
Marketing Agency Due Diligence Checklist
Use a Marketing Agency Due Diligence Checklist to verify strategy, governance, privacy, measurement, and execution quality before you grant access to budgets, data, and reputation.
Serious buyers treat marketing as an operating system, not as a set of tactics. Therefore, they vet agencies the same way they vet any high-impact vendor: they confirm claims, they test process, and they audit risk before they sign.
This page gives you a practical, step-by-step checklist you can run in a single procurement cycle. Additionally, it includes decision rules, red flags, and a simple scoring model so you can compare candidates without relying on charisma or "case study theater."
If you manage a private enterprise, a family office-adjacent brand, or any organization that values discretion, this framework helps you protect confidentiality while still demanding measurable performance.
Table Of Contents
- What This Checklist Does
- Before You Interview Agencies
- The Four Proof Tests
- Governance, Privacy, And Risk Controls
- Measurement, Attribution, And "Truth"
- Execution Capability: Who Does The Work
- Commercial Terms And Contract Checklist
- A Simple Scoring Model You Can Use Today
- Red Flags That Disqualify An Agency Fast
- How To Run A 90-Day Pilot Without Leaking Risk
- FAQs
- Hub & Spoke Architecture
- Related IMR Resources
- Outbound Authority Links
What This Checklist Does
Direct Answer: This checklist forces clarity on outcomes, proves capability with verifiable evidence, and reduces privacy and reputation risk before you grant an agency access to budgets and data.
Most agency failures start with ambiguity. For example, buyers say "we need growth," agencies say "we do growth," and then nobody defines what growth means, how the team measures it, or how the team protects sensitive information. Therefore, you end up paying for motion instead of outcomes.
This framework fixes that pattern by using three ideas:
- Define the decision: You decide whether the agency can deliver a specific outcome under specific constraints.
- Prove capability: You require evidence that you can verify, not stories that you cannot validate.
- Control risk: You limit access until trust earns expansion, and you codify controls in writing.
Additionally, this checklist respects a reality that sophisticated organizations face: marketing touches identity. It touches public perception, regulatory exposure, platform policy, and business development relationships. Consequently, you must treat partner selection as governance, not as shopping.
Before You Interview Agencies
Direct Answer: Start with internal alignment on goals, constraints, decision rights, and data boundaries so you can evaluate agencies against the same standard.
1) Write a one-page "Outcome Brief"
Keep it short, but make it precise. If you cannot express the outcome clearly, then you cannot hire correctly.
- Primary outcome: pipeline quality, revenue, booked calls, qualified leads, or retention.
- Time horizon: 90 days, 6 months, 12 months.
- Constraints: privacy, brand voice, compliance, market positioning, geographic limits.
- Non-negotiables: excluded channels, prohibited claims, no public association, or no influencer tactics.
2) Define "qualified" with sales, not with marketing
Marketing can generate volume; therefore, you must define quality. Align with sales on disqualifiers, deal size thresholds, and decision-maker criteria. Then you can audit lead quality without debating opinions.
3) Set your access boundaries up front
Privacy-first buyers do not start with "here are all our systems." Instead, they start with staged access.
- Stage 1 (Discovery): read-only analytics, anonymized CRM snapshots, and a limited brand guide.
- Stage 2 (Pilot): role-based ad access, limited audiences, and pre-approved creative rails.
- Stage 3 (Scale): expanded access after the agency proves operational maturity.
4) Choose your evaluation method
Pick one of these methods before interviews so you avoid moving goalposts:
- Best-fit selection: you prioritize governance, process, and long-term compounding.
- Competitive test: you run two agencies on a tight pilot with clean separation.
- Specialist + integrator: you hire a specialist for a channel and a coordinator for the system.
The Four Proof Tests
Direct Answer: You should test evidence, method, execution, and integrity because each failure mode breaks results in a different way.
Proof Test 1: Evidence You Can Verify
Ask for proof that you can validate without trusting the agency's narrative. Therefore, request artifacts, not claims.
- Redacted dashboards: show trend lines, definitions, and filters that confirm the story.
- Change logs: show what the team changed and when, so you can connect actions to outcomes.
- Creative and landing pages: show the assets, not just the results.
- Measurement map: show event definitions, conversions, and attribution model choices.
Additionally, ask the agency to explain what failed and what the team learned. Strong operators speak clearly about tradeoffs. Weak operators hide behind highlight reels.
