You're deep into a deal. Everything looks promising on the surface. The numbers seem solid, the business looks healthy, and the other party appears confident. But then you start reviewing the documents and something doesn't quite add up.
This is the moment due diligence is designed for.
Due diligence is the process of verifying what you've been told before you commit. Whether you're acquiring a company, closing an investment round, entering a major partnership, or completing a property transaction, due diligence is your chance to look under the hood. And in that process, red flags are the signals that tell you something deserves a second look.
The problem is, red flags don't always wave themselves in front of you. Some are obvious. Others are buried in financial statements, hidden in unsigned contracts, or scattered across hundreds of documents shared in a disorganized way. If you're not looking carefully, and if you don't have the right tools, they're easy to miss.
This guide walks you through what due diligence red flags actually are, what the most common ones look like, how to report them clearly, and what tools make the whole process more reliable. We'll also cover how a virtual data room like Ellty helps you run a controlled, trackable review so fewer things fall through the cracks.
A red flag in due diligence is any piece of information, document, pattern, or behavior that raises a concern about the deal, the counterparty, or the documents being reviewed. It doesn't always mean the deal is doomed. But it does mean you need to stop, look more closely, and decide how to proceed.
Red flags come in many forms. Some are factual, like a company's financials not matching what was represented in earlier conversations. Others are behavioral, like a party being slow to provide documents, selective about what they share, or defensive when asked routine questions. Some are structural, like a business with no clear ownership records or contracts that don't cover what they should.
The important thing to understand is that a red flag is not automatically a deal-breaker. It's a signal that asks for more information. What you do with that signal depends on how serious it is, how it was explained (or not), and how it fits into the bigger picture.
That said, some red flags are serious enough that they should stop a deal entirely. The skill is knowing the difference, and that starts with knowing what to look for.
Red flags appear across every part of a due diligence review. Here are the most important categories and what to watch out for in each.
Financial information is usually the most scrutinized part of any due diligence process, and for good reason. Numbers can be adjusted, smoothed, or presented selectively to create a more favorable picture.
Inconsistent financial statements. If revenue figures in a pitch deck don't match the audited accounts, that's a problem. Even minor inconsistencies deserve an explanation. They could be a simple accounting difference, or they could suggest that numbers have been presented in a misleading way.
Unusual spikes or drops in revenue. A sudden jump in revenue right before a deal, or a sharp drop that isn't explained, should prompt questions. Sometimes there's a legitimate reason. Other times it's a sign of window dressing or a business in trouble.
Heavy reliance on a single customer or contract. If more than 30-40% of revenue comes from one source, the business is fragile. Losing that client could change the entire financial picture.
Unclear or messy debt structure. Debt that isn't clearly documented, off-balance-sheet liabilities, or personal loans from directors that haven't been properly disclosed are serious concerns.
Tax issues or pending audits. Outstanding tax obligations, ongoing tax disputes, or a history of late filings are worth investigating carefully before committing to any deal.
Ongoing litigation. Any pending lawsuits, regulatory investigations, or unresolved legal disputes should be disclosed upfront. If they're buried in footnotes or mentioned only when asked, that's a red flag about transparency, not just the litigation itself.
Missing or incomplete contracts. Key supplier agreements, customer contracts, or partnership agreements that are missing, expired, or unsigned create real business risk. You need to know what agreements are actually in place and whether they're enforceable.
Intellectual property problems. Ownership disputes over key IP, unregistered trademarks, software built on improperly licensed code, or patents that haven't been properly assigned to the company are all serious issues.
Regulatory non-compliance. If a business operates in a regulated industry and hasn't kept up with licensing requirements, filings, or regulatory changes, you could be taking on significant liability.
High employee turnover. This matters most at the leadership level. If the CFO, COO, or other senior staff have cycled through in recent years, it's worth understanding why.
Lack of documented processes. A business that runs entirely on informal knowledge, with no documented systems or processes, is far more difficult to transition and much more dependent on specific individuals staying involved.
Unclear ownership structure. Beneficial ownership that isn't clearly documented, nominee shareholders, or complicated multi-layer holding structures can signal governance issues or attempts to obscure who actually controls the business.
Customer concentration and contract terms. Check whether major customer contracts are transferable. Some contracts include change-of-control clauses that allow customers to exit if the business is sold.
These are often overlooked, but they matter a lot.
Slow or selective document sharing. If a party takes unusually long to provide standard documents, provides them only in pieces, or consistently avoids sharing certain types of records, it suggests something they don't want you to see.
Reluctance to answer follow-up questions. Standard due diligence includes a Q&A process. If responses are vague, deflecting, or surprisingly defensive, that's a signal.
Excessive pressure to close quickly. Every deal has a timeline, but if you're being rushed past proper review with urgency that doesn't seem justified, it may be because scrutiny would surface problems.
Unexplained document gaps. Documents that should exist but are said to be unavailable, "being updated," or "with legal" for an extended period deserve follow-up.
