What is Due Diligence and Why Does it Matter?
Due diligence is the process of verifying that what the seller claims is actually true. It's the difference between buying a profitable asset and inheriting someone else's problems.Most first-time buyers skip it β or rush through it β and regret it within 90 days. They discover hidden costs, inflated traffic numbers, or supplier agreements that don't transfer. By then, the money is gone and the escrow is released.
The average due diligence period runs 14 to 30 days after signing a Letter of Intent (LOI). That window is your last line of defense before signing an Asset Purchase Agreement (APA) and wiring funds. Use every single day. This guide gives you a systematic 4-pillar framework β Financial, Traffic, Operational, and Legal β to audit any online store before you buy. Treat it as a printable checklist. If you can't check every box, you either renegotiate or walk away.Pillar 1: Financial Due Diligence (The Numbers)
Financials are where sellers hide the most. Your job is to reconstruct the real P&L from primary sources β not from the seller's summary spreadsheet.
Verifying Profit & Loss (P&L) Statements
Request a minimum of 24 months of P&L statements. Twelve months isn't enough β you need to see at least two full seasonal cycles to spot patterns, anomalies, and whether the business is truly stable or declining.Look for:
- Month-over-month consistency. Wild swings in revenue without clear seasonal reasons are a warning.
- Year-over-year growth. Is the business growing, flat, or declining? A flat business at a high multiple is a bad deal.
- Gross margin stability. Margins that compress over time suggest rising COGS or pricing pressure.
Cross-referencing with Bank Statements and Tax Returns
Never trust seller-provided spreadsheets alone. The P&L is only as reliable as the source data behind it.
- Bank statements show actual cash in and cash out. Compare deposits to reported revenue. Discrepancies are immediate red flags.
- Tax returns (Schedule C for sole proprietors, or corporate returns) reveal what the seller actually reported to the government. If the tax return shows $80K in profit but the listing claims $150K in SDE, someone is lying β either to you or to the IRS.
- Payment processor data (Stripe, PayPal, Shopify Payments) provides a third verification point. Request read-only access to dashboards, not exported CSVs that can be edited.
Analyzing "Add-backs" and SDE accuracy
SDE (Seller's Discretionary Earnings) is the standard valuation metric for businesses under $5M. It represents total earnings available to a single owner-operator. The formula:
SDE = Revenue - COGS - Operating Expenses + Owner Salary + Owner Benefits + One-Time Expenses The danger lies in add-backs β expenses the seller claims are personal or non-recurring and therefore adds back to inflate SDE. Common legitimate add-backs include:- Owner's salary
- One-time website redesign costs
- Personal travel charged to the business
- "Marketing tests" that look like regular ad spend
- Contractor costs labeled as "one-time" but recurring every quarter
- "Inventory write-offs" that happen every year
- Personal expenses run through the business (meals, car, phone) that are actually necessary business costs
Reviewing Cost of Goods Sold (COGS) and Advertising Spend
Ad spend is the #1 hidden cost in ecommerce acquisitions. Sellers sometimes pause or reduce advertising before listing to make margins look artificially high. When you resume normal ad spend post-acquisition, the "profitable" business suddenly breaks even.- Request read-only access to ad accounts (Facebook Ads Manager, Google Ads). Not screenshots β actual platform access.
- Calculate the true ROAS (Return on Ad Spend) over 12+ months, not just the last 30 days.
- Check if ROAS is improving, stable, or declining. Declining ROAS in a paid-traffic-dependent business is a dealbreaker.
- Verify COGS with supplier invoices. Are costs rising? Are there minimum order quantities that affect margins at current volume?
