Due diligence when buying a small business means independently verifying everything the seller has told you before you wire the money. You are confirming that the financials are real, the customer relationships are transferable, the legal structure is clean, and the operational dependencies are manageable. Most deals under $50M follow the same core framework: financial, legal, commercial, operational, and HR. Done right, it takes four to eight weeks and surfaces the issues that let you reprice, restructure, or walk away.
Why Does Due Diligence Matter More in Small Business Deals?
In large M&A, both sides have experienced dealmakers and the target has audited financials, institutional investors, and legal counsel who have already stress-tested the business. In SMB acquisitions, you often get the opposite: owner-prepared books, minimal documentation, and a seller who has never been through a formal sale process. The International Business Brokers Association (IBBA) consistently reports that deals collapse most often because buyers discover material discrepancies during diligence that were not disclosed upfront. The risk is not that sellers are dishonest—many simply do not know what matters to a buyer.
This is also why the Stanford GSB Search Fund Primer, the canonical reference for search fund acquirers, dedicates more space to diligence process than to any other phase of the acquisition. The value destruction in SMB deals almost always traces back to something that was knowable before close.
What Does Financial Due Diligence Cover?
Financial diligence is your first and deepest dive. The goal is to reconstruct normalized, buyer-adjusted EBITDA and verify that the revenue and cash flow you are paying for actually exists. This is not the same as reading the P&L the seller gave you.
What are the core financial documents to request?
- Three to five years of tax returns (federal business returns, not just summaries)
- Three years of P&L statements and balance sheets, preferably CPA-prepared
- Month-by-month revenue for the trailing 36 months
- Bank statements for the past 24 months (to reconcile against reported revenue)
- Accounts receivable and accounts payable aging reports
- Inventory records if product-based
- Loan and lease schedules, including any off-balance-sheet obligations
- Owner compensation, perks, and personal expenses run through the business
The HBR Guide to Buying a Small Business is direct on this point: always reconcile bank deposits to reported revenue. The gap between what shows up on the P&L and what hits the bank is where the real story lives. Unexplained discrepancies in either direction are red flags—over-reporting inflates the multiple, and under-reporting creates tax liability that may transfer to you.
What is a quality of earnings analysis?
A quality of earnings (QoE) report, prepared by a third-party accountant or diligence firm, recasts the financials to show what sustainable, normalized EBITDA actually looks like for a new owner. It adds back one-time costs, removes personal expenses, adjusts for owner compensation at market rate, and flags any revenue that is non-recurring or at risk. For deals above $1M in purchase price, a QoE is almost always worth the $8,000–$25,000 it costs. The Pepperdine Private Capital Markets Report has documented for years that lenders increasingly require QoE reports before approving SBA or conventional acquisition financing.
What Does Legal Due Diligence Cover?
Legal diligence answers one question: is there anything attached to this business that will become your problem after close? The scope is wide, and gaps here tend to be expensive.
- Corporate formation documents: articles of incorporation, operating agreement, cap table, and any shareholder agreements
- Contracts with customers: are they assignable? Do they contain change-of-control provisions that allow termination?
- Contracts with suppliers and vendors: same questions
- Lease agreements: commercial real estate, equipment, vehicles
- Intellectual property: who actually owns the trademarks, domain, software, and trade secrets? Are there assignments in place from founders and employees?
- Litigation history and pending disputes
- Regulatory compliance: licenses, permits, and certifications required to operate
- Employment matters: contractor misclassification, wage disputes, any outstanding EEOC complaints
The SBA's guidance on 7(a) acquisition loans specifies that the buyer must demonstrate clean title to the business assets and confirmation that all required licenses transfer. If you are using SBA financing, your lender will independently verify many of these items, but that verification protects the bank, not you. Hire your own M&A attorney.
What Does Commercial Due Diligence Cover?
Commercial diligence tests whether the revenue will survive the ownership change. This is often where self-funded searchers underinvest. The financials tell you what happened; commercial diligence tells you whether it will keep happening.
How do I assess customer concentration risk?
Request a revenue-by-customer report for the trailing three years. If any single customer represents more than 20% of revenue, that is a concentration risk worth pricing into your offer. If the top three customers represent more than 50%, you are underwriting a client services dependency, not a business. Talk to key customers directly if the seller permits it, or structure a portion of the purchase price as an earnout contingent on customer retention.
What else belongs in commercial diligence?
- Churn rate and net revenue retention for subscription or recurring revenue businesses
- Pipeline and backlog: is there signed future revenue, or is the seller coast on historical relationships?
- Competitive positioning: who are the alternatives, and why do customers choose this business?
- Market size and growth trajectory: is this business riding a growing market or a shrinking one?
- Pricing history and ability to raise prices without customer loss
- Customer acquisition channels: are they owner-dependent (personal relationships, referrals) or institutional (SEO, paid, partnerships)?
What Does Operational and HR Due Diligence Cover?
