Financial due diligence is the difference between buying a business and buying a problem. Here's how to do it without a team of bankers.
What financial due diligence actually is
Think of financial due diligence (FDD) as a deep investigation into a company's financial statements — its income statement, balance sheet, and cash flow reports. An audit verifies the numbers are accurate. FDD asks whether the numbers are sustainable and what hidden liabilities exist.
For example, consider a small tech startup with impressive revenue growth. Everything looks solid at first glance. Financial due diligence reveals that a single large client accounts for 60% of their sales. What happens if that client leaves? That's the kind of question FDD answers.
A typical middle-market FDD process runs 4-6 weeks and is structured around 7 workstreams. These workstreams are not merely procedural checklists; they represent distinct analytical lenses. The first workstream, quality of earnings, adjusts reported EBITDA for non-recurring items, owner compensation, and accounting policy changes to reveal the company's true normalized earning power. The second, net working capital, examines the cash conversion cycle and identifies whether the target company requires a capital injection to sustain operations post-acquisition. A third workstream, debt and debt-like items, uncovers off-balance-sheet obligations such as operating leases, earn-out liabilities, or unfunded pension commitments that could erode deal value. Regulatory compliance forms a fourth workstream, scrutinizing tax filings, intercompany transactions, and adherence to revenue recognition standards like ASC 606 — a common pitfall for SaaS companies that recognize revenue prematurely. The remaining workstreams cover fixed assets (verifying asset existence and valuation), management forecasts (stress-testing assumptions against historical performance), and transaction-specific adjustments (such as purchase price allocation or tax structuring). Each workstream feeds into a single question: does the financial story the seller tells hold up under pressure? Without this structured dissection, buyers risk inheriting liabilities that no audit would flag.
The 7 workstreams that matter
Based on analysis of 200+ middle-market buy-side FDD engagements, here's where the effort goes:
- Quality of Earnings (QoE) — 30% of total effort. This is the big one. It validates that reported EBITDA is real, recurring, and not padded with one-time gains. The QoE also normalizes owner-operator compensation and non-arm's-length transactions, which are common in private companies.
- Working Capital Analysis — 15%. Determines the net working capital target that goes into the purchase agreement. A poorly set target can shift millions at closing, so the analysis must account for seasonality, historical cycles, and any post-closing normalization adjustments.
- Cash Flow & Liquidity — 12%. Checks whether the business generates enough cash to operate without constant infusions. This workstream also stress-tests debt covenants and capex requirements, particularly for asset-heavy or rapidly growing targets.
- Balance Sheet Analysis — 12%. Identifies hidden liabilities, off-balance-sheet items, and asset quality. Key areas include contingent liabilities from litigation, pension obligations, and the collectability of receivables — all of which can materially alter the purchase price.
- Customer / Revenue Analysis — 11%. Concentration risk, churn rates, contract renewal terms. Beyond top-line review, this workstream examines revenue recognition policies, deferred revenue schedules, and the enforceability of customer contracts under change-of-control provisions.
- Tax Due Diligence — 10%. Historical tax positions, exposure, and structuring implications. This includes reviewing open tax years, transfer pricing documentation, and any nexus risks that could trigger state or international tax liabilities post-acquisition.
- Fraud Detection & Internal Controls — 10%. Red flags in accounting practices and control weaknesses. The focus is on segregation of duties, journal entry testing, and unusual transactions near period ends — areas where small teams often lack formal oversight.
The deliverables are an Adjusted EBITDA bridge, a Net Working Capital target, a debt and cash schedule, and a risk register of red-flag findings. Each workstream feeds into the purchase agreement representations and warranties, making the depth of analysis directly proportional to the buyer's post-close protection.
Buy-side vs sell-side: two different games
Buy-side FDD is what you commission when you're acquiring a company. You lead with Quality of Earnings because you need to know what you're actually paying for. The buyer's team digs into normalized EBITDA, one-time adjustments, and revenue recurrence to validate the purchase price and identify deal-breakers like customer concentration or margin erosion. Every workstream—from tax to working capital—is framed around risk mitigation: what could go wrong post-close, and how much leverage does that give us in negotiations?
