Before you wire funds on an EHS or OSHA compliance practice, use this checklist to verify revenue quality, credential portability, client stickiness, and regulatory clean hands.
Acquiring a safety and compliance consulting firm offers access to recession-resistant, recurring revenue driven by non-negotiable regulatory obligations. But the same characteristics that make these businesses attractive — founder expertise, long-tenured client relationships, and credentialed staff — also concentrate risk in ways that can destroy value post-close. This checklist walks buyers through the five critical due diligence domains: financial quality and revenue composition, client contract integrity, staff credentials and key-person dependency, regulatory and liability exposure, and operational scalability. Each item is tied directly to the risk profile of EHS and OSHA compliance practices in the $1M–$5M revenue range.
Verify that reported earnings are clean, recurring, and not inflated by owner add-backs or one-time project windfalls.
Request 3 years of accrual-basis P&L statements and tax returns for reconciliation.
Cash-basis books in consulting firms frequently mask timing distortions and understate true revenue.
Red flag: Tax returns show materially lower revenue than internal P&Ls with no clear reconciliation provided.
Calculate the retainer-to-project revenue split across all three years.
Retainer revenue from ongoing compliance programs is sticky; one-off project revenue evaporates post-close.
Red flag: More than 50% of billings come from non-recurring project engagements with no conversion pipeline.
Identify and normalize all owner add-backs including personal vehicle, insurance, and travel.
Inflated add-backs artificially raise EBITDA and the resulting purchase price.
Red flag: Add-backs exceed 25% of reported EBITDA without clear documentation for each line item.
Review accounts receivable aging and identify any clients 90+ days past due.
Slow-paying clients in safety consulting often signal a disputed invoice or dissatisfied relationship.
Red flag: More than 15% of AR is over 90 days with no written collection plan or client communication on file.
Assess whether client relationships are contractually protected, transferable, and diversified enough to survive ownership change.
Map revenue by client and flag any single client exceeding 20% of total billings.
Losing one large client post-close can wipe out a year of EBITDA and trigger earnout clawbacks.
Red flag: One client represents more than 25% of revenue with no long-term contract locking in the relationship.
Review all retainer agreements for auto-renewal terms, cancellation notice periods, and assignability clauses.
Contracts that require client consent to assign can be voided at close without proactive renegotiation.
Red flag: Majority of retainer contracts contain change-of-control clauses allowing immediate termination without penalty.
Identify which staff member — not just the founder — owns each client relationship day-to-day.
Clients who interact only with the owner present departure risk; staff-anchored relationships transfer more cleanly.
Red flag: Founder is the sole point of contact on more than 60% of active client accounts.
Request client retention data for the past three years including voluntary cancellations.
High historical retention validates the stickiness of compliance retainer programs and client satisfaction.
Red flag: Annual client attrition exceeds 15% or the seller cannot produce documented retention metrics.
Confirm that certifications are independently held by staff and that the business can operate without the founding principal.
Verify all active credentials including CSP, CIH, CHST, and OSHA Outreach Trainer authorizations.
Credentials held only by the departing owner cannot be transferred and leave clients unserviceable.
Red flag: Fewer than two staff hold independent CSP or CIH credentials outside the founding owner.
Confirm OSHA Outreach Trainer authorizations are individually issued and currently active.
Training revenue depends on authorized trainers; lapsed cards suspend the firm's ability to issue OSHA cards.
Red flag: One or more trainers have expired authorizations that were not disclosed in the offering materials.
Review employment agreements for non-compete, non-solicitation, and confidentiality provisions for all key staff.
A credentialed consultant who leaves post-close and solicits clients is a direct revenue threat.
Red flag: Key credentialed employees have no non-solicitation agreements or existing agreements are unenforceable in-state.
Assess staff tenure and turnover rate among credentialed consultants over the past three years.
High turnover among certified safety professionals signals cultural or compensation issues that compress margins.
