Due diligence: A checklist

8 min read

Due diligence represents the structured investigation and verification process organizations conduct before entering business relationships or completing transactions. Whether you're evaluating a merger target, onboarding a new vendor, or preparing for an IPO, due diligence serves as your systematic approach to uncovering risks, validating information, and building defensible documentation for regulators and stakeholders.

The landscape has evolved far beyond simple background checks. Today's due diligence encompasses cybersecurity assessments, supply chain analysis, environmental and social governance factors, and real-time monitoring capabilities. You'll need to navigate an increasingly complex web of data sources, regulatory requirements, and technological tools while maintaining the core objective: making informed decisions based on verified facts.

Success hinges on three critical elements: comprehensive planning that defines scope and objectives upfront, structured data collection using reliable sources and standardized processes, and thorough documentation that creates an audit trail capable of withstanding regulatory scrutiny. The investment in proper due diligence methodology pays dividends by reducing post-transaction surprises, ensuring compliance obligations are met, and providing the evidentiary foundation needed if disputes arise.

Key factors that determine success

Data quality and source reliability form your foundation. Official sources like OFAC sanctions lists, UN consolidated watchlists, and corporate registries provide the most defensible information, but you'll often need to supplement these with adverse media searches and proprietary databases. The challenge lies in managing false positives from fuzzy matching algorithms and ensuring your screening tools are properly calibrated for your specific entity types and risk tolerance. Document your matching thresholds and maintain clear escalation procedures for hits that require human review.

Regulatory compliance requirements vary significantly by jurisdiction and transaction type. The EU's Corporate Sustainability Due Diligence Directive now mandates human rights and environmental due diligence for large companies, while the U.S. beneficial ownership reporting landscape remains in flux following recent interim rule changes that exempt domestic entities but maintain requirements for foreign registrants. Anti-bribery laws like the FCPA and UK Bribery Act embed specific due diligence expectations, particularly for third-party relationships and successor liability scenarios.

Technology integration determines operational efficiency. Modern due diligence relies heavily on APIs for real-time screening, virtual data rooms for document management, and AI-assisted tools for contract review and adverse media analysis. Your technology stack needs to handle structured data from sanctions databases alongside unstructured information from news sources and legal documents. Consider how these tools integrate with your existing CRM, onboarding, and case management systems to avoid creating data silos.

Privacy and data protection constraints shape your entire process. GDPR requires lawful bases for processing personal data and imposes special restrictions on criminal offense information commonly found in adverse media. You'll need data processing impact assessments for high-risk scenarios and clear retention policies that balance compliance needs with privacy obligations. California's CCPA adds additional U.S. state-level requirements that may affect your data handling procedures.

Continuous monitoring transforms point-in-time assessments into ongoing risk management. Rather than conducting due diligence only at relationship inception, leading organizations implement continuous screening that alerts them to new sanctions listings, adverse news, or corporate structure changes. This shift requires building workflows that can handle ongoing alerts and establishing criteria for when changes trigger enhanced review or relationship termination.

Essential due diligence checklist

Pre-engagement preparation

  • Define investigation scope and objectives based on transaction type and risk assessment
  • Establish legal basis for data processing under applicable privacy laws (GDPR, CCPA)
  • Identify required data sources and ensure access to official sanctions/PEP databases
  • Configure screening tools with appropriate matching thresholds and false positive procedures
  • Set up secure document sharing environment with proper access controls and audit logging

Entity and individual screening

  • Screen all parties against OFAC SDN and consolidated non-SDN lists
  • Check UN Security Council consolidated sanctions list
  • Verify against EU and UK sanctions databases
  • Screen for politically exposed persons (PEPs) using reputable databases
  • Conduct adverse media searches in relevant languages and jurisdictions
  • Review litigation and regulatory enforcement databases
  • Document all screening results with source citations and review rationale

Corporate structure and beneficial ownership

  • Map complete ownership structure including subsidiaries and affiliates
  • Identify ultimate beneficial owners (typically 25% threshold for AML purposes)
  • Verify corporate registrations and good standing certificates
  • Check for dormant companies, shell entities, or complex ownership arrangements
  • Review board composition and key management personnel
  • Analyze related-party transactions and potential conflicts of interest

