Due Diligence
lower-mid-market advisory

The Operational Due Diligence Questionnaire: 75 Questions to Ask Before the Buyer Does

Client/Category
Exit Readiness
Industry
Private Equity
Function
Operations

The New Diligence Reality: Why Financials Are No Longer Enough

For decades, Private Equity due diligence was a financial engineering exercise. If the Quality of Earnings (QoE) report held up and the legal binders were thick enough, the deal closed. That era is over. In 2025, operational maturity is the primary driver of deal certainty—and the primary cause of deal failure.

Recent data indicates that up to 50% of M&A transactions fail during due diligence. The culprit is rarely a missed decimal in the EBITDA calculation. It is the "black box" operational risks that financial statements hide: technical debt, key-person dependency, undocumented processes, and cybersecurity vulnerabilities. In fact, 79% of deal teams now list cybersecurity as a top diligence factor, with 60% of buyers willing to walk away entirely if they find unmitigated risks.

The Concept of "Reverse Diligence"

As an Operating Partner, your job is not just to prepare the Data Room; it is to perform "Reverse Diligence"—auditing your portfolio company with the same ruthless scrutiny a strategic buyer will apply 12 months from now. If you find the skeleton first, you can fix it (or disclose it on your terms). If the buyer finds it, it costs you multiple turns of EBITDA.

We have compiled a diagnostic questionnaire of 75 questions across five critical domains. These are not soft "culture" questions. They are binary, evidence-based inquiries designed to expose the operational fragility that kills exits.

The 75-Point Operational Diagnostic

Use this questionnaire to audit your portfolio companies 12-18 months prior to exit. A "No" or "I don't know" answer to any question is a potential valuation haircut.

Domain 1: Commercial & Revenue Architecture (15 Questions)

Goal: Validate that revenue is repeatable, not just lucky.

  • 1. Do you have a documented customer journey map that aligns with your current sales process?
  • 2. Is your Revenue Quality supported by contractually enforced price escalators?
  • 3. What is your Gross Margin by specific product/service line (not blended)?
  • 4. Do you track CAC Payback Period by segment? (Is it <12 months?)
  • 5. Is Net Revenue Retention (NRR) calculated excluding price increases?
  • 6. Do any single customers represent >10% of revenue? (Concentration Risk)
  • 7. Are sales commissions tied to cash collections or bookings?
  • 8. Is there a documented "Deal Desk" process for discounting approval?
  • 9. Do you have a win/loss analysis based on CRM data, not anecdotal feedback?
  • 10. Is the sales forecast accuracy >85% on a rolling 90-day basis?
  • 11. Are there "phantom" opportunities in the pipeline older than 2x the average sales cycle?
  • 12. Do you have a formal partner/channel program with signed agreements?
  • 13. Is customer churn analyzed by reason code (product vs. service vs. price)?
  • 14. Are implementation fees positive margin or loss leaders?
  • 15. Do you measure "Time to Value" (TTV) for new customers?

Domain 2: Technical Maturity & Product (15 Questions)

Goal: Quantify the "Black Box" of IT and Product.

  • 16. Has a third-party Technical Debt Assessment been conducted in the last 12 months?
  • 17. Is Open Source licensing usage automatically scanned and documented?
  • 18. What is the ratio of R&D spend on "Keeping the Lights On" vs. "New Features"?
  • 19. Is there a documented Disaster Recovery (DR) plan tested annually?
  • 20. Do you have a formal Software Development Lifecycle (SDLC) policy?
  • 21. Is your cloud infrastructure codified (Infrastructure as Code)?
  • 22. Are there single points of failure in the engineering team (Bus Factor)?
  • 23. Is the product roadmap linked to specific revenue targets?
  • 24. Do you measure "Escaped Defects" impacting customers?
  • 25. Is there a documented API strategy for integrations?
  • 26. Are you compliant with the latest AI governance standards (if using GenAI)?
  • 27. Do you have a deprecated software inventory (End of Life tracking)?
  • 28. Is data architecture documented (Schema, Data Flow Diagrams)?
  • 29. Are third-party libraries updated automatically?
  • 30. Can you demonstrate the scalability of the platform to 10x current volume?

Domain 3: Operational Scalability & Human Capital (15 Questions)

Goal: Ensure the business survives the founder's exit.

