Understanding due diligence questionnaires


The internet allows consumers to easily arm themselves with information that may influence their buying decisions. Before spending money at a restaurant or hair salon, for example, they might consult Yelp or Google Business reviews.

When a business enters into an agreement with another company, whether it’s a large purchase or even a merger or acquisition, making informed decisions is a little—okay, a lot—more complicated than just checking Yelp reviews. Before entering into a business relationship, buyers must do their due diligence, or there could be severe repercussions.

What does doing “due diligence” entail when entering into business agreements? In this blog, we’ll talk about when you can expect a DDQ (due diligence questionnaire), what to expect from it, and how to make filling one out a whole lot easier.

What is a due diligence questionnaire (DDQ)?

A DDQ is a formal document and request from a company looking to have a set level of understanding of a specific topic from a potential vendor. A DDQ enables the issuer to vet prospective partnerships.

It is worth noting, however, that DDQs vary between industries and types of products or transactions. Also, unlike an RFP, a DDQ is not a sales document and may not even be a precursor to a sales document.

However, much as many (if not most) companies run background checks on new hires, a DDQ can serve as that “background check” before signing an official deal. DDQs are most commonly sent by highly regulated companies, such as those in the financial services industry.

Some DDQs are product-focused, asking, for example, what the product capabilities are. However, a DDQ is not a sales document, so it generally won’t get into specific product features, pricing, or logistics.

DDQs include:

  • Financial status – Businesses make large purchases to help them fulfill their customer obligations. Suppose they choose to do business with a company that isn’t on good financial footing and could go bankrupt. In that case, the purchasing organization risks financial loss, potential legal problems, damage to credit, and a hit to its reputation. This isn’t to say they’ll always receive the answers they’re looking for; we’ll get to that in a moment.
  • Business holdings – Asking an organization to disclose its business holdings is part of the financial vetting process. It could reveal potential red flags that expose the vendor—and potentially, by extension, the purchaser—to legal and tax vulnerabilities.
  • Compliance standards – Does the vendor meet the purchaser’s industry standards and applicable government regulations? These questions might arrive via a separate security questionnaire.

Due diligence core areas

Many people confuse DDQs with RFPs and security questionnaires, but they are quite different. As mentioned earlier, an RFP is a sales document. A security questionnaire has more in common with a DDQ than with an RFP, but security questionnaires are generally straightforward yes/no questions.

A DDQ might contain some narrative questions, similarly to an RFP. But a DDQ is strictly about vetting a company, not making a sale. The core areas include:

  • General organizational information (business credentials) – Typically, DDQs only ask about surface business credentials, such as company name, company legal name, year founded, primary products, number of customers, etc.
  • Financial review – Financial due diligence is one of the primary purposes for DDQs, especially in financial services. Customers may want to see the last three years of financial statements. Privately-held companies are not legally required to release financial information—and as a matter of course, they won’t. As an alternative, the vendor might suggest a phone call to discuss concerns.
  • Human resources – HR questions are generally more characteristic of an RFP than a DDQ. There might be some surface-level questions, such as “how many employees,” etc., but granular questions about HR are left to the RFP.
  • Funding – A DDQ issued to a startup company might ask about funding. A DDQ may also ask about a fund manager’s strategy.
  • Governance, risk, and compliance – This is a core piece of DDQs.
  • Legal – Legal questions are usually categories under compliance. Legal agreements are generally more RFP-focused.

What does a DDQ include?

While DDQs might have some narrative questions, most are yes/no. DDQ questions might cover several categories.

They might include:

