Due diligence questionnaire: 7 DDQ examples
A due diligence questionnaire is a formal document with questions designed to ascertain a third party’s compliance with industry standards, laws and regulations, cybersecurity best practices and anything else material to the company.
DDQs are commonly used ahead of a merger or acquisition to assure the acquiring company that the target company won’t expose them to excessive risk. Organizations may also create a DDQ at the start of a new vendor relationship and at intervals throughout the relationship to verify that the vendor’s compliance practices align with the company’s requirements.
Why do organizations use DDQs?
Organizations use DDQs to streamline the due diligence process. DDQs consolidate important information and data into a single document, making it easier to determine a third party’s risk exposure. This is particularly beneficial for:
- Mergers and acquisitions: Companies want to verify that the business they’re merging with or acquiring will boost their profits, not detract from them. A due diligence questionnaire is a key way companies can vet the target’s compliance practices, financial information, existing contracts, legal disputes and more.
- Vendors: An estimated 60% of security incidents arise from vendors and third parties. DDQs help companies mitigate these risks by enabling a comprehensive third-party risk assessment before the business relationship begins.
- Investments: DDQs can also be a tool for evaluating the strength of an investment. Corporations and individual investors can create a due diligence questionnaire that explores critical investment criteria like supplier information, leadership and board backgrounds, and competitive analyses.
What should a due diligence questionnaire cover?
A due diligence questionnaire should cover any areas where you need additional information, or that require enhanced due diligence, before entering into a binding business agreement. This may vary between companies and industries, but DDQs generally focus on the following:
- Compliance: Vendors and target companies are usually subject to the same regulations as you are. DDQs should uncover the compliance practices the target or vendor already has in place. If they don’t take compliance seriously, it may be a red flag that they have high risk exposure and may introduce more risk of regulatory action.
- Cybersecurity: Attacks and breaches often happen through vendors with sub-standard cybersecurity practices. While it’s possible to shore up a vendor or target company’s cybersecurity practices, uncovering their position with a DDQ will help you evaluate whether it is worth the investment.
- Data security: Data is among a company’s most important resources, whether employee data, customer information or the company’s confidential files. Effective DDQs can help companies uncover if a vendor or target company has satisfactory data practices or if they might introduce a more significant risk of breach or attack.
- Crisis recovery: How will the vendor or third party do business during a crisis? The DDQ should include questions about the third party’s preparedness, including whether they’ve identified key systems and how they’ll protect them should disaster strike.
- Network infrastructure: In many ways, the third party’s network becomes your network. Are you sure it’s secure? Use the DDQ to cover how their network is configured, what visibility they have into their system and which tools they’re using to monitor network activity.
What questions should I ask during due diligence?
Asking the right questions is as important as covering the right risk areas. Some examples of questions to include in your due diligence questionnaire are:
- What is the company’s organizational structure?
- What are the company bylaws?
- Who is a member of the board?
- What does their supply chain include?
- How does the company comply with industry regulations?
- What cybersecurity practices does the company have in place?
- Are they in good legal standing?
- Where are the company’s most recent financial statements?
- Who are the company’s competitors?
- Who is the company’s customer base?
Due diligence questionnaire examples
With so much to cover, due diligence questionnaires can quickly become unwieldy. A template is a great way to standardize the DDQ process and make it easier to compare questionnaires. Some effective DDQ examples are:
- ESG due diligence questionnaire: In ESG, due diligence uncovers a company’s risk exposure related to environmental, social and governance issues. An ESG DDQ would focus on items like where the company operates, the regulations, and whether they follow ESG best practices. Invest Europe offers a sample PDF for investors that’s a great example of a thorough DDQ.
- ILPA due diligence questionnaire: The ILPA, or the Institutional Limited Partners Association, published a comprehensive questionnaire. It offers a way for private equity funds to standardize their approach to investigating potential investments.
- AFME due diligence questionnaire: The Association for Financial Markets in Europe (AFME) is a thought leader on regulatory and capital markets issues. As such, their DDQ is a thorough framework for any organization that handles client money.
- ABAC due diligence questionnaire: Anti-bribery and corruption (ABAC) efforts focus on eliminating the offering or accepting of bribes within corporations. MasterCard’s ABAC DDQ illustrates how due diligence can be important to any ABAC policies.
- Business partner due diligence questionnaire: Though many DDQs are multi-page documents, they can also be short and sweet. The Association of Corporate Counsel issued a sample one-page DDQ that includes important questions to ask when partnering with another company.
- FCPA due diligence questionnaire: The Foreign Corrupt Practices Act attempts to limit bribery and corruption among public companies in the UK. This sample DDQ includes questions that directly ask about FCPA and the third party’s compliance.
- Enhanced due diligence: In some instances, businesses may go beyond standard due diligence to verify the third party or target company’s identity. A DDQ like this one shows the additional investigations companies can conduct.
How to improve the due diligence questionnaire process
According to Gartner, the average organization partners with over 1,000 third parties. That’s 1,000 possible due diligence questionnaires — and even more individual questions — that organizations need to identify, organize and ultimately distill into actionable insights.
Improving the DDQ process isn’t just about better questionnaires but about optimizing the process to cut down on repetitive tasks and related costs. To do so, implement the following best practices:
- Identify key risk areas: What risks does the third party present? This might vary depending on the service they provide or the level of access they need to your system. Analyze the risks they may introduce, then prioritize risks from high to low. The higher the risk, the more important it is to cover it thoroughly in your DDQ.
- Standardize questions: Rather than reinventing your due diligence process for every potential partner, create a bank of questions for different industries, risk types, regulatory bodies and more. You can pull from these standardized questions to streamline DDQ creation.
- Use a DDQ template: Use your common questions to create a due diligence questionnaire template. You can reduce the time it takes to interpret each DDQ by ensuring questions and sections appear in the same order for every report.
- Create a single source of truth: The information you gather in your DDQs shouldn’t remain in the questionnaire or be dispersed among various spreadsheets and documents. Develop a central report accessible by any teams involved in the due diligence process. This ensures everyone has the same information about the new business relationship.
- Leverage due diligence technology: Manually creating DDQs can quickly become overwhelming. Enhanced due diligence services can streamline the process by supplementing your DDQs with information from analysts and investigators worldwide.
Get ahead of risk with effective DDQs
Managing risk requires proactivity. That is also what makes due diligence questionnaires so valuable: they offer the opportunity to uncover critical information about third parties and target companies before formalizing the relationship.
DDQs can also be the foundation of a better third-party risk management program that fosters a culture of compliance throughout your value chain. Get Diligent’s best practices checklist to learn what it takes to build a credible, defensible approach to risk management.