Most due diligence checklists you find online are document request lists. They tell you what to gather. They do not tell you who owns each item, whether it has been received, how critical it is, or what red flags the response contains. A list of documents is not a workflow. A workflow is what actually gets deals closed.
This guide covers what a due diligence checklist actually is (it is different from a due diligence questionnaire, which is the question set you send to the target), the five fields every checklist item needs, how checklists scale from pre-seed to enterprise M&A, real examples from the Microsoft-Activision $75.4 billion deal and the Broadcom-VMware $69 billion deal, and the failure mode that cost HP $8 billion. The template is free at the bottom of the page.
What a due diligence checklist actually is
A due diligence checklist is the buyer-side tracking tool used to manage the flow of information from the target company into the deal team's review process. It is an internal workflow coordinated by the deal team, usually with a junior banker managing the data room while senior bankers, lawyers, accountants, and management teams feed information in from different workstreams.
This is a different thing from a due diligence questionnaire (DDQ), which is the external document sent TO the target asking them to respond with narrative answers. The DDQ produces information. The checklist tracks whether the buyer team has received, reviewed, and flagged every piece of information they need. Both tools exist in the same deal. They serve different functions. Conflating them is the most common mistake in DD preparation, and we covered that distinction in depth in our due diligence questionnaire template.
Deal teams run the checklist as a living document throughout the deal. For a middle-market M&A transaction, the active checklist phase runs 30 to 45 days. Larger or cross-border deals take longer due to regulatory and data complexity. The checklist touches strategic, financial, legal, operational, technology, HR, tax, ESG, and integration workstreams, and buyers typically review thousands of documents over that window.
Types of due diligence the checklist must cover
Most deal teams organize their checklist around the four canonical types of due diligence (financial, legal, commercial, operational) with larger deals layering in tax, HR, IT and cybersecurity, ESG, and regulatory workstreams. We break down what each category covers in our due diligence questionnaire guide. What matters for the checklist is not which categories exist, but how items within each category get tracked.
The checklist is not organized by what to gather. It is organized by what to do with what you gather. That is the distinction that separates a useful checklist from a glorified receipt log.
The five fields every checklist item needs
A document request list has one field per row: the name of the document. That is not a checklist. It is a wish list.
A useful due diligence checklist has five fields for every item. Each field turns a passive list into an active workflow.
Field 1: Document. The specific item to gather. Not "financial statements" but "audited balance sheet and income statement for fiscal years 2022, 2023, and 2024." Specificity matters. Vague requests produce vague responses, which produce follow-up cycles that waste days.
Field 2: Owner. The person on the buyer deal team responsible for receiving, reviewing, and flagging this specific item. Not "legal team" but "Sarah Chen, senior associate." When every item has a named owner, nothing gets dropped between workstreams. When items have no owner, every item is simultaneously everyone's job and nobody's job.
Field 3: Status. Where this item is in the workflow. Typical statuses: Requested, Received, Under Review, Reviewed, Blocked, N/A. A status field lets the deal team answer "what is still outstanding?" in ten seconds instead of twenty minutes. That matters when you have 150 items open and a closing deadline.
Field 4: Priority. Not all items are equal. Deal-critical items (audited financials, material contracts, IP ownership, cap table) must be resolved before any close. Important items (vendor contracts, minor litigation, smaller customer agreements) matter but can be handled in parallel. Nice-to-have items add context but will not kill the deal if they come in late. A tiered priority field lets the deal team know where to escalate when the timeline compresses.
Field 5: Red flag notes. What did you find when you reviewed this item? A checklist without this field is a receipt log. A checklist with this field is a risk register. When the red flag notes column fills up with "customer concentration 28% on top account" and "missing IP assignment from co-founder," the deal team has an actionable risk picture. When it's empty, the deal team has a stack of files and no synthesis.
Most published due diligence checklist templates only include the first field. Some include the first two. The five-field structure is the tracking framework our team uses on every $997 Deep Dive engagement, and we are releasing the template free so deal teams of any size can work from the same structure.
Buy-side vs sell-side due diligence checklists
Checklists work differently depending on which side of the deal you sit on.
