionlinestrategies.com/ai-agent-ma-due-diligence.