When Money Isn’t Cheap, M&A Due Diligence Must Go Deeper
By Jim DeLoach, Former Andersen Partner and Founding Managing Director at Protiviti. He is the author of several books and a frequent Forbes and NACD contributor.
Copyright 2025 Forbes. This article originally appeared on Corporate Compliance Insights. Reprinted with permission. No further reproduction is permitted without permission from Corporate Compliance Insights.
Today’s dealmakers must scrutinize targets through multiple lenses to avoid costly post-acquisition surprises.
Higher interest rates have transformed mergers and acquisitions from a seller’s to a buyer’s market, allowing more thorough risk-based due diligence. Protiviti’s Jim DeLoach maps the critical questions dealmakers should ask about their targets’ primary assets, compliance histories, ESG performance and talent pipelines before signing on the dotted line.
The due diligence process relating to mergers
and acquisitions has changed in recent years. The process has been enhanced
with the use of digital tools and platforms, allowing for more efficient data
collection and analysis. This advancement helps acquiring companies quickly
gather and analyze large volumes of data, reducing human error and providing
more reliable insights in a timely manner. The scope of due diligence has been
expanded to include not just financials
but also inquiries into culture, human resources and ESG factors
to ensure that targets align with the acquirer’s values and long-term goals.
This line of inquiry helps companies spot potential integration issues.
To be sure, the complexity of
certain topics like environmental impacts, supply
chain, cybersecurity and data privacy has increased. During the Covid-19 pandemic, dealmaking was
forced to rely exclusively on videoconferencing, which is still used for
efficiency purposes. Videoconferencing enables stakeholders to meet across time
zones, breaking down geographical barriers. However, it doesn’t fully replace
the need for physical tours of business facilities and in-person interactions
in situations requiring a more personal touch or involving sensitive
negotiations. Its use depends on the circumstances.
But the more important shift is due to cheap
money becoming a relic of the past. Cheap money, fueled by historically low
interest rates, enabled buyers to raise funding to execute deals, putting
sellers in an advantageous seller’s market in which they could emphasize speed
and competition by limiting the time available for buyer due diligence.
As the cost of capital rises, sellers’
influence over due diligence wanes and the M&A space shifts toward a buyer’s
market, which allows buyers to exert more control over the scope of the due
diligence process. Thus, traditional due diligence has given way to a risk-based approach that considers the higher cost
of capital and focuses on identifying and understanding potential issues that
could frustrate the combined entity’s achievement of the value expected from
the acquisition. This shift in due diligence is resulting in a deeper dive into
several areas through more focused questions.
My goal here is not to add yet another list of questions to the literature; rather, it’s to suggest the most important questions the due diligence team should ask.
What are we buying?
Fundamental to the process is the “primary
asset” question: What are we buying? Answers to this question influence so much
of the deal preparation, due diligence and integration/separation planning and
execution processes that it must be answered early and repeated often. The
M&A focus is driven by the “what,” as needs can shift dramatically
depending on the primary asset being acquired (e.g., technology, customer
relationships, intellectual property, workforce, licenses and contracts, among
others).
Key questions to ask include:
- What is the primary asset acquired in this transaction? How
does it support our strategic objectives? Are we buying capabilities or
seeking cost synergies?
- What asset-specific considerations do we need to address? How
is the due diligence process affected by these considerations? Are we
talking about physical or financial assets; the differentiating skills,
experience and knowledge of the target’s human capital; existing contracts
and agreements with customers, suppliers, partners and employees;
properties or operations that could have environmental impacts; software,
databases and technology infrastructure; or intangibles (intellectual
property and brands)?
- Could we develop the targeted primary asset more cost
effectively if we built it ourselves?
With this context, six areas of interest are addressed here. There may be other areas.