A buy-side due diligence checklist is the version described above. The buyer's deal team uses it to track information flowing in from the target. It is adversarial in tone (assume nothing, verify everything), heavy on risk flagging, and lives in the buyer's systems. The goal is to surface issues before signing.
A sell-side due diligence checklist (also called vendor due diligence) is prepared by the seller before going to market. A sell-side checklist is used to identify every issue the buyer's team is likely to find, so the seller can either fix it or prepare a clean explanation before a buyer's red flag list gets out of control. The seller often hires a third-party advisor to produce a Vendor Due Diligence Report that gets shared with multiple potential buyers, saving time in parallel negotiations.
One disambiguation worth flagging: in M&A, "vendor due diligence" means seller-side DD on the company being sold. In procurement and supplier management, "vendor due diligence" means a buyer reviewing its suppliers for risk. Same phrase, completely different process. If you see the term in a finance context, it is almost always the M&A meaning.
Due diligence checklists by deal size
The number of items on a checklist scales with the size and complexity of the deal. A pre-seed VC round and a $69 billion enterprise acquisition do not need the same tool.
Pre-seed checklists run 30 to 40 items. Focus is on corporate hygiene: formation documents, cap table, IP ownership, founder agreements, and employment contracts. There is usually no revenue history worth auditing, no material legal exposure, and no operational complexity. The checklist exists to make sure nothing basic is broken.
Series A checklists add 20 to 40 items covering burn rate, unit economics, customer data, key employee contracts, go-to-market systems, and customer acquisition cost analysis. By Series A, the company has enough operating history to make financial due diligence meaningful, and the checklist grows accordingly.
Middle-market M&A checklists typically run 80 to 120 items across all four canonical categories plus tax and HR. The 30-to-45-day active diligence window becomes a real constraint here, which is why priority tiering matters more than item count.
Enterprise M&A checklists can run 150 items or more, spanning audited financials across multiple fiscal years, multi-jurisdiction tax compliance, change-of-control provisions in hundreds of material contracts, employee classification audits, regulatory approvals in every operating geography, and integration planning. At this scale, the checklist is managed in a virtual data room with multiple parallel workstreams, not a spreadsheet.
Priority tiering: the risk-based approach
Not every checklist item carries equal weight, and treating them that way wastes investigation energy on items that will not move the deal. Risk-based tiering fixes that.
Tier 1: Critical. Items that must be resolved before any close. If any Tier 1 item is incomplete, unclear, or reveals a material issue, the deal stops. Examples: audited financials, material customer contracts, IP ownership and assignment agreements, cap table, pending litigation, change-of-control provisions. The full checklist rigor applies here. Deal teams track Tier 1 items daily and escalate any blocker to senior leadership immediately.
Tier 2: Important. Items that materially affect the deal but can be worked in parallel with Tier 1 and do not necessarily block closing. Examples: operational benchmarks, secondary vendor contracts, employee classification reviews, IT infrastructure audits, tax compliance in secondary jurisdictions. These get a lighter review but still need a named owner and status tracking.
Tier 3: Nice-to-have. Items that add context but would not materially change the deal if they came in late or incomplete. Examples: historical board meeting minutes, non-material vendor relationships, minor regulatory filings, nice-to-have market intelligence. Tier 3 items exist to round out the picture, not to decide whether to close.
The tiering is typically done at the start of the diligence phase based on deal size, industry, and specific risk areas flagged in the initial commercial review. A healthcare acquisition will tier regulatory compliance as Tier 1 where a SaaS acquisition might tier it as Tier 2. The specific items change; the methodology stays the same.
Real example: Microsoft and Activision Blizzard
Most articles about due diligence cite small, clean examples. Real deals at scale look very different.
Data sources: Microsoft investor relations, CNBC closing coverage (October 2023), Yahoo Finance timeline, public regulatory filings from FTC, UK CMA, and EU.
Microsoft announced its acquisition of Activision Blizzard on January 18, 2022 for $68.7 billion (the total cost including debt and fees ultimately reached approximately $75.4 billion). The deal closed on October 13, 2023, 21 months after announcement. The extended timeline was not a result of weak due diligence. It was a result of regulatory complexity: the deal required approvals from more than 40 regulatory bodies worldwide.
