Diligent
Diligent
PartnerCompanySupport
Solutions
expand_more
Products
expand_more
Industries
expand_more
Resources
expand_more
More
Virtual Summit Seriesopen_in_new
Cyber Risk Virtual Summitopen_in_new
Modern Governance 100open_in_new
Diligent Elevateopen_in_new
(formerly Modern Governance Summit)
Diligent Instituteopen_in_new
Blog
/
Compliance & Ethics
Jessica Donohue Image
Jessica Donohue
Senior Specialist

Due diligence: Definition, types and examples

May 29, 2025
0 min read
Compliance colleagues discussing due diligence

Due diligence is a relatively common term. Used in business, it broadly refers to the process of investigating and verifying information about a company or investment opportunity. Specifically for compliance teams, it comes up when you consider relationships with new vendors and third parties.

Yet it can be difficult to understand what due diligence really is and how best to incorporate it into your procedures, even as it becomes more vital. New sanctions increased 50% in 2023, pushing due diligence back into the spotlight.

The dictionary gives the term 'due diligence' a basic meaning. Depending on the context in which the term is used, it can hold other meanings, especially for corporations, nonprofits and educational institutions.

Merriam-Webster defines due diligence as the matter that pertains to business. The definition cites ‘research and analysis of a company or organization done in preparation for a business transaction (such as a corporate merger or purchase of securities).’

With that definition in mind, you can better understand due diligence. Here, we’ll discuss:

  • The definition of due diligence
  • Why organizations conduct due diligence
  • The three principles of due diligence, plus eight types of due diligence your organization can conduct
  • A process for implementing effective due diligence

What is due diligence?

Due diligence definition: The steps an organization takes to thoroughly investigate and verify an entity before initiating a business arrangement, whether that’s with a vendor, a third party or a client.

In the general business sense, due diligence means vetting issues that affect the business thoughtfully and carefully. Due diligence means being proactive, rather than reactive, in response to problems.

Traditional versus modern due diligence

Due diligence traditionally emphasized checklists, compliance, and historical performance, all of which could prove, on paper, that the organization and its relationships looked good. But today’s landscape demands more, as do rising sanctions, the prevalence of bad actors and stakeholder demands for transparency.

Modern due diligence goes beyond the basics, evaluating context, culture, long-term risks and whether the pursuit aligns with the organization’s values. This evolution has transformed due diligence into a strategic process that can reveal opportunities, uncover hidden risks and help stakeholders make more informed, future-focused decisions.

Strengthen your due diligence

Learn how to uncover hidden risks, streamline investigations and build a due diligence process that scales with your business.

Register now

What is the purpose of due diligence?

Businesses need to have written policies and procedures in place. Certain issues may be better addressed by using a checklist to ensure that groups or individuals are giving the issues adequate time and attention. In addition to having guidance in written form, due diligence calls for boards to cooperate and collaborate with others.

Under certain circumstances, due diligence may mean seeking and obtaining outside expertise from attorneys, accountants, insurance agents, financial experts, tech experts or other individuals with professional or special expertise — especially in light of moral imperatives.

Due diligence can be a powerful tool for navigating sanctions and fighting modern slavery and trafficking, but only if it’s wielded effectively.

“You can be doing business in a place and not even know what all the inputs are. If you’re in the position, you have a moral uncertainty and a practical uncertainty. You have pragmatic knock-on effects of operational disruption if you’re caught in this potential quagmire that begins with forced labor,” said Diligent Senior Manager of Due Diligence Clint Palermo on a recent episode of Innovation in Compliance.

What's more, regulations like the Corporate Sustainability Due Diligence Directive (CSDDD) and the German Supply Chain Act are setting higher standards for ethical practices in supply chains globally, which require compliance teams to stay up-to-date on regulatory trends to remain compliant.

The 3 principles of due diligence

Due diligence is an essential way for organizations to proactively identify risk. But it’s also a potential human rights issue. In 2011, the UN issued its Guiding Principles on Business and Human Rights. This document outlines three principles that organizations can follow to ensure their activities don’t compromise human rights.

While they are human rights-specific, they’re also valuable tenets of any effective due diligence program. These are:

  1. Identify and assess: Organizations are responsible for identifying if their activities might have a human rights impact and assessing the extent of that risk.
  2. Prevent and mitigate: Then organizations must act in good faith to prevent those risks and/or mitigate any existing or future impacts.
  3. Account: Organizations also need to maintain a thorough account of how they will proactively address any potential human rights risks.

How to implement due diligence

Step-by-step guidance to evaluate third-party risk effectively. Download Diligent’s expert-created guide now.