Red flag: More than one CSP or CIH departed in the past 24 months and the seller cannot explain why.
Uncover any OSHA citations, E&O claims, or compliance failures that create successor liability or reputational damage.
Request a full E&O claims history for the past five years including closed and pending matters.
An EHS firm that failed to prevent a client's workplace fatality faces catastrophic liability and reputational damage.
Red flag: Any open E&O claim or lawsuit where a client suffered a serious injury after following firm recommendations.
Confirm the firm has maintained continuous professional liability insurance with adequate per-occurrence limits.
Coverage gaps create windows where prior incidents could result in uninsured successor liability.
Red flag: Policy lapses of more than 30 days or limits below $1M per occurrence for a firm of this revenue size.
Search OSHA inspection records for any citations issued to the firm itself or its client sites under the firm's supervision.
OSHA citations under the firm's watch signal inadequate service delivery and can deter future clients.
Red flag: Multiple willful or repeat OSHA citations at client worksites managed by the consulting firm.
Confirm the firm holds no outstanding EPA, state environmental agency, or DOT violations.
Multi-jurisdictional compliance practices carry regulatory exposure beyond OSHA that must be verified independently.
Red flag: Undisclosed state environmental agency enforcement action or pending regulatory investigation.
Evaluate whether service delivery is documented, systemized, and scalable beyond the current owner and team.
Request SOPs for all core service lines: site audits, training delivery, compliance program onboarding, and reporting.
Undocumented processes live in the founder's head and cannot be replicated or scaled post-acquisition.
Red flag: No written SOPs exist and the owner describes all service delivery as relationship-dependent and situational.
Assess any proprietary training curricula, e-learning platforms, or compliance management tools owned by the firm.
Proprietary IP differentiates the firm from commodity consultants and increases defensibility and valuation.
Red flag: Training content is entirely licensed from third parties with no owned curriculum or branded deliverables.
Review the firm's CRM or client management system and assess data completeness for all active accounts.
Fragmented client data in spreadsheets or email creates operational disruption and relationship risk at close.
Red flag: No formal CRM in use and client contact, contract, and service history data are stored informally.
Evaluate subcontractor relationships, including agreements, credentials, and volume of subcontracted revenue.
Heavy reliance on unvetted subcontractors to deliver compliance services creates quality and liability exposure.
Red flag: More than 30% of billable hours delivered by subcontractors who lack independent credentials or written agreements.
EHS consulting firms in the $1M–$5M revenue range typically trade at 3.5x–6x EBITDA. Firms with high recurring retainer revenue, multiple credentialed staff, and no client concentration above 20% command the upper end of that range. Founder-dependent practices with mostly project revenue will price at 3.5x–4.5x, and buyers should factor in meaningful transition risk and earnout structures to bridge the valuation gap.
Start by reading every retainer agreement for change-of-control, assignability, and cancellation clauses. Then go beyond the paper — interview key staff who manage each account day-to-day to understand how much of the relationship belongs to the firm versus the founder. Require a structured client introduction process during the transition period, and consider an earnout tied to 12–18 month retention as protection against post-close attrition.
At minimum, confirm that Certified Safety Professional (CSP), Certified Industrial Hygienist (CIH), Construction Health and Safety Technician (CHST), and OSHA Outreach Trainer authorizations are independently held by staff — not just the departing owner. Request wallet cards, BCSP registry verification, and OSHA trainer status letters. Any credentials that live solely with the seller and cannot be transferred represent a service delivery gap that must be addressed before close.
Yes. Safety and compliance consulting firms are SBA-eligible, and the 7(a) program is commonly used in this sector for acquisitions under $5M in purchase price. A typical structure involves 10–20% buyer equity, an SBA 7(a) loan covering the majority of the purchase price, and a seller note of 5–10% that is subordinated to the SBA debt. Lenders will scrutinize revenue quality and key-person risk closely — firms with documented SOPs, multiple credentialed staff, and strong retainer ratios will qualify more easily and at better terms.