The UK's Competition and Markets Authority initially blocked the deal in April 2023, forcing Microsoft to restructure the transaction by divesting cloud streaming rights to Ubisoft before the CMA would approve. The European Union approved after Microsoft committed to royalty-free cloud streaming licenses for ten years. The US Federal Trade Commission sought a preliminary injunction to block the deal, which a federal court denied in July 2023. Every one of these regulatory workstreams ran in parallel, each with its own checklist of document requests, analyses, and responses.
For a deal with 40-plus regulators, the buyer-side checklist becomes a coordination layer across dozens of simultaneous workstreams. The five-field structure (Document, Owner, Status, Priority, Red Flag Notes) stops being a best practice at this scale and becomes the only way to keep track of regulatory, financial, legal, and commercial review happening in parallel.
Real example: Broadcom and VMware
Data sources: Broadcom investor relations, Data Center Dynamics closing coverage (November 2023), public filings from UK CMA and European Commission.
Broadcom announced its $61 billion cash-and-stock acquisition of VMware (approximately $69 billion including assumed debt) in May 2022. The deal closed on November 22, 2023, 18 months after announcement, with days to spare under the merger agreement deadline. The timeline pressure was real. The deal required Phase II investigations by the UK Competition and Markets Authority and the European Commission, plus a second request from the US Federal Trade Commission. Additional approvals were needed in Australia, Brazil, Canada, China, the European Union, Israel, Japan, South Africa, South Korea, Taiwan, and the United Kingdom.
Broadcom-VMware illustrates a different checklist lesson than Microsoft-Activision. When a deal is time-constrained against an expiration date, the deal team's checklist management becomes the difference between closing and walking away. Priority tiering, named ownership, and daily status tracking are not best practices at that point. They are the operational requirement for the deal to happen at all. A checklist managed loosely would not have closed this deal.
The cautionary tale: HP and Autonomy
The M&A failure rate is sobering. Harvard Business Review has reported that between 70 and 90 percent of acquisitions fail to deliver their projected value, with inadequate due diligence consistently cited as a top-three cause. A rigorous checklist does not guarantee a good deal, but its absence nearly guarantees a bad one. HP-Autonomy is the case that proves it.
HP acquired Autonomy for $11 billion in 2011. One year later, HP took an $8 billion writedown after accounting irregularities surfaced at Autonomy. The specific allegations involved revenue recognition practices that had inflated Autonomy's reported growth and margins. HP's due diligence process had not caught them.
HP-Autonomy remains the most-cited cautionary tale in M&A due diligence for one reason: it demonstrates that a checklist with incomplete review produces the same outcome as no checklist at all. HP's team had access to Autonomy's financial information. The issue was not access. It was the depth and skepticism of the review. Checklists that track receipt without tracking interpretation are receipt logs, not risk management tools. The fifth field (red flag notes) is the field that would have made the difference, assuming the reviewers had the skills to use it.
Common checklist management mistakes
A handful of failure patterns show up across industries and deal types.
Treating DDQ responses as audited fact. The target's answers to your questions are marketing materials until you verify them. A checklist item should be marked "received" when the document arrives and "reviewed" only after independent verification.
Siloed workstreams. The legal team finds a customer concentration issue in a change-of-control provision. That finding never reaches the financial workstream, which would have flagged customer concentration as a separate risk. Both teams worked their checklists in isolation, and the deal team missed the compound risk. A checklist system that is shared across workstreams catches these. A set of parallel spreadsheets does not.
Rushing to close. When the deal is under timeline pressure, teams skip the red flag notes field on lower-priority items and treat "received" as "reviewed." This is how material issues survive to closing.
Accepting incomplete data. A vague or missing response to a Tier 1 checklist item is not a scheduling inconvenience. It is a signal. Experienced deal teams treat refusal or inability to answer critical questions as evidence of the answer itself.
