Deal
Due diligence

Due diligence checklist in a company acquisition: review areas, data room and red flags

Due diligence checklist in a company acquisition: review purpose, key workstreams, data room, red flags and transfer of findings into the SPA.

BRANDAUER Rechtsanwälte
Your law firm

BRANDAUER Rechtsanwälte

Salzburg law firm for corporate, company and transaction law

Every transaction is handled by a coordinated team of lawyers, legal staff and specialists. In company acquisition matters we look at structure, contract, tax and liability together.

15 June 2026 · Mag. Bernhard Brandauer, Rechtsanwalt

Due diligence is the heart of every company transaction. In it the buyer reviews the target company before committing in a binding way. Whoever works superficially here buys risks that become expensive later. Whoever reviews in a structured way secures the factual basis for the purchase price, the warranties and the indemnities.

This post explains the purpose of due diligence, which review areas have to be worked through and how an ordered data room carries the process. The focus is on the typical red flags, the significance of change-of-control clauses and the question of how the findings flow into the purchase contract.

From a lawyer perspective due diligence is not a mere comparison of files but the bridge between the review and the contract. Every identified weakness can be translated into a negotiating position. An initial orientation on the start of the deal is given in the post on LOI and NDA.

Classify your review process

Is your due diligence robustly set up?

Answer one or two questions on the data room and the review areas. You receive an initial classification of whether your review holds or whether gaps loom.

Already know you want to get in touch? Go straight to the enquiry form.

01 Question 1

Is a structured data room with a clear index available for the review?

An ordered data room with a table of contents is the basis of any robust due diligence. Only it makes completeness and gaps visible.

All paths at a glance

Overview of all answers.

01

Without an ordered data room the completeness of the review cannot be judged.

If the documents arrive unsorted, due diligence lacks its foundation. Insist on a structured data room with an index, clear folder levels and a governed question-and-answer process. Only this makes visible which documents are missing and where the seller must disclose. Our focus page on due diligence offers more depth.

Record every question asked and every answer given. This documentation later carries the warranty catalogue and the indemnities in the purchase contract.

02

The review is well set up, now the use of the findings matters.

If the data room and the review areas are cleanly organised, the due diligence is solidly set up. Make sure now that the findings of the individual advisers come together in a joint report and are weighted by materiality. Decisive is that red flags are clearly named and translated into the negotiation.

Identified risks belong in the purchase price, the warranty catalogue or an indemnity. How this translation succeeds is shown in the post on the warranty catalogue in the purchase contract.

03

Without clear responsibilities, risks remain open between the review areas.

A selective or uncoordinated review regularly overlooks the risks that lie at the interfaces: such as a change-of-control clause in an important supply contract or a data protection legacy issue. Assign every review area to a responsible adviser and reconcile the findings with one another.

Have the scope of review fixed before the start. An incomplete due diligence weakens your position when negotiating warranties and the purchase price.

The purpose of due diligence

Due diligence pursues three aims. It is meant to clarify the economic and legal situation of the target company, to make hidden risks visible and to create the basis for valuation. The buyer checks whether the company delivers what the seller holds out and whether the offered price is justified.

At the same time due diligence shifts the evidentiary and negotiating position. What the buyer identifies in the review and the seller discloses cannot later be asserted as a concealed defect. This disclosure limits the warranty catalogue and determines which risks remain with the buyer.

For this reason the review is never an end in itself. It supplies the material for the negotiation of the purchase price, the warranties and the indemnities. Without careful due diligence the acquirer buys blind, and the seller remains uncertain which assurances it can give in good conscience.

The review areas at a glance

A complete due diligence covers several areas. Legal due diligence examines articles of association, material contracts, permits and pending proceedings. Financial and tax due diligence scrutinise annual accounts, liquidity, liabilities and tax risks. Commercial due diligence looks at the market, customers and competition.

In addition come the people and protection related areas. The HR and employment law review captures employment contracts, pension commitments and questions of the transfer of business under the AVRAG. The IP review secures trademarks, patents and licences, the IT review the technical infrastructure. Data protection, environment including legacy contamination and compliance round off the catalogue. The individual areas are deepened in the posts on data protection due diligence and on vendor due diligence.