Download now

Types of due diligence

While all due diligence typically takes place at the start of a new business arrangement, what that due diligence requires can vary. A coffee chain considering partnering with a new coffee bean grower will need to take very different steps than a financial institution considering a new vendor for their online banking program.

Depending on the type of organization you work for and the size of its value chain, you might undertake any of the following eight types of due diligence:

  • Vendor due diligence: Investigating the current or potential risk of new or existing vendors
  • Third-party due diligence: Third-party due diligence assesses the risk level of potential third-party partners, including any vendors (or fourth parties) in your potential partner’s ecosystem.
  • Enhanced due diligence: Enhanced due diligence (EDD) uses a risk-based approach to evaluate specific clients or companies
  • Technology due diligence: Auditing your IT infrastructure for any potential risks. This is also a common part of M&A due diligence
  • Cyber due diligence: Cyber due diligence assesses, monitors and mitigates risks within a network, particularly those tied to third-party vendors.
  • Supply chain due diligence: Addressing possible environmental and human rights risks by assessing the impact of your entire supply chain
  • Financial due diligence: Analyzing the organization’s financial performance before completing a merger or acquisition
  • Regulatory due diligence: Reviewing an organization’s policies, processes and procedures to verify whether they’re compliant with all relevant regulations
  • ESG due diligence: ESG due diligence determines the impact an organization may have on environmental, social and governance issues and actively takes steps to mitigate that impact
  • Legal due diligence: This requires a thorough review of legal risks and obligations, such as contracts, compliance and litigation history, to ensure the business or asset is legally sound before finalizing a deal.
  • Real estate due diligence: Real estate due diligence is an investigation into a property’s physical condition, title, zoning, leases, environmental status and legal compliance to identify potential liabilities and confirm that it meets the buyer’s goals.
  • IT due diligence: During IT due diligence, a company assesses technology systems, cybersecurity protocols, software licenses, data management practices and IT infrastructure to determine scalability, security and integration risks.
  • Commercial due diligence: This process analyzes market position, competitive landscape, business model and revenue drivers to validate the commercial viability of a company or product.
  • Customer due diligence: Customer due diligence is the process of verifying a client’s identity, understanding their risk profile, and monitoring ongoing activity, which is often required for compliance with anti-money laundering (AML) and Know Your Customer (KYC) regulations.

Due diligence in ERM frameworks

It’s easy to consider due diligence in a vacuum. Many boards use due diligence simply to verify the risks and validate the opportunities associated with a service, product, partner or venture. However, the most effective due diligence should be part and parcel with enterprise risk management (ERM).

Due diligence seeks to uncover financial, legal, operational and reputational risks. In doing so, it feeds directly into your ERM program. Due diligence also fuels ERM through:

  • Risk assessments: Due diligence provides qualitative and quantitative insights that power ERM’s risk scoring and prioritization.
  • Third-party risk management: It also informs the lens through which ERM will evaluate vendors, partners and acquisition targets.
  • Compliance monitoring: Legal and regulatory checks conducted during due diligence support ERM’s compliance tracking function.
  • Strategic decision-making: Both due diligence and ERM guide leadership on risk-informed growth, investments and partnerships.
  • Internal controls evaluation: Due diligence often includes assessing the strength of internal systems, a priority that aligns with ERM’s control environment.
  • Continuous monitoring: Modern due diligence increasingly includes ongoing checks, complementing ERM’s dynamic monitoring of emerging risks.
  • Scenario planning and stress testing: The risks or opportunities you discover during due diligence can be channeled into ERM scenario planning and stress testing, giving the board and other risk leaders a clearer picture of the future.
  • Cultural and ethical alignment: Assessing values and culture during due diligence supports ERM’s broader goal of fostering a risk-aware and ethical organization.

How to conduct the due diligence process

How you conduct due diligence depends on the type of due diligence your situation calls for. Financial due diligence may require a deeper focus on financials, whereas IT due diligence will dive into company systems.

