Due Diligence for IPO: The 3-Layer Stack for 2026

Quick answer: IPO due diligence is three concurrent workstreams, not one process. Underwriter business DD (broadest scope, bring-down memos, 4-7% of gross proceeds), legal and securities DD (10b-5 negative assurance letters, $1.7-2M typical cost), and auditor comfort letter DD (SAS 72 / AICPA AS 6101 procedures, $0.5-1.2M cost, governed by the 135-day rule). Each layer has a different producer, a different legal duty, and a different deliverable. The 135-day rule forces the pricing calendar — the other workstreams reverse-engineer back from that hard wall. ServiceTitan (Nov 2024), CoreWeave (March 2025), Circle (June 2025), and Cerebras (May 2026) reset the disclosure floor for AI risk, single-customer concentration, macro-sensitivity, and IPO velocity respectively.

I have built a data room used by 4,300+ customers, including pre-IPO companies running working group coordination in the 12 months before filing. This is the structural map of how IPO DD actually works in 2025-26 — distinct from the IPO readiness checklist, which is the broader 10-step go-public process. This post is about the DD layer specifically: who produces what, who relies on what, and which constraints actually force the calendar.

What is IPO due diligence and how is it different from M&A due diligence?

IPO DD has three concurrent producers all defending the same disclosure document (the S-1) under Section 11 liability. Each producer has a different legal duty and a different deliverable. M&A DD has one buyer, one DD process, and indemnification rather than statutory liability. That is the structural difference, and it drives everything else.

The three-layer stack:

Each layer is concurrent. Each has its own evidence trail. Each gets reissued at every S-1 amendment, again at pricing, and again at closing.

The 135-day rule forces the pricing calendar

The most underappreciated constraint in IPO planning is AICPA AS 6101 (codified at AU Section 634), also known as SAS 72 — the 135-day rule.

The rule says the auditor can provide negative assurance on financial information up to and including Day 134 after the last audited or reviewed balance sheet date. The cut-off date in the body of the comfort letter is typically 5 calendar days before the letter date, so practically the securities offering must close within roughly 4 months of the last audited or reviewed balance sheet.

This forces the calendar, not the other way around. If your fiscal year ends December 31:

• Audited Dec 31 financials → must price by approximately May 14 to use those financials
• Miss the window → complete Q1 interim review (SAS 100 / AS 4105) → slide to new 135-day window starting March 31 → pricing window opens late July through approximately August 13

This is why so many IPOs cluster late Q1 / early Q2 and late Q3 — they are hugging the auditor windows. Cerebras (priced May 13, 2026) likely targeted the Dec 31, 2025 audited financials. Every other DD workstream reverse-engineers back from this hard wall.

Frame: The 135-day window forces the calendar. Your underwriter beauty contest, your SEC comment cycle, your roadshow timing, and your closing date all bend to fit a window that the auditor controls.

Layer 1: Underwriter business DD

Underwriter business DD covers commercial, customer, financial, strategic, and operational diligence — typically 3 to 5 years of historical data. The deliverable is the bring-down memo: an evidentiary record supporting the underwriters' Section 11 due diligence defense.

The bookrunner-led DD process unfolds in phases:

1. Org meeting — formal DD and drafting kickoff. All-hands working group with issuer counsel, underwriter counsel, auditor, financial printer (DFIN, Donnelley, Workiva), and bankers.
2. Documentary DD — issuer uploads board minutes, material contracts, customer concentration data, audited financials, historical KPI files, capital structure documentation.
3. Management DD sessions — bankers and counsel interview CEO, CFO, COO, key VPs. Concurrent with auditor and counsel walk-throughs.
4. Customer reference calls — bankers (with management permission) speak to top customers about retention, satisfaction, growth expectations.
5. Industry DD — outside-in market sizing, competitive positioning, regulatory environment.
6. Bring-down DD — performed at each S-1 amendment, at pricing, and at closing. Material developments must be re-verified.