Financial and operational assessment

  • Review audited financial statements for specified periods
  • Analyze cash flow, debt structure, and liquidity positions
  • Assess revenue concentration, customer dependencies, and market position
  • Evaluate material contracts, licensing agreements, and intellectual property
  • Review insurance coverage and claims history
  • Examine operational licenses and regulatory compliance status

Risk and compliance evaluation

  • Assess anti-bribery and corruption policies and training programs
  • Review AML/KYC procedures and suspicious activity reporting
  • Evaluate data privacy and cybersecurity controls using frameworks like NIST CSF 2.0
  • Analyze ESG policies and human rights due diligence procedures (especially for EU CSDDD compliance)
  • Check export control and trade compliance programs
  • Review third-party risk management and vendor screening processes

Legal and regulatory compliance

  • Conduct comprehensive litigation search across relevant jurisdictions
  • Review regulatory investigations, enforcement actions, and settlement agreements
  • Assess compliance with industry-specific regulations and licensing requirements
  • Evaluate tax compliance and transfer pricing arrangements
  • Review employment law compliance and labor relations
  • Analyze environmental permits and compliance history

Documentation and reporting

  • Compile comprehensive due diligence report with executive summary and detailed findings
  • Document methodology, sources used, and limitations encountered
  • Create risk rating matrix with clear escalation criteria
  • Establish ongoing monitoring procedures and alert thresholds
  • Archive all documentation with proper retention schedules and access controls
  • Prepare management presentation highlighting material risks and mitigation strategies

FAQs

Q: What exactly is due diligence and how does it benefit organizations?

A: Due diligence is the structured investigation and verification process organizations conduct before entering business relationships or completing transactions like vendor onboarding, or IPOs. It works by systematically uncovering risks through comprehensive data collection, screening against sanctions and watchlists, mapping corporate structures, and documenting findings. The benefits include reducing fraud, corruption, and money-laundering risks, ensuring regulatory compliance, providing defensible documentation for auditors and regulators, and minimizing post-transaction surprises that could impact business value.

Q: How does modern due diligence save time through automation?

A: Due diligence automation eliminates manual tasks through real-time API screening against OFAC sanctions lists and UN watchlists, AI-powered adverse media analysis that can process news articles across multiple languages, automated beneficial ownership mapping through corporate registries, and continuous monitoring that alerts organizations to new sanctions listings or corporate structure changes. For example, automated screening can process thousands of entities against global watchlists in minutes rather than days, while AI-assisted contract review can identify key clauses and risks across hundreds of legal documents, transforming weeks of manual review into hours of focused analysis.

Q: How does due diligence integrate with existing business systems and handle data?

A: Modern due diligence platforms integrate through APIs that connect to existing CRM, onboarding, and case management systems, ensuring seamless data flow without creating silos. Virtual data rooms provide secure document sharing with granular access controls and audit logging, while screening tools pull from official sources like OFAC databases and corporate registries. The systems handle both structured data from sanctions databases and unstructured information from news sources and legal documents, with proper data lineage and source citations maintained throughout the process to ensure compliance with privacy regulations like GDPR and CCPA.

Q: What are the limitations of automated due diligence and where is human judgment still required?

A: Automated screening tools generate false positives from fuzzy matching algorithms, especially with common names and transliteration variants, requiring human analysts to review and validate hits against sanctions lists. Complex ownership structures, politically exposed person (PEP) determinations, and adverse media interpretation need experienced professionals to assess actual risk levels versus algorithmic flagging. Human oversight is also critical for calibrating matching thresholds based on specific entity types and risk tolerance, escalating unusual findings, and making final relationship decisions based on overall risk assessment rather than individual data points.

Q: What should organizations consider when evaluating due diligence solutions?

A: Key evaluation criteria include data quality and source reliability, with preference for solutions that use official sanctions lists (OFAC, UN, EU) and provide transparent data provenance and update frequencies. Consider integration capabilities with your existing technology stack, privacy and security controls that meet GDPR and other regulatory requirements, and the vendor's ability to handle your specific entity types and jurisdictions. Evaluate the balance between automation and human oversight capabilities, continuous monitoring features for ongoing risk management, and the comprehensiveness of coverage including sanctions screening, beneficial ownership discovery, adverse media analysis, and regulatory compliance checks across your required jurisdictions.