The Clean Report Is Often the Warning

A diligence report with no material uncertainty may reflect shallow evidence, narrow scope or deal pressure. Read the cleanliness as a signal.

The answer

A perfectly clean diligence report should not automatically reassure the investment committee. Every operating company contains exceptions, undocumented dependencies, stale access and evidence gaps.

A perfectly clean diligence report should not automatically reassure the investment committee. Every operating company contains exceptions, undocumented dependencies, stale access and evidence gaps. A report with no material uncertainty may describe an exceptional institution. More often, it describes a narrow scope, compliant answers or a team unwilling to disturb the transaction. The absence of findings is itself a finding about the diligence method.

Cleanliness can be manufactured

  • The scope excludes systems or entities management considers non-core.
  • Evidence is limited to policy and interview.
  • Samples are selected by the target.
  • Testing stops when the first acceptable artefact appears.
  • Risks are averaged into a maturity score.
  • Unavailable evidence is treated as no issue observed.
  • Deal pressure converts uncertainty into reassuring language.

None requires bad faith. They are natural consequences of time, access and incentives.

Value object — The Report Credibility Test

For every decisive conclusion, ask:

  • What investment-thesis assumption does it support?
  • What evidence level supports it: assertion, document, system record, observed workflow or adverse test?
  • Who selected the sample?
  • What could not be examined?
  • Which exceptions or contradictory evidence were found?
  • What would falsify the conclusion?
  • What action changes if the conclusion is wrong?

If the report cannot answer, the headline should not carry decision weight.

Look for useful discomfort

A strong report contains boundaries. It states what is known, what is inferred, what was unavailable and how the uncertainty affects the deal. It may be concise, but it should show that the team tried to break important claims. Findings should connect to price, structure, integration or the first hundred days.

Challenge the green rating

A green control can hide one catastrophic dependency. An amber collection can be economically immaterial. Read the failure scenario and thesis collision, not the colour. Ask whether the conclusion changes under growth, separation, federation, automation or a key-person departure.

Unavailable is not clean

When logs, inventories or recovery tests are unavailable, the report should record an evidence gap. The gap may be acceptable. It is not evidence of a positive state. Price and structure can absorb uncertainty only when it is visible.

Preserve the dissent

Technical specialists may hold reservations that disappear during executive editing. Include material dissent and the evidence requested but not obtained. An investment committee should understand where the conclusion depended on judgment rather than repeatable proof.

The report is a transaction instrument

Its purpose is not to certify that the target is good. It is to improve a capital and control decision. A report that exposes the few conditions capable of breaking the thesis is more valuable than a polished catalogue of controls. If nothing in the report makes the deal team uncomfortable, inspect the report before trusting the target.

Sources

  1. NIST: Cybersecurity Framework 2.0NIST: Cybersecurity Framework 2.0

    Primary authority

  2. NIST SP 1305: Cybersecurity Supply Chain Risk ManagementNIST SP 1305: Cybersecurity Supply Chain Risk Management

    Primary authority

  3. FINMA: Risk Monitor 2025FINMA: Risk Monitor 2025

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry