
Due diligence explained: business checklist

A practical guide to due diligence for businesses: what it covers, legal requirements in Australia, and a complete checklist across legal, financial

CheckFile Team

Due diligence is the structured process of investigating a counterparty, acquisition target, or business partner before committing to a transaction or relationship. In Australia, due diligence obligations arise from multiple sources: the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), the Criminal Code Act 1995 (including foreign bribery provisions), the Modern Slavery Act 2018, and the Privacy Act 1988.

This article is for compliance officers, finance directors, and legal teams who need to structure their due diligence process. It is informational only and does not constitute legal, financial, or regulatory advice.

What is due diligence and why does it matter?

Due diligence is a risk assessment carried out before a business decision. It confirms a counterparty's identity, ownership structure, financial health, regulatory standing, and reputation. In financial services and other regulated sectors, it is not optional -- it is a legal requirement.

AUSTRAC's AML/CTF program guidance requires reporting entities to apply customer due diligence (CDD) measures before providing designated services, under the AML/CTF Act 2006. Entities that fail to comply face civil penalty provisions: AUSTRAC has imposed penalties exceeding AUD 1.3 billion in the past five years for AML/CTF non-compliance (AUSTRAC enforcement actions).

The scope of due diligence has expanded significantly. The Modern Slavery Act 2018 (Cth) requires entities with annual consolidated revenue of AUD 100 million or more to publish a modern slavery statement. The proposed reforms to the AML/CTF Act will further expand reporting entity obligations.

The 5 types of due diligence

Due diligence is not a single exercise. The scope depends on the context: M&A transactions, new client onboarding in regulated sectors, vendor qualification, or investment appraisal.

| Type | Primary focus | Key documents |
|---|---|---|
| Legal | Corporate structure, litigation, IP, contracts | ASIC filings, constitution, shareholder agreements |
| Financial | Profitability, cash flow, liabilities | 3-5 years P&L, balance sheets, management accounts |
| Tax | ATO compliance, hidden tax liabilities | Tax returns 5 years, BAS, transfer pricing docs |
| Regulatory/AML | Sanctions, PEP status, beneficial ownership | KYC documents, source of funds, screening results |
| ESG | Human rights, environment, anti-bribery | Modern Slavery statement, ESG reports, ISO certifications |

The complete due diligence checklist

Legal due diligence confirms that a business exists, operates lawfully, and carries no undisclosed liabilities.

Documents to collect:

  • ASIC company extract: registered name, ACN/ABN, status, registered office, directors, and beneficial ownership (ASIC company register)
  • Constitution and shareholder agreements
  • Material contracts -- customer, supplier, and employment -- including change-of-control clauses
  • Schedule of current and threatened litigation
  • Intellectual property ownership: registered trademarks, patents, domain names

The Corporations Act 2001 requires companies to maintain an accurate register of members and notify ASIC of changes to officeholders and share structure (Corporations Act 2001). Failure to maintain accurate records is an offence.

Financial and tax due diligence

Financial due diligence validates the valuation and uncovers hidden liabilities. Australian M&A practice requires a minimum three-year financial review for SME transactions and five years for larger deals.

Priority checks:

  • Adjusted EBITDA and normalised free cash flow analysis
  • ATO compliance: income tax, GST, PAYG, and FBT obligations. Check for open audits via the company's tax advisers
  • Superannuation fund obligations and compliance
  • Accounts receivable ageing schedule -- DSO trends reveal underlying revenue quality
  • Directors' loan accounts and related-party transactions

ASIC company filings are publicly available but financial statements may be limited for proprietary companies -- always request management accounts for the current period directly from the target.

AML/KYC due diligence for reporting entities

For businesses classified as reporting entities under the AML/CTF Act (banks, financial advisers, remittance dealers, gambling providers, and others), customer due diligence is a statutory requirement.

Three tiers of due diligence apply under the AML/CTF Act risk-based approach:

  1. Simplified CDD: applies to low-risk customers. Duration of records retention: minimum 7 years from end of relationship.
  2. Standard CDD: the baseline for most business relationships. Verify identity, beneficial ownership, and purpose of the relationship.
  3. Enhanced CDD (ECDD): mandatory for Politically Exposed Persons (PEPs), customers in high-risk jurisdictions, and complex or unusual transactions.

