Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Due Diligence Report is a structured investigative document that consolidates the findings of a pre-transaction review of a target company, asset, or counterparty into a single deliverable for decision-makers. It examines the target across every material dimension β financial performance and quality of earnings, legal and contractual exposure, operational health, IT and cybersecurity posture, HR and organizational structure, and environmental and regulatory compliance β then translates those findings into a prioritized risk register and specific deal recommendations. Unlike a checklist or data room index, the report interprets evidence rather than cataloguing it, giving the acquiring party a clear picture of what they are buying and what it will cost to address identified risks.
Proceeding to a purchase agreement or investment close without a completed due diligence report means unknown liabilities transfer to the buyer at signing β undisclosed litigation, overstated revenue, unlicensed software, contaminated land, or an HR claim that surfaces on day two of ownership. These are not theoretical risks: post-closing indemnification disputes are among the most common and expensive forms of commercial litigation, and most originate in findings that were visible in the data room but never assembled into a formal analysis. A structured report forces every workstream β financial, legal, operational, technical β to surface findings in one place, rate their severity, and propose mitigations before the purchase price is locked. For lenders, it documents the basis for credit decisions. For investors, it justifies valuation adjustments. For buyers of any size, it transforms negotiation from a gut-level exercise into a data-driven conversation grounded in verifiable evidence. This template gives you the framework to produce that report without starting from a blank page.
| If your situation is⦠| Use this template |
|---|---|
| Acquiring a private company end-to-end (full M&A deal) | Due Diligence Report |
| Rapid pre-LOI screening of a target with limited data room access | Due Diligence Checklist |
| Assessing a high-value vendor or supplier before contracting | Vendor Due Diligence Report |
| Evaluating a potential investor or funding source | Investor Background Check Report |
| Reviewing a real estate asset before purchase | Real Estate Due Diligence Report |
| Preparing a summary memo for board approval of a transaction | Board Resolution β Acquisition Approval |
| Documenting findings after a merger integration review | Post-Merger Integration Plan |
Why it matters: Revenue timing manipulation and deferred expense recognition are easy to hide in summary schedules but visible in bank statements and invoices. Undetected, they result in overpayment and post-close write-downs.
Fix: Trace at least the top 20 revenue transactions per year to signed contracts, invoices, and cash receipts before finalizing the financial section.
Why it matters: When a data room is incomplete or management withholds information, the report's silence implies the review was comprehensive β creating liability for the report author when gaps emerge post-close.
Fix: Document every requested item not provided in a scope-limitation section. Each gap should state what was requested, what was received, and what risk remains unquantified as a result.
Why it matters: A list of 30 findings with equal weight gives the deal team no basis for prioritization. Price adjustment negotiations stall when the buyer cannot distinguish a $10,000 issue from a $1 million liability.
Fix: Rate every finding high, medium, or low and attach a dollar estimate of exposure. Items below the agreed materiality threshold go to an appendix, not the main register.
Why it matters: Undisclosed data breaches, unlicensed enterprise software, and GDPR or CCPA non-compliance transfer to the buyer at close and have resulted in multi-million-dollar post-closing liabilities in recent transactions.
Fix: Include at minimum a software license audit, a review of any reported security incidents in the past three years, and confirmation that the target's data handling practices meet applicable privacy law requirements.
Why it matters: Open items without a named responsible party and resolution deadline remain unresolved through signing, surface as post-closing disputes, and erode the buyer-seller relationship immediately after the deal closes.
Fix: Each open item in the recommendations section must name the party responsible for resolution and include a specific deadline tied to the expected signing or closing date.
Why it matters: Preliminary findings shared with the counterparty or leaked to third parties have caused deals to collapse, triggered defamation claims, and created negotiating leverage in the wrong hands.
Fix: Apply a 'DRAFT β NOT FOR DISTRIBUTION' watermark to every version before final sign-off. Establish a single authorized distribution point β typically the deal lead β for all external sharing.
