On average, an organization that works with third-party vendors can have anywhere from 10 to 100,000 suppliers. And, about 82% of companies provide third-party vendors with access to their data. Since such an approach could bring a substantial security threat to confidential data, it should be justified, and a due diligence questionnaire is one of the ways to do that.
A due diligence questionnaire is a formal business assessment made up of specific questions that cover different areas. It can be used both on the buy- and sell-side of the due diligence process with the same goal: to mitigate potential risks.
This article embraces the notion of a due diligence questionnaire, the core areas it should cover, and the business cases for which it’s used most. Additionally, we provide question examples and several due diligence templates to use when creating one.
Highlights:
- A due diligence questionnaire is a formal document composed of questions from several areas aimed at assessing certain aspects of an organization.
- Due diligence questionnaires are used most often for mergers and acquisitions, investments, or vendor relationships.
- Among the core areas a due diligence questionnaire covers are the company’s background, financial review, ownership, cybersecurity, compliance, and risk management.
What is a due diligence questionnaire?
A due diligence questionnaire (DDQ) is a formal document consisting of a list of questions aimed to assess specific aspects of an organization prior to any type of collaboration with it: from mergers and acquisitions to potential partnerships.
Usually, due diligence questionnaires are sent to new vendors as a part of the onboarding process, but many companies send due diligence questionnaires to their existing vendors as well. This is to ensure better risk management.
Sometimes, due diligence questionnaires can be confused with security questionnaires. However, despite being essentially similar, these are two different documents and processes:
- A due diligence questionnaire focuses on many areas of the organization’s operations: from general business credentials and human resources information to finances and security compliance.
- A security questionnaire targets the security aspect specifically and attempts to determine whether the security protocols and policies of an organization meet the standards and requirements of the issuing company.
Top 3 cases when a due diligence questionnaire is needed
Due diligence questionnaires are used during the due diligence process to streamline it. Below are the top three cases when due diligence questionnaires are most beneficial:
- Mergers and acquisitions due diligence
A due diligence questionnaire is essential when planning to acquire or merge with another company. By using a DDQ, an issuing company ensures that a target has everything in place to make a potential acquisition or merger beneficial and doesn’t have anything that might put an issuing company and its operations at risk.
- Investment due diligence
A DDQ can also be beneficial when evaluating the potential of a prospective investment opportunity. By issuing a DDQ, a prospective investor can investigate information about the founders of the company, its board of directors, customers and suppliers, and intellectual property.
- Vendor due diligence
DDQs used during the vendor due diligence process identify the risks of working with a particular vendor. However, there are two types of vendor due diligence:
- Proactive sell-side due diligence
When a company markets itself for sale and expects to have several potential buyers, it can take proactive steps and initiate due diligence from its side. This is to evaluate the potential risks within the company. Then, when a company is ready for sale, it can provide the results of the DDQ to all potential buyers instead of performing it for every individual buyer. As a result, it can significantly accelerate the deal.
- Third-party risk assessment
In this case, DDQs target the risks of supplier partnerships. By issuing a DDQ, an organization can assess the cybersecurity risk, reputational risk, operational risk, and financial risk of working with a particular supplier.
Where are due diligence questionnaires mostly used?
Generally, DDQs aren’t unique to one particular industry. They can be used in any industry any time a risk assessment is required. However, some of the most common industries where DDQs are used include technology, finance, and government. Below is a list of the types of companies where DDQs are most often used:
- Hedge funds
- Private equity companies
- Tech companies
- Financial organizations
- Governmental bodies and organizations
When it comes to specialists who are involved in the DDQ issuing process, the list includes professionals of many levels and from many fields: IT, legal, financial, compliance, and procurement specialists.
Goals of the due diligence questionnaire
Now, let’s briefly review why organizations issue DDQs. Due diligence questionnaires are typically issued for:
- Risk mitigation
This is the most important reason why DDQs are issued. By implementing DDQs, companies identify risks when starting a business relationship with a new or existing vendor and when entering a new business transaction.
- Compliance guarantee
Due diligence questionnaires are also used to ensure the target’s compliance both with state, federal, and local laws and with the standards and legal requirements of the issuing company.
