In the life of a CFO, few responsibilities carry more weight than leading the assessment of a potential acquisition. The financial and reputational stakes are asymmetric: a thorough process occasionally surfaces a fatal flaw that kills a deal worth killing. A superficial process can commit a company to hundreds of millions in consideration for a business that was not what it appeared to be.
The most dangerous form of failure is not missing a document. It is asking the wrong questions, accepting management representations without verification, or allowing deal momentum to suppress the rigorous skepticism that the process demands.
What Due Diligence Actually Is (and Is Not)
Due diligence is frequently described as a document review process. That framing understates it. Due diligence is verification and risk assessment: a structured effort to independently confirm that the business you are buying matches the business you were sold. Documents are inputs. The outputs are a clear-eyed view of risk, a defensible purchase price, and a set of contractual protections appropriate to what you found.
The primary workstreams in a comprehensive M&A diligence process include:
- Financial: Quality of earnings, financial statement review, cash flow analysis, working capital normalization, and identification of debt or debt-like items.
- Operational: Business model assessment, revenue quality, management team evaluation, scalability analysis, and customer and supplier concentration risk.
- Legal: Contract review, intellectual property, litigation, corporate structure, and regulatory compliance.
- Tax: Federal and state tax positions, net operating losses, transfer pricing, and tax exposure identification.
- HR and Cultural: Compensation structure, benefits liabilities, key employee retention, and organizational culture assessment.
- Commercial: Market size, competitive positioning, customer relationships, and sales pipeline validation.
- IT and Cybersecurity: Technology infrastructure, systems integration risk, technical debt, and security posture.
The CFO owns financial and operational review directly and provides oversight across the other workstreams. Buy-side work — which is the focus of this article — is oriented toward identifying risks that affect price and deal structure. Sell-side work, by contrast, is conducted before going to market to anticipate buyer questions, clean up findings proactively, and accelerate the buyer's process.
Building Your Due Diligence Team
No CFO completes a serious M&A diligence process alone. The workload is too broad, the subject matter too specialized, and the time compression too severe. Building the right team before the process begins — not during it — is one of the most consequential decisions in the entire transaction.
| Role | Responsibility | Typical Source |
|---|---|---|
| CFO / Finance Lead | Financial analysis, model oversight, synthesis of findings | Internal |
| M&A Counsel | Legal review, reps & warranties, contract review, deal structure | External law firm |
| Financial Advisor / IB | Deal structure, valuation, market context, process management | Investment bank |
| Accounting / QoE Firm | Historical earnings normalization, GAAP compliance review | Accounting firm (Big 4 / regional) |
| Tax Advisor | Tax structure, NOLs, transfer pricing, identified tax exposures | Accounting firm |
| IT Advisor | Systems assessment, cybersecurity posture, technical debt | IT consulting firm |
| HR / Compensation | Benefits liabilities, retention risk, culture assessment | HR consultant / employment attorney |
| Environmental (if applicable) | Site contamination assessment, regulatory exposure | Environmental consultant |
Engage advisors with direct experience in your target's industry. A healthcare services acquisition and a manufacturing acquisition have fundamentally different risk profiles, regulatory environments, and normalized earnings benchmarks. Advisors who specialize in your sector will identify issues that generalists miss.
Financial Due Diligence Checklist
Financial due diligence is the CFO's core responsibility in any acquisition. The goal is not to audit the company — the accountants do that — but to develop independent conviction about the quality and sustainability of earnings, the reliability of the balance sheet, and the true cash generation of the business.
Quality of Earnings (QoE) Analysis
The Quality of Earnings analysis is the most critical deliverable in financial due diligence. Its purpose is to normalize reported earnings to reflect the true, sustainable economic earnings of the business — stripping out items that inflate historical results and identifying recurring cost structures that management may have obscured.
The core output is an EBITDA bridge: a line-by-line reconciliation from reported EBITDA to adjusted EBITDA, showing each add-back and haircut with supporting evidence. Common adjustment categories include:
- One-time items: Legal settlements, restructuring charges, non-recurring consulting fees, or one-time gains from asset sales. Sellers will add back everything; the acquirer's job is to challenge each item.