Q1 2025 league table data: bulge-bracket banks dominated, with Morgan Stanley, Goldman Sachs, JPMorgan, and Bank of America as the most active 2024-25 IPO bookrunners across Reddit, ServiceTitan, CoreWeave, Circle, and Klarna. The mid-market and sector-specialist syndicate adds depth — Cerebras (May 2026) ran Morgan Stanley, Citi, Barclays, and UBS as joint leads.

Layer 2: Legal and securities DD

Legal DD is run concurrently and independently by issuer counsel and underwriter counsel. Underwriter counsel cannot rely on issuer counsel's work — their 10b-5 letter must reflect their own independent comfort.

The eight categories of legal DD:

1. Corporate organization and capitalization (charter, bylaws, equity history, voting agreements)
2. Material contracts (customer agreements, supplier MSAs, partner agreements, real estate leases)
3. Intellectual property (patents, trademarks, software licenses, open-source compliance)
4. Litigation and regulatory exposure
5. Employment and benefits (equity plans, executive comp, key-person agreements)
6. Real property and tax
7. Environmental, health, and safety
8. Data privacy and cybersecurity

The deliverable is the 10b-5 negative assurance letter — issued by both issuer counsel and underwriter counsel as closing conditions. The letter states that "nothing has come to attention" suggesting material misstatement or omission in the prospectus. It is the legal product that supports the underwriter's Section 11 due diligence defense.

The 10b-5 letter is heaviest in scope when a young company is conducting a common equity IPO to retail investors. Cross-border IPOs add overlays for Regulation S, Rule 144A, and SEC Rule 415 shelf compliance.

Cost anchor: Q1 2025 DealPointData league shows Latham, Davis Polk, Skadden, and Kirkland & Ellis took the four positions on 12 major IPO mandates. Davis Polk and Kirkland each ran approximately $1.85B in deal volume (Skadden $2.19B; volume measurement differs by issuer-side vs. underwriter-side counsel role). Legal DD cost runs $1.7M to $2M for typical mid-market IPOs; substantially higher for cross-border (FCPA + sanctions overlays) or complex regulatory (biotech, fintech, defense).

Layer 3: Auditor comfort letter DD

The auditor's product is the comfort letter under AICPA AS 6101 / SAS 72. Under these standards, the auditor provides negative assurance ("nothing has come to our attention") on:

• Audited annual financial statements
• Unaudited interim financial statements (reviewed under SAS 100 / AS 4105)
• Selected financial data
• Other financial information sourced from accounting records

Tick-and-tie (or "circle-up"): underwriter counsel circles every financial figure in the prospectus draft. The auditor assigns symbols ("ticks") corresponding to procedures performed to verify each circled item. Tick-and-tie covers all numerical information sourced from accounts plus some operational data.

Frame: The comfort letter cost-to-risk mismatch. Auditor IPO fees ($0.5M-$1.2M) are the lowest of the three DD layers despite being the only DD product where the producer faces personal and firm liability under Section 11. This is why tick-and-tie debates routinely consume 20 to 40 percent of the auditor's IPO budget — they are negotiating the scope of comfort, not the price. Founders should not treat audit fees as fixed; the level of comfort requested (and the corresponding tick depth) is the real lever.

Bring-down comfort letter: reissued at pricing and at closing to re-affirm the original comfort letter remains valid. Subsequent-events procedures must be re-performed for each bring-down.

The ServiceTitan AI risk factor reset (the 2026 floor)

ServiceTitan's November 18, 2024 S-1 included a ~1,150-word standalone AI risk factor that explicitly named Microsoft and OpenAI as third-party LLM dependencies — the first major IPO to call out specific AI vendors by name. The disclosure cited:

• LLM hallucinations and accuracy risk
• Employee data leakage through model inputs
• IP infringement risk from training data
• AI talent competition costs
• Regulatory exposure under emerging US and EU AI rules

ServiceTitan priced December 11, 2024 at $71 (above the $65-67 range), closed Day-1 at $101 (+42 percent), and raised approximately $625M.

The broader trend confirms ServiceTitan reset the floor:

• 33 percent of FY2025 10-Ks include a standalone AI risk factor vs. 1 percent three years earlier (Nasdaq, December 2025)
• 72 percent of S&P 500 disclosed material AI risk in 2025 vs. 12 percent in 2023 (Harvard Corporate Governance, October 2025)

Frame: The ServiceTitan AI risk factor pattern → 2026 IPO floor. Any 2026+ IPO that does not (a) name specific LLM providers, (b) quantify AI exposure by revenue or feature dependency, and (c) flag regulatory, talent, and data risks will draw a SEC comment within the first 21-day initial comment letter window. The disclosure floor has reset.

The CoreWeave concentration cliff

CoreWeave priced March 27, 2025 at $40 versus an initial range of $47 to $55 (the range was already revised lower before pricing). The IPO raised $1.5B on 37.5M shares with a $23B fully diluted valuation. Day-1 closed flat at $40 despite the AI tailwind.

The disclosure: Microsoft was 62 percent of 2024 revenue; top-two customers were 77 percent.

The market's verdict: 62 percent single-customer concentration was the priced-in penalty, even though Microsoft also held equity exposure as a strategic investor (partial cover).

Frame: The CoreWeave concentration cliff. Any pre-IPO with greater than 50 percent revenue from a single customer should expect a 15 to 25 percent IPO price compression unless that customer is a strategic equity holder providing partial cover. Disclosure alone is not enough — the market re-prices the risk even after compliant disclosure.

Mitigation paths depend on the underlying customer relationship: contract length and renewal terms, MFN provisions, switching costs, and structural lock-in (proprietary tooling, multi-year commitments). Underwriter business DD will probe each of these; legal DD will require quantified disclosure; comfort letter DD will tick-and-tie the specific concentration percentage to the underlying contracts.

For comparable founder-driven IPOs in the $1B-plus revenue band, the practical advice is to either diversify revenue before filing (slow but cleanest), structure an equity tie-in with the dominant customer pre-filing (CoreWeave-style), or accept the priced-in haircut and time the market for maximum tailwind (Cerebras-style — Cerebras May 2026 priced $185 above range with a similar concentration profile in a hotter market).

The Circle outlier disclosure: single-variable macro-sensitivity

Circle (CRCL) priced June 4, 2025 at $31 (above the $27-28 range), raised $1.05B on 34M shares, and closed Day-1 at $83.23 (+168 percent) with a $6.8B valuation.

The S-1 disclosed: 99-plus percent of $1.68B 2024 revenue from reserve income; a 1 percent interest rate cut would reduce revenue by approximately $441M. This is the most precisely quantified single-variable macro-sensitivity disclosure in any 2025 IPO.

Frame: The Circle outlier disclosure pattern. Quantified single-variable macro-sensitivity disclosures (interest rate, FX, commodity, counterparty) are becoming a 2026+ best practice for any IPO with concentrated revenue exposure to a single rate or counterparty. The disclosure pre-empts the SEC comment cycle on MD&A (which remains the #1 area of SEC staff comments). It also signals analytical rigor to the buy-side — Fortune later framed Circle's first-day pop (citing University of Florida IPO researcher Jay Ritter) as having left $1.72 billion on the table given the 168 percent close, the seventh largest underpricing on record since 1980. Founders who quantify macro-sensitivity in the S-1 can use that data in roadshow Q&A as evidence of pricing discipline.

The Atkins SEC = disclosure-lite IPO lane

Paul Atkins was confirmed by the Senate April 9, 2025 and sworn in April 21, 2025 as the 34th SEC Chair.

His December 2, 2025 NYSE keynote "Revitalizing America's Markets at 250" laid out a three-pillar IPO reform agenda:

1. Scale disclosure with company size — smaller companies get reduced disclosure obligations
2. Depoliticize shareholder meetings — Rule 14a-8 reform on shareholder proposals
3. Reform securities litigation — moderate Section 11 / 10(b)-5 plaintiff bar exposure

He cited the roughly 40 percent decline in listed firms since the mid-1990s as the driving rationale.

Three concrete 2025-26 changes worth tracking:

1. March 2025 SEC guidance (issued March 3 under Acting Chair Mark Uyeda just before Atkins's April 21 confirmation, and continued under Atkins) expanded confidential filing access: all issuers (not just EGCs) can submit draft registration statements nonpublicly, provided they confirm public filing at least 15 days before the roadshow or effective date (replaces the older 21-day rule).
2. Q4 2025 government shutdown created a backlog of 900-plus pending registration statements. Davis Polk's Michael Kaplan noted in November 2025 that "most pending IPOs will be 2026 because there's not a lot of time for deals where the SEC hasn't already finished their comment process."
3. EGC revenue cap is currently $1.235B (effective September 20, 2022; next inflation adjustment 2027).

Frame: The Atkins SEC = disclosure-lite IPO lane. Expect 2026 IPOs to see (a) shorter SEC comment cycles for sub-$2B IPOs, (b) wider use of confidential filings, and (c) likely an expanded EGC on-ramp period — currently 5 years, could expand to 7-10. This is the most issuer-friendly SEC since the original JOBS Act of 2012. Founders filing in 2026 should expect roughly 60 to 90 days shaved off the historical IPO cycle for sub-$2B deals.

The bring-down DD calendar: what gets re-performed at each stage

The SEC Division of Corporation Finance generally issues the first comment letter within 27 calendar days of initial filing; subsequent comments within 14 to 16 days of each amendment. Cycles typically repeat 4 to 6 times for a clean process, adding approximately 5 months to the IPO timeline.

The 135-day rule applies at each bring-down point. If the closing date pushes past Day 134 from the last audited balance sheet, a SAS 100 / AS 4105 interim review of the next quarter must be completed first.

What does this all cost? The DD cost stack

For a typical mid-market $200M-$500M IPO:

Total directly-attributable offering costs: approximately $4.2M for a typical mid-market IPO (PwC IPO Cost data 2025). 43 percent of completed-IPO CFOs in PwC's survey said accounting costs exceeded expectations; 37 percent said legal costs exceeded expectations.

Gross spread is the headline number, but the indirect costs that bookrunners control without bearing (such as the depth of comfort letter scope, which drives auditor fees) are where founders should focus negotiation.

Honest VDR comparison for IPO due diligence

Most IPO working groups end up using at least two data rooms in parallel — one for the pre-S-1 working group coordination phase (12 months before filing) and one for the active filing phase (the main data room for SEC review, beauty contests, and bring-down memos).

The honest landscape:

We make Peony, so this is honest disclosure: for the active S-1 filing main room (5,000-plus pages, SEC review, beauty contests, bring-down memos), most IPO counsel will recommend Datasite or DFIN Venue for the depth of historical IPO workflow integration. Peony is best-fit for the pre-S-1 working group coordination phase — the 12 months before filing where working group composition is fluid, where per-room cost matters because the company is running 3-6 parallel sub-rooms for different banker pitches, and where NDA gating plus dynamic watermarks matter because 4-6 banks are seeing the numbers concurrently. The two phases are not in competition; they are sequential.

For a deeper teardown of how IPO data rooms get used across the full lifecycle, see our virtual data room pricing guide and IPO readiness checklist.

Related resources

• IPO Readiness Checklist 2026: 10 Steps to Going Public — the broader go-public process; this DD post is the diligence layer within that process
• M&A Due Diligence Process Guide — for the M&A DD comparison frame
• Investment Due Diligence Checklist — buyer-side DD (7 pillars)
• Sell-Side Due Diligence — VDD for sellers (different audience than IPO DD)
• Cybersecurity Due Diligence — increasingly material for IPO disclosure (per the SEC's 2024 cyber rule)
• Third-Party Due Diligence — FCPA / sanctions / UFLPA for cross-border IPOs
• Virtual Data Room Pricing Guide — full vendor landscape including Datasite, Intralinks, Venue