- Efficient data collection
Due diligence questionnaires are an effective way to productively collect large volumes of information required for due diligence or any other type of disclosure process. This is also because issuing DDQs involves large teams that can provide more data than smaller teams.
- Transaction acceleration
Though a due diligence questionnaire isn’t a part of the sales process, it can still help accelerate the deal in a way. Issuing a due diligence questionnaire doesn’t directly lead to a deal closure, but it narrows down the vendors’ and potential partners’ selection, which, in turn, can make a deal closure simpler and smoother.
Note: The table below comprises the When, Who, and Why of the DDQs’ issuing process.
| When | Who | Why |
| Mergers and acquisitions | Hedge funds and private equity firms | Risk mitigation |
| Investment | Tech companies | Compliance guarantee |
| Vendor assessment | Governmental organizations | Efficient data collection |
| Sell-side due diligence | Financial institutions | Transaction acceleration |
Simplify your due diligence with iDeals VDR
GET STARTED
What areas does a DDQ cover?
A due diligence questionnaire should cover the areas an issuing company requires extra information about to enter into a certain type of agreement. Let’s define the main areas of the due diligence questionnaire:
- Company profile and history
This area of the DDQ covers the basic company background check to ensure an issuing company enters into a business relationship with a reliable partner. Generally, this area of the DDQ includes such details as the company’s legal name, year of foundation, key products, etc.
- Ownership and employees
It seeks information about the company’s management, owners, and employees. The DDQ responses in this area help an issuing company investigate potential risks regarding specific individuals who can bring harm to it. It helps to identify risks of corruption cases, such as what happened with Siemens or any politically involved individuals.
- Financial history
This area is often a primary goal of a DDQ, which focuses on the target company’s financial information. For example, an issuing company may want to review financial statements for the last three years. This is to minimize any potential financial risk that a business relationship with a target company can bring.
- Cybersecurity implementation
For an issuing company, it’s critical to understand how the target company handles cybersecurity and what measures are practiced. This is to avoid any data breaches that could lead to reputation damage and great financial losses. Considering the latter, IBM reports that the average data breach costs $4.45 million globally in 2023, which is a significant reason to take care of cybersecurity within an organization.
- Business continuity
This area of the DDQ investigates whether target vendors or potential partners have disaster recovery plans in place and know what measures to take in case of a crisis. This is essential for an issuing company since the absence of any effective recovery plans can lead to great financial losses. According to Statista, a one-hour downtime of an enterprise server can cost a company from $300,000 to $5 million. For example, a 14-hour outage cost Facebook about $90 million in revenue in 2019.
- Regulatory compliance
This implies investigating whether a target vendor or potential partner is in compliance with state, federal, and local laws and regulations. If a business fails to comply, it may be subjected to various lawsuits and financial liability that might bring reputational damage and financial losses to an issuing company.
- Data security management
This DDQ area implies reviewing how third-party vendors manage confidential data security and privacy. It includes sensitive clients’ data such as credit card numbers, bank account information, and passwords and confidential company information on its intellectual property.
- Network security management
Being a part of cybersecurity, network security management is essential to investigate within the DDQ. An issuing company should ensure that a third-party service provider or a potential partner follows all industry standards to guarantee zero unauthorized network access.
Due diligence questions examples
Now, let’s list several example questions to include in a DDQ, depending on the areas discussed above.