- Obtained 24+ months of P&L statements
- Cross-referenced P&L with bank statements (deposits match revenue)
- Cross-referenced P&L with tax returns (reported income matches)
- Obtained read-only access to payment processors (Stripe, PayPal, Shopify Payments)
- Verified every add-back with supporting documentation
- Confirmed total add-backs are less than 30% of SDE
- Obtained read-only access to Facebook/Google Ads accounts
- Calculated true ROAS over 12+ months
- Verified COGS with supplier invoices
- Checked for outstanding debts, liens, or tax liabilities
- Confirmed no pending chargebacks or payment processor disputes
Pillar 2: Traffic & Marketing Due Diligence (The Source)
A business is only as valuable as its ability to acquire customers. If the traffic disappears after acquisition, the revenue follows.
Google Analytics 4 (GA4) Audit: Organic vs. Paid vs. Social
Request read-only access to Google Analytics β never accept screenshots. Screenshots can be edited in 30 seconds with browser dev tools.Once inside GA4, break down traffic by source:
- Organic search: Free traffic from Google. The most valuable and defensible source.
- Paid ads: Facebook, Google, TikTok. Valuable but costs money to maintain.
- Social media: Instagram, Pinterest, YouTube. Can disappear if the seller was the face of the brand.
- Direct/branded: People typing the URL or brand name. Indicates brand strength.
- Referral: Links from other sites. Check if they're from real editorial mentions or from PBN (Private Blog Network) links that could trigger a Google penalty.
Identifying "Traffic Spikes" and Bot Traffic
Use the Wayback Machine (web.archive.org) to check the site's history. Compare the archived versions with the traffic data. Does the site's design and content match the traffic levels being claimed?Watch for:
- Sudden traffic spikes 30-60 days before listing. This is a classic manipulation β the seller runs aggressive short-term campaigns to inflate numbers right before putting the business up for sale.
- Bot traffic. Check bounce rates by source. If a traffic source shows 90%+ bounce rate with 0:01 average session duration, it's likely bots. Also check GA4 for suspicious geographic concentrations (e.g., massive traffic from countries that don't match the business's target market).
- Referral spam. Ghost referrals in analytics that inflate traffic numbers but represent zero real visitors.
SEO Health: Backlink profile audit and keyword rankings
Use Ahrefs or SEMrush to audit the backlink profile. You're looking for:- Domain Rating (DR) / Domain Authority (DA). A rough indicator of SEO strength.
- Backlink quality. Are links from real, relevant sites? Or from PBN networks, link farms, or spammy directories?
- Anchor text distribution. Over-optimized anchor text (too many exact-match keywords) suggests aggressive link building that could trigger a Google penalty.
- Manual penalties. Check Google Search Console for any manual actions. A penalized site can lose 80%+ of organic traffic overnight.
- Keyword ranking trends. Are rankings improving, stable, or declining? Use historical data in Ahrefs/SEMrush to see the trajectory over 12+ months.
Paid Ad Account History: Verifying ROAS and CAC
Beyond just checking if ads are profitable, dig into the economics:
- Customer Acquisition Cost (CAC): Total ad spend / number of new customers. Is it rising or falling?
- ROAS trend over 12+ months. A business showing 4x ROAS in the last month but averaging 2x over the year is declining, not thriving.
- Ad creative fatigue. Are they cycling through new creatives, or running the same ads for months? Fatigued creatives mean rising CAC post-acquisition.
- Audience saturation. For Facebook Ads, check frequency metrics. High frequency (>3x) on prospecting campaigns suggests the audience is tapped out.
- LTV:CAC ratio. A healthy business has LTV (Lifetime Value) at least 3x the CAC. Below 2x is unsustainable.
- Obtained read-only access to Google Analytics 4 (not screenshots)
- Verified no single traffic source exceeds 50% of total
- Checked for traffic spikes in 60 days before listing
- Verified bounce rates and session duration by source (bot detection)
- Ran Ahrefs/SEMrush backlink audit
- Checked for PBN links or spammy backlinks
- Verified no Google Search Console manual penalties
- Confirmed keyword rankings are stable or growing (12+ month trend)
- Obtained read-only access to Facebook/Google Ads accounts
- Calculated CAC trend over 12+ months
- Verified LTV:CAC ratio is above 3x
- Checked ad creative freshness and audience saturation
Pillar 3: Operational Due Diligence (The Engine)
Operations determine whether the business runs smoothly after the seller leaves β or falls apart within weeks.