  • 31. Is the Founder involved in closing >20% of deals?
  • 32. Are there Standard Operating Procedures (SOPs) for key delivery functions?
  • 33. Is the org chart documented with clear "Definition of Done" for roles?
  • 34. Do you track Founder Dependency metrics?
  • 35. Is employee utilization tracked weekly against billable targets?
  • 36. What is the voluntary turnover rate by department?
  • 37. Are there non-compete/non-solicit agreements for all key staff?
  • 38. Is there a succession plan for the top 3 executives?
  • 39. Are operational KPIs reviewed in a weekly formal meeting?
  • 40. Do you have a vendor management process (procurement, renewal)?
  • 41. Is there a formal onboarding process for new hires (<30 days to ramp)?
  • 42. Are functional leaders compensated on EBITDA contribution?
  • 43. Is the company reliant on "heroics" to meet delivery deadlines?
  • 44. Are there defined SLAs for internal support functions?
  • 45. Is cultural engagement measured (eNPS) regularly?

Domain 4: Legal, Compliance & Cyber (15 Questions)

Goal: Identify the "Deal Killers."

  • 46. Do you have a SOC 2 Type II or ISO 27001 certification?
  • 47. Has a penetration test been performed in the last 6 months?
  • 48. Are all employees trained on Phishing/Security awareness?
  • 49. Is there a documented Incident Response Plan?
  • 50. Are you compliant with GDPR/CCPA data privacy regulations?
  • 51. Are all IP assignments signed by employees and contractors?
  • 52. Is there any pending or threatened litigation?
  • 53. Are there "Change of Control" clauses in key customer contracts?
  • 54. Is there a comprehensive insurance policy (Cyber, D&O, E&O)?
  • 55. Are phantom stock or option grants fully documented and capped?
  • 56. Is there a formal whistleblower policy?
  • 57. Are independent contractor classifications legally defensible?
  • 58. Do you audit supplier compliance (especially for data handling)?
  • 59. Is all software fully licensed (no pirated/untracked seats)?
  • 60. Are there environmental liabilities (if applicable)?

Domain 5: Financial Infrastructure (15 Questions)

Goal: Bridge the gap between Operations and Finance.

  • 61. are financials audited by a reputable firm (not just compiled)?
  • 62. Is the "Close Process" completed within 10 days of month-end?
  • 63. Is there a 13-week cash flow forecast updated weekly?
  • 64. Are EBITDA add-backs fully documented and defensible?
  • 65. Is revenue recognition fully ASC 606 compliant?
  • 66. Do you track "Billing vs. Revenue" reconciliation monthly?
  • 67. Are there aged receivables >90 days (DSO health)?
  • 68. Is the budget vs. actual variance <10% consistently?
  • 69. Are unit economics (LTV/CAC) calculated on a cash basis?
  • 70. Is there a tax nexus study for all operating jurisdictions?
  • 71. Are intercompany transactions fully documented (Transfer Pricing)?
  • 72. Is there a formal CapEx vs. OpEx policy for software capitalization?
  • 73. Are board decks standardized and automated?
  • 74. Is there a "Quality of Earnings" (QoE) prep file ready?
  • 75. Can you produce a "Customer Profitability" report instantly?
If you find the skeleton first, you can fix it. If the buyer finds it, it costs you multiple turns of EBITDA.
Justin Leader
CEO, Human Renaissance

Scoring and Remediation: The "Red Flag" Threshold

Completing this questionnaire is only the first step. The value lies in the scoring. We recommend a simple binary scoring system: 1 point for "Yes" (with evidence), 0 points for "No" or "Partial."

  • Score > 65: Exit Ready. This company will command a premium multiple. The data room will be clean, and buyer confidence will be high.
  • Score 45 - 65: Operational Yellow Zone. You have 6-9 months of work. Prioritize the "Deal Killers" (Cyber, IP, Revenue Recognition). Expect a protracted diligence process if you go to market now.
  • Score < 45: Distressed / Not Ready. Do not go to market. The risk of a failed process or a massive re-trade is near 100%. Focus on Operational Engineering immediately.

The 100-Day Sprint to Readiness

If your portfolio company scores in the Yellow Zone, you need a "Get Well" plan. Start with Technical Debt and Cybersecurity—these take the longest to fix and scare buyers the most. Next, attack Revenue Quality; move customers to standard contracts and clean up the pipeline. Finally, document the SOPs. A buyer pays for a machine, not a magician. If the processes live in the founder's head, you are selling a magician.

Operational Due Diligence is no longer a checkbox. It is the defensive moat that protects your multiple. Ask these questions now, or prepare to answer them when the price is being renegotiated.

50%
Deals that fail during Due Diligence
79%
Deal teams citing Cyber as top risk
Let's improve what matters.
Justin is here to guide you every step of the way.
Book a call
Citations

We're ready to respond to your doubts

Understanding your habits and bringing future possibilities into the present.
Get Started
Our Services
Operator-led turnaround & performance improvement for the lower-middle market.

$500M+ in value delivered.
© 2026 Human Renaissance