7 Types of Due Diligence in M&A: Financial, Tax, Legal and More

When a business owner sits down with their adviser and hears the words "due diligence" for the first time, the mental image is usually the same: a team of consultants reviewing spreadsheets for weeks. The reality is more layered and, when managed well, considerably more useful. A [due diligence](/en/corporate/due-diligence) process is not a uniform exercise — it is a collection of specialised disciplines, each with its own methodology, its own team and its own risk focus. Understanding what each type covers, who carries it out and how much weight it carries in the overall cost is the difference between commissioning the right process for your transaction and paying for analyses you do not need — or, worse, not commissioning the ones you do.

This guide breaks down the seven main types of due diligence in M&A transactions in Spain, with the specific scope of each, their characteristic red flags and their approximate share of the budget in a standard process.

Why understanding the types matters before you start

The most common mistake made in the early stages of a transaction is not technical — it is conceptual. Both buyers and sellers talk about “doing the due diligence” as though it were a uniform service, as though there were only one way to do it. There is not.

A logistics company with its own fleet, facilities across three regions and a hundred employees under a sector-wide collective agreement needs a radically different due diligence profile from a ten-person SaaS company with recurring dollar revenues and 80% of its value in intellectual property. In the first case, labour and environmental due diligence may be decisive. In the second, technology and legal (software ownership, client contracts) may matter more than the financial workstream.

Defining the right scope at the outset saves money, time and — most importantly — concentrates the analysis on the risks that can genuinely change the price or destroy value in the transaction.

The 7 types of due diligence

1. Financial due diligence (30-40% of total cost)

This is the core of any transactional process and is normally the first to be carried out, because its findings condition all the other workstreams.

Who carries it out: Transactional financial advisers (corporate finance), typically distinct from standard auditors. Transactional experience — not just accounting knowledge — is critical here.

What it covers:

• Quality of earnings (QoE): Adjustment of reported EBITDA for non-recurring items, owner-management costs that will disappear post-acquisition and non-sustainable revenues. Adjusted EBITDA is the basis of the price.
• Normalised working capital analysis: Determines how much cash the business needs to operate under normal conditions — which is different from working capital at the point of closing.
• Net financial debt: Includes not only explicit bank debt, but also off-balance-sheet liabilities — operating leases under IFRS 16, pension obligations, guarantees, shareholder loans, earn-out payments outstanding from other transactions.
• Off-balance-sheet contingencies: Guarantees provided, sureties granted to third parties, investment commitments or contracts with penalties that do not appear in the balance sheet but are inherited with the acquisition.

Principal red flags: Divergence between EBITDA and free cash flow generation; revenues concentrated in a single customer or contract approaching expiry; deterioration of gross margin over the past twelve months without a convincing operational explanation; debt with related parties not classified as financial debt.

---

2. Tax due diligence (20-25% of total cost)

This is where the most expensive surprises tend to hide. Tax contingencies are the most frequent source of significant price adjustments because, unlike labour or legal issues, they are usually quantifiable with precision and directly affect future cash flow.

Who carries it out: Tax advisers with M&A experience, distinct from the company’s regular tax adviser (who may have a conflict of interest).

What it covers:

• Corporate Income Tax (IS — Impuesto sobre Sociedades): Review of tax returns for the last four financial years (the statute of limitations under Article 66 of the General Tax Law, LGT), extra-accounting adjustments, deductions applied, unused tax losses (BINs) and their documentation.
• VAT: Deductions applied, exempt transactions incorrectly treated as taxable or vice versa, pro-rata deduction in mixed-activity businesses, imports.
• Withholdings: Income tax (IRPF) withheld on salaries, investment income, rentals and professional fees. Benefits in kind — insurance, vehicles, share options — are a frequent source of contingencies.
• Transfer pricing: If there are related-party transactions between group companies or between the business and its shareholders, Article 18 of the Corporate Tax Law (LIS) requires specific documentation. Its absence is a real contingency.
• Assessments and inspections: Ongoing limited verification or full inspection procedures by the AEAT (the Spanish Tax Authority — Agencia Estatal de Administración Tributaria), advance pricing agreements (APAs), pending appeals against tax assessments.

Principal red flags: Tax losses from very old years without supporting documentation; related-party transactions without a transfer pricing report; significant divergences between accounting profit and taxable base without clear justification; recent tax inspection reports that have been appealed.

For a detailed guide on this workstream, see tax due diligence in Spain.

---

3. Legal due diligence (20-25% of total cost)

The legal analysis covers the structure that underpins the company and the obligations the buyer will inherit. It is inseparable from the financial workstream because legal findings — litigation, change-of-control clauses, title defects — are the ones most likely to become conditions precedent to closing.

Who carries it out: A law firm with M&A practice, independent of the company’s regular legal adviser.