Sell-side FDD mirrors the same 7 workstreams but is prepared by the seller. The goal is to pre-empt buyer findings and support a higher valuation. Smart sellers run their own QoE report before they ever go to market. It costs money upfront. It saves multiples on the back end. The critical difference is control: a sell-side report lets you define the narrative around add-backs, normalize discretionary expenses, and flag structural issues before they become buyer objections. It also compresses the due diligence timeline, reducing the window for buyer remorse or re-trading. Regulatory scrutiny differs too—buy-side teams must verify compliance with indemnification clauses and reps & warranties insurance, while sell-side teams focus on defensibility of financial statements under potential audit conditions. The same seven workstreams apply, but the emphasis shifts: sell-side prioritizes documentation quality and sensitivity analysis, whereas buy-side zeroes in on verification and downside scenarios. We've built a side-by-side comparison of buy-side vs sell-side scope so you can see exactly where the focus shifts. Check it out on MiraReach.
The 53-item checklist that keeps you honest
You don't need to memorise the workstreams. You need a checklist you can tick through while you review documents.
We built an interactive financial due diligence checklist with 53 items across all 7 workstreams. Filter by workstream, search across all items, and your progress saves per session. It's free.
Start with Quality of Earnings. That's where 30% of your effort goes, and it's where most deals get killed or repriced. But a checklist only keeps you honest if it forces you to confront the structural weaknesses beneath the numbers. For example, when you review normalized EBITDA adjustments, the checklist should push you to ask: Are these add-backs truly non-recurring, or are they masking a chronic operating expense? The same rigor applies to working capital analysis. A standard checklist item might say "review historical DSO trends." The deeper question is whether the target's revenue recognition policy is accelerating cash flow at the expense of future collectability — a common red flag in subscription-based models that MiraReach users encounter when evaluating potential acquisition targets in the SaaS space.
Beyond the financial statements, the checklist must also interrogate regulatory exposure. Item 31 in our list, for instance, doesn't just ask for a list of pending litigation. It requires you to map each legal risk to a specific indemnification clause in the purchase agreement. This is where due diligence transitions from a passive review to an active negotiation tool. Similarly, the tax workstream items are designed to flag transfer pricing policies that could trigger retrospective adjustments under OECD Pillar Two rules — a risk that many solo operators overlook when acquiring cross-border tech assets. By structuring the checklist as a decision tree rather than a simple tick-box, you ensure that each item generates a concrete action item for the letter of intent or the SPA. That is the difference between a checklist that collects dust and one that actually protects your downside.
What we'd do next
If you're buying a business, run the checklist before you sign anything. If you're selling, run the sell-side version and fix the problems before a buyer finds them. Either way, the 53-item checklist is your starting point. But a checklist alone won't protect you from the two most common due diligence failures: missing hidden liabilities and misjudging revenue quality. On the buy side, we'd prioritize three deeper layers. First, verify revenue concentration — if more than 20% of revenue comes from a single customer or a single channel (e.g., one ad platform), that's a structural risk that no P&L adjustment can fix. Second, audit compliance with data privacy regulations like GDPR or CCPA. Even a small B2B SaaS company can face fines of 4% of annual global turnover for mishandled personal data, and buyers inherit that liability. Third, reconstruct normalized EBITDA by stripping out owner perks, one-time consulting fees, and below-market salaries for family members — sellers often inflate earnings by 15–30% this way. On the sell side, we'd run the same analysis in reverse: identify the three biggest red flags a buyer's forensic accountant will find, then fix them before listing. That might mean diversifying a top customer, updating your privacy policy, or formalizing contractor agreements. The checklist catches the obvious items; this deeper work catches the deal-breakers. Give MiraReach a try and see how it handles your next deal.
— Mira