Supply chain resilience
Since the pandemic exposed the fragility of
global supply chains, third-party evaluations have become increasingly
important. In this post-pandemic world, there is a need to evaluate all
significant aspects of the target’s supply chain that may be utilized going
forward. This means there must be a careful assessment of worst-case scenarios
that consider the target’s supplier and third-party dependencies; documented,
actionable response plans; and established accountabilities for their
execution. The insights from this assessment should be used to structure the
due diligence questions.
Examples of relevant questions to ask include:
- Who are the target’s key suppliers, and do vulnerabilities
exist within the supply chain looking all the way upstream to second- and
third-tier suppliers, considering financial stability, concentration risk
and potentially disruptive bottlenecks to inbound logistics?
- What is the target’s global footprint, and how could it
affect the supply chain? Where are materials handling processes being
administered? Are contractor or labor sourcing relationships involved in
managing or coordinating the materials supply chain, and, if so, how
reliable are these relationships and how critical is their contribution?
- Are there any sustainability or social responsibility issues
in the target’s supply chain that are not aligned with our company’s
values and could present post-acquisition reputational issues?
- Are there potential value-creating synergies between the
target’s supply chain and our supply chain that will facilitate growth?
- If the transaction is an integration, can major supplier
contracts be voided post-acquisition to realize expected savings and
efficiencies?
- What are the target’s other significant third-party relationships, and do the contractual relationships with them present any post-acquisition concerns?
Talent pipeline and retention
Due diligence of talent can identify risk,
enhance transaction value and provide integration clarity and direction. While
attrition rates have returned to historical pre-pandemic
averages, companies are asking how they can best identify and retain
talent during due diligence rather than after the deal is consummated. Talent
retention can make or break a deal.
Relevant questions to ask include:
- Who are the target’s top performers who harbor the experience
and institutional memory needed to ensure post-acquisition success? Among
them, who presents the greatest flight risk, and what steps should we take
sooner rather than later to retain them? Are any of these performers of such
value to the business that a noncompete agreement is needed before the
deal is signed? If the target represents that noncompetes exist, have we
validated that representation?
- Is there sufficient bench strength to facilitate succession
planning?
- How does the target’s culture differ from ours? What are the
workplace expectations (i.e., remote, hybrid, in-person)? What steps
should we take to accelerate the integration process in assimilating the
two cultures and enabling effective team building?
- Do the target’s employee contracts include contractual obligations that could impact deal-pricing negotiations, e.g., change-of-control clauses, termination payments or mandatory outplacement costs? Are these costs accrued on the target’s balance sheet?
ESG
Evaluating the ESG performance of M&A targets has become an integral part of the due
diligence process, particularly with respect to environmental issues. The focus
of the process is shifting from a qualitative perspective
that considers the target’s stated values, marketing communications and other
external reports to a review of its ESG quantitative performance.
It should focus on identifying ESG initiatives and issues that present
significant post-acquisition opportunities and risks to the combined company’s
bottom line, reputation and external reporting.
Relevant questions to ask include:
- Does the target have an ESG strategy? What ESG procedures,
policies, processes and disclosure controls does it have in place?
- Which ESG metrics does the target create and monitor?
- What is the target’s track record related to ESG? Whether it
is negative or positive, how does that record impact the deal?
- Are there environmental legal or regulatory exposures the buyer would have to assume post-acquisition? If the answer is yes, are those exposures accrued on the target’s balance sheet? If not, how does that affect deal pricing?
Cybersecurity and data privacy
Due diligence cannot ignore
cybersecurity issues. Too often, these issues lie hidden in the weeds. To
illustrate, after acquiring Starwood Hotels in 2016, Marriott discovered a
data breach within the Starwood guest reservation database in 2018 that
had been ongoing for two years prior to the acquisition. Having exposed the
personal information of approximately 500 million guests, the breach led to
regulatory investigations, lawsuits and loss of customer trust. Prior to
closing its acquisition of Yahoo seven years ago, Verizon discovered two
massive cyber-attacks that resulted in a $350 million
reduction in the acquisition price.