What it covers:

• Corporate structure: Share capital, shareholders’ agreements, pre-emption rights, restrictions on the transfer of shares, current powers of attorney, up-to-date entries in the Registro Mercantil (Companies Register).
• Client and supplier contracts: Termination conditions, change-of-control clauses (which may automatically terminate a contract upon a share transfer), exclusivities, penalties.
• Intellectual and industrial property: Registered trade marks (OEPM, EUIPO), patents, utility models, software copyrights, web domains, documented know-how. Verification that ownership stands in the company’s name — not in the name of the shareholder or founder.
• Litigation: Current court and arbitration proceedings, known extrajudicial claims, latent contingencies arising from past acts or omissions.
• Change-of-control clauses: Particularly in bank finance agreements (which may accelerate upon a change of control), contracts with institutional clients, or administrative concessions that require prior authorisation for transfer.

Principal red flags: Pre-emption rights held by shareholders who have not been notified or have not waived them; contracts with relevant clients that terminate automatically on a change of control; intellectual property owned personally by the founder rather than by the company; litigation with material amounts at appeal stage.

---

4. Labour due diligence (10-15% of total cost)

Labour contingencies are the hardest to quantify precisely because they depend on interpretation of the applicable collective agreement and future action by the Labour Inspectorate. However, in businesses with more than 25 employees, they are frequently the ones with the greatest impact on the final price.

Who carries it out: Employment law specialists, normally working in coordination with the legal due diligence team.

What it covers:

• Collective agreements: Identification of the applicable agreement (sector-wide, company-level, inapplication agreement), verification that salary conditions comply.
• Job classification: Verification that the employment categories in payroll match the functions actually performed. Retrospective claims for salary differences are one of the most frequent labour liabilities.
• Temporary lay-off schemes (ERTEs) and redundancy procedures (EREs): Documentation, social security contributions, pending claims from affected workers, reinstatement commitments.
• Equality plans: Obligation by headcount (from 50 employees), current registration, pay audit.
• Labour litigation: Proceedings before the SMAC (mediation service), Social Courts, and the Superior Court of Justice. Quantification of outstanding contingencies.
• Bogus self-employment: Freelance contractors whose working conditions bear the characteristics of a disguised employment relationship, with the risk of reclassification by the Labour Inspectorate.
• Social Security: Account status with the TGSS (General Treasury of the Social Security — Tesorería General de la Seguridad Social), active deferrals, unrecognised debts not reflected in the accounts.

Principal red flags: Significant increase in absenteeism rate over the past twelve months; collective litigation or claims for retrospective salary differences; freelancers working exclusively for the company for more than two years; equality plans absent in companies with a legal obligation.

---

5. Environmental due diligence (5-10% of total cost)

Largely irrelevant for most service businesses, but potentially decisive for industrial, transport, food, pharmaceutical or mining companies, and businesses with industrial real estate.

Who carries it out: Specialist environmental engineering consultancies — not law firms or general financial advisers.

What it covers:

• Environmental licences and permits: Integrated Environmental Authorisation (AAI), licensed activity permits, discharge licences.
• Contaminated land: Phase I analysis (desk review and visual inspection) and, where there are indications of contamination, Phase II (sampling and laboratory analysis). Spain’s Waste and Contaminated Land Act (Ley 22/2011) establishes obligations to declare and remediate contamination.
• Waste management: Waste producer registration, contracts with authorised waste managers, compliance with transfer obligations.
• Historic environmental liabilities: Past activities of the company or previous owners of the facilities that may have generated undeclared contamination.
• Sector regulatory compliance: Industrial Emissions Directive (IED), hazardous substances regulations, environmental reporting obligations.

Principal red flags: Facilities on sites with an industrial history (former factories, garages, petrol stations); absence of an environmental licence in businesses carrying on classified activities; hazardous waste without compliant management documentation.

The cost of a Phase I environmental audit ranges from €3,000 to €8,000 per site. Contaminated land requiring remediation can cost between €50,000 and several million euros — which is why this preliminary investment always pays for itself in transactions with environmental exposure.

---

6. Technology and IT due diligence (5-10% of total cost)

Ten years ago, it was exceptional to include this in transactions involving non-technology companies. Today it is advisable in virtually any mid-sized business, because dependence on information systems, customer data as an asset and exposure to cyber attacks are cross-cutting risk factors.

Who carries it out: Cybersecurity and systems architecture consultancies, generally independent of the rest of the due diligence team.

What it covers:

• Technology infrastructure: Critical systems (ERP, CRM, production systems), their age, obsolescence, accumulated technical debt, and dependence on legacy systems without vendor support.
• Cybersecurity: Incident history, security controls in place, access management, backups, business continuity plans. The NIS2 Directive has expanded the perimeter of companies with specific cybersecurity obligations.
• GDPR and data protection: Record of processing activities, legal basis for each processing activity, data protection officer (where mandatory), impact assessments, international data transfers.
• Software licences: Licence inventory, compliance with terms of use, licences with restrictions upon a change of control of the licensee.
• Vendor lock-in: Critical dependence on a single technology supplier whose contracts may not be transferable or whose pricing may increase significantly after a change of ownership.
• Source code ownership: In software companies, verification that code is developed entirely with in-house resources or under properly executed assignment agreements with external contractors.

