ExistBefore
IT

Corporate

How to document internal due diligence

Internal due diligence helps uncover what is truly happening inside a process, department, project, or group company. The point is to properly document the journey before someone says "this analysis is incomplete" or "that document wasn't there". Collect, organise, and lock down key versions.

5 min read

1. How it usually happens

Internal due diligence often stems from a concrete situation: a change in management, the entry of new partners, a departmental audit, an extraordinary corporate transaction, an HR review, suspected inefficiencies, supplier vetting, cost auditing, or reconstructing past decisions.

At the beginning, everything looks neat. A shared folder is opened, documents are requested, someone promises "I'll send everything by Friday", then files arrive bearing poetic names like "final_budget_ok_true.xlsx". Meanwhile, conflicting versions pop up, forwarded emails arrive with missing attachments, and contracts are signed in one place but kept as drafts in another.

The trickiest part is that internal due diligence can brush up against personal interests. Someone might find it convenient to hand over only part of the documents, delay access, produce a more accommodating version, or claim certain information was available all along. Sometimes the problem is just disorganisation; other times, disorganisation is highly beneficial to someone.

There's also an unusual viewpoint: due diligence doesn't just snapshot documents, it snapshots internal collaboration. Who replies, who stays silent, who changes their story, who attaches incomplete files. In some companies, the real discovery isn't the hidden contract, but the way that contract suddenly materialises after three reminders.

2. What you need to prove

When documenting internal due diligence, you must be able to reconstruct what was asked for, what was received, when, from whom, and in what version. You must also distinguish between available material, missing material, disputed material, and material that arrived later.

In concrete terms, it can be useful to prove:

  • the existence of a specific document version on a given date;
  • the exact content of reports, contracts, tables, communications, or presentations;
  • which documents were requested and within what scope;
  • who sent or uploaded the files;
  • when a document was received;
  • whether a file was complete, incomplete, modified, or replaced;
  • what clarifications were sought;
  • what answers were provided;
  • which areas were found lacking documentation or incoherent;
  • what conclusions were already formulated prior to later disputes.

The point is not to turn every file into a truth carved in stone. The point is to make the process of collection, analysis, and preservation verifiable.

3. What to collect

Internal due diligence must be documented like an orderly case file, not a trawling exercise in the "Shared" folder. You must bind together documents, context, and communication trails.

Neatly collect:

  • initial due diligence request or internal mandate;
  • scope of analysis;
  • list of requested documents;
  • request and reminder emails;
  • original files received;
  • contracts, agreements, purchase orders, quotes, and invoices;
  • management reports, budgets, forecasts, and actuals;
  • org charts, internal policies, and procedures;
  • relevant HR documents, in compliance with applicable rules;
  • screenshots of shared folders, portals, or corporate systems;
  • exports from ERPs, CRMs, or internal platforms;
  • relevant corporate chats, when useful and properly exported;
  • meeting notes, interviews, and received clarifications;
  • PDF versions of analysed documents;
  • log of missing or late documents;
  • final report or summary memo;
  • attachments referenced in the report.

When material is sensitive, it's wise to separate what is needed for analysis from what contains personal data or confidential information not strictly required. Due diligence should be useful, not an elegant landfill with an index.

4. How to proceed

Before starting, define the scope: area under review, timeframe, people involved, types of requested documents, and practical objective. Due diligence without a scope is like a treasure hunt organised by committee: everyone is looking for something, few know what.

Next, prep a simple matrix listing requested document, responsible party, request date, receipt date, received version, any anomalies, and status. This tiny log becomes precious when someone claims "it was all available already".

Proceed as follows:

  • create a folder dedicated to the due diligence;
  • separate requests, received documents, analysis, drafts, and conclusions;
  • assign coherent file names with date, source, and content;
  • keep original files without editing them;
  • create working copies for notes and analysis;
  • export key documents to PDF;
  • keep emails, chats, and cover messages;
  • log missing documents, inconsistencies, and replacements;
  • lock key received versions in time;
  • also lock the final report or major interim memos in time.

During analysis, avoid directly correcting the received documents. If you need to comment, use a separate copy or memo. If a file changes, save the new version with a distinct date. Should information arrive late, record when it arrived and its impact on the conclusions.

5. Mistakes to avoid

The most frequent mistakes stem from rushing and over-relying on "it's all in the shared folder". Shared folders are handy but can change without everyone realising what was added, removed, or swapped.

Above all, avoid:

  • starting without a written scope;
  • accepting documents without noting source and receipt date;
  • working directly on original files;
  • mixing drafts, final versions, and annotated copies;
  • losing emails and cover messages;
  • ignoring missing documents;
  • accepting file replacements without keeping a trace;
  • writing conclusions without linking them to attachments;
  • sharing sensitive materials with uninvolved parties;
  • collecting more personal data than necessary;
  • leaving the final report disconnected from gathered evidence.

A useful tip is preparing a document index, however simple. When debates heat up, a well-made index is worth ten "I sent it to you" messages. It also helps separate real problems from corporate folklore.

Free certification is useful because it allows you to lock down key document versions and the report before they are replaced, disputed, or conveniently reread.

6. After the documentation

Once the material is collected and ordered, prepare a clear summary: scope analysed, documents received, documents missing, anomalies found, analysis limits, and operational conclusions. The summary must allow those who haven't followed every step to understand what was vetted and what remains unresolved.

Share the file or report only with authorised parties and involve relevant internal functions: governance, finance, HR, compliance, internal audit, management control, or operations direction, depending on the topic. Should sensitive profiles emerge, consulting external experts in corporate organisation, risk management, corporate transactions, or commercial disputes may be appropriate.

If someone challenges the due diligence outcome, go back to the timeline: request, receipt, version, analysis, conclusion. Well-ordered documentation cuts through vague arguments and redirects the focus to available facts, missing documents, and decisions to be made.