On average, an organization that works with third-party vendors can have anywhere from 10 to 100,000 suppliers, and about 82% of companies provide third-party vendors with access to their data. Since such access poses a substantial security threat to confidential data, it should be justified, and a due diligence questionnaire is one way to do so.
A due diligence questionnaire is a formal business assessment made up of specific questions that cover different areas. It can be used both on the buy- and sell-side of the due diligence process with the same goal: to mitigate potential risks.
This article embraces the notion of a due diligence questionnaire, the core areas it should cover, and the business cases for which it’s used most. Additionally, we provide question examples and several due diligence templates to use when creating one.
Highlights:
A due diligence questionnaire (DDQ) is a formal document consisting of a list of questions aimed to assess specific aspects of an organization prior to any type of collaboration with it: from mergers and acquisitions to potential partnerships.
Usually, due diligence questionnaires are sent to new vendors as a part of the onboarding process, but many companies send due diligence questionnaires to their existing vendors as well. This is to ensure better risk management.
Sometimes, due diligence questionnaires are confused with security questionnaires. Although they are similar in essence, they are two different documents and processes:
Due diligence questionnaires are used during the due diligence process to streamline it. Below are the top three cases when due diligence questionnaires are most beneficial:
A due diligence questionnaire is essential when planning to acquire or merge with another company. By using a DDQ, an issuing company ensures that a target has everything in place to make a potential acquisition or merger beneficial and doesn’t have anything that might put an issuing company and its operations at risk.
A DDQ can also be beneficial when evaluating the potential of a prospective investment opportunity. By issuing a DDQ, a prospective investor can investigate information about the founders of the company, its board of directors, customers and suppliers, and intellectual property.
DDQs used during the vendor due diligence process identify the risks of working with a particular vendor. However, there are two types of vendor due diligence:
When a company markets itself for sale and expects to have several potential buyers, it can take proactive steps and initiate due diligence from its side. This is to evaluate the potential risks within the company. Then, when a company is ready for sale, it can provide the results of the DDQ to all potential buyers instead of performing it for every individual buyer. As a result, it can significantly accelerate the deal.
In this case, DDQs target the risks of supplier partnerships. By issuing a DDQ, an organization can assess the cybersecurity risk, reputational risk, operational risk, and financial risk of working with a particular supplier.
Generally, DDQs aren’t unique to one particular industry. They can be used in any industry any time a risk assessment is required. However, some of the most common industries where DDQs are used include technology, finance, and government. Below is a list of the types of companies where DDQs are most often used:
When it comes to specialists who are involved in the DDQ issuing process, the list includes professionals of many levels and from many fields: IT, legal, financial, compliance, and procurement specialists.
Now, let’s briefly review why organizations issue DDQs. Due diligence questionnaires are typically issued for:
This is the most important reason why DDQs are issued. By implementing DDQs, companies identify risks when starting a business relationship with a new or existing vendor and when entering a new business transaction.
Due diligence questionnaires are also used to verify that the target complies with state, federal, and local laws, as well as with the standards and legal requirements of the issuing company.
Due diligence questionnaires are an efficient way to collect the large volumes of information required for due diligence or any other type of disclosure process. Issuing a DDQ also engages large teams, which can provide more data than smaller teams.
Though a due diligence questionnaire isn’t part of the sales process, it can still help accelerate a deal. Issuing one doesn’t directly lead to deal closure, but it narrows down the selection of vendors and potential partners, which in turn can make closing the deal simpler and smoother.
Note: The table below comprises the When, Who, and Why of the DDQs’ issuing process.
| When | Who | Why |
| --- | --- | --- |
| Mergers and acquisitions | Hedge funds and private equity firms | Risk mitigation |
| Investment | Tech companies | Compliance guarantee |
| Vendor assessment | Governmental organizations | Efficient data collection |
| Sell-side due diligence | Financial institutions | Transaction acceleration |
A due diligence questionnaire should cover the areas an issuing company requires extra information about to enter into a certain type of agreement. Let’s define the main areas of the due diligence questionnaire:
This area of the DDQ covers the basic company background check to ensure an issuing company enters into a business relationship with a reliable partner. Generally, this area of the DDQ includes such details as the company’s legal name, year of foundation, key products, etc.