Enter the target entity, transaction type, review period, and the names of all contributors (financial, legal, technical, HR). Specify any known scope limitations before work begins.
π‘ Agree on the scope document before the data room opens β expanding scope mid-review delays the report and complicates version control.
Use the report's section structure to build your data room request list. Map each document received to the section it informs and flag any requested items that were not provided.
π‘ Track missing documents in a running gap log rather than individual emails β the gap log becomes the basis for scope-limitation disclosures in the final report.
Trace reported revenue and EBITDA to source documents, prepare the normalization schedule, and calculate the working capital peg. Confirm net debt figures against bank statements and loan agreements.
π‘ Build the EBITDA bridge (reported β normalized) in a separate Excel tab and paste the summary into the report β this lets reviewers audit the math independently.
Assign each non-financial section to a specialist reviewer. Legal reviews contracts and litigation; HR reviews employment terms and headcount; compliance reviews licenses and regulatory filings.
π‘ Schedule a mid-point sync call after each reviewer has spent 50% of their allotted time β early flags can redirect the financial analysis before the model is finalized.
Pull one finding per identified risk from each section, assign a severity rating (high / medium / low), estimate financial exposure in dollars, and draft a recommended mitigation action for each.
π‘ Limit the risk register to findings with estimated exposure above a materiality threshold β typically 0.5β1% of deal value β so the deal team focuses on what matters.
Based on the risk register, state any recommended price adjustments, escrow holdbacks, reps-and-warranties insurance requirements, or walk-away conditions. Assign each open item a responsible party and deadline.
π‘ Frame recommendations in terms of deal structure, not deal sentiment β 'escrow holdback of $X for Y months' is actionable; 'we have concerns about litigation' is not.
Pull the overall risk rating, three to five most material findings, and the top two or three deal recommendations into a 1β2 page summary. The summary must be internally consistent with the body.
π‘ Have a reviewer who did not write the report read only the executive summary and confirm it accurately represents the findings without reading the full document.
Distribute the draft to all contributors for accuracy review, lock a final version with a report date and version number, and deliver to the client with a cover memo stating any remaining open items.
π‘ Never share a draft without a clear 'DRAFT β NOT FOR DISTRIBUTION' watermark. Preliminary findings shared prematurely have derailed negotiations and created legal exposure.
A due diligence report is a structured investigative document that summarizes the findings of a pre-transaction review of a target company, asset, or counterparty. It covers financial health, legal and contractual exposure, operational performance, IT and cybersecurity, HR and organizational structure, and regulatory compliance. The report provides the acquirer, investor, or lender with a consolidated risk picture and specific recommendations before signing a binding agreement.
Prepare it after signing a letter of intent (LOI) and gaining data room access, but before executing the purchase or investment agreement. For major partnerships or high-value vendor contracts, a condensed version is appropriate before signing any agreement with material financial exposure. The report should be finalized at least one to two weeks before the expected signing date to allow time to negotiate findings into deal terms.
A complete report covers: executive summary, transaction scope, financial analysis (including EBITDA normalization and working capital), legal and compliance review, operational assessment, IT and cybersecurity, HR and organizational review, environmental and regulatory exposure, a consolidated risk register with severity ratings, and recommendations with conditions precedent. Sections can be weighted by relevance β an asset acquisition may need less HR depth and more environmental detail.
For a small business acquisition (under $5M), a focused review typically takes two to four weeks. Mid-market deals ($5Mβ$100M) commonly run four to eight weeks. Large or complex transactions involving multiple jurisdictions, regulated industries, or significant IP portfolios can take three to six months. The timeline depends heavily on how quickly the target populates the data room and makes management available for interviews.
In most M&A transactions, a deal team comprising financial analysts, lawyers, and subject-matter specialists (IT auditors, HR consultants, environmental engineers) each contribute sections in their area of expertise. A lead advisor or deal manager then consolidates findings into the final report. For smaller transactions, a single qualified analyst using a structured template can produce a serviceable report, with specialist input on specific high-risk areas.