- Management perks: Personal vehicle allowances, personal travel, life insurance premiums, and family member compensation. These are legitimate add-backs in private company acquisitions, but they must be benchmarked against market-rate replacements.
- Non-recurring revenue: Government grants, PPP loan income, one-time project fees. Revenue add-backs are more dangerous than cost add-backs because they inflate the earnings base without improving sustainability.
- Related party transactions: Rent paid to a related-party landlord above or below market, management fees paid to a sponsor, or services purchased from family-owned businesses. Normalize all to prevailing market rates.
Beyond the EBITDA bridge, the QoE must address revenue quality: customer concentration (what percentage of revenue is represented by the top one, three, and ten customers?), contract terms and renewal rates, churn data, and gross margin sustainability. Margins that expanded rapidly during the diligence period should be scrutinized closely — they can reflect genuine operating leverage or deliberate cost deferral staged to flatter the sale process.
QoE on working capital: One of the most consequential QoE outputs is the normalized working capital calculation. This determines the working capital peg in the purchase agreement — the level of working capital the buyer expects at close. An inflated peg protects the buyer; an understated one transfers value to the seller through post-close true-up adjustments.
Financial Statement Review
The financial statement review is distinct from the QoE. Its purpose is to assess the reliability of the historical financial record and identify balance sheet exposures that affect purchase price.
- 3–5 years of audited financial statements (unqualified opinions preferred; qualified opinions require explanation)
- YTD actuals compared to prior year and management's internal budget
- Revenue disaggregated by customer, product or service line, and geography
- Cost structure analysis: fixed versus variable components, step functions in headcount or infrastructure
- Complete debt schedule: all existing obligations, covenant compliance, prepayment penalties, acceleration triggers
- Off-balance sheet liabilities: operating leases (pre-ASC 842), contingent liabilities, purchase commitments, guarantees
- Capital expenditure history disaggregated between maintenance capex and growth capex
Cash Flow Analysis
Free cash flow is what acquirers ultimately buy. EBITDA is a proxy; cash is the reality. A thorough cash flow analysis reconciles EBITDA to free cash flow and identifies the drivers of any divergence. High-EBITDA businesses with poor cash conversion are a frequent source of post-close disappointment.
The cash conversion cycle — how efficiently the business converts revenue to cash — should be calculated and compared against industry benchmarks. Deteriorating days sales outstanding or inventory balances growing faster than revenue are warning signs worth investigating before close.
| Balance Sheet Item | Question to Answer |
|---|---|
| Deferred revenue | Is revenue being recognized correctly? What are the future service obligations associated with the deferred balance? |
| Customer deposits | What are the conditions for release? Are there obligations to deliver before the deposit converts to earned revenue? |
| Inventory | Is inventory valued at lower of cost or market? Has the aging been reviewed for obsolete or slow-moving items? |
| Goodwill | Has impairment testing been conducted? Are there qualitative indicators of impairment in the reporting unit? |
| Contingent liabilities | What is the exposure from pending litigation, warranty claims, earn-outs, or environmental liabilities? |
Operational Due Diligence
Financial review answers: “What has this business been?” Operational review answers: “What will this business be?” Both are required for a well-underwritten acquisition.
Business Model and Revenue Quality
The most durable acquisitions are built on businesses with predictable, recurring revenue. The review should map the revenue model along a spectrum from high-predictability (multi-year contracts, subscription SaaS) to low-predictability (project-based, transactional, spot revenue), and calculate what percentage of next year's expected revenue is already contracted or highly likely to recur.
Pricing power is a qualitative but critical factor. A business that has consistently raised prices above inflation without losing customers has a competitive moat. A business that competes primarily on price, or that has seen margin compression despite revenue growth, is in a more fragile competitive position than its top-line trajectory suggests.
Customer lifetime value and churn data should be validated against the company's own claims. Net revenue retention above 100% (indicating expansion revenue from existing customers) is a positive signal. NRR below 90% should trigger deep inquiry into the underlying causes.
Management Team Assessment
The people who built the business may or may not be the people who will run it after close. The assessment must answer: what happens if the founder or CEO leaves?
- Team depth and succession: Identify the two to three people whose departure would most damage the business. Assess whether their roles can be filled from within or will require external hiring.