Supplier Agreements & Lead Times
- Are contracts written or verbal? Verbal agreements have zero enforceability. If the supplier relationship is based on a handshake, it can vanish the moment the business changes hands.
- Are contracts transferable? Some supplier agreements include non-transferability clauses. If the supplier won't work with a new owner, you've lost your supply chain on day one.
- What are the lead times? If the supplier is in China with 60-day lead times, you need enough inventory to cover the transition period plus a safety buffer.
- Are there exclusivity agreements? Exclusive supplier deals are valuable β but verify they transfer with the business.
Inventory Management & Storage Costs
- Current inventory value. Is it included in the sale price or separate? How was it valued (cost, retail, or liquidation)?
- Dead stock. What percentage of inventory hasn't sold in 6+ months? Dead stock ties up capital and may need to be written off.
- Obsolescence risk. Is the product category trending down? Check Google Trends for the main product keywords.
- Storage costs. Warehouse fees, Amazon FBA storage fees, or 3PL costs. These can eat margins if inventory turns slowly.
- Seasonal inventory risk. Does the business need to place large seasonal orders in advance? This creates cash flow pressure.
Customer Service Load & Refund Rates
- Refund rate above 5% is a warning sign. Industry average for ecommerce is 2-3%. Anything above 5% suggests product quality issues, misleading listings, or shipping problems.
- Chargeback rate. This is the hidden profit killer. Chargebacks not only cost you the sale amount but also incur fees ($15-25 per chargeback). A chargeback rate above 1% can get your payment processor account terminated.
- Customer service volume. How many tickets per day/week? What's the average resolution time? Will you need to hire someone, or can you handle it yourself?
- Customer satisfaction metrics. Check product reviews (Amazon, Trustpilot, Google Reviews). A pattern of negative reviews indicates systemic issues that won't disappear after acquisition.
- Reviewed all supplier contracts (written, not verbal)
- Confirmed supplier agreements are transferable to new owner
- Verified lead times and minimum order quantities
- Assessed current inventory value and condition
- Identified dead stock percentage (>20% = concern)
- Checked Google Trends for product category trajectory
- Calculated storage costs as percentage of revenue
- Verified refund rate is below 5%
- Checked chargeback rate is below 1%
- Assessed customer service volume and staffing needs
- Reviewed customer reviews across all platforms
- Documented all SOPs (Standard Operating Procedures)
- Identified key employees/contractors and their willingness to stay
Pillar 4: Legal & Technical Due Diligence (The Protection)
Legal and technical issues are the most expensive to fix post-acquisition. A trademark dispute or a critical software dependency can destroy a deal.
Trademarks, Patents, and Intellectual Property
- Verify trademark registration. Search the USPTO (US), EUIPO (EU), or relevant national databases. An unregistered trademark is far weaker and harder to defend.
- Check for active disputes. Search TTAB (Trademark Trial and Appeal Board) for any opposition or cancellation proceedings.
- Patent protection. If the product is patented, verify the patent is active and owned by the seller (not a third party).
- Content and brand assets. Who owns the photography, copy, and design files? Ensure all IP transfers with the sale.
Domain Ownership and Transferability
- WHOIS check. Verify the seller is the actual domain registrant. Domains registered through privacy services need extra verification.
- Expiration dates. A domain expiring in 30 days during a transition is a risk. Ensure it's renewed for at least 2 years.
- Domain history. Use the Wayback Machine to check if the domain was previously used for spam, adult content, or other activities that might carry SEO penalties.
- Email infrastructure. If the business uses domain-based email (e.g., support@store.com), ensure email accounts and any associated mailing lists transfer with the domain.
Software Stack & App Subscription Costs
Monthly SaaS costs can silently eat margins. A Shopify store might look profitable until you realize it runs on $500/month in apps.
- List every paid tool and subscription. Shopify apps, email marketing (Klaviyo, Mailchimp), analytics tools, inventory management, customer service tools, etc.