  • Company questions – Company questions might include some narrative questions, such as, “tell us about (company history, organizational structure, subsidiaries, majority stakeholders, investments, etc.).”
  • Financial information – Financial information includes income, balance sheets, accounts payable and receivable, tax returns, credit reports, etc. Many privately held companies will not answer these questions.
  • Employee information – Employee information is generally part of an RFP. However, a DDQ might ask high-level questions such as the number of employees, types of non-compete and non-disclosure agreements, etc.
  • Legal overview – A DDQ is not a legal contract, but that doesn’t mean incorrect answers won’t get you in legal hot water in the future. You may see questions about litigations, permits, licensing, etc.
  • Financial and debt statements – It’s common for a DDQ to ask for financial and debt statements. However, while that information is public for publicly traded companies, privately held companies may not, and often do not, provide those answers.
  • Consumer/customer information – Customer questions are generally not part of a DDQ. However, it might include questions about security surrounding customer records or any litigations.
  • Industry and market insights – Industry and market insights are not common DDQ subjects.
  • Intellectual property – Intellectual property questions are common on DDQs. You could be asked how many patents your company holds, whether your products are intellectual property or crowdsourced, etc.
  • Operational information – Like HR questions, operational questions are typically high-level, such as about network security. However, in manufacturing, operational questions tend to be far more complex and in-depth.
  • Regulatory compliance – Regulatory compliance is generally the most critical part of a DDQ, especially in the tech, financial, and healthcare industries. You can expect several questions about whether you comply with an issuer’s regulatory requirements.
  • Data security and privacy – In most cases, data security and privacy fall under regulatory compliance. Some issuers might want to know whether you go above and beyond to meet stringent compliance requirements.
  • Contractual obligations – Contractual obligation questions are typically in an RFP instead of a DDQ.
  • Reputation and publicity reports – Reputation and publicity report questions are not generally part of a DDQ. However, you will find them on RFPs and RFIs (requests for information).
  • Information technology systems – It’s common for a DDQ to ask about existing software and hardware.
  • Tax history – Tax history typically falls under financial questions. Most privately held companies won’t answer.

Why do organizations issue DDQs?

While DDQs are not a direct part of the sales cycle, they can help facilitate it. A company may issue a security questionnaire before an RFP or even compile a list of compliant vendors for future use.

It’s also prevalent for companies to issue DDQs to existing vendors to address significant organizational changes and maintain standards in their vendor pool.

  • Mitigate risks – Risk mitigation is the fundamental reason to issue a DDQ. Risk mitigation is a common concern in investment management. DDQs are often issued for existing relationships to ensure up-to-date compliance.
  • Guarantee compliance – This falls under risk mitigation.
  • Streamline disclosure process – A comprehensive DDQ is designed to streamline information collection and disclosure.
  • Enable efficient gathering of large amounts of data – DDQs can collect large amounts of data, within limits. Large response teams can provide more data than smaller teams, although advanced response software helps level the playing field.
  • Accelerate transactions – Generally, DDQs do not accelerate transactions. However, they can make choosing vendors in the short or long-term future much simpler.

Understanding DDQ responses

An effective DDQ response provides enough information to empower transactions to proceed with assurance. Quality responses can help:

  • Demonstrate strengths with compliance – Demonstrating compliance can set you apart from some of your competitors, but again, DDQs are not sales documents. It’s essential to follow the issuer’s guidelines and never fudge or exaggerate your compliance.
  • Confirm historical performance – A DDQ may ask about past performance trends, especially in investment and financial firms. Other industries might be asked about overall growth, etc., although that’s usually not a focus.
  • Investment and asset management – A DDQ might also ask about investments and asset management. However, privately held companies might not answer the questions.
  • Disclose risks – From the buyer’s perspective, a DDQ is about disclosing any risks before entering into or maintaining a business relationship. Vendors might be tempted to gloss over risks, but it’s critical to be honest about your limitations and hopefully create a plan to address them.
  • Grow revenue – DDQs are not specifically revenue-generating documents, but in many cases, they are a necessary piece of housekeeping, so to speak, before entering a sales cycle.

Types of due diligence questionnaires

DDQs are about as varied as the industries they come from and their ultimate purposes. Some industry-specific or situational questions you might find are:

Mergers and acquisitions due diligence

Not surprisingly, DDQs issued before a merger or acquisition are highly detailed. Nothing is off the table, although a DDQ will commonly ask about financial history and obligations, security compliance, legal matters, contract obligations, etc.

It is worth noting that since mergers and acquisitions are typically not public knowledge within a company, the vendor should limit project access to executives and others involved in the query.

Vendor due diligence

Not all customer/vendor relationships begin with a DDQ; it depends on the industry. For example, purchases in the investment and management realm must include DDQs. Vendor management is about standardization to take any surprises out of future business arrangements. Overall, the goal is to reduce risk and inform decision-making.

Business relationship due diligence

DDQs can be a critical part of ongoing business relationships. Have regulatory requirements changed? Have you kept up? Has your business made any structural changes?

Investment due diligence

A DDQ is extremely important in vetting companies before investing. It is worth noting, once again, that the questions on an investment DDQ ask for sensitive information, so it’s unlikely that they’ll be answered by response teams.