A due diligence checklist is a pre-investigation inventory of documents and information to request from the target. A due diligence report is the analytical output produced after reviewing those documents β it interprets findings, assigns risk ratings, estimates financial exposure, and recommends deal actions. The checklist organizes the process; the report communicates the conclusions.
At minimum: three to five years of audited or reviewed financial statements, interim management accounts for the current year, tax returns for the same period, accounts receivable and payable aging schedules, a debt schedule with repayment terms, and a working capital bridge from the most recent balance sheet to the expected close date. Quality-of-earnings analysis should normalize EBITDA by removing one-time items and owner-specific expenses.
The most frequently cited deal-affecting findings are: revenue concentration in one or two customers, undisclosed litigation or regulatory investigations, EBITDA inflation through deferred expenses or accelerated revenue recognition, key-person dependency with no employment or non-solicitation agreements, unlicensed software or IP ownership gaps, and change-of-control clauses in material customer or supplier contracts that could terminate relationships at close.
The legal section of the report should be prepared or reviewed by qualified legal counsel familiar with the transaction's jurisdiction. The financial and operational sections can be prepared by qualified analysts or advisors without mandatory legal review. However, the final report's recommendations β particularly conditions precedent, indemnification provisions, and representations-and-warranties requirements β benefit from legal input to ensure they translate correctly into the purchase agreement.
A due diligence checklist is a pre-investigation request list that organizes what documents and data to gather from the target. A due diligence report is the analytical output produced after reviewing those materials β it interprets findings, rates risks, and recommends deal actions. Use the checklist to structure the data room request; use the report to communicate conclusions to decision-makers.
A business valuation report determines what a company is worth using DCF, comparable transaction, or EBITDA multiple methods. A due diligence report identifies risks that affect whether that valuation is reliable and what deal-term adjustments are warranted. Valuation and due diligence are complementary workstreams β findings in the due diligence report typically trigger valuation adjustments.
A letter of intent sets out the proposed terms of a transaction before due diligence begins. The due diligence report is produced after the LOI is signed, using data room access to verify the assumptions behind those terms. Material findings in the report routinely result in price adjustments or revised conditions that require the LOI to be amended before a purchase agreement is signed.
An investment memo is an internal document that makes the case for pursuing a deal β it synthesizes market opportunity, strategic rationale, and return expectations for a decision-making committee. A due diligence report is an evidence-based risk document that verifies or challenges the assumptions behind that thesis. The investment memo drives the deal decision; the due diligence report governs the deal terms.
IP ownership verification, software license audit, recurring revenue quality (MRR churn, contract lengths), and cybersecurity vulnerability assessment are the highest-priority workstreams.
Environmental contamination and remediation liability, equipment condition and capex backlog, customer and supplier concentration, and union agreement terms drive the most material findings.
Regulatory approvals (FDA clearance, state licenses), HIPAA compliance, reimbursement code accuracy, and medical malpractice or product liability exposure require specialist review beyond a standard template.
Client concentration and contract transferability on change of control, key-person retention risk, billable utilization trends, and professional indemnity claims history are the central diligence concerns.
Inventory valuation and obsolescence, lease obligations and breakpoints, customer data privacy compliance (CCPA, GDPR), and seasonal revenue normalization are the most deal-sensitive areas.
Regulatory licensing status, capital adequacy, open enforcement actions, AML and KYC program adequacy, and loan portfolio quality require specialized compliance and credit review expertise.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Buyers and investors evaluating small business acquisitions under $2M where a structured self-directed review is sufficient | Free | 2β4 weeks (self-directed) |
| Template + professional review | Mid-market deals $2Mβ$20M where a structured template is used but specialist advisors review the financial and legal sections | $5,000β$25,000 for financial and legal advisor review | 3β6 weeks |
| Custom drafted | Transactions above $20M, regulated industries, cross-border deals, or situations with complex IP, environmental, or litigation exposure | $25,000β$150,000+ for a full advisory team | 6β16 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
