The document checklist every business needs before external scrutiny arrives

By /

Ninety percent of businesses that enter a due diligence process are not ready. Not because they lack good documents — but because those documents are scattered, outdated, inconsistently named, and owned by no one in particular.

The result is a two-week scramble that could have been a two-hour retrieval. In the best case, that delay is just inefficient. In the worst case, the disorganisation itself becomes a signal that undermines trust in the business.

This document checklist is built for real external scrutiny: investor due diligence, audit requests, enterprise customer security reviews, bank relationships, and M&A processes. Use it to close gaps before anyone is watching — not while they are.

Before the checklist: two principles that make it work

Principle 1: Completeness beats perfection. Reviewers understand that some documents are in progress or under negotiation. What they cannot forgive is unexplained gaps. A document that says “in review — expected completion 2026-07-01” with a named owner is better than a blank space.

Principle 2: Currency matters as much as existence. A financial model from eighteen months ago is not a current financial model. An information security policy from 2022 that has never been reviewed signals a business that files things and forgets them. Every document on this checklist should be dated and reviewed on a schedule.

The six document sets that reviewers always ask for

1) Corporate and governance documents

These establish that the business is legitimate, properly structured, and governed consistently.

  • Certificate/articles of incorporation and all amendments
  • Shareholder register and cap table (including options, warrants, and convertibles)
  • Shareholder agreement and any side letters
  • Board minutes and written resolutions (last 2 to 3 years)
  • Entity structure chart (especially if operating across UK, US, and Canada)
  • Any regulatory licences or authorisations relevant to the business

Common gap: Board minutes exist but are inconsistent, unsigned, or missing resolutions for material decisions.

2) Financial and tax records

These prove that the financial story you tell verbally matches what is actually happening.

  • Last 2 to 3 years of financial statements (audited where available)
  • Current management accounts (no more than 45 days old)
  • Budget for the current year and assumptions document
  • Three-year financial model with sensitivity analysis
  • Bank account documentation and any debt instruments
  • Tax returns and any material correspondence with tax authorities

Common gap: Financial model and management accounts use different revenue definitions, creating contradictions when reviewers compare them.

3) Commercial contracts and customer relationships

These demonstrate the quality and durability of the revenue base.

  • Top 10 to 20 customer contracts (with start dates, renewal terms, and termination clauses highlighted)
  • Standard sales terms and order forms
  • Any material pricing exceptions or side agreements
  • Top 5 to 10 supplier and vendor contracts
  • Material partnership, reseller, or distribution agreements
  • Churn and retention analysis or summary

Common gap: Contracts have been amended verbally or via email, but the VDR contains only the original signed document.

4) Security, privacy, and compliance

These are becoming a standard requirement for enterprise customers and regulated industries — not just formal M&A processes.

  • Information security policy (with date and owner)
  • Data privacy notices and records of processing activities (GDPR/CCPA as applicable)
  • Incident response plan
  • Any past security incidents and resolution summaries
  • SOC 2 or ISO 27001 report (if applicable)
  • Vendor risk management summary

Common gap: Policies exist but have not been reviewed in over a year. Reviewers will notice the stale dates.

5) People and employment

These are often requested late in a process but can stall completion if they are disorganised.

  • Organisation chart and current headcount
  • Key employee contracts (founders, C-suite, and any employees with restrictive covenants)
  • Standard employment agreement template
  • Contractor/consultant agreements
  • Employee handbook and core policies
  • Benefits summary

Common gap: Contractor agreements are missing or do not include adequate IP assignment clauses — a deal-stopper in technology businesses.

6) Technology and intellectual property

This category is critical for technology businesses and increasingly important for any company with a software component.

  • IP assignment agreements (covering founders and key early employees)
  • Patent, trademark, and copyright registrations (if applicable)
  • Architecture overview and key technical dependencies
  • Third-party software licences and open-source usage register
  • Any agreements that affect IP ownership (development agreements, white-labelling, licences out)

Common gap: Early employees or contractors were not required to sign IP assignment agreements. This surfaces in almost every technology company’s diligence.

How to package documents so reviewers trust what they see

Organisation is itself a signal. A clearly structured, consistently named folder set communicates that the business has thought carefully about its operations. A folder dump communicates the opposite.

The packaging standard:

  1. Use a consistent folder structure that mirrors a standard diligence index (the six categories above work well).
  2. Name files using a predictable format: [DocType] [Subject] [YYYY-MM-DD] [Status]
  3. Include a one-page “read me” for any category where context is needed (for example: “Our revenue recognition policy changed in Q3 2025 — notes are included in the Finance folder”).
  4. Mark draft documents clearly, and do not include them unless specifically requested.
  5. Confirm that every document included is the authoritative, current version.

Why a virtual data room is the right sharing method

Once your documents are organised, how you share them matters as much as what you share. Email attachments create uncontrolled copies, cannot be revoked, and produce no access log.

A virtual data room provides:

  • Role-based access so different reviewer groups see only what is relevant to them
  • View-only permissions that prevent uncontrolled downloading
  • Audit trails showing which documents were accessed and when
  • Structured indexing that matches the folder logic above
  • A controlled, professional presentation that reinforces trust

If you are building your readiness framework from scratch, Business Readiness provides the full ownership and process structure.

Your readiness quick-score

Before your next external review, run through these five questions:

  1. Can you produce any document on this checklist within 24 hours?
  2. Is every document dated and associated with a named owner?
  3. Can you confirm that the version you share is the approved, current version?
  4. Is there an access log for sensitive documents shared in the past 12 months?
  5. Has anyone tested this by actually simulating a request?

If you cannot answer yes to all five, you have work to do — and now is the right time to do it.

FAQ

How far back do financial documents need to go?

Typically two to three years of full financial statements, plus current management accounts. For early-stage businesses, this may mean prepared-but-unaudited accounts — which is acceptable as long as they are clearly labelled and consistently prepared.

Do we need to include every contract?

No. Focus on material contracts: your largest customers by revenue, your most critical vendors, and any contracts with unusual terms, termination rights, or change-of-control provisions.

What should we redact?

Redact third-party personal data, bank account details, and any information subject to confidentiality obligations that has not been waived. Always redact before publishing, not after the fact.

Build the process behind your checklist — see Business Readiness →

Scroll to Top