Due diligence questionnaires: Best practices

Unlike the RFP process, which focuses on features, pricing, onboarding processes, etc., the DDQ process elicits details and insights that may be overlooked.

Define your strategy

Your DDQ strategy should begin long before you receive one. Response managers should determine:

  • Whether their SLAs are defined and available.
  • Who is going to intake the DDQ?
  • How long will it take before you start answering questions?
  • Who will answer the questions?
  • How long will the DDQ be in question/answer mode?
  • When will the DDQ be ready for review?

Address vulnerabilities

It’s easy to assume that a DDQ mitigates risks for the issuer with little benefit to the company responding. However, it’s not that simple. An accurate and thorough DDQ response strategy can identify vulnerabilities within your organization.

As for the issuer, failure to issue a comprehensive DDQ can result in:

  • Security breaches – If a company fails to properly vet vendors for compliant security protocol, they risk breaches that are out of their control, and the vendor risks fines and litigation when they fail to deliver or try to gloss over risks.
  • Failed revenue goals – If a purchase is tied to your company’s revenue and you’ve failed to do your due diligence, it could have revenue ramifications for several quarters.
  • Falling out of compliance – Even if all of your company’s systems are compliant, a non-compliant vendor could knock you out of compliance.
  • Breached contracts – If you choose a vendor who fails to adhere to their agreement, your customers will blame your company, not the vendor.
  • Fraud – Fraud in B2B (business to business) sales is rare, in no small part because the vetting process is far more rigorous than with most consumer purchases.
  • Mismanagement – DDQs help protect against the mismanagement of funds or data.

Clearly articulate core DDQ objectives

Why did you receive the DDQ? Is it a precursor to a sales process, or will it be an ongoing quarterly or yearly review or audit?

Employ a consistent and systematic approach

An effective DDQ response process requires thoroughness, accuracy, and consistency. Advanced response management software, such as RFPIO, is the tool that creates time-saving repeatable processes.

  • Prepare customized templates – Create a branded answer template that easily imports information from whatever format a DDQ appears in.
  • Identify and quickly access SMEs – Are the questions in their area of expertise, and do they have the time?
  • Leverage RFP response management software – RFP response management software helps ensure that your answers are accurate and on-brand while saving time and resources.

Work from due diligence checklists

Checklists are built into nearly every project management software. Checklists keep you on time and on track.

Super-organized issuers might even build checklists into their DDQs.

A checklist:

  • Enables easier comparisons – Think of a DDQ as an opportunity to check how your company’s compliance compares to your own and your issuer’s standards.
  • Effectively collects information – A checklist helps ensure that you aren’t missing anything and aren’t gathering the wrong information.
  • Prevents missed deadlines – A checklist will help ensure that your response is complete and on time.

Centralize organizational knowledge

DDQs aren’t known for originality; however, two issuers rarely ask similar questions in identical ways. Can you make the answers repeatable? Can you store answers in a single source of truth to accelerate future DDQ responses? Whether a DDQ has 20 or 2,000 questions, having content in place is by far the biggest time saver.

A single source of truth:

  • Ensures accuracy – All information stored in a company’s knowledge library should be verified accurate through regularly scheduled audits.
  • Supports transparency – With pre-approved answers, a comprehensive AI-powered knowledge library does much of the work for you.
  • Improves knowledge access – In a perfect world, every DDQ stakeholder would have access to their single source of truth. RFPIO’s unique project-based, rather than user-based, pricing structure gives access to any authorized person without having to purchase additional licenses.

Leverage automation

Because DDQs arrive via a myriad of formats, it’s crucial to have software in place that helps you standardize them. Intelligent automation goes several steps further by doing up to 80% of your work.

Benefits of DDQ response automation include:

  • Tracking the completion process in real-time
  • Streamlining the response time
  • Scaling the ability to respond to DDQs
  • Efficiently managing tasks and deadlines
  • Improving collaboration

Due diligence example questions

Not surprisingly, a DDQ’s questions are industry-specific. Below are some common industry-specific examples:

Organizational due diligence questions

Organizational due diligence questions can be a part of any DDQ, but in-depth organizational due diligence questions are more common in mergers and acquisitions than in vendor DDQs.