That said, most forms of due diligence have some steps in common. To perform due diligence, you should:

  • Define goals for the relationship: Why are you engaging a new third-party partner, vendor or other business relationship? Understanding how the relationship can benefit your organization will help you define the due diligence process because you can also identify what risks might prevent you from achieving that goal.
  • Set roles & responsibilities: Due diligence can be long and complex. Define who is responsible for what — both within your organization and the organization you’re assessing — to ensure everyone understands how they’re expected to contribute.
  • Develop a questionnaire: Due diligence questionnaires (DDQ) help you ascertain how compliant a third party is with industry standards, laws and regulations, as well as cybersecurity best practices and anything else vital to your organization’s safety. “Look at what you’re trying to achieve. What specific regulations do you want to comply with, and what do you need to know from that third party to help you comply? And what would you need to know from them for your risk model and what you do from there,” said Diligent Director of Operations Optimizations Group Stephanie Font on a recent podcast episode. Assembling a DDQ can make it easier to assess a third party’s risk exposure and collect the data to manage that risk effectively.
  • Audit company documents and/or processes: The documents you audit can vary. Depending on the organization you're auditing and the type of business arrangement you're pursuing, you might look at financial documents, the IT infrastructure, internal controls, compliance procedures and more.
  • Assess risk management: How does your potential partner or vendor already approach risk management? Organizations without a risk management policy might be riskier to partner with than those with a well-documented approach. This also gives you insight into how you may need to combine your respective approaches to risk.
  • Report on due diligence: The report should reflect everything you’ve uncovered during the due diligence process. You’ll typically deliver this to the board or the C-Suite so they can make a decision on whether or not to follow through with that business relationship.
  • Monitor and mitigate risk: Due diligence doesn’t end after the relationship begins or the merger or acquisition is complete. It’s important that you adopt an always-on approach to monitoring your new third party or vendor’s activities to ensure they’re compliant, and so you can mitigate any risks that may arise.

Real-world examples of due diligence

Due diligence can be vast, especially for large, global companies with sprawling value chains. Here are some examples of due diligence to help you understand just how varied the due diligence landscape can be:

IT due diligence example

A global marketing agency considering a new project management software would assess pricing, reviews from current and past customers, how secure the software is and whether or not it would be compatible with the agency’s infrastructure.

As part of due diligence, the agency might request and review security certifications, check for role-based access controls, evaluate incident response and data breach policies and review any service level agreements (SLA). Before signing up for the solution, the agency would also identify potential implementation risks and forecast their impact, ultimately baking that into their ERM framework.

Legal due diligence example

A company acquiring a smaller, competing company would review employment agreements, compensation plans, any labor disputes, its anti-bribery and corruption standards, compliance with relevant regulations and so on.

Legal counsel will also want to know if the target company complies with labor laws, health and safety regulations and industry-specific regulations. They may also review key business contracts that could affect employment, evaluate the company’s reputation in the market and highlight risks that could affect either the deal or the integration.

Cybersecurity due diligence example

A nonprofit partnering with a third-party technology provider would assess the third party’s cybersecurity infrastructure to uncover any potential risks or compliance issues. They would evaluate whether the provider’s technology meets their needs, is compatible with existing tools and is easy enough for staff and stakeholders to use.

Depending on the nonprofit’s regulatory landscape, they will assess compliance with HIPAA or GDPR and review the provider’s privacy policy and terms of service. They might also implement contractual safeguards for data ownership, security, compliance and more, as well as a plan for regular reviews and audits.

ESG due diligence example

A mid-sized U.S.-based investment firm is considering acquiring a stake in a textile manufacturer in Southeast Asia. The deal looks promising on paper, but before finalizing, the firm reviewed the manufacturer’s ESG profiles in line with its responsible investment policy.

This ESG due diligence process would include reviewing the manufacturer’s environmental footprint, auditing water usage, carbon emissions, and waste management. The firm might also assess labor practices, workplace safety and community engagement. To complete due diligence, they could also focus on leadership structure, ethical standards and transparency, including anti-corruption policies or compliance history.

Based on the findings, the firm could negotiate several ESG-related terms to protect the transaction, such as implementing a formal ESG policy and conducting annual third-party audits and milestones for improving labor practices and environmental compliance.

Key components of an effective due diligence program

Effective due diligence programs are strategic and risk-aware, ultimately enabling better decision-making. These components are foundational to reach that aim:

  1. Clear objectives and scope: Define what you need to know, why it matters and how the findings will influence your decision. Tailor your scope to the nature of the transaction. For example, financials for an acquisition or cybersecurity for a tech partnership.
  2. Cross-functional expertise: Involve stakeholders across departments — legal, finance, HR, IT and compliance — to cultivate a holistic view of risk. Each area brings its own lens and can identify different types of risk or opportunity.
  3. Structured processes and checklists: Use repeatable frameworks to promote consistency and thoroughness. Categorize focus areas (e.g., legal, financial, operational and reputational) and set clear workflows for collecting and analyzing information.
  4. Integration of technology and automation: Technology is a vital enabler of modern due diligence. Artificial intelligence and automation tools can rapidly analyze contracts and flag anomalies, detect potential compliance conflicts in large datasets, monitor news and regulatory databases for red flags and streamline document collection, storage and collaboration.
  5. Risk assessment and scenario planning: Organize findings by risk level — low, moderate and high — and assess both likelihood and impact. Consider how different risks might play out under various scenarios, like regulatory changes or the CEO leaving.
  6. Documentation and reporting: Keep a clear audit trail — document who reviewed what, who led each workstream, key findings and any unresolved questions. Summarize insights in a final report that informs go/no-go decisions and post-deal action plans.
  7. Ongoing monitoring: Due diligence shouldn’t stop once the deal is done. Establish mechanisms for ongoing monitoring, especially with vendors or tech platforms, to ensure compliance, performance and alignment with your values and goals.