Proof Test 2: Method That Matches Your Business Model
Many agencies reuse a single playbook. However, your business may require a different method. Therefore, you must test fit.
- Demand type: urgent intent vs. latent demand.
- Sales cycle: short e-commerce vs. long consultative deals.
- Buyer psychology: privacy-seeking executives avoid "hype funnels."
- Regulatory exposure: financial and healthcare categories demand tighter claims control.
Ask a direct question: "Which parts of your method do you refuse to change, and why?" Then evaluate the answer. If they cannot adapt, then you should not hire them for a bespoke brand.
Proof Test 3: Execution Capacity Under Constraints
Constraints create the real test. For example, you may require limited branding, quiet landing pages, and discreet creative. Therefore, ask how they execute without shortcuts.
- Creative pipeline: briefs, drafts, approvals, versioning, and testing cadence.
- Landing page system: speed, clarity, accessibility, and tracking discipline.
- Operational rhythm: weekly decisions, monthly strategy, quarterly resets.
Proof Test 4: Integrity And Policy Discipline
Platform policies shape what works. Therefore, you must confirm that the agency builds trust with platforms and users rather than gaming systems.
- Claims discipline: they avoid misleading promises and they document substantiation.
- Disclosure discipline: they follow endorsement and disclosure expectations when they use testimonials or influencers.
- Data discipline: they reduce unnecessary data collection and they protect what they touch.
When agencies treat policy as optional, they create account risk, reputation risk, and legal risk. Consequently, you must treat integrity as a performance factor.
Governance, Privacy, And Risk Controls
Direct Answer: Require role-based access, written data handling rules, vendor risk controls, and staged permissions so the agency cannot create irreversible risk early.
1) Demand role-based access and separation of duties
Start with least privilege. Then expand. Additionally, separate responsibilities so a single contractor cannot hold your systems hostage.
- Business Manager / ad accounts: grant partner access, not personal logins.
- Analytics: start with read-only access.
- Tag management: require review and documented changes.
- Creative assets: store source files in your controlled environment.
2) Put privacy rules in writing
Privacy-first brands must control data movement. Therefore, include a clear data handling appendix in the contract.
- Data minimization: the agency collects only what the outcome requires.
- Data boundaries: the agency cannot export raw customer data without written permission.
- Retention: the agency deletes data after a defined period.
- Subprocessors: the agency lists tools and subcontractors that touch your data.
Additionally, require documented incident response steps. You do not need drama. You need clarity.
3) Apply vendor risk thinking, not "marketing vendor" thinking
Marketing agencies touch supply chains: tools, tracking, media, and creative vendors. Therefore, you should evaluate them like any other supplier risk. NIST publishes detailed guidance for cybersecurity supply chain risk management, and you can adapt the concepts to agency selection.
Use these practical controls:
- Tool inventory: list every platform and tool the agency plans to use.
- Access model: define who gets access, how they authenticate, and how you revoke access.
- Change control: require a log for tracking and site changes.
- Audit rights: keep the right to review access and configurations.
4) Protect your identity and your executives
Private enterprises often need quiet operations. Therefore, define what the agency can disclose publicly.
- Public association: prohibit logo use and public case studies without written permission.
- Staff privacy: restrict executive targeting language that feels invasive.
- Comms discipline: route sensitive approvals through a single owner on your side.
As a result, you keep control while still enabling performance work.
Measurement, Attribution, And "Truth"
Direct Answer: You must define conversion events, insist on clean tracking, and align attribution rules so the agency cannot "win" by changing definitions.
1) Require a measurement map before launch
Agencies can inflate performance by changing what counts. Therefore, require a signed measurement map that includes:
- Primary conversions: what you optimize and report as the main success metric.
- Secondary conversions: indicators that support decisions but do not define success.
- Event definitions: exact triggers, deduplication rules, and naming conventions.
- Data sources: analytics, CRM, call tracking, and server logs when needed.
2) Ask how they prevent misrepresentation and misleading claims
Platforms enforce truth standards because they want user trust. For example, Google explicitly addresses "misrepresentation" and expects clarity and honesty in ads and destinations.
Therefore, vet your agency's claim discipline:
- Substantiation: they document proof for strong claims.
- Disclosure: they disclose material connections when endorsements appear.
- Offer clarity: they present pricing, terms, and eligibility without tricks.
