Buying a business without a systematic due diligence checklist risks hidden liabilities and overpayment. Most checklists treat every deal the same, but the smart approach is phase-based—different questions at pre-LOI, confirmatory diligence, and post-close, with clear owners for each workstream. This guide provides a scalable checklist, a realistic 30–60–90 day timeline, and a downloadable template—plus a public-records workflow (Secretary of State, UCC filings, civil litigation, adverse media) that many buyers overlook until it’s too late. For the public records portion, consider a company background check.
What Due Diligence Covers (in Plain English)
Due diligence has two jobs: confirm what the seller says and surface risks they may not realize exist. It turns assumptions into evidence so you can price, structure, or walk away with clarity. If you need a quick primer first, see due diligence: definition, types, and examples.
The core domains:
- Financial: Earnings quality, working capital needs, legitimate add-backs. See how to get a business credit report.
- Legal: Material contracts, change-of-control, undisclosed liens/disputes (backgrounder on what is a lien).
- Operational: Process resilience, supply chain, documentation, and reliance on the owner.
- Reputational (Public Records): Adverse media screening and business reputation issues to uncover.
- Cyber & Data Privacy: Breach history, access controls, compliance posture.
- People: Key employees, classification (W-2 vs 1099), retention risk; for execs, see executive background checks.
Put specialist owners on each lane: a CPA for financials and tax, M&A counsel for legal and contracts, and a public-records vendor to pull Secretary of State filings, UCCs (start with What in the world is a UCC filing?), litigation, and sanctions/adverse media. The goal isn’t to find zero problems—it’s to size the issues, negotiate protections, and walk away from fatal risks before funds are wired.
Before the LOI: Fast Triage & Red Flags
Pre-LOI triage should be quick and focused. You’re hunting for “no-go” signals before exclusivity.
High-level asks (pre-LOI):
- TTM financials and basic KPIs (gross margin, cash flow).
- Customer concentration summary and a rough asset list.
- Signs of seller readiness (reviewed/audited financials, preliminary QoE, organized data room).
Quick public-record sniff test (light background screen):
Notes:
• Lenders often view customer concentration above ~25–30% as a yellow flag that warrants tighter terms and stronger protections.
• UCC-1 filings are generally effective for five years unless continued; even after payoff, a termination must be filed to clear the record.
Not sure where to start? Run a company background check—SoS, UCC, liens, lawsuits, and adverse media—typically delivered within 24–72 hours (scope and jurisdiction can extend timelines).
Post-LOI Confirmatory Diligence: Master Checklist
Once you sign an LOI, verify representations, quantify risks, and build the foundation for your purchase agreement. Coordinate workstreams across Buyer, CPA, Counsel, and vendors. If you need a deeper framework, see M&A due diligence: the ultimate guide.
Corporate & Public-Record Checks
| Item to Request |
What to Verify |
Owner (Buyer/CPA/Counsel/BusinessScreen) |
Risk if Missed |
| Certificate of Good Standing (SoS) |
Entity active; agent current; no suspensions |
Counsel / BusinessScreen |
Closing delays; admin penalties |
| Formation docs & bylaws/operating agreement |
Proper formation; cap table aligns |
Counsel |
Title/cap table disputes |
| UCC-1 filings (state/county) |
Secured parties; collateral; priority; termination recorded |
Counsel / BusinessScreen |
Liens attach to assets; loss of priority |
| Federal/state/local tax liens |
Outstanding obligations |
CPA / BusinessScreen |
Back taxes; liens at close |
| Civil litigation & bankruptcy search |
Pending suits; judgments; bankruptcies |
Counsel / BusinessScreen |
Undisclosed liability; reputational harm |
| Adverse media & sanctions (as relevant) |
Negative press; regulatory actions; sanctions/PEP |
BusinessScreen / Counsel |
Financing/customer risk |
| Licenses & permits |
Current and transferable; no suspensions |
Buyer / Counsel |
Fines; operational shutdown |
Helpful how-tos: UCC filings • How to find civil case records • What is a lien.