Due diligence made easy

Get the complete checklist for finding the best due diligence software for your team.

Read now

Due diligence red flags and pitfalls

Even the most thorough due diligence process can be derailed if you overlook warning signs to make a misstep. Knowing what to watch out for — and what to avoid — can make the difference between a well-informed decision and an expensive mistake.

Common red flags

  • Inconsistent or missing documentation: If key documents — financial statements, contracts, compliance reports and more — are incomplete, outdated or withheld, that’s a signal that something may be amiss, and you should dig deeper.
  • Unclear ownership or legal structure: Complex or opaque business structures may hide liabilities, conflicts of interest or regulatory risks.
  • Unresolved legal or regulatory issues: Active litigation, past fines, or ongoing investigations can expose you to significant risk.
  • Rapid employee turnover or low morale: High attrition, negative reviews on platforms like Glassdoor or inconsistent HR policies may indicate culture problems or leadership challenges.
  • Cybersecurity weaknesses: A lack of documented security protocols, outdated infrastructure or failure to comply with relevant data protection laws (like GDPR or HIPAA) could expose your organization to breaches and reputational damage.
  • Poor ESG performance or lack of transparency: ESG concerns are material risks in today’s business environment. Greenwashing or weak labor practices may harm both your reputation and long-term value. Look for strong ESG metrics or a tangible connection between ESG proclamations and programs.

Common pitfalls to avoid

  • Relying too heavily on surface-level data: A clean executive summary doesn’t guarantee a healthy operation. Ask for underlying data and probe assumptions to reduce the risk of missing critical information that could impact your business significantly. “Create a tiered approach to how much due diligence is applied based on the risk presented by the third party. The larger the risk, the larger or heavier the list of required steps,” says Kristy Grant-Hart, head of advisory services at Spark Compliance, a Diligent Brand.
  • Skipping cross-functional input: Engaging a lean due diligence support team can be enticing, but resist the temptation. Leaving IT, HR or compliance out of the process can create blind spots, especially in complex deals or partnerships.
  • Leaving your program unoptimized: Due diligence isn’t done after the first screening. “Many companies review third parties only at the initial contracting phase. That’s a problem because good companies go bad. What’s worse? Sanctions change daily, and a company or person who was clear yesterday may have massive red flags today. The one-and-done approach isn’t defensible,” says Grant-Hart. Using a risk-based approach for continuous monitoring means you’ll catch more red flags over time and better protect your business.
  • Letting bias cloud judgment: When excitement about a deal outweighs objective analysis, red flags can get rationalized away. A good due diligence process creates space for pause, skepticism and second opinions. “The business already wants to use the third party with a red flag – the fox shouldn’t be watching the hen house,” says Grant-Hart. “Ensure that someone in the compliance team is assigned to the final evaluation of red flag clearing. Allow the business to gather information and participate in remediation recommendations, but make sure the final decision is compliance to make.”
  • Failing to update your approach: Due diligence tools and best practices evolve. Ignoring new technologies like AI-powered document review or automated red flag detection can slow you down, limit insight, and ultimately lead to missed opportunities.

The role of the board and its committees in effective due diligence

Due diligence doesn’t begin and end with management. Rather, it’s a critical governance function — one that the board of directors and its committees are responsible for upholding. It falls to the board to ensure due diligence is rigorous and aligns with the organization’s long-term strategy, values and risk appetite.