Which areas are reviewed and how deeply depends on the sector and the transaction size. A production business calls for a precise environmental review, a technology company for a careful IP and IT review. The concept of due diligence we explain in the glossary.

Data room, red flags and change of control

Today the review usually takes place in a virtual data room. It bundles the documents according to an index, governs access rights and documents the question-and-answer process. An ordered data room first makes visible which documents are missing and where follow-up is needed. Every question and every answer should be recorded in an audit-proof way.

In the course of the review red flags emerge, that is findings that endanger the value or the completion. These include unclear ownership, looming litigation or missing permits. Particular attention is required by change-of-control clauses in material contracts. They give a contractual partner a right of termination when the ownership of the company changes.

Such clauses can endanger important customer or financing contracts and must be handled before completion, for example by obtaining consents. Which conditions have to be met by closing is shown by our M&A transaction risk profile.

The central review areas

What due diligence watches in each area

Each review area brings its own risks. This overview shows what to watch for and which finding has consequences for the contract.

Review areas of due diligence with central subject of review and typical red flag
Review area Central subject of review Typical red flag
Legal Contracts and proceedings Articles of association, permits, litigation Change-of-control clause in a key contract
Financial and tax Figures and taxes Accounts, liquidity, tax risks Hidden burdens or an open tax assessment
HR and employment Workforce and transfer of business Employment contracts, pensions, AVRAG Unclear transfer of employment relationships
IP and IT Rights and systems Trademarks, patents, licences, IT infrastructure Missing rights in central software
Data protection and environment Compliance and legacy issues GDPR processes, environmental risks, contamination A documented data breach or legacy contamination

Which areas are reviewed and how deeply depends on the sector and the transaction size. There is no uniform scheme, but there is a minimum standard of care.

Caution with a shortened review: Whoever, under time pressure, omits individual review areas or fails to translate red flags into the contract bears the risk alone later. An identified and disclosed weakness can no longer be asserted as a defect after completion. Have the scope and findings accompanied by a lawyer. Booking an initial consultation (72 euro) can quickly bring clarity.

How findings flow into the purchase contract

Due diligence does not end with the review report. Only the translation of the findings into the purchase contract creates value. A quantifiable risk, such as a looming tax claim, can lead to a reduction of the purchase price or to a targeted indemnity borne by the seller.

Non-quantifiable risks are caught through the warranty catalogue. The seller assures certain features of the company, such as the accuracy of the accounts or the existence of material contracts. If an assurance turns out to be incorrect, it is liable according to the agreed rules. How this catalogue is built is shown in the post on the warranty catalogue.

The due diligence report itself documents the review and the disclosure. It forms the basis for the negotiation and protects both sides: the buyer through transparency about the risks, the seller through the limitation of its liability to what was not disclosed.

Frequent questions

Due diligence in a company acquisition.

How long does a due diligence take? +

The duration depends on the size and complexity of the target company. For a mid-sized business a few weeks is common, for larger transactions the review can stretch over months. Decisive is not the duration but the completeness and quality of the findings. A well-prepared data room noticeably shortens the process.

Who bears the costs of due diligence? +

As a rule each side bears its own costs. The buyer pays its advisers for the review, the seller the preparation of the data room and, where applicable, a vendor due diligence. How the costs are allocated in case of a break-off of the negotiation should already be governed in the letter of intent.

What happens to risks that surface in the review? +

Identified risks are translated into the purchase contract. Quantifiable risks lead to a purchase price adjustment or an indemnity, non-quantifiable ones are caught through warranties. A disclosed risk can no longer be asserted as a concealed defect after completion, which is why the documentation of the disclosure is important.

Topics
Due diligenceData roomRed flagsChange of controlReview areas

Structuring a deal, reviewing a contract, securing the risks?

When buying a company, structure, review and contract decide. Call us directly or send an email, callback within one business day.

Contact

A direct line to the firm.

Address

BRANDAUER Rechtsanwälte GmbH Giselakai 51 5020 Salzburg