| Company profile and history | – How many years has the company been operating? – What is the company’s approximate annual revenue? – What is the company’s organizational structure? – Does the company have bylaws? |
| Ownership and employees | – Who owns the company? – Who are the key officers and board of directors? – How many employees does the company have? – Have any of the owners or employees been subject to any kind of legal proceeding, including bribery, fraud, and corruption? |
| Financial history | – Does your company have any debt? – What are the company’s major growth drivers? – What are the balance sheets and income statements from the last three years? – What are the company’s operating costs? |
| Cybersecurity implementation | – Do you have any cybersecurity policies? What cybersecurity measures does your company take? – Who is responsible for developing and implementing the security requirements and measures? – Has your company experienced any cybersecurity issues in the past? How did you deal with it? |
| Business continuity | – Who is responsible for the decision-making in case of any kind of disaster or crisis? – Do you have any disaster recovery plans developed and implemented? – Do you perform regular recovery test processes? When was the last time you did it? – For what types of disasters does your company have disaster recovery plans? |
| Regulatory compliance | – In what countries and states does your company operate? – Are there any legal proceedings the company is currently involved in or has been in the past? – Is the company certified and compliant with such frameworks as SOC 2, ISO 27001, and GDPR? – Do you have an SEC communications plan? |
| Data security management | – What data does your company collect and store? – Who can access third-party data? – What measures are taken to ensure secure data storage? – Who is responsible for secure data storage? |
| Network security management | – What network access controls does your company have? – What tools does your company use for network monitoring? – What antivirus solutions does your company utilize? – Who is responsible for network access security management? |
10 due diligence questionnaire examples
Now, let’s take a look at what a due diligence questionnaire can look like depending on the industry and investigated risk areas. Explore 10 real-life examples below:
- ESG due diligence questionnaire by Invest Europe. This DDQ targets investment risks considering the environmental, social, and governance areas of responsibility.
- Due diligence questionnaire for institutional investors by ILPA. This DDQ by the Institutional Limited Partners Association offers an example of a detailed and well-thought-out questionnaire used to identify risks when working with limited partners.
- Due diligence questionnaire for organizations that handle client money by AFME. This DDQ template is helpful for organizations starting a business relationship with companies that deal with client money.
- Business partner due diligence questionnaire by ACC. This DDQ by the Association of Corporate Counsel offers an example of questions to include in a DDQ for potential business partners.
- Anti-bribery and corruption due diligence questionnaire by MISC Group. This DDQ focuses on identifying potential risks related to bribery and corruption.
- Hedge fund due diligence questionnaire by PRI. This is a responsible investing due diligence questionnaire for hedge fund investors.
- Investor and consultant due diligence questionnaire by INREV. This DDQ was created to help investors and consultants during the due diligence process.
- Supplier due diligence questionnaire by TMLSA. This is an example of a DDQ used to assist risks of a business relation with a new or existing supplier.
- Due diligence questionnaire for business partners by GFA. This is another example of DDQ to evaluate the potential business partnership and risks associated with it.
- Due diligence questionnaire for software development outsourcing by Future Processing. This DDQ example is for IT companies that want to assess a potential partnership and avoid risks.
Best practices of DDQ process improvement
The number of suppliers and all types of third-party vendors a business has a relationship with can be striking. For instance, Apple works with about 200 suppliers, while Walmart deals with approximately 100,000 third-party vendors.
Naturally, handling form assessment in the form of a due diligence questionnaire can be daunting and challenging. To help simplify the process, consider the following tips:
- Define the strategy
First things first, have a clear strategy. This involves identifying who will be responsible for what, how the data will be collected, where it will be stored, and who will be answering the questions. This will help you to stick to the core strategy and prevent straying.
- Determine key risk areas
The next step is to identify key areas from which a certain third-party provider can bring risk exposure. It’s good to prioritize the areas based on risk levels: the more potential risk, the more attention it deserves in the DDQ.
- Standardize questions
Though not always applicable, sometimes it’s helpful to create a bunch of questions for several industries and risk types instead of doing an individual DDQ for each particular third-party vendor or potential partner. When you have a pool of such questions, you can use it to create more case-specific questionnaires.
- Opt for a DDQ template
Often, having a ready-to-use due diligence questionnaire template can significantly accelerate the due diligence process. You can use a template available on the web or craft a company-specific one and customize it to fit your needs.
- Create a single source of information
Working on a due diligence questionnaire involves dealing with large volumes of data that often get lost in different files, tables, spreadsheets, and folders. Ensure you have a single database for all the DDQ data so that every involved party has 24/7 access.
- Leverage technology
Manually working on a DDQ can be a daunting task, that’s why it’s recommended to opt for modern technologies. The use of such digital products as virtual data room can significantly facilitate the process since it’s a reliable tool for secure data storage and effective collaboration.