Automated document verification reduces KYC processing time by 60-80% compared to manual review. CheckFile automates identity document verification, ASIC cross-checks, and address verification in line with AUSTRAC CDD requirements.

For more context on AML obligations, see our anti-money laundering compliance guide.

ESG and supply chain due diligence

ESG due diligence is increasingly mandated. The Modern Slavery Act 2018 requires entities with annual consolidated revenue of AUD 100 million or more to report on modern slavery risks in their operations and supply chains.

Checklist:

  • Modern Slavery statement (required annually for entities above the AUD 100m threshold)
  • Supplier code of conduct and audit programme
  • Carbon footprint disclosure (Scope 1, 2, and 3 emissions under TCFD/ISSB framework)
  • Anti-bribery procedures under the Criminal Code Act 1995 (foreign bribery provisions) -- documented policies and training records
  • Privacy compliance: Privacy Impact Assessments for high-risk processing

Due diligence by transaction type

| Transaction | Due diligence level | Recommended timeline | Key specialists |
|---|---|---|---|
| New regulated client (AFSL holder) | Standard to Enhanced | 2-5 business days | Compliance, front office |
| SME acquisition | Comprehensive | 4-8 weeks | Solicitors, accountants, tax advisers |
| Strategic supplier (critical) | Standard | 1-2 weeks | Procurement, legal, compliance |
| Minority investment | Comprehensive | 3-6 weeks | M&A advisers, finance |
| Standard vendor onboarding | Simplified | 24-48 hours | Procurement, compliance |

How to automate your due diligence process

The most common question from compliance teams is: How do we scale due diligence without adding headcount?

The answer lies in combining secure virtual data rooms with automated document verification. CheckFile verifies document authenticity (fraud detection, intelligent OCR, cross-document consistency checks) and integrates with existing workflows via API.

An internal benchmark across 150 due diligence files processed via CheckFile showed an average 72% reduction in document collection and verification time compared to a standard manual process. Our data from over 180,000 documents processed monthly confirms a fraud detection rate of 94.8% and an average verification time of 4.2 seconds per document.

For a comprehensive overview, see our document compliance complete guide.


FAQ

What is the difference between due diligence and an audit?

Due diligence is a pre-transaction investigation carried out by the acquiring party to inform a decision. An audit is a periodic, independent review of accounts or processes. The two complement each other: a recent clean audit shortens the financial due diligence phase but does not replace it.

Not universally. For AML/CTF reporting entities, CDD is a statutory obligation under the AML/CTF Act 2006. For businesses above the Modern Slavery Act threshold (AUD 100m revenue), supply chain due diligence reporting is required annually. For all businesses, general duties of care and the Criminal Code foreign bribery provisions create practical due diligence obligations regardless of sector.

How long does due diligence take in Australia?

SME acquisitions typically complete due diligence in 4-8 weeks. Complex transactions involving multiple entities or regulated activities can extend to 12 weeks. Reporting entity new client onboarding should complete standard CDD within 2-5 business days; ECDD typically requires 5-10 business days.

What documents does ASIC provide for due diligence?

ASIC provides: certificate of registration, company extract (including directors, shareholders, registered address), annual financial reports (where lodged), charge register, and external administration history. Most are accessible via ASIC Connect. The Australian Business Register (ABR) provides ABN details and GST registration status.

How should due diligence findings be documented?

Document findings in a written report with a risk matrix classifying each issue by probability and financial impact. Include a clear summary for decision-makers, specific items for price adjustment or warranty/indemnity protection, and conditions precedent to completion. Retain all working papers for a minimum of 7 years for ATO purposes and 7 years under the AML/CTF Act.


This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For jurisdiction-specific guidance, consult a qualified solicitor, accountant, or compliance specialist. CheckFile supports compliance teams with automated document verification -- visit our pricing page or contact us to learn more.