Financials & Tax
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| 3–5 yrs financials (P&L/BS/CF) |
Trends; seasonality; margin durability |
CPA |
Overpay; cash shortfall |
| Quality of Earnings (QoE) |
EBITDA normalization; recurring vs one-time |
CPA |
Inflated earnings; valuation disputes |
| Add-backs & related-party items |
Personal expenses; non-arm’s-length deals |
CPA |
Overstated EBITDA |
| Sales-tax nexus & compliance |
States with nexus; liabilities |
CPA / Counsel |
Penalties; audits |
| Payroll liabilities & classification |
W-2 vs 1099; unpaid payroll taxes |
CPA / HR |
Misclassification penalties |
| AR aging & DSO |
Collectability; concentration |
CPA |
Working capital gap |
| Inventory valuation/turnover |
Obsolescence; costing method |
CPA |
Write-downs post-close |
| Debt schedule & encumbrances |
Loans/LOCs; prepayment penalties |
CPA / Counsel |
Surprise debt; consents required |
Working capital peg (make it explicit):
- Define NWC components used in the deal.
- Use 12–18-month average; adjust for seasonality and known changes.
- Include pro-forma post-close items (e.g., market-rate owner salary).
- Run a sample calculation in the APA; set dispute mechanics.
Commercial & Customers
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| Revenue by customer (3 yrs) |
Concentration; any single customer >20–30% |
Buyer / CPA |
Financing friction; revenue cliff |
| Churn & retention |
Cohort retention; renewal rates |
Buyer |
Overestimated durability |
| Backlog & pipeline |
Signed/undelivered work; conversion |
Buyer |
Post-close revenue gaps |
| Warranties/returns/refunds |
Exposure and trends |
Buyer / Counsel |
Unexpected liabilities |
| Pricing & margin by SKU/service |
Margin compression; pricing power |
Buyer / CPA |
Profit erosion |
| Marketing efficiency (CAC/LTV) |
Attribution sanity; payback |
Buyer |
Unsustainable growth assumptions |
For the overall approach, see commercial due diligence.
Legal & Contracts
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| Material contracts |
Assignability; change-of-control; auto-renewals |
Counsel |
Terminations; renegotiations |
| Real-estate leases |
Landlord consent; options; obligations |
Counsel |
Location loss; cost spikes |
| Credit facilities & loan docs |
Prepayment; change-of-control triggers |
Counsel |
Acceleration risk |
| IP registrations & assignments |
Ownership; filings; liens |
Counsel |
Loss of brand/IP rights |
| NDAs / non-competes / non-solicits |
Scope; enforceability |
Counsel |
Post-close competition |
| Vendor DPAs |
Data-privacy obligations |
Counsel |
Regulatory exposure |
Change-of-control nuances are covered in M&A due diligence.
People & HR
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| Employee census & org chart |
Roles; tenure; key-person risk |
HR / Buyer |
Talent loss; continuity risk |
| I-9s & eligibility |
Documentation compliance |
HR / Counsel |
Fines; audits |
| Classification audit |
W-2 vs 1099 |
HR / CPA |
Penalties; back taxes |
| Benefits, PTO, leave accruals |
Liabilities and parity |
HR / CPA |
Unexpected costs; attrition |
| Employment agreements |
Non-compete/solicit; retention |
Counsel |
Leaks to competitors |
| Handbook & policies |
Compliance baseline |
HR / Counsel |
Employment claims |
If leaders are critical to continuity, consider executive background checks.
Operations, IT, & Data/Privacy
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| Systems map & licenses |
Dependencies; access; compliance |
IT / Buyer |
Vendor cutoffs; outages |
| Backups & DR plan |
Frequency; restore tests |
IT / Buyer |
Data loss; interruption |
| Breach/incident logs |
Incidents; notifications; remediation |
IT / Counsel |
Hidden liabilities |
| Access controls/offboarding |
MFA; admin rights; terminations |
IT / Buyer |
Insider risk |
| PII/PHI/PCI scope |
Applicability (GDPR/CCPA/HIPAA/PCI) |
Counsel / IT |
Fines; remediation costs |
| Tracking consents |
Cookie/consent records |
Counsel |
Regulatory scrutiny |
| Cyber insurance |
Limits; exclusions; claims |
Risk / Counsel |
Uninsured loss |
For persistent oversight, see continuous monitoring in AML compliance.