- Retention risk: Review option vesting schedules and change of control provisions. Many founders are fully vested by the time an acquisition occurs, so the financial incentive to remain disappears at close.
- Compensation benchmarking: Private company management teams are frequently under-compensated relative to market. Adjust the forward operating model to reflect market-rate replacements; this affects ongoing EBITDA.
- Non-compete agreements: Assess enforceability under applicable state law. California's prohibition on non-competes materially affects retention strategy in technology and professional services transactions.
Operations and Scalability
The valuation paid for a business typically reflects an assumption about future performance that exceeds current results. The operational review must stress-test whether the business can actually deliver that performance. A business that requires proportional headcount growth to grow revenue is fundamentally less valuable than one that can scale revenue on a relatively fixed cost base.
Systems and technology infrastructure should be assessed for single points of failure and technical debt requiring near-term capital investment. Supplier concentration is a risk that rarely appears in financial statements but can be existential: a business sourcing 70% of its inputs from a single supplier has a critical dependency that may not be adequately reflected in purchase price.
M&A Due Diligence Red Flags
Experience across hundreds of transactions produces a consistent set of warning signs. Each of these, individually, may be explainable. Multiple red flags appearing in a single deal signal that the process needs to intensify — or that the deal should not proceed.
| Red Flag | What It Signals | Recommended Response |
|---|---|---|
| Revenue concentration >25% in one customer | Existential dependency; losing this customer would materially impair earnings | Negotiate earnout tied to customer retention through integration period |
| Declining gross margins over 3 years | Pricing power erosion, competitive pressure, or structural cost creep | Deep dive into unit economics; adjust valuation multiples downward |
| Working capital increasing faster than revenue | Potential cash drain post-close; business may require more working capital than the model assumes | Adjust purchase price mechanics or add working capital true-up provisions |
| Key man dependency (founder is the company) | Significant transition risk; value may not transfer to new ownership | Retention package, employment agreement, earnout contingent on continuity |
| Auditor changes in last 3 years | Potential accounting disagreements or auditor concerns about management integrity | Request predecessor auditor consent; discuss reasons for change directly |
| Aggressive revenue recognition | Inflated historical earnings; reported results do not reflect economic reality | Independent QoE is non-negotiable; model haircuts into valuation |
| Material weaknesses in internal controls | Financial statements may be unreliable; remediation will require post-close investment | Escrow a portion of proceeds or negotiate a purchase price reduction |
| Unresolved litigation | Contingent liability that may transfer to buyer unless indemnified | Price to worst-case scenario or require robust representations and warranties insurance |
| ERP migration in progress | Operational disruption risk; integration complexity is materially higher during a system transition | Delay close until migration is stable; carve out operational risk in price adjustment |
The Quality of Earnings Report
The QoE report is the single most important deliverable in buy-side financial review. It is produced by an independent accounting firm — explicitly not the target's existing auditor, and not the buyer's own accounting team — to ensure objectivity. The cost ranges from $75,000 to $300,000 for mid-market transactions, depending on complexity, the number of entities, and geographic scope. That fee is routinely the best money spent in the entire transaction.
A well-constructed QoE report delivers several specific outputs:
- Adjusted EBITDA bridge: A line-by-line reconciliation from reported to adjusted EBITDA, with each add-back and haircut supported by evidence and discussed with management.
- Normalized working capital: A calculation of the sustainable level of working capital required to run the business, used to set the working capital peg in the purchase agreement.
- Debt and debt-like items: Identification of obligations that reduce equity value but may not appear in the formal debt schedule — deferred revenue associated with unperformed obligations, accrued but unpaid bonuses, and underfunded pension obligations.
- Revenue and customer analysis: Independent validation of revenue by customer, product line, and contract structure, reconciled to audited financial statements.
The QoE is not optional: Buyers who rely on seller-provided financial summaries without an independent QoE regularly discover post-close that adjusted EBITDA was materially overstated. The QoE fee is insurance against a purchase price error that could dwarf it by an order of magnitude.