3) Require lead quality feedback loops
Most agencies optimize to the easiest measurable action. However, private enterprises care about qualified conversations. Therefore, you need a feedback loop:
- Lead grading: sales assigns outcomes (qualified, unqualified, closed-won, closed-lost).
- Reason codes: sales labels why a lead failed (budget, timing, fit, authority).
- Optimization cadence: the agency reviews feedback weekly and adjusts targeting, creative, and landing pages.
4) Audit what they report vs. what the business experiences
Ask for a "metrics reconciliation" once per month. Then compare:
- Platform conversions vs. analytics conversions
- Analytics conversions vs. CRM opportunities
- Opportunities vs. revenue
Consequently, you prevent reporting drift and you keep incentives aligned.
Execution Capability: Who Does The Work
Direct Answer: You should confirm the exact team, the exact workflow, and the exact accountability model because execution quality drives outcomes more than "strategy decks."
1) Confirm the delivery team, not the sales team
Ask for names, roles, and weekly time allocations. Additionally, ask what happens when a key person leaves. If the agency cannot answer clearly, then you face operational risk.
2) Demand a documented workflow
Workflow creates consistency. Therefore, require clarity on these stages:
- Research: audience, competitive landscape, and offer clarity.
- Planning: hypotheses, tests, and a prioritization framework.
- Build: creative, pages, tracking, and QA.
- Launch: controlled rollout, monitoring, and quick corrections.
- Optimize: weekly learning loop and iteration.
3) Ask how they handle creative testing without brand damage
Testing drives performance. However, private brands require restraint. Therefore, the agency should explain how they test while preserving tone and discretion.
- Pre-approved messaging rails: what language the team can use without re-approval.
- Creative review gates: who signs off and how quickly.
- Version control: how they track what changed across iterations.
4) Confirm platform expertise without "platform worship"
Strong agencies respect platforms and still think independently. Consequently, they use policy and best practices to guide decisions, not to excuse weak performance.
Commercial Terms And Contract Checklist
Direct Answer: Align scope to outcomes, define ownership, define access, and define exit conditions so you avoid lock-in and hidden risk.
1) Ownership and access
- Accounts: you own ad accounts and analytics properties.
- Pixels and events: you control event definitions and documentation.
- Creative source files: you receive editable originals.
- Landing pages: you own code and content, or you receive exportable versions.
2) Scope and deliverables
Define deliverables in operational terms. For example:
- Creative: number of concepts per month, number of variants, and refresh cadence.
- Optimization: weekly change log and decision notes.
- Reporting: definitions, cadence, and reconciliation method.
- Strategy: quarterly roadmap and hypothesis backlog.
3) Privacy, confidentiality, and publicity
- Confidentiality: strict non-disclosure for client identity and results.
- Publicity: no logo use, no public portfolio mention without approval.
- Subprocessors: disclose tools and contractors who touch data.
4) Compliance and disclosure expectations
If endorsements, testimonials, or influencer content enter the plan, then require compliance with disclosure expectations. The FTC publishes updated guidance on its Endorsement Guides, and you can use it as a baseline for disclosure discipline.
5) Exit plan
Every serious contract includes an orderly exit. Therefore, define:
- Offboarding timeline: 14–30 days for handoff.
- Deliverable handoff: accounts, creative, documentation, and access revocation.
- Knowledge transfer: final report, learning summary, and next steps.
A Simple Scoring Model You Can Use Today
Direct Answer: Score agencies across strategy fit, proof quality, governance, measurement integrity, execution capacity, and commercial fairness, then disqualify anyone who fails risk controls.
Use a 100-point model. Then apply "gate" rules that disqualify candidates who fail privacy or integrity requirements.
Category scores (100 points total)
- Strategy fit (20): method matches your market, buyer, and constraints.
- Proof quality (20): verifiable evidence, clear causal thinking, honest failures.
- Governance & privacy (20): access discipline, written controls, vendor hygiene.
- Measurement integrity (15): definitions, reconciliation, lead quality loop.
- Execution capacity (15): team clarity, workflow maturity, creative system.
- Commercial terms (10): ownership, exit clarity, and fair scope-to-fee fit.
Disqualifying gate rules
- Gate 1: They request personal logins or refuse role-based access.
- Gate 2: They refuse to document measurement definitions before launch.
- Gate 3: They cannot explain data handling, retention, and subprocessors.
- Gate 4: They push misleading claims or dismiss platform policy risk.