Once your team has completed the review, you need a structured way to document and communicate what was found. A red flag report is that document. It's a clear summary of every concern identified, how serious it is, and what action is recommended.
Here's a simple template structure you can adapt for your own process:
Red flag report - [Deal name / Company name]
Date of review: [Date]
Prepared by: [Name / Team]
Review scope: [e.g., financial, legal, operational]
Executive summary
A short paragraph summarizing the overall findings and the level of concern. This helps senior stakeholders quickly understand the risk level without reading every line.
Red flag log
| Category | Description | Severity | Status | Recommended action |
|---|---|---|---|---|
| Financial | Revenue figures in pitch deck differ from audited P&L by 18% | High | Unresolved | Request reconciliation and explanation |
| Legal | Three supplier contracts expired and not renewed | Medium | Unresolved | Obtain current agreements or confirm verbal extensions |
| Operational | No documentation for customer onboarding process | Low | Noted | Request process documentation before close |
Severity guide
Outstanding document requests
List any documents that were requested but not yet received, with the date first requested.
Next steps
Clear actions, owners, and deadlines for resolving each outstanding item.
This structure keeps everything organized and makes it easy to track which concerns have been addressed and which are still open. It also creates a record for later reference if disputes arise after the deal is complete.
Having a good template helps after the review. But during the review, the quality of your process depends on the tools you use and the habits your team follows.
Don't start a due diligence review without a clear list of every document you need to see. Organize it by category (financial, legal, HR, operational, IP) and send it to the other party before the review begins. This creates a clear baseline of what was requested and makes gaps obvious.
If something that should be on the list never shows up, that's worth noting.
When documents are shared over email or general file sharing tools, version control becomes a problem quickly. You may receive updated financials without knowing what changed, or review a contract that has since been replaced. A dedicated document environment keeps everything organized and timestamped.
One of the more underrated tools in due diligence is document analytics. When you can see which documents reviewers have opened, how long they spent on each one, and which sections got the most attention, you get useful signals. If a reviewer spent significant time on a particular section, it might be worth asking why. If certain documents were barely opened, you need to flag that.
A formal question-and-answer process, rather than informal email threads, creates a clean record of what was asked, who answered, and what they said. This matters during the review and after the deal, if questions arise about what was disclosed.
Don't accept any single document in isolation. Cross-reference financial statements against bank records, representations in the information memorandum against actual contracts, and headcount figures against payroll. Inconsistencies between documents are often where important problems surface.
For complex legal, tax, or technical areas, bring in specialists. A generalist review might miss a significant IP ownership issue or an obscure regulatory compliance gap. Know when to escalate.
All the best practices above assume one thing: that you have a controlled, secure environment for sharing and reviewing documents. Without that, even experienced due diligence teams struggle to stay organized.
This is where a virtual data room (VDR) becomes essential.
A VDR is a secure online environment where documents can be shared with specific parties, access can be controlled at a granular level, and all activity is tracked. It's designed specifically for sensitive document review processes like due diligence, fundraising, property transactions, and M&A.
The difference between running due diligence through a VDR versus email or general cloud storage is significant. With email, you lose control the moment you hit send. With a VDR, you decide who sees what, you can revoke access at any time, and you have a complete record of who looked at which document and when.
Ellty is a secure document sharing and analytics platform with full VDR functionality. It's designed for anyone running a deal, a fundraise, or any process that requires sharing sensitive documents in a controlled way. And unlike legacy VDR platforms, it's priced in a way that makes it accessible without a lengthy procurement process.
Here's what makes Ellty well suited to due diligence:
Granular access controls. You can set specific permissions for each reviewer or group. One party might have view-only access to financial documents. Another might be able to download certain files but not others. You control what each person can do with every document.
NDA gating. Before a reviewer can access the data room, they can be required to sign an NDA directly inside the platform. This removes the friction of handling NDAs outside the review process and ensures nothing is accessed without the right agreements in place.
Real-time activity tracking. You can see exactly who opened which document, when they opened it, and how long they spent. This gives you a live picture of where reviewers are in the process and surfaces any concerns about documents being accessed outside their agreed scope.
Dynamic watermarking. Documents can be watermarked with the viewer's identity, making it clear who would be responsible if a document was shared outside the data room.
Full audit logs. Every action in the data room is logged. This creates a clean, timestamped record that's useful both during the deal and afterward.
Restricted visitor access and group permissions. For multi-party deals with different stakeholder groups, the Ellty Room Plus plan supports group-level permissions and up to 4,000 assets per data room, keeping large, complex reviews organized.
Legacy VDR platforms often charge per user, per page, and require custom quotes that take weeks to negotiate. That model doesn't work for most deals.
Ellty uses flat, transparent pricing:
No per-user fees. No per-page fees. No surprise overages. You pick a plan and you know exactly what you're paying, whether you're sharing documents with three people or thirty.
Spotting red flags is important. But the bigger goal is running a due diligence process that's thorough, organized, and well-documented from the start. Here are the practices that make the biggest difference.