Insurance & Risk
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| Certificates of Insurance |
Lines, limits, endorsements |
Risk / Counsel |
Coverage gaps |
| Claims history (5 yrs) |
Frequency/severity trends |
Risk |
Premium spikes |
| Coverage gaps |
Cyber, E&O, D&O needs |
Risk / Counsel |
Catastrophic exposure |
| Tail coverage |
Claims-made policies |
Risk / Counsel |
No cover for pre-close incidents |
Physical & IP Assets
| Item to Request |
What to Verify |
Owner |
Risk if Missed |
| Fixed-asset register |
Titles/serials; condition |
Buyer / Appraiser |
Overvalued/missing assets |
| Liens/encumbrances |
Clean title; releases |
Counsel / Buyer |
Third-party claims |
| Maintenance logs |
Age; capex needs |
Buyer |
Immediate spend |
| Trademarks/copyrights/patents |
Ownership; conflicts |
Counsel |
Brand/IP loss |
| Open-source audit |
License compliance |
IT / Counsel |
Forced disclosure |
Asset Purchase vs Stock Purchase: What Changes in Diligence
Deal structure alters priorities and risk:
- Liability Tail: Stock deals inherit all liabilities. Asset deals reduce tail but still require lien checks and proper transfers.
- Contract Assignability: Asset deals often need counterparty consent; stock deals may still trigger change-of-control clauses.
- Licenses & Permits: Many are non-transferable in asset deals; confirm early.
- Tax Treatment: Asset deals may allow a basis step-up (coordinate with tax counsel).
- Employee Transfer: Asset deals may trigger re-onboarding and benefits changes; some jurisdictions impose TUPE-like rules—confirm with counsel.
Asset Purchase Due Diligence Checklist (Focus Areas)
- Assignability/novation grid for material contracts and leases.
- UCC termination filings for liens tied to assets you are acquiring (see UCC filings).
- Title, serials, and chain-of-ownership for key equipment/IP.
- Environmental diligence for owned/long-term-leased real property.
- License/permit re-application timelines and contingencies.
Timeline & Owners: 30-, 60-, and 90-Day Paths
Days 1–10 (Setup & Triage): Buyer assembles team/data room; Counsel requests list & consent map; CPA requests/QoE kickoff; BusinessScreen initiates SoS, UCC, liens, litigation, adverse media searches.
Days 11–30 (Deep Dive): Buyer site visits/interviews; CPA normalization & working-capital work; Counsel contracts/litigation/IP; BusinessScreen delivers reports & red flags.
Days 31–50 (Issues & Negotiation): Quantify risks; price adjustments; reps/warranties, indemnities, consents; monitor fresh filings.
Days 51–60 (Final Checks): Close conditions; APA/SPA; closing balance sheet & true-up; Day-1 integration.
If you need deal-wide playbooks, see M&A due diligence.
Small Business Due Diligence Checklist
Smaller targets often have unique patterns (cash receipts, owner add-backs, related-party arrangements). Helpful primers: company due diligence and verify partners and investors before you fund.
Pay close attention to:
- Commingled expenses (normalize EBITDA).
- Sales-tax nexus across states (see how to search tax lien filings).
- Related-party leases and services (market-rate?).
- Owner-dependent operations (key technician/rainmaker risk).
- Cash handling controls and variance between POS deposits and books.
Due Diligence Questions to Ask When Buying a Business
Use these in management interviews and request written answers:
- Customer concentration & stability: % of revenue by top 3; renewal risk; handshake deals.
- Off-books obligations: Side letters; deferred comp; guarantees.
- Pending disputes & notices: Complaints; audits; regulatory warnings (learn how to find civil case records).
- Undisclosed liens/encumbrances: Security interests or pledges (overview: what is a lien).
- Data incidents & breaches: Events, notifications, remediation.
- Related-party transactions: Entities owned by principals.
“Verify, not trust” is the operating system. Treat every claim as a hypothesis to be tested: triangulate seller answers against public-record pulls (SoS, UCC, litigation, liens), primary financials (GL, bank recs, QoE), and third-party touchpoints (customer/vendor calls, landlord/lender confirmations, license issuers). Ask for underlying source documents—not summaries—and reconcile totals across systems; sample high-risk items, spot-check anomalies, and reperform key calculations. Log exceptions with timestamps, attach evidence, and escalate anything that’s unverifiable or inconsistent with cash, contracts, or filings. The goal isn’t gotcha—it’s a defensible audit trail that distinguishes noise from real exposure before you wire funds.