- Calculate total monthly SaaS cost. Compare this to the P&L. If SaaS costs aren't fully reflected in expenses, the profit is overstated.
- Identify essential vs. nice-to-have apps. Which apps are critical to operations and which can be cut? This helps you estimate true operating costs.
- Check for annual contracts. Are you inheriting annual commitments that can't be cancelled?
- Platform lock-in. How difficult would it be to migrate away from the current platform (Shopify, WooCommerce, BigCommerce)? Is there custom code that only works on one platform?
- Verified trademark registration and ownership
- Searched for active trademark disputes or oppositions
- Confirmed patent ownership (if applicable)
- Verified all brand assets (photos, designs, copy) transfer with sale
- Performed WHOIS check on domain β seller is registrant
- Confirmed domain expiration is 2+ years out
- Checked domain history via Wayback Machine
- Verified email infrastructure transfers with domain
- Listed all paid SaaS tools and monthly costs
- Confirmed SaaS costs match P&L expenses
- Identified essential vs. optional subscriptions
- Checked for non-cancellable annual contracts
- Verified GDPR/privacy policy compliance
- Confirmed no pending or historical legal disputes
"Normal Data" vs. "Red Flag Data" β Comparison Table
Use this table as a quick-reference during your audit:
| Metric | Healthy | Red Flag |
|---|---|---|
| Traffic sources | 3+ channels, none >50% | Single source >70% |
| Revenue trend | Stable or growing 12+ months | Declining 3+ consecutive months |
| Refund rate | Below 3% | Above 5% |
| Chargeback rate | Below 0.5% | Above 1% |
| ROAS trend | Stable or improving | Declining quarter over quarter |
| LTV:CAC ratio | Above 3x | Below 2x |
| Add-backs as % of SDE | Below 15% | Above 30% |
| Supplier contracts | Written and transferable | Verbal or non-transferable |
| Dead stock | Below 10% of inventory | Above 20% of inventory |
| SOPs documented | Complete operations manual | No documentation exists |
| Trademark | Registered and active | Unregistered or disputed |
| Domain expiration | 2+ years | Less than 6 months |
5 Major Red Flags to Watch Out For
If you encounter any of these during due diligence, proceed with extreme caution β or walk away entirely.
1. Seller refuses analytics or ad account access. This is non-negotiable. If a seller won't give you read-only access to Google Analytics, Facebook Ads, or Google Ads, they're hiding something. No legitimate seller has a reason to refuse. Walk away. 2. Revenue concentrated in one product or one traffic source. A business that makes 80% of its revenue from one SKU or gets 70%+ of its traffic from one channel is a single point of failure. One supplier issue, one algorithm change, and the business collapses. 3. Declining niche. Check Google Trends for the main product keywords. If the niche has been declining for 12+ months, you're buying a melting ice cube. No amount of optimization will reverse a structural market decline. 4. Seller stopped running ads before listing. This is a classic manipulation. By pausing ads, the seller eliminates a major expense, making the last 2-3 months of P&L look artificially profitable. When you resume ads post-acquisition, margins drop significantly. Always request 24+ months of ad spend data. 5. No SOPs or documentation. If the business only works because of the seller's personal knowledge, relationships, or daily involvement, you're not buying a business β you're buying a job. And the moment the seller leaves, critical knowledge walks out the door.The "Go/No-Go" Decision
After completing all four pillars of due diligence, it's time to make the call. Here's a simple decision framework:
Green light (proceed with confidence):- All checklists completed with no major concerns
- Financials verified from 3+ independent sources
- Traffic diversified and stable/growing
- Operations documented and transferable
- No legal issues
- 1-2 minor concerns that can be addressed with price adjustments
- Some documentation gaps that the seller can fill during the DD period
- Moderate concentration risk that you have a plan to mitigate
- 3 or more red flags from the table above
- Seller is evasive or refuses access to key data
- Financials don't reconcile across sources
- Declining trend with no clear turnaround path