PE Tech Report


Operational due diligence: Common DDQ questions investors are asking

By Eze Castle Integration – Operational due diligence has become a hot topic that continues to gain importance and attention throughout the alternative investment industry. Over the past few years, as regulations have evolved and investors increasingly seek transparency, financial firms are spending more time than ever preparing for the due diligence process.

It is no surprise that the investment industry landscape is becoming more and more competitive. As this trend continues, investors are raising their expectations and looking towards firms that display the highest levels of operational excellence. One important way to ensure your firm meets these high standards is to complete a due diligence questionnaire (DDQ) that can be shared with potential investors.

A comprehensive DDQ covers a wide range of topics, from assets under management (AUM) to audited financial statements and investment strategies. One major area of focus is the firm’s IT and accompanying cybersecurity policies and procedures. At Eze Castle, we frequently assist our clients in completing DDQ questions on technology, and we often see the same types of operational due diligence questions popping up.

So, to help you get started, we have compiled the following list of some frequently asked DDQ questions. You can also download the sample investment firm DDQ list here. In addition, a great resource for conducting due diligence on a firm’s service providers is the 300+ question document published by the Alternative Investment Technology Executives Club (AITEC).

Technology Provider Selection

  • Has the firm performed thorough due diligence on its current and/or potential IT vendors?
  • Does the firm have established, documented service level agreements in place with its technology partners to ensure a stable computing environment?

Information security policy

  • Has the organisation developed a formal and well-documented information security policy?
  • Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
  • Do the appropriate management officials approve the policy and any changes that may be made?

Access control policy

  • Does the organisation have a formal and well-documented access control policy in place?
  • Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
  • Does the firm’s IT staff (or technology partner) ensure appropriate access control to applications and sensitive company data? Are there robust procedures in place to grant or deny access to applications?
  • How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely?
  • Has a password policy been implemented throughout the organisation? Have all employees been trained on best practices for password security?
  • Are policies in place governing password changes? (Current NIST guidance, SP 800-63B, recommends changing passwords when there is evidence of compromise rather than forcing rotation on a fixed schedule, so be ready to explain the rationale behind whichever approach the firm takes.)

Network security policy

  • Has the organisation developed a formal and well-documented network security policy?
  • Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
  • Does the firm have a robust firewall in place at the network level? Are policies configured to defend against external security threats? Are the firewall logs monitored regularly?
  • Does the firm employ an intrusion detection or prevention system (IDS/IPS)? An IDS only detects and alerts on suspicious traffic; blocking unauthorized access requires an IPS or firewall rules, so state clearly which the firm runs and who reviews the alerts.
  • Is a solution in place to protect email systems against spam?
  • Is a solution in place to ensure mobile devices and laptops are secure in the event of loss or theft? Are email and text messages encrypted and archived?

Physical security policy

  • Has the organisation developed a formal and well-documented physical security policy?
  • Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
  • Are access controls in place for the server room? How does the firm ensure only authorized personnel gain access to critical systems?
  • Are procedures in place to manage visitors in the office? Are steps being taken to ensure visitors do not have the ability to observe or access sensitive employee systems and documents?

Business continuity & disaster recovery plans

  • Has the organisation developed a formal and well-documented business continuity plan?
  • Is the plan regularly reviewed to determine whether it still reflects the firm's systems and staff? Are changes and enhancements to the plan implemented when necessary?
  • Has the firm tested the BCP from both a technical and operational perspective? How often are these tests performed?
  • Has the firm established a dedicated location to retain backup copies of all critical data? Is offsite data encrypted and stored securely?
  • Has a secondary working location been established to which employees should report in the event of a disruption or outage?
  • Do all employees clearly understand the BCP procedures? Have appropriate training and documentation been established and shared with all personnel?
  • Is a comprehensive disaster recovery solution in place to provide system redundancy and ensure protection of critical data in the event of a disaster or system failure?
  • Has the firm determined recovery point objectives (RPOs) and recovery time objectives (RTOs) for its critical systems? Does the DR solution demonstrably meet them?
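Answering the RPO/RTO question credibly means showing evidence, not just a policy document. The following Python is an added example, not part of the original article or Eze Castle's tooling: it measures the actual RPO as the age of the newest backup that passed a test restore or integrity check (an unverified copy is not a recovery point) and the actual RTO as the duration of the most recent full restore test, then compares both against the declared objectives. The system names, objectives and backup records are constructed sample data and are purely hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data below: hypothetical system names and objectives,
# not taken from any real firm or from the article.


@dataclass(frozen=True)
class Objective:
    system: str
    rpo: timedelta  # maximum tolerable data loss (age of the newest recoverable copy)
    rto: timedelta  # maximum tolerable time from disruption to restored service


@dataclass(frozen=True)
class BackupRun:
    system: str
    completed: datetime
    verified: bool  # True only if the copy passed an integrity check or test restore


@dataclass(frozen=True)
class RestoreTest:
    system: str
    started: datetime
    service_restored: datetime


def measure_rpo(objective, backups, now):
    """Age of the newest *verified* backup for the system; an unverified copy
    is not a recovery point, so it is ignored. Returns (age, meets_objective)."""
    usable = [b for b in backups
              if b.system == objective.system and b.verified and b.completed <= now]
    if not usable:
        return None, False
    age = now - max(b.completed for b in usable)
    return age, age <= objective.rpo


def measure_rto(objective, tests):
    """Elapsed time of the most recent full restore test for the system.
    No test means the RTO is unproven, which is reported as not met."""
    runs = [t for t in tests if t.system == objective.system]
    if not runs:
        return None, False
    latest = max(runs, key=lambda t: t.started)
    elapsed = latest.service_restored - latest.started
    return elapsed, elapsed <= objective.rto


def evaluate(objectives, backups, tests, now):
    """Per-system comparison of measured RPO/RTO against the declared objectives."""
    report = {}
    for o in objectives:
        rpo_actual, rpo_ok = measure_rpo(o, backups, now)
        rto_actual, rto_ok = measure_rto(o, tests)
        report[o.system] = {
            "rpo_actual": rpo_actual, "rpo_ok": rpo_ok,
            "rto_actual": rto_actual, "rto_ok": rto_ok,
        }
    return report


def failing_systems(report):
    """Systems whose evidence does not support the declared objectives."""
    return sorted(s for s, r in report.items() if not (r["rpo_ok"] and r["rto_ok"]))


UTC = timezone.utc
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=UTC)

OBJECTIVES = [
    Objective("oms", rpo=timedelta(minutes=15), rto=timedelta(hours=1)),
    Objective("file-server", rpo=timedelta(hours=24), rto=timedelta(hours=8)),
    Objective("email", rpo=timedelta(hours=1), rto=timedelta(hours=4)),
]
BACKUPS = [
    BackupRun("oms", datetime(2024, 3, 1, 11, 50, tzinfo=UTC), verified=True),
    BackupRun("oms", datetime(2024, 3, 1, 11, 58, tzinfo=UTC), verified=False),  # not a recovery point
    BackupRun("file-server", datetime(2024, 2, 28, 22, 0, tzinfo=UTC), verified=True),  # 38h old
    BackupRun("email", datetime(2024, 3, 1, 11, 30, tzinfo=UTC), verified=True),
]
RESTORE_TESTS = [
    RestoreTest("oms", datetime(2024, 2, 10, 9, 0, tzinfo=UTC),
                datetime(2024, 2, 10, 9, 45, tzinfo=UTC)),
    RestoreTest("file-server", datetime(2024, 2, 10, 9, 0, tzinfo=UTC),
                datetime(2024, 2, 10, 16, 30, tzinfo=UTC)),
    # email has never been restore-tested, so its RTO is unproven
]

REPORT = evaluate(OBJECTIVES, BACKUPS, RESTORE_TESTS, NOW)

if __name__ == "__main__":
    for system, r in REPORT.items():
        print(f"{system:12} RPO {r['rpo_actual']} ({'ok' if r['rpo_ok'] else 'MISS'})  "
              f"RTO {r['rto_actual']} ({'ok' if r['rto_ok'] else 'MISS'})")
    print("needs remediation:", failing_systems(REPORT))
```

Two design choices matter for a DDQ answer. Only verified copies count toward the RPO, because a backup that has never been restored is an assumption, not evidence. And a system with no restore test on record is reported as missing its RTO rather than as unknown, which is the stance an investor's reviewer will take. In the sample data the file server misses its 24-hour RPO and email has an unproven RTO, so both would need remediation before the firm could answer "yes" to the question above.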