Principal red flags: Significant security incidents in the past three years that were not notified to the Spanish Data Protection Authority (AEPD) when notification was required; software licences not compliant with terms of use; source code with contributions from external contractors without assignment agreements.

---

7. Commercial due diligence

This is the least standardised of the seven types and, in many mid-market transactions, the one that gets omitted under pressure of time or budget. That is a mistake: commercial due diligence is the one that answers the most important question in any business acquisition — not “what does the company have?” but “how much will it continue to be worth in the buyer’s hands?”

Who carries it out: Strategy consultancies or corporate finance teams with market analysis capability. In mid-market private equity transactions, it is standard practice.

What it covers:

• Market and sector: Total addressable market, growth trends, macroeconomic factors, relevant sector regulation.
• Competitive positioning: Market share, sustainable competitive advantages (differentiated value proposition, unique assets, economies of scale, network effects), barriers to entry.
• Customer analysis: Concentration (risk if any single customer accounts for more than 20-30% of turnover), relationship tenure, revenue recurrence, satisfaction and churn risk, expansion potential with existing customers.
• Supplier analysis: Single-source supplier dependence, procurement conditions, supply chain disruption risk.
• Sector trends: Technological disruption, anticipated regulatory changes, consolidation dynamics, new entrant activity.

Principal red flags: More than 30% of turnover concentrated in a single client or group; revenues dependent on a contract approaching expiry with no clear signs of renewal; a sector with a structural trend towards margin commoditisation.

---

Vendor due diligence: when the seller does the homework first

A vendor due diligence (VDD) is a due diligence report commissioned and paid for by the seller, then made available to interested buyers. It is standard practice in competitive sale processes with several bidders running in parallel, and its use is progressively extending to mid-market transactions.

The three advantages for the seller are as follows:

First, control of the narrative. The seller knows what is there before the buyer discovers it, can decide how to present findings, and can correct — before the data room opens — whatever is correctable.

Second, acceleration of the process. A quality VDD allows buyers to build their own analysis on top of it, reducing the buyer’s due diligence from six to eight weeks to three or four. In competitive processes, time is money.

Third, a common base for all buyers. In a process with three or four potential buyers running simultaneously, the alternative to a VDD is managing three or four due diligence teams simultaneously with access to the organisation — which creates significant operational disruption and a risk of confidential information leaking.

The cost of a full VDD ranges from €15,000 to €60,000, depending on the size and complexity of the business. The return is direct: in well-executed competitive processes, a VDD consistently translates into better offers and faster closings.

---

Red flag due diligence: diagnosis before committing to the full process

Before committing to the full cost of a standard due diligence, some buyers carry out a very limited-scope process called a red flag due diligence. Its purpose is not to quantify contingencies but to identify whether there are reasons to stop the process altogether.

A red flag due diligence takes one to two weeks, requires limited access to documentation, and costs 25-40% of the full process. It is particularly useful in two situations: when the buyer is simultaneously evaluating several acquisition targets and wants to prioritise which one merits investment in a full due diligence; and when the available information about the target is scarce or unreliable, and there is genuine uncertainty about whether it is worth proceeding further.

A red flag due diligence does not replace the full process before closing. It is a first-phase filter, not a guarantee.

---

How to define the right scope for your transaction

Defining the due diligence scope should be the first joint exercise between the buyer and their principal adviser, before any formal contact is initiated with the seller. Four parameters determine the scope:

The target’s sector. An industrial company in a regulated environment requires environmental and regulatory legal due diligence. A software company requires IT and legal (intellectual property). A professional services business requires financial, tax and customer concentration analysis.

Deal size. Below €2 million, a full seven-type due diligence is rarely proportionate. Above €20 million, omitting any of the standard types is a risk that cannot be justified by the saving.

The buyer’s risk profile. A private equity fund has internal due diligence policies that are non-negotiable. A strategic industrial buyer who already knows the sector can narrow certain workstreams. An individual entrepreneur investing personal wealth should cover every relevant type without exception, because the relative risk is highest.

Findings from the preliminary phase. The first few weeks of analysis — reviewing public information, profit and loss history, corporate structure — may reveal specific risk areas that justify extending scope in some areas and reducing it in others.

A due diligence well-calibrated to the transaction type and the buyer’s risk profile is always more efficient — in cost and in time — than a generic maximum-scope process. At BMC, we work with the buyer to define that scope from day one. For transactions that also require forensic accounting — for example, where there are indications of accounting irregularities in the target — the forensic team and the due diligence team work in a coordinated fashion to maximise findings within the available timeframe.

Once the scope is defined, the natural next step is to understand how the process unfolds from planning through to contract negotiation. The full due diligence process and its five phases is covered in a separate guide, alongside a DD cost guide for Spain with updated pricing ranges for 2026.

Request a no-obligation proposal for your transaction. Within 48 hours, BMC will propose the appropriate scope and corresponding fees.