Operations and HR diligence answers: can this business run without the seller, and what does it actually take to run it? These two workstreams are tightly linked because in small businesses, process knowledge lives in people, not in documentation.
- Org chart and employee roles: who does what, and who would leave if the seller left?
- Key person dependencies: is there a single employee (besides the owner) whose departure would materially impair operations?
- Employee compensation benchmarking against market rates
- Benefits, PTO liabilities, and any deferred compensation arrangements
- Operational processes: are they documented, or does the business run on institutional knowledge?
- Technology stack: what software does the business depend on, and are licenses transferable?
- Supplier relationships: are they with the business entity or with the owner personally?
Seller transition period is a direct output of this analysis. If the business has strong documentation, clear SOPs, and an experienced management team, a 30-day transition may be sufficient. If the seller is the relationship, the brand, and the operator, you need 90–180 days and a meaningful consulting arrangement written into the purchase agreement.
What Is the Full Due Diligence Checklist by Category?
Comparison
- Diligence Area: Financial | What to Check: Tax returns, bank statements, P&L, QoE, A/R aging | Common Red Flags: Revenue not reconciling to bank deposits; large unexplained year-over-year swings; high receivables from related parties
- Diligence Area: Legal | What to Check: Corporate docs, contracts, IP ownership, leases, litigation | Common Red Flags: Non-assignable customer contracts; IP not formally assigned from founders; pending lawsuits not disclosed
- Diligence Area: Commercial | What to Check: Customer concentration, churn, pipeline, competitive moat | Common Red Flags: Top customer >20% of revenue; revenue declining >5% YoY; all new business comes from owner relationships
- Diligence Area: Operational | What to Check: SOPs, technology, supplier contracts, key processes | Common Red Flags: No documented processes; critical software not licensed to the entity; single vendor dependency
- Diligence Area: HR & People | What to Check: Org chart, comp benchmarking, contractor classification, benefits | Common Red Flags: Key employees are 1099 contractors who should be W-2; compensation significantly below market; recent unexplained departures
- Diligence Area: Tax & Compliance | What to Check: Federal/state tax filings, sales tax, payroll tax, permits | Common Red Flags: Unfiled returns; sales tax not collected in nexus states; professional licenses in owner's name, not entity's
- Diligence Area: Environmental | What to Check: Lease terms, prior use of property, any hazardous materials | Common Red Flags: Prior industrial use of leased space; seller unable to produce environmental clearances
- Diligence Area: IT & Cybersecurity | What to Check: Data handling, software licenses, customer data storage | Common Red Flags: Customer PII stored without adequate controls; unlicensed software in production; no backup or DR procedures
How Do I Organize the Due Diligence Process?
The mechanics of diligence matter as much as the checklist. Most buyers underestimate the document management burden. You will receive hundreds of files across multiple requests, and tracking what you have, what you are missing, and what requires follow-up becomes a job in itself.
- Issue a formal document request list within 48 hours of signing the LOI. Organize it by workstream and prioritize the financial and legal items first.
- Set up a structured data room. Do not rely on a shared Google Drive folder with no organization. You need version control, access logs, and the ability to search across documents.
- Assign workstream owners. If you have outside counsel and an accountant, each owns their lane. If you are doing it solo, block dedicated time for each workstream rather than jumping between them.
- Use a diligence tracker. A simple spreadsheet with document name, status (requested / received / reviewed / resolved), and findings is sufficient. Update it daily during active diligence.
- Maintain a running issues log. Every red flag, open question, and follow-up item goes into one document that both your team and your advisors can see.
- Schedule a midpoint call with the seller. At roughly the halfway point, surface open items and pending requests. Sellers who are well-organized will appreciate it; sellers who are slow to respond will feel appropriate pressure.
- Prepare a diligence findings memo before closing. This becomes the record of what was discovered, what was resolved, and what risks you accepted with eyes open.
AI-assisted platforms like DEALPRINT now automate much of the document review burden—flagging missing items from your request list, extracting key data points from financial statements, and surfacing red flags across categories like customer concentration, IP ownership, and contract assignability—which can compress a four-week diligence cycle by a meaningful amount.
How Do I Handle Red Flags Without Killing the Deal?
Not every red flag is a deal-killer. The goal of diligence is not to find a perfect business—those do not exist at prices acquirers can afford—but to know exactly what you are buying. The question for each finding is: is this a risk I can price, a risk I can mitigate, or a risk I cannot underwrite?
- Priceable risks: customer concentration, aging receivables, deferred maintenance. These reduce the multiple you are willing to pay or justify a price reduction.
- Mitigable risks: key person dependency, undocumented processes, informal supplier relationships. These go into the purchase agreement as representations, warranties, transition obligations, or earnout conditions.
- Walk-away risks: fraud indicators (revenue that cannot be reconciled to bank deposits), undisclosed litigation, environmental liability, and any situation where the seller cannot or will not provide documentation you need to verify the basics.