Therefore, you combine quantitative scoring with hard risk controls. As a result, you avoid "best talker wins" outcomes.
Red Flags That Disqualify An Agency Fast
Direct Answer: Disqualify agencies that hide execution, dodge measurement definitions, demand excessive access, or promise outcomes they cannot control.
- They promise guaranteed rankings or guaranteed ROAS without constraints. They cannot control markets, platforms, or competitors.
- They avoid specifics about who works on the account. You cannot manage accountability without clarity.
- They treat measurement as "we will figure it out later." That approach invites reporting manipulation.
- They request full admin access immediately. Mature teams earn access in stages.
- They refuse to share a change log. Without logs, you cannot connect actions to outcomes.
- They rely on vanity metrics. Impressions and clicks do not equal business value.
- They dismiss policy and disclosure requirements. That behavior creates suspension risk and legal exposure.
Additionally, watch for "tool worship." Some agencies sell dashboards, then they forget the buyer journey. Therefore, require clarity on decisions, not just on charts.
How To Run A 90-Day Pilot Without Leaking Risk
Direct Answer: Run a 90-day pilot with staged access, a signed measurement map, weekly decision reviews, and a tight scope that tests learning speed and governance.
Step 1: Start with a narrow, high-signal scope
Choose one offer, one audience hypothesis, and one primary conversion. Therefore, the pilot tests execution and learning speed, not breadth.
Step 2: Lock measurement definitions on day one
Define events, deduplication, and CRM outcomes immediately. Then you prevent redefinition drift.
Step 3: Use staged permissions
Grant only what the pilot needs. Next, expand access only after the agency demonstrates control and documentation.
Step 4: Require weekly decision memos
Ask the agency to write a short weekly memo:
- What the team tested
- What changed
- What the results indicate
- What the team will do next
Step 5: End with a learnings dossier
At day 90, the agency should deliver a dossier that includes creative learnings, audience learnings, landing page learnings, and a prioritized roadmap. Therefore, even a "no hire" decision produces value.
FAQs
What should I ask first when vetting an agency?
Direct Answer: Ask how the agency defines success, how it measures success, and how it protects your data while it pursues that success.
Start with definitions. Then move to process. Finally, validate evidence. This order prevents persuasion from replacing proof.
How do I verify an agency's results without exposing my business?
Direct Answer: Require redacted dashboards, change logs, and asset examples, then verify logic and consistency instead of asking for client names.
Additionally, you can request anonymized references through a controlled call that excludes sensitive details. Therefore, you protect confidentiality while still confirming credibility.
What metrics matter most for private enterprises?
Direct Answer: Focus on qualified conversations, opportunity creation, and revenue contribution, then use platform metrics only as diagnostic indicators.
Clicks can help you diagnose creative and targeting. However, the business should judge marketing by pipeline quality and sales outcomes.
How do I prevent an agency from holding my accounts hostage?
Direct Answer: Own your ad accounts and analytics, grant partner access through role-based permissions, and require exportable deliverables and an exit handoff plan.
When you control accounts, you control continuity. Then the agency can support, not control.
Do I need cybersecurity-style vendor risk questions for a marketing agency?
Direct Answer: Yes, because agencies touch your data supply chain through tools, tracking, and access, so you should apply vendor risk controls and written data handling rules.
NIST provides detailed supply chain risk guidance you can adapt to vendor selection and ongoing governance.
How do I evaluate honesty and compliance in ad messaging?
Direct Answer: Ask for their claim substantiation process, disclosure process, and policy review routine, then disqualify candidates who dismiss these controls.
Platforms value user trust; therefore, they restrict misleading behavior. Google's policy guidance highlights misrepresentation risk and emphasizes clear, honest information.
Should I run a pilot before I sign a long contract?
Direct Answer: Yes, because a staged 90-day pilot tests execution and governance under constraints, which predicts long-term fit better than sales promises.
Keep the pilot narrow, document everything, and judge learning speed and decision quality.
What is the biggest hidden risk when hiring an agency?
Direct Answer: The biggest hidden risk is measurement manipulation, because it lets a weak agency look successful while the business loses time and opportunity.
Therefore, lock definitions early and reconcile platform metrics with CRM outcomes.
Hub & Spoke Architecture
Direct Answer: This page supports the Digital Family Office Marketing hub by providing the due diligence system buyers use before they trust a concierge marketing partner.