This area is often the primary focus of a DDQ: the target company’s financial information. For example, an issuing company may want to review financial statements for the last three years in order to minimize the financial risk that a business relationship with the target company could bring.
This implies investigating whether a target vendor or potential partner is in compliance with state, federal, and local laws and regulations. If a business fails to comply, it may be subjected to various lawsuits and financial liability that might bring reputational damage and financial losses to an issuing company.
This DDQ area covers how third-party vendors manage the security and privacy of confidential data. This includes sensitive client data, such as credit card numbers, bank account information, and passwords, as well as confidential company information such as intellectual property.
Network security management is a part of cybersecurity and is essential to investigate within the DDQ. An issuing company should ensure that a third-party service provider or potential partner follows industry standards for preventing unauthorized network access.
Now, let’s list several example questions to include in a DDQ, depending on the areas discussed above.
| Area | Example questions |
| --- | --- |
| Company profile and history | – How many years has the company been operating? – What is the company’s approximate annual revenue? – What is the company’s organizational structure? – Does the company have bylaws? |
| Ownership and employees | – Who owns the company? – Who are the key officers and board of directors? – How many employees does the company have? – Have any of the owners or employees been subject to any kind of legal proceeding, including bribery, fraud, and corruption? |
| Financial history | – Does your company have any debt? – What are the company’s major growth drivers? – What are the balance sheets and income statements from the last three years? – What are the company’s operating costs? |
| Cybersecurity implementation | – Do you have any cybersecurity policies? What cybersecurity measures does your company take? – Who is responsible for developing and implementing the security requirements and measures? – Has your company experienced any cybersecurity issues in the past? How did you deal with them? |
| Business continuity | – Who is responsible for decision-making in case of any kind of disaster or crisis? – Do you have any disaster recovery plans developed and implemented? – Do you perform regular recovery tests? When was the last one? – For what types of disasters does your company have disaster recovery plans? |
| Regulatory compliance | – In what countries and states does your company operate? – Are there any legal proceedings the company is currently involved in or has been involved in in the past? – Is the company certified and compliant with such frameworks as SOC 2, ISO 27001, and GDPR? – Do you have an SEC communications plan? |
| Data security management | – What data does your company collect and store? – Who can access third-party data? – What measures are taken to ensure secure data storage? – Who is responsible for secure data storage? |
| Network security management | – What network access controls does your company have? – What tools does your company use for network monitoring? – What antivirus solutions does your company use? – Who is responsible for network access security management? |
Now, let’s take a look at what a due diligence questionnaire can look like depending on the industry and investigated risk areas. Explore 10 real-life examples below:
Naturally, conducting an assessment in the form of a due diligence questionnaire can be daunting. To simplify the process, consider the following tips:
First things first, have a clear strategy. This involves identifying who will be responsible for what, how the data will be collected, where it will be stored, and who will be answering the questions. This will help you to stick to the core strategy and prevent straying.
The next step is to identify key areas from which a certain third-party provider can bring risk exposure. It’s good to prioritize the areas based on risk levels: the more potential risk, the more attention it deserves in the DDQ.
Though not always applicable, it is sometimes helpful to create a pool of questions covering several industries and risk types instead of writing an individual DDQ for each third-party vendor or potential partner. With such a pool in place, you can draw on it to create more case-specific questionnaires.
Often, having a ready-to-use due diligence questionnaire template can significantly accelerate the due diligence process. You can use a template available on the web or craft a company-specific one and customize it to fit your needs.
Working on a due diligence questionnaire involves dealing with large volumes of data that often get lost in different files, tables, spreadsheets, and folders. Ensure you have a single database for all the DDQ data so that every involved party has 24/7 access.