Start with a scope definition. Before you request a single document, agree on what the review will cover. What areas matter most for this particular deal? What's the timeline? Who on your team is responsible for each section? A clear scope prevents important areas from being skipped and keeps the process on track.
Standardize your document request list. Use a consistent template for every deal rather than building a new list each time. This saves time, reduces the chance of missing something, and makes it easier to compare what was received against what was asked for.
Set clear timelines for document delivery. Tell the other party upfront the date by which you need documents. This creates accountability and makes it clear when delays are significant. A party that consistently misses document delivery deadlines is telling you something about how organized they are.
Assign clear ownership within your review team. Each section of the due diligence review should have a named person responsible for it. This prevents duplication, ensures coverage, and makes it easy to track progress.
Document everything. Keep records of what you requested, what you received, when you received it, what questions you asked, and what answers you got. This protects you if disputes arise later and creates a useful reference if the deal takes longer to close than expected.
Keep communication through the data room. If possible, run all Q&A through the VDR rather than email. This keeps everything in one place and creates a clean audit trail.
Don't rush past yellow flags. Not every concern rises to the level of a red flag immediately. But if something doesn't feel right and you can't explain it, keep pulling at it. Yellow flags that go unaddressed often turn red.
Get external specialists involved early. If you know you'll need a tax specialist, an employment lawyer, or a technical reviewer, bring them in at the start, not at the last minute. Last-minute specialist reviews are rushed and more likely to miss things.
Agree on a closing conditions checklist. Before completing the deal, make sure all conditions have been met and all outstanding items from the red flag log have been resolved or formally accepted. Never close with open high-severity items unless you've made an explicit, documented decision about how to handle them.
A red flag is a warning sign that requires more investigation. It means something deserves closer attention, not necessarily that the deal should stop. A deal-breaker is a finding that, after investigation, is serious enough to make the deal unviable or unacceptable, either because the risk is too high, the liability is too significant, or the information provided turns out to have been materially inaccurate. Many red flags get resolved through explanation or documentation. Some escalate to deal-breakers. That distinction usually becomes clear once you dig deeper.
There's no fixed number. A single high-severity red flag, like evidence of fraud or a major undisclosed legal liability, can be enough to walk away. On the other hand, a deal with several low-severity flags might still be entirely viable once each issue is explained and documented. What matters is the nature of the flags, whether they've been satisfactorily resolved, and whether they change the value or risk profile of the deal in a meaningful way.
Yes. How the other party manages the document sharing process tells you a lot. If documents are disorganized, shared in pieces, frequently updated without explanation, or if access is selective and slow, those are behavioral red flags. A party that runs a clean, well-organized data room is signaling that they're prepared and transparent. A party that shares documents over email in inconsistent formats, misses delivery timelines, and is hard to pin down on outstanding requests is signaling something else.
Log it in your red flag report, categorize its severity, and prepare specific questions for the other party. Don't raise concerns informally. Ask for written responses through the agreed Q&A process so you have a record. Depending on the severity, you may also want to involve legal counsel or a specialist before proceeding. If the response to a red flag is unsatisfying or raises more questions than it answers, that itself becomes a more serious concern.
Not every situation requires a full branded data room, but any process that involves sharing multiple sensitive documents with multiple parties benefits significantly from one. If you're running a review with more than two or three parties, covering more than one document category, or managing a deal where confidentiality and audit trail matter, a VDR is worth using. Platforms like Ellty make this accessible at a price point that doesn't require an enterprise budget.
The time depends on the type and complexity of the deal. A straightforward small business acquisition might take two to four weeks. A large M&A transaction or a complex property deal could take several months. The timeline is typically set at the start of the process, with agreed milestones for document delivery, Q&A, and sign-off. Delays in document sharing are one of the most common reasons due diligence runs longer than planned.
Behavioral and process-related red flags tend to be underweighted compared to financial and legal ones. Reviewers naturally focus on numbers and documents, but some of the most important signals come from how the other party behaves throughout the process. Slow document delivery, vague answers to specific questions, resistance to standard requests, and inconsistent messaging are all patterns that deserve attention, even if no single document shows an obvious problem.
Due diligence is not just a formality. It's the process that protects you from making a costly decision based on incomplete or misleading information. Red flags are the signals that tell you to slow down, ask more questions, and look more carefully before you commit.
The good news is that with the right process and the right tools, most red flags are catchable. A structured document request list, a clear Q&A process, a well-maintained red flag report, and a secure environment for sharing and reviewing documents all contribute to a review that's thorough rather than superficial.
A virtual data room isn't just a storage tool. It's where document control, access management, and activity tracking come together. And when those elements are in place, you're not just better at spotting red flags. You're running a process that's harder to manipulate and easier to defend.
Ellty is built for exactly this kind of work. Whether you're running a small deal or a complex multi-party transaction, the platform gives you the controls you need without the complexity and cost of legacy VDR systems. Flat pricing, quick setup, and the features that actually matter for due diligence.