Static tracking. A checklist that never gets updated as new risk categories emerge (data privacy compliance, AI governance, ESG disclosure requirements) misses the categories that matter for current deals. Templates from three years ago may lack entire workstreams that now matter.
No cross-reference to the questionnaire. The checklist and the questionnaire should be linked. Every DDQ question should have a corresponding checklist entry tracking whether the target's answer has been received, reviewed, and flagged. When the two tools are disconnected, the deal team has information without workflow.
Virtual data room tools for checklist management
For deals large enough to justify paid software, several virtual data room platforms offer integrated checklist management.
| Tool | Strength | Users | Pricing |
|---|---|---|---|
| Datasite | Diligence trackers, automated redaction, Q&A workflows, 17+ language support | Goldman Sachs, Blackstone, Johnson & Johnson | Custom enterprise pricing |
| Intralinks | IRM post-download control, dynamic indexing, 20+ years in market | Large M&A and IPO teams | Custom enterprise pricing |
| Ansarada | Splits buy-side and sell-side, AI-Sort auto-categorization, AI-Predict bidder engagement | M&A advisors, sell-side teams | Custom pricing |
| Our template | Five-field structure, free, works in Google Sheets or Excel | Deal teams of any size | Free download below |
One note on enterprise VDR pricing: final invoices often land well above the initial quote once per-page fees, user seat overages, and storage tier upgrades are factored in. Budget with headroom, or use the simpler template for smaller deals where a full VDR is overkill.
How long checklist work actually takes
Deal size and complexity drive the timeline. A pre-seed VC round's checklist phase runs one to two weeks and fits in a single spreadsheet. A Series A checklist phase runs two to four weeks. A middle-market M&A transaction runs 30 to 45 days of active diligence, which is the window most checklist work happens in. A large enterprise acquisition like Microsoft-Activision or Broadcom-VMware can run 18 to 32 months when regulatory review is involved, with the checklist evolving continuously as new findings trigger new questions.
If you are running a commercial due diligence process and do not have the internal bandwidth to run a proper checklist, that is specifically what our $997 Deep Dive delivers. Six-pillar commercial DD with current data, risk flagging, and actionable recommendations, delivered in 7 to 10 business days.
Download the Due Diligence Checklist template
The template includes all four canonical due diligence categories, the five-field tracking structure, priority tiering built in, a separate red flag register, and version control for multi-party collaboration.
Free Due Diligence Checklist Template
Google Sheets and Excel format. Five-field tracking structure, four-category framework, priority tiering, red flag register, version control.
- Five-field workflow tracking
- Four-category DD framework
- Built-in priority tiering
- Red flag register
Frequently asked questions
What is the difference between a due diligence checklist and a questionnaire?
A checklist is the buyer's internal tracking tool for managing information flow and red flag review. A questionnaire is the formal document sent to the target asking them to answer questions with narrative responses and supporting evidence. The checklist tracks what you have received and flagged. The questionnaire produces what you are tracking. Both tools exist in the same deal.
How many items should a due diligence checklist include?
Scale matches deal size. Pre-seed checklists run 30 to 40 items. Series A runs 50 to 80. Middle-market M&A runs 80 to 120. Enterprise M&A deals can run 150 items or more across 15 parallel workstreams. The right count is whatever covers the four canonical due diligence categories at the depth the deal requires, not a fixed number.
What should I do if the target cannot provide a critical checklist item?
Treat it as a red flag, not a scheduling issue. Refusal or inability to answer a Tier 1 checklist item (audited financials, material contracts, IP ownership, cap table) is evidence in itself. Document the gap in the red flag notes field, escalate to senior leadership, and do not proceed to close without resolution. Some of the biggest M&A failures trace back to critical items that were never actually resolved before signing.
Do I need a virtual data room for a due diligence checklist?
Not for smaller deals. A Google Sheet with the five-field structure works for pre-seed through middle-market deals. Virtual data rooms like Datasite, Intralinks, and Ansarada become useful at the enterprise level where you need multi-user access, document redaction, audit trails, and integrated Q&A workflows. Budget accordingly: enterprise VDR pricing often runs 2 to 10 times the initial quote once overages are factored in.