

What is a Due Diligence Review? Plus: How to Prepare

By Matt Kelly

One of the most important exercises in corporate compliance is due diligence: how to perform it on other businesses, and how to prepare for other businesses performing it on you. So we can all benefit from a review of what a due diligence review actually is, and how to prepare for one.

Let’s start with the fundamentals. A due diligence review is a process that one business undertakes to confirm how reliable another business is before that first business does some transaction with the second. 

Reliable in what way? That depends on the transaction the first business wants to conduct. In a merger, the acquiring company will perform due diligence on the target company to confirm that, say, the target has all the customer contracts it claims to have. In a technology purchase, a company might perform due diligence to confirm that a vendor has sufficient operations to provide follow-up services for the life of the contract.

And, of course, in the compliance world, a company will perform due diligence on business partners to confirm they pose no threat of corruption or misconduct that could bring liability back to the company itself.

In all cases, due diligence is about gaining assurance in another party, to reduce the potential for harm to some acceptable level. A due diligence review is just the collection of steps you take to gain that assurance. 

Why Due Diligence Reviews Are Necessary

Because if you don’t do them, that risk of harm might come to pass and cause your business all sorts of trouble. That’s it, really.

For example, if you don’t perform a due diligence review on that tech vendor, you might discover four months later that the vendor has gone bankrupt and its software no longer works — perhaps leaving your business unable to perform mission-critical tasks. Then come lawsuits from shareholders or your own customers, seeking damages because your company should have done better at reducing the risk of harm.

Likewise, regulators expect businesses to take prudent steps to reduce the risk of violating the law, and they expect due diligence as part of that effort. Those due diligence reviews don't need to be perfect (no due diligence program can be), but regulators do expect companies to make a sincere, thoughtful effort at due diligence.

Moreover, even if the regulatory climate shifts over time, or differs from one country to another, that doesn’t devalue the need for strong due diligence capability generally. Companies still have countless other business risks (such as our unreliable tech vendor above) that exist regardless of the regulatory climate. 

Due diligence reviews are just an indispensable part of corporate life generally, and that’s never going to change.

How to Prepare for a Due Diligence Review

As a practical matter, due diligence can be done in any number of ways. The most important point is that the company needing due diligence plan its due diligence review wisely. So two questions immediately come to the fore.

First, is the due diligence review scoped correctly? That is, do you know the right facts and assurances you want to get from the target, to address the risks and questions you have?

For example, in an anti-corruption review, due diligence should always include identifying the true owners and controllers of the target business, to see whether they are "politically exposed persons" (PEPs) or fall into some other high-risk category. The review should also try to find any prior brushes with corruption the target might have had. Meanwhile, a due diligence review for sanctions risk might inquire about the products the target makes (say, nuclear materials) and the other customers the target has (any in Iran or North Korea?).

Sanctions risk and corruption risk are different, so the scope of due diligence will be different. Setting the wrong scope can be disastrous.

Second, is the due diligence review thorough and objective? This drives the question of who actually performs a due diligence review. It can be your own company, an outside due diligence firm, or (most likely) some mixture of both. 

Tedious, repetitive due diligence tasks—such as checking for adverse media reports and prior litigation, or identifying corporate owners—are best left to outside firms. The work is dull, and not the best use of your own employees’ time. Much of that work can also be automated, which produces more reliable, data-driven results. 

So a big part of performing due diligence is simply building the capability to embed and automate those tasks, usually with a blend of in-house and outside technology. When you need to perform thousands of due diligence reviews, year after year, this approach is paramount.

That said, some crucial parts of due diligence shouldn’t be automated. If you’re dealing with a third party that’s high value but also high risk, the human touch might be better to ask sensitive questions or to push for important disclosures. For major transactions (say, a joint venture with a state-owned entity), your company may even hire a professional services firm for some due diligence tasks.

All of that is in pursuit of a thorough, objective due diligence report that provides the assurance you need for the risks your business has.

On the Receiving End

Those points about scoping a due diligence review and striving for thorough, objective evidence are just as useful for third parties on the receiving end of due diligence. After all, the vast majority of businesses want to be good business partners, so clearing a path for good due diligence is very much in their interest.

For example, as a third party, you should understand the scope of due diligence that your customer is likely to set. You should anticipate the customer’s wants, and prepare your own business to provide them.

Take anti-corruption training as a specific example. Many compliance due diligence reviews will ask what anti-corruption training you’ve provided to your employees or your own third parties. Compile that documentation: the training materials, completion rates from employees, certifications from your third parties, and so forth. 

Also, understand what your client's anti-corruption training expectations might be. They may push you to deliver their own training to your employees. Maybe you'll allow that; or maybe you'll certify that parts of your training are equivalent to theirs, and accept their training only for the issues yours doesn't address.

Those choices are yours to make. A good third party will simply prepare to make them as quickly and efficiently as possible.


Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt's personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere's "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
