An M&A diligence process in India can easily get bogged down by disorganized documents. The problem isn’t just the volume of files. It’s that most checklists tell you what to collect but not why it matters for specific Indian deal risks. This risk-focused checklist connects every document request to a decision, helping you spot ROC filing gaps, DPDP Act exposure, Labour Code readiness, and hidden change-of-control triggers.

Why Generic Checklists Fail in India

Generic checklists create false confidence. They tell a team to “check compliance” without specifying what evidence proves it, or what a lack of evidence signals.

The Simple Rule: Every Document Must Answer a Risk Question

Before requesting any document, ask yourself: What decision does this inform? Cap table disputes affect pricing. PF/ESI arrears affect closing conditions. Gaps in DPDP Act compliance affect successor liability. If a document doesn’t connect to a clear risk, it’s scope creep.

Using This Checklist in Your Data Room

Structure the data room before a single file is uploaded. Your folder architecture is the difference between reviewers finding what they need and flooding your inbox with questions. It’s a simple step that prevents major headaches.

Day 1 / Week 1 Requests (Find Deal-Stoppers Early)

Prioritize documents that can stop a deal early. This includes the Certificate of Incorporation, MOA/AOA, current cap table, statutory registers, recent ROC filings (AOC-4, MGT-7), loan documents, key licenses, and any pending regulatory notices. If it can create successor liability or block clearance, get it in Week 1.

Suggested Folder Architecture (Workstreams + Permissioning Logic)

Use top-level folders for workstreams like Corporate, Financials, Tax, Contracts, IP, HR, Litigation, Regulatory, Data Privacy, and ESG/Ops. Using a VDR like DCirrus allows for granular folder-level permissions, 2FA, and full audit trails to manage access and prove who saw what, when.

The 10-Part M&A Due Diligence Document Checklist for Indian Transactions

1) Corporate & ROC Hygiene

Request: Certificate of Incorporation, MOA/AOA, board/shareholder resolutions, statutory registers, ROC filings (AOC-4, MGT-7 for 3–5 years), and BEN-2 filings. Look for: Unfiled returns, unregistered charges, and discrepancies between registers and ROC records.

2) Transaction Structure Essentials (Share vs Asset vs Scheme)

For a share purchase, focus on cap table validation and pre-emption waivers. For an asset purchase, collect title deeds and consents for each asset. For a scheme of arrangement, gather NCLT filings and proof of compliance with the Companies Act, 2013.

3) Regulatory & Approvals

Request: Sector licenses (telecom, NBFC), CCI merger filings, FEMA/RBI approvals for cross-border transfers, and key environmental permits. Look for: Lapsed licenses and missing FEMA filings.

4) Financials & Accounting Records

Request: Audited financials (3–5 years), current management accounts, fixed asset register, and related-party transaction schedules. Look for: Qualified audit opinions, large unexplained RPTs, and off-balance-sheet exposures.

5) Tax (Income Tax, GST, TDS, Stamp Duty)

Request: Income tax returns (3–5 years), assessment orders, GST returns (GSTR-1, GSTR-3B), and TDS returns with Form 26AS reconciliation. Look for: Unresolved tax demands, GST turnover mismatch, and TDS defaults.

6) Material Contracts & Commercial Obligations

Request: Top customer/supplier agreements, financing agreements, and JV/shareholder agreements. Focus on: Change-of-control clauses that terminate or require third-party consent post-closing.

7) Litigation, Disputes & Contingent Liabilities

Request: A list of all pending litigation, copies of legal notices, and any pending show-cause notices from authorities. Look for: A pattern of regulatory non-compliance or claims not reflected in the accounts.

8) IP & Technology

Request: Trademark/patent/copyright registrations, IP assignment agreements from founders and employees, and third-party software license agreements. Look for: IP held in a promoter’s name or reliance on unlicensed software.

9) People, HR & Labour Codes Readiness (2025)

Request: Key employee contracts, PF/ESI registration and payment confirmations, and contract labor agreements. Labour Codes checks: Verify how the new wage definition impacts PF contributions and whether contractor classification creates social security liability.

10) Data Privacy & DPDP Act Diligence (Proof, Not Policies)

The DPDP Act 2023 creates successor liability. You need proof of compliance, not just policies. Request a data inventory, consent records, data processing agreements, cross-border transfer records, and any data breach logs. A VDR like DCirrus supports this with DRM controls, watermarking, and data localization options.

Turning Findings into Deal Protections

Translate your findings directly into deal protections. A simple rating system helps decide the next step.

A Simple Red/Amber/Green Mapping to Actions

Rating	Meaning	Deal Response
Red	Material, unresolvable risk	Walk away or demand a hard CP before signing
Amber	Quantifiable, manageable risk	Specific indemnity, escrow, or disclosure
Green	No material risk found	Standard rep/warranty coverage

This way, tax demands can be ring-fenced in indemnity baskets, and DPDP findings can inform specific representations about regulatory compliance.

---

Implementation: Who Collects What

Owners, Reviewers, and Approvers (and Where Q&A Lives)

Assign a named owner for each workstream to upload documents and answer questions. The merchant banker usually manages the master checklist. All Q&A should happen inside the data room, not in email, to maintain a clear audit trail.

Common Data Room Mistakes That Slow Indian Transactions

Avoid common errors like missing contract amendments, disorganized folder structures, and uncontrolled downloads. A VDR with AI-powered search, like the one in DCirrus, helps reviewers quickly find specific clauses in large document sets.

Summary and Next Steps

A diligence checklist is a tool for finding risk, not just a filing exercise. Prioritize deal-stoppers, connect documents to risk questions, and go deep on DPDP Act and Labour Codes readiness. Your first step is to set up the VDR folder structure before any documents arrive.

FAQ

Is an M&A due diligence checklist mandatory under Indian law? No, but it’s a best practice. For SEBI-registered merchant bankers, a structured checklist provides a defensible audit trail of their diligence process.

How do I operationalize DPDP Act checks during due diligence? Request proof of practice, such as data inventories, consent records, and vendor data processing agreements (DPAs). A privacy policy by itself is not enough.

What changes in HR diligence because of the Labour Codes (2025)? Verify the new wage definition’s impact on PF contributions and check for unrecognized social security liability from misclassified contract workers.

How should the checklist differ for a share purchase vs an asset purchase? A share purchase demands a full corporate history review, as you inherit all liabilities. An asset purchase focuses on proving title and getting consent for each specific asset.

How long does M&A due diligence typically take in India? Four to twelve weeks is typical for mid-market deals. A well-organized VDR with complete documents can significantly shorten this timeline.

Who should own the Q&A and audit trail during diligence? The merchant banker typically coordinates Q&A, but the target’s team owns the responses. The entire audit trail must be captured in the data room.

Ready to Run Due Diligence Without Email Chaos or Leakage Risk?

DCirrus VDR is built for transaction-grade diligence. It offers granular permissions, full audit trails, DRM controls, AI-powered search, and data localization options that support DPDP compliance. Book a free demo to see how it works in practice.