A data room is not a warehouse. It is an indexed proof file for the company’s legal and economic story.
CFO and legal owner
Quarterly, and before fundraising
Create an indexed request list.
Certificate and charter documents.
Investors test whether the company exists as represented, owns the assets it sells, has authority to issue securities and can reconcile revenue, cash, cap table, taxes and contracts.
Documents should be complete, current and internally consistent. The cap table must match statutory records; financial statements should match tax and bank evidence; customer metrics should match contracts and invoices.
Access should be staged. Sensitive source code, employee data, customer information and privileged legal material need limited access, watermarking, confidentiality and a record of who viewed them.
| Control | What it covers | Operating rule |
|---|---|---|
| Corporate | Incorporation, charter, registers, minutes and filings. | Confirm authorised and issued capital. |
| Financial | Statements, MIS, bank, debt and forecasts. | Reconcile historical periods. |
| Commercial | Material customers, suppliers, pricing and pipeline. | Identify concentration and termination rights. |
| Risk | Tax, litigation, privacy, IP and employment. | Explain open items and remediation. |
Run a red-team review before investor access. Ask whether a reviewer can recreate ownership, revenue, cash and liabilities from the documents without relying on founder explanation.
Use a disclosure schedule for exceptions. A clearly explained issue with a remediation plan is usually safer than a false statement that no issue exists.
Document the decision, owner, due date and evidence expected. A verbal explanation should be converted into a board note, approved working, contract amendment, portal acknowledgement or reconciliation before the item is treated as closed.
Rules, forms, thresholds and interpretations can change. The operating team should use the latest official source and the actual company facts instead of copying a control from another entity or prior year.
Ask four questions: Is the obligation or accounting treatment applicable? Has the underlying transaction been completely recorded? Does the evidence agree with the books and portal? Has an independent reviewer challenged the exception?
The review should distinguish a timing difference from an error, a judgement from a missing document, and a control failure from a one-time operational delay. Repeated small exceptions deserve root-cause action because they often become material during audit, fundraising, notice or distress.
The operating record should connect the control stages—corporate, financial, commercial, risk—to the same transaction population. If the source list, accounting ledger, tax return, board record and management dashboard use different populations, the review can appear complete while exceptions remain outside the test.
Management should define an exception threshold, but the threshold must not hide repeated failures. A small error occurring every month can signal weak master data, unclear ownership or a broken interface. The reviewer should record root cause, immediate correction and preventive action separately.
Closure requires evidence. At minimum, the file should show who prepared the work, who reviewed it, which source documents were used, what differences remained and when the next follow-up is due. Screenshots without context or spreadsheets without source references are not a durable control record.
Conflicts and judgement should be visible before approval. A founder, director or business owner with a personal interest should disclose it and follow the appropriate review route rather than approve the transaction informally.
Diligence quality improves when records are maintained during ordinary operations. Reconstructed minutes, unsigned contracts and after-the-fact explanations may answer a question temporarily but weaken trust and can create separate legal risk.