- Use an indemnification escrow for risks that fall between mitigable and walk-away. A portion of the purchase price held in escrow for 12–24 months protects you against post-close discoveries tied to pre-close conduct.
How Long Does Due Diligence Take for a Small Business?
For a deal under $5M, a focused buyer with good advisors can complete diligence in 30–45 days from LOI. Deals in the $5M–$50M range typically run 45–90 days, with more extensive QoE work and legal review. The biggest variable is seller responsiveness. Sellers who have organized their records before going to market—what sophisticated brokers call a sell-side diligence package—can cut the timeline significantly. Sellers who are disorganized or evasive will drag it out and create additional risk in the process.
Your LOI should specify a diligence period with a hard deadline and an exclusivity clause that protects you from the seller shopping the deal during your review. Do not start significant diligence spend—QoE, environmental, IT assessments—without confirmed exclusivity in writing.
What Advisors Do I Need for Small Business Due Diligence?
At minimum: a transaction attorney experienced in SMB acquisitions and a CPA or diligence firm capable of preparing or reviewing a quality of earnings. Beyond those two, the deal size and complexity determine what else you need.
- M&A attorney: handles legal diligence, purchase agreement drafting, and closing
- QoE accountant or diligence firm: financial and tax workstreams
- Commercial banker or SBA lender: required for financing; will run their own diligence that you should leverage
- Industry expert or operating advisor: valuable for commercial diligence if you lack domain expertise in the target's sector
- Environmental consultant: required if the business involves real property, manufacturing, or hazardous materials
- IT/cybersecurity assessor: increasingly common for software-dependent businesses or those handling sensitive customer data
The temptation to cut corners on advisors is understandable—diligence costs for a $2M deal can run $25,000–$60,000 before you close. But as the HBR Guide to Buying a Small Business notes, the acquirers who skip advisors to save fees are the same ones who discover post-close that they bought a business with an undisclosed lien, a customer relationship that left with the seller, or a lease that cannot be assigned. The economics do not favor the shortcut.
DEALPRINT
Running diligence on a deal?
DEALPRINT automates document review, flags red flags, and organises your data room — so you can focus on the conversations that close.
Apply for Limited ReleaseFrequently Asked Questions
Common Questions
- How much does due diligence cost when buying a small business?
- For deals under $5M, expect to spend $15,000–$50,000 on diligence costs including legal fees, a quality of earnings report, and any specialist assessments. Larger deals in the $5M–$50M range typically run $40,000–$150,000. These costs are paid by the buyer and are not refundable if you walk away, which is why most buyers wait until after signing an LOI with exclusivity before engaging paid advisors.
- What is the most important thing to check in due diligence?
- Financial verification is the highest-stakes workstream for most SMB acquisitions. Specifically, reconciling reported revenue to bank deposits is the single check most likely to surface material misrepresentation. Beyond financials, customer concentration and contract assignability are the issues that most frequently cause deals to reprice or collapse after diligence begins.
- Can I do due diligence on a small business without a lawyer?
- Technically yes, but it is not advisable for any deal above $250,000. The legal workstream—reviewing contract assignability, IP ownership, employment matters, and the purchase agreement itself—requires expertise that most buyers do not have. More importantly, the purchase agreement is where your protections live: representations, warranties, indemnification, and escrow terms. A poorly drafted agreement is often worse than no agreement because it creates a false sense of protection.
- How long is a typical due diligence period for buying a small business?
- Most LOIs for SMB acquisitions specify a 30–60 day diligence period. Thirty days is aggressive but achievable if the seller has organized records and responds promptly. Sixty days is more common and allows time for a proper QoE, legal review, and any third-party assessments. The diligence period clock starts when you receive the first substantive document production, not when the LOI is signed.
- What financial documents should I ask for when buying a business?
- At minimum: three to five years of federal business tax returns, three years of CPA-prepared P&L statements and balance sheets, 24 months of bank statements, accounts receivable and payable aging reports, and a complete list of owner add-backs and personal expenses. For product businesses, also request inventory records and cost-of-goods history. For service businesses, request revenue by customer for the trailing three years.
- What are the biggest red flags in small business due diligence?
- The highest-severity red flags are revenue that cannot be reconciled to bank deposits, undisclosed litigation or regulatory investigations, customer contracts with non-assignment clauses, and intellectual property that is not legally owned by the business entity. Secondary red flags worth pricing into your offer include heavy customer concentration (any single customer over 20% of revenue), key person dependency on the seller, and significant deferred maintenance on equipment or technology. Any seller who resists providing standard financial documentation should be treated as a walk-away risk.
Sebastian Krappe
CEO
Sebastian is the CEO and co-founder of DEALPRINT. He is a former investment banker and private equity investor who conducted far too many manual, painful diligence processes. He is passionate about making sure no investors, advisors, or brokers have to struggle with due diligence again. Sebastian holds a B.A. from Columbia University and is an MBA Candidate at the UC Berkeley Haas School of Business.