  • Strategic oversight: Like in many areas, the board sets the tone for due diligence. They define the risk tolerance and approve policies that guide due diligence processes. The board will also review proposed transactions or partnerships to ensure they align with the organization’s mission, vision and strategic goals. An effective board will also challenge assumptions by asking questions and pushing for clarity.
  • Committee-level accountability: Board committees often lead or oversee specific aspects of due diligence. The audit committee reviews financial statements and internal controls; the nominating and governance committee ensures potential partners meet ethical, reputation and compliance standards; and the risk committee evaluates potential risks and whether they fit within the broader ERM framework.
  • Review and approval processes: Boards and committees should read due diligence findings and recommendations before making key decisions. This includes ensuring any post-deal action items are tracked and executed lest they fall through the cracks and lead to bigger threats down the road.
  • Continuous improvement: An engaged board helps evolve the due diligence process. The board staying informed about emerging risks can foster more thorough due diligence. Supporting investment in technology can also enhance the speed and accuracy of due diligence over time.

Build a credible due diligence program

Due diligence intelligence matters. Having an effective due diligence program can make the difference between remaining compliant and secure and — even inadvertently — introducing costly risks into your organization’s infrastructure.

The key is creating a comprehensive program that can provide critical insights to support the types of due diligence you need to complete. Diligent’s global team of analysts and investigators can help you do that by providing the on-screen research and boots-on-the-ground intelligence you need to build a stronger due diligence program. Learn more and request a demo.

FAQs

What is a good example of due diligence?

A strong example of due diligence is a company acquiring another business and reviewing its financial records, legal contracts, intellectual property, employee agreements and customer data to assess risks and ensure alignment before finalizing the deal. This process helps prevent surprises post-acquisition and supports sound decision-making.

What are the 3 P’s of due diligence?

The “3 P’s” of due diligence are people, processes and performance.

  • People: Assess leadership, key employees and organizational structure.
  • Processes: Review operational workflows, compliance procedures and internal controls.
  • Performance: Analyze financial results, KPIs and overall business health. Together, these help evaluate a transaction or partnership's overall viability and risk.

What is a due diligence period?

The due diligence period is a defined timeframe, typically before a deal closes, during which a buyer investigates the target company or asset. This phase allows time to verify information, uncover risks and decide whether to move forward, renegotiate or walk away from the transaction.

What are the four customer due diligence requirements?

The four core requirements of customer due diligence (CDD) are:

  1. Identify the customer and verify their identity.
  2. Identify beneficial owners (if the customer is a legal entity).
  3. Understand the nature and purpose of the customer relationship.
  4. Conduct ongoing monitoring for suspicious activity and maintain up-to-date records. These steps help prevent fraud, money laundering, and financial crime.

Due diligence questions to ask when buying a business

When buying a business, ask questions like:

  • What do the financial statements reveal about revenue and profitability?
  • Are there any outstanding legal disputes or regulatory issues?
  • What contracts and liabilities are being assumed?
  • Who are the key employees and customers?
  • What are the company’s operational risks and competitive advantages?

These questions help you identify red flags and make an informed investment.

What are the key steps in the due diligence process?

The due diligence process typically includes:

  1. Defining objectives and scope
  2. Collecting and reviewing documents (financials, legal, HR, etc.)
  3. Conducting interviews or site visits
  4. Assessing risk and compliance
  5. Summarizing findings and recommendations
  6. Developing a post-deal action plan

Each step helps reduce uncertainty and supports better decision-making.

Who is responsible for due diligence in a company?

Responsibility for due diligence is shared across departments, but executive leadership and functional leads (legal, finance, IT, HR, compliance) typically conduct the work. The board of directors and relevant committees oversee high-stakes decisions like mergers or strategic partnerships.

What types of due diligence should be conducted for mergers and acquisitions?

A thorough review helps buyers assess value, risk and integration challenges. M&A due diligence usually covers multiple areas, including:

  • Financial due diligence (income, assets, liabilities)
  • Legal due diligence (contracts, disputes, intellectual property)
  • Operational due diligence (supply chain, systems, scalability)
  • HR due diligence (talent, compensation, culture)
  • IT and cybersecurity due diligence
  • Regulatory and ESG due diligence

What tools or software can support due diligence?

Popular due diligence tools empower businesses to mitigate compliance risks, uncover hidden concerns such as reputation issues and ensure regulatory alignment at every stage. Look for tools or software with features like:

  • AI due diligence reports provide an immediate snapshot of key risks with a summary of key information to help you make decisions quickly.
  • Core integrity and compliance checks powered by Open Source Investigations (OSI), a focused, analyst-led business intelligence report.
  • Enhanced due diligence with extensive field research conducted in local languages by a field investigator and in-depth online research.
  • Targeted risk assessments for your most complex legal, regulatory and compliance questions.

Learn more about Diligent Due Diligence Services >

Diligent
security

Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about your rights and facilitating their exercise. You're in control, with the option to manage your preferences and the extent of information shared with us and our partners.
© 2025 Diligent Corporation. All rights reserved.