Questions might include:

  • What is the organizational structure of your company?
  • Can you provide professional bios for senior leadership?
  • Can you offer diagrams and charts of your corporate structure?

Financial due diligence questions

DDQs are most common in the financial services industry. Expect DDQs to ask:

  • What are your operating costs?
  • Can you provide income statements and balance sheets?
  • Can you provide accounts receivable information?
  • Can you give a breakdown of sales and gross profits (by Product Type, Channel, and Geography)?

HR due diligence questions

HR due diligence questions are uncommon but not completely unheard of. You may have to answer questions such as:

  • What do current employee contracts look like?
  • What are historical and projected head counts, both by function and location?
  • What are your benefit plans?
  • Can you provide incentive stock plan overviews?

Investment fund information

Investment and hedge funds, of course, are an arm of the financial services industry, so you will generally see DDQs. Questions might include:

  • What are your fund strategies and goals?
  • What are your historical and projected growth rates?
  • What is your market share?

Governance, risk, and compliance

A DDQ’s most basic function is to determine and mitigate risk. Governance, risk, and compliance questions include:

  • What are your organizational policies?
  • Can you provide an organizational code of ethics?
  • Can you provide a breakdown of service provider risk?
  • Can you provide your SEC communications plan?

Legal due diligence questions

Legal questions generally fall under RFPs rather than DDQs; however, there are some cases where an issuer might include legal questions, including:

  • Have you been involved in any litigation?
  • Are you currently involved in any litigation?
  • What trademarks and patents do you currently have?
  • Can you provide insurance coverage details?
  • Can you provide your history of regulatory agency issues?
  • What are your compliance programs and policies?

Simplify due diligence with RFPIO

Repetitive, manual due diligence efforts are inefficient and cumbersome. RFPIO is a response platform and a project management platform. Simplify your DDQ response processes with:

  • Standardize importing – Whether your DDQ arrives as a spreadsheet or a Word document, import it into RFPIO for standardized, highly searchable formatting and functionality.
  • Project management – RFPIO will let you set project goals and timelines, helping ensure your answers will arrive on time.
  • The ability to choose your SMEs – Your SMEs are very busy and have varying degrees of expertise. RFPIO will show you the SMEs who’ve answered similar questions in the past, and show their availability.
  • Repeatable answers – DDQs can have thousands of questions. RFPIO’s Content Library stores approved answers to previous questions, letting you auto-populate and edit as you see fit.
  • Standardize exporting – RFPIO lets you customize templates to match your brand and impress the issuer.

Responding to DDQs

RFPIO is the number one response management platform, and not just for RFPs. Leverage RFPIO throughout your entire DDQ response process to provide professional, accurate, and on-time responses. RFPIO’s AI-powered response platform provides:

  • A single knowledge library (RFPIO’s Content Library) – Add answers to any DDQ from anywhere within the company
  • RFPIO® LookUp – Provides access to the Content Library to any authorized person with a browser.
  • Recommendation Engine – Automatically suggests the best responses
  • Project management functions – Assign, manage, and track workflow tasks and deadlines.
  • Scalability to respond to DDQs – While most SaaS (software as a service) products have a per license pricing model, RFPIO allows for unlimited users with project-based pricing. Your capabilities will grow as you need and scale back when your response team can take a little breather.

RFPIO also enables collaboration with seamless integrations with all of the most popular communication applications. Keep in touch with teammates from anywhere in the world using Slack, Microsoft Teams, Google Hangouts, or Jira to:

  • Ensure accuracy – It would be tough to answer a DDQ without help from some SMEs. Real-time communication and fact checking helps you submit accurate answers.
  • Efficiently manage tasks and deadlines – Stay in touch with each stakeholder to ensure each task is completed on time.
  • Streamline response time – Better communication enables faster response times.

Explore a better DDQ solution

RFPIO isn’t just for RFPs. Our comprehensive response management platform makes responding to DDQs fast, secure, scalable, accurate, and on time. If you would like to learn how RFPIO can help you demonstrate compliance, schedule a free demo.


Wendy Gittleson

Wendy has more than 10 years experience as a B2B and B2C copywriter. She developed a passion for writing about tech from living in the San Francisco Bay Area and working for a technology school. From there, she transitioned to writing about everything from SaaS to hardware and cloud migration. She is excited to be part of the wonderful team at Responsive and looks forward to playing her part in building the future. Connect with Wendy on LinkedIn.