The target’s data management strategy and
processes are also important considerations. The risks and associated penalties
and fines could amount to significant unrecorded liabilities on the target’s
balance sheet. For example, regarding the aforementioned Marriott breach, the
UK levied a fine of £99 million for violating British citizens’ privacy rights
under the GDPR,
citing the company’s failure to exercise sufficient due diligence on Starwood’s
IT infrastructure.
Relevant questions to ask
pertaining to cybersecurity and data privacy due diligence include:
- Does the target have a
strategy for identifying and mitigating cyber breaches? Has it invested sufficiently to execute that strategy
successfully?
- If cybersecurity risks are present in the target’s systems
and infrastructure, are our decisions regarding the impact of these risks
on the deal being made at the right levels? Given the timeframes and
resource constraints, how are we avoiding poor decisions leading up to the
closing of the deal?
- Given our assessment of the target’s threat landscape and
cybersecurity capabilities, have we established a post-acquisition
strategy for addressing identified and potentially unidentified risks?
What measures do we have in place to prevent any risks in the acquired
environment from contaminating our company’s existing environment?
- Do we have appropriate insurance underwriting for the
transaction that will cover risks that weren’t disclosed or identified?
- What is the target’s policy for collecting, processing, storing, using, sharing, archiving, monetizing and destroying personal data and its compliance with applicable data privacy laws and regulations in all jurisdictions in which it operates?
Compliance with laws and regulations
While this topic is implicit in areas
discussed above, it merits separate mention because companies acquiring a
business ordinarily assume its unrecorded liabilities. Accordingly, a due
diligence review of the compliance function is in order.
Relevant questions to ask include:
- What is the target’s history of compliance with applicable
laws and regulatory requirements, including its regulatory strategy,
internal policies, results of internal and external audits and regulatory
reviews and overall compliance culture?
- What are the company’s protocols and processes for
remediating control deficiencies and addressing new regulatory
requirements?
- Are there aspects of the target’s operations that expose it
to corporate misconduct, e.g., the nature of its operations, where it
operates or unrealistic performance incentives? Have there been instances
of corporate misconduct in the past?
- Do we have legal advisers who can provide input on compliance, antitrust, securities and other issues germane to the transaction?
Integration effectiveness
After a decade-low level of activity in 2023, M&A activity shows
optimistic signs of growth in 2025. With anticipation of more favorable macroeconomic conditions and
reduced regulatory scrutiny from the new US presidential administration, is the
company’s readiness sufficient to engage in the process? Realizing the true
value of a deal relies upon successful integration and utilization of the
target acquired. This reality places a premium on Day One preparation and
readiness.
Relevant questions to ask include:
- Have we evaluated prior acquisitions and assessed the
effectiveness and efficiency of our integration process? What lessons have
we learned? If this is our first time executing a deal, do we have the
right knowledge and advisers in place to complete the integration
successfully?
- Are there aspects of the target’s operations (e.g., the
workforce, key processes and systems and sources of supply) to be
integrated into our operations that warrant planning and
preparations before the deal is consummated so that the
integration process hits the ground running post-acquisition?
- Do we have the appropriate resources in place to execute an
integration? Are these resources dedicated full-time to the integration,
or will they still be responsible for their “day jobs” and thus experience
potential bandwidth challenges? If yes, do we need external support to
execute the integration successfully?
- Is our leadership team for executing the integration and each
functional workstream defined? Is it accountable for results?
- What synergies and dis-synergies are planned? Were these
appropriately considered in the purchase price? Do our integration plans
enable synergy capture?
- What are the costs to integrate the target, and do they drive
any front-end or pricing impacts?
- What major changes are we expecting, and what change
management plans are in place?
In addressing the above areas, it is important
to keep in mind the sustainability of the target’s governance plumbing. In this age of disruptive change,
sudden and unexpected surprises are the norm. Over the past two to three years,
how has management reacted to speed bumps occurring without warning? How did
they manage a crisis event?
Penetrating questions addressing the resilience of the organization in responding to challenging problems can offer transparency regarding the target’s leaders and their values and behavior under fire.
Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management.