Due Diligence Timeline
M&A due diligence for a mid-market transaction typically runs four to six weeks from data room access to synthesis. The timeline compresses for smaller transactions and extends for complex multi-entity, cross-border, or regulated-industry deals. Managing the timeline requires a detailed workplan with clear ownership for each workstream.
| Phase | Timeline | Key Activities |
|---|---|---|
| Kickoff | Week 1 | Execute NDAs, gain data room access, complete initial document review, develop management Q&A list, align team on scope and responsibilities |
| Financial Review | Weeks 2–4 | QoE analysis, detailed financial modeling, cash flow analysis, debt and debt-like item identification, working capital normalization |
| Operational Review | Weeks 2–5 | Management interviews, operations review, customer reference calls, pipeline and backlog analysis, systems and technology assessment |
| Legal and Tax | Weeks 3–6 | Contract review, IP ownership confirmation, litigation review, tax structuring analysis, regulatory compliance assessment |
| Synthesis | Weeks 5–6 | Risk assessment and pricing, purchase price adjustment modeling, LOI or SPA negotiation informed by findings, escrow and indemnification structuring |
Using Findings in Negotiations
Every material finding in a due diligence process has a dollar value, a risk adjustment, or both. The CFO's job in the negotiation phase is to translate findings into specific purchase agreement provisions that protect the buyer's interests.
Findings typically result in one of four outcomes:
- Purchase price adjustments: A reduction in the headline consideration reflecting a confirmed issue — lower adjusted EBITDA, a liability that was not disclosed, or a working capital shortfall.
- Representations and warranties: Contractual commitments from the seller that specific facts are true. R&W insurance has become common in mid-market transactions, allowing buyers to claim against an insurer rather than the seller directly.
- Escrows and holdbacks: A portion of the purchase price held in escrow for a defined period. Typical structures hold 10–15% of purchase price in escrow for 12–24 months.
- Earnout structures: A portion of the purchase price made contingent on post-close performance. Useful for bridging valuation gaps or addressing key-person risk.
The discipline required in this phase is to evaluate each finding on its merits rather than in the context of deal momentum. A motivated buyer who has invested six weeks in diligence and announced the deal internally faces significant psychological pressure to minimize findings and close. That pressure is the enemy of sound deal underwriting.
Knowing when to walk away is the most valuable skill in M&A. The circumstances that warrant abandonment include material misrepresentation by the seller, undisclosed liabilities that exceed the economics of the deal, or fundamental questions about business model integrity that cannot be resolved through contractual protections.
Sell-Side Preparation: Getting Ready to Be Assessed
If you are on the sell side of a transaction, preparing before engaging buyers compresses timelines, reduces deal risk, and frequently supports valuation. Buyers who encounter a well-organized, diligence-ready seller develop higher confidence in management and in the quality of the business.
- Organize 3–5 years of financial statements: Ensure audited financials are clean, consistently presented, and reconciled to management accounts. Year-over-year accounting policy changes should be documented and explained.
- Commission a sell-side QoE: Preparing your own Quality of Earnings report before going to market lets you anticipate buyer adjustments, defend your EBITDA narrative, and avoid surprises that could reopen price negotiations late in the process.
- Document one-time items proactively: Every add-back you claim will be challenged. Prepare contemporaneous documentation — board approvals, invoices, board minutes — that supports each adjustment before buyers ask for it.
- Resolve open legal matters: Pending litigation, unresolved tax disputes, and open regulatory matters are buyer concerns. Resolving them before going to market removes issues that would otherwise require indemnification structures or price adjustments.
- Organize the data room carefully: A well-organized, comprehensively populated data room signals a professionally run company. Disorganized or incomplete data rooms signal operational dysfunction and increase buyer anxiety, which translates into more aggressive scrutiny and price pressure.
Key Takeaways
- Due diligence is verification and risk assessment, not document collection. The goal is independent conviction about what the business actually is.
- The Quality of Earnings analysis is the most important financial deliverable. It is non-optional and should be conducted by an independent accounting firm.
- Build your team before the process begins: M&A counsel, a QoE firm, tax advisor, and IT advisor at minimum for any transaction above $20M.
- Red flags are negotiating data points, not deal killers by default — but multiple red flags in a single deal require heightened scrutiny and pricing discipline.
- Every material finding translates to a specific protection: price adjustment, escrow, representation and warranty, or earnout.
- Sell-side preparation — including a proactive sell-side QoE — compresses timelines and supports valuation.