What to Monitor After Close (First 100 Days)
- Public-record monitoring: New UCC filings and litigation alerts (starter: UCC filings).
- Adverse media & sanctions: Automated news/regulatory monitoring (primer: adverse media screening and sanction screening for businesses).
- Licenses/permits & insurance: Renewal calendars.
- Contract consents/expiries: Confirm all required consents; track renewals.
- Data-privacy cadence: Quarterly checks on processing, DPAs, incidents.
- Working-capital true-up: Deliver calc within the APA window (often 60–90 days).
- Integration checkpoints: 30/60/90-day milestones.
For continuous oversight, see continuous monitoring and operationally adjacent continuous background screening.
Download: Business Purchase Due Diligence Checklist (Google Sheet/PDF)
Put this framework into action with the template:
- Phase-by-phase checklists (Pre-LOI, Confirmatory, Post-Close)
- Role assignments (Buyer, Counsel, CPA, BusinessScreen)
- Risk-rating columns to prioritize findings
- Public-record search workflow (SoS, UCC, liens, litigation, adverse media)
- Working-capital peg calculator
- Contract assignability tracker
You can also explore the ultimate due diligence checklist (Excel templates) for additional formats.
How BusinessScreen Helps (Fast Public-Record & Reputation Diligence)
Public-record searches live across federal/state/county systems with different interfaces and naming conventions. BusinessScreen.com consolidates that workflow, typically delivering comprehensive company background reports within 24–72 hours (scope and jurisdiction can extend timelines).
Coverage includes:
- Secretary of State: status, officers, agent, name history, good standing.
- UCC liens: secured parties, collateral, filing dates, continuation/termination (guide: UCC filings).
- Litigation & judgments: federal/state civil cases, judgments, liens, bankruptcies (how-to: how to find civil case records).
- Adverse media & sanctions (as relevant): adverse media screening and sanction screening for businesses.
- Beneficial ownership context (see verify beneficial ownership).
- Ongoing monitoring (see continuous monitoring).
Prefer to validate legitimacy up front? Use business verification.
FAQs
What documents are needed for due diligence when buying a small business?
At minimum: 3 years of P&L/BS/CF, tax returns, customer list with revenue by customer, employee census, material contracts (customer/vendor/lease/loan), IP registrations, insurance policies, and business licenses. For stronger diligence, add AR/AP aging, inventory reports, equipment lists, org charts, handbook/policies, and a QoE. Run public-record searches (SoS, UCC filings, liens, litigation, adverse media) in parallel.
What is the difference between asset purchase and stock purchase due diligence?
Asset deals emphasize contract assignability, clean title to specific assets, UCC termination filings, and environmental checks. Stock deals require broader historical diligence—tax, litigation, regulatory compliance, data privacy/cyber—since you inherit the whole entity. See: M&A due diligence.
How long does due diligence take after an LOI?
Commonly ~60 days, ranging from ~30 (simple) to 90+ (complex/cross-border). Timelines hinge on completeness of financials, document readiness, and third-party consents. Negotiate flexibility for extensions in the LOI. Related: sealing the deal—pre-acquisition due diligence.
What public-record searches should I run?
At minimum: Secretary of State, UCC lien searches (state/county), tax liens, civil litigation (federal/state), judgments/bankruptcies, and adverse media. Starters: UCC filings • tax lien filings • civil case records.
How do I check customer concentration and verify revenue quality?
Request a 3-year customer revenue report and calculate each customer’s share. If a single customer exceeds ~20–30%, treat it as concentration risk; verify with invoices, payments, and contract terms. A QoE normalizes revenue for one-time events and tests sustainability. See commercial due diligence.
What data-privacy questions should I ask?
Ask about any breach/incident history, notifications, and remediation; request privacy policies, vendor DPAs, records of processing (where applicable), and evidence of GDPR/CCPA/HIPAA/PCI alignment based on operating footprint. For ongoing oversight, see continuous monitoring.
Compliance & Disclaimer
This guide is for general information, not legal or financial advice. Regulations, transfer rules, and data-privacy regimes vary by jurisdiction and industry—consult your attorney and CPA.
%201.png)
.png)
