Skip to main content

DDQs

What Is a DDQ? Due Diligence Questionnaires, Explained

By RocketDocs Team
Compliance professional reviewing a due diligence questionnaire at a desk

A DDQ, or due diligence questionnaire, is a structured set of questions that one organization sends to another to verify how it operates before committing capital, awarding business, or continuing a relationship. Institutional investors use DDQs to vet fund managers, regulators use them to examine supervised firms, and enterprise customers use them to screen vendors. The answers are written, factual, and become part of the sender's formal due diligence record.

If you work in proposals, compliance, or investor relations, DDQs arrive on a schedule and never stop. This guide covers the DDQ meaning in practical terms: who sends them, what they contain, how they differ from RFPs, and how to build a response process that holds up year after year.

DDQ meaning: a precise definition

A due diligence questionnaire is a formal, written information request used to assess risk before and during a business relationship. The sender wants documented, verifiable answers about your firm's ownership, financials, operations, compliance program, security, and governance.

A DDQ response is not a sales document. It is a factual record the sender will rely on and may check later. Three features set DDQs apart from other questionnaires:

  1. They verify rather than persuade. The sender is confirming facts, not comparing pitches.
  2. Answers carry consequences. A wrong answer can cost an allocation or trigger a regulatory finding.
  3. They recur. Most DDQs return annually or quarterly, and each new set of answers is compared with the last.

For definitions of terms used across this field, see the response management glossary.

Who sends DDQs, and why

Three groups account for most DDQs.

  • Institutional investors. Pension funds, endowments, sovereign wealth funds, funds of funds, and investment consultants vet fund managers before allocating capital, then keep checking for as long as the money stays invested.
  • Regulators. Supervisory bodies use questionnaire-style information requests during registrations, examinations, and thematic reviews.
  • Enterprise customers. Banks, insurers, healthcare systems, and other large buyers screen suppliers as part of third-party risk management before trusting them with data, money, or critical services.

The motive is always the same: the sender is accountable to someone else, whether beneficiaries, boards, regulators, or patients, and needs a defensible record showing the checking was done.

DDQ vs. RFP vs. security questionnaire

These documents often land on the same response team, but they do different jobs.

DDQRFPSecurity questionnaire
PurposeVerify facts and assess riskSelect a providerEvaluate security controls
Typical senderInvestors, regulators, customer risk teamsProcurement teamsCustomer security teams
What it asksOwnership, financials, compliance, operations, governanceCapabilities, approach, pricingPolicies, controls, certifications, incident history
Nature of answersFactual and verifiablePersuasive as well as factualFactual, control by control
When it arrivesBefore commitment, then recurringDuring a purchase decisionDuring onboarding, then recurring
OutcomeRisk decision or allocationContract awardSecurity approval

An RFP asks "why should we choose you?" while a DDQ asks "prove you are what you say you are." A security questionnaire is a narrower relative of the vendor DDQ, focused entirely on information security. Many teams manage security questionnaires and DDQs from the same content library because the answers overlap.

The main types of DDQs

Investor DDQs

Allocators and their consultants send investor DDQs to fund managers. They examine the whole firm: strategy, team, track record, risk management, valuation practices, service providers, compliance history, and operational controls. An initial DDQ during manager selection can run to several hundred questions. After the allocation, ongoing DDQs, annual reviews, and quarterly investor updates track what has changed. For asset management firms with multiple affiliates or strategies, the same underlying question often needs a different approved answer for each entity.

Regulatory DDQs

The SEC and CFTC in the US, the FCA in the UK, and BaFin in Germany all issue structured information requests during registrations, periodic examinations, and thematic reviews. Regulatory answers must match your filings, disclosures, and previous responses exactly, and deadlines are not negotiable. A traceable record of who wrote and approved each answer matters as much as the answer itself; you may need to defend both years later.

Vendor DDQs

Enterprise customers send vendor DDQs to assess suppliers before signing and again at each annual review. Expect questions on corporate structure, financial health, insurance, subcontractors, data handling, privacy, business continuity, and certifications such as SOC 2 and ISO 27001. In regulated industries, your customer's regulator effectively becomes your regulator: banks and insurers must evidence vendor oversight, so their DDQs are detailed and mandatory.

The ILPA Standardized DDQ

The Institutional Limited Partners Association maintains a standardized DDQ for private markets. It gives limited partners a common template for evaluating general partners, so GPs answer one well-understood question set instead of hundreds of bespoke variants.

The ILPA DDQ standardizes the questions LPs ask across firm background and ownership, investment strategy and process, governance, team, fund terms, risk and compliance, ESG practices, and track record.

Standardization helps both sides: LPs can compare managers question by question, and GPs can maintain one reviewed master response updated on a set cycle. Many LPs still add custom questions on top, so treat the ILPA DDQ as a foundation rather than the finish line.

Two colleagues reviewing a multi-tab questionnaire on a shared monitor

What a typical DDQ contains

Formats vary, but most DDQs draw from a familiar set of sections:

  • Firm overview: legal structure, ownership, history, headcount
  • Key personnel and governance: bios, committees, succession, conflicts of interest
  • Strategy and process: investment philosophy or service methodology, decision rights
  • Performance and track record: composites, benchmarks, attribution (investor DDQs)
  • Risk management: frameworks, limits, monitoring, reporting lines
  • Compliance and regulatory: registrations, exam history, litigation, code of ethics
  • Operations: trade lifecycle or service delivery, reconciliations, service providers
  • Valuation: policies, committees, hard-to-value assets
  • Technology and security: infrastructure, access controls, incident response
  • Business continuity: disaster recovery, testing cadence, key-person risk
  • Insurance and financials: coverage, audited statements
  • ESG: policies, integration, reporting

A full DDQ can run from a few dozen questions to several hundred, often a multi-tab Excel workbook or a locked Word template that must be returned in its original format.

The DDQ response process, step by step

A repeatable DDQ process looks like this:

  1. Intake and triage. Log the questionnaire, confirm the deadline, and flag anything unusual before work starts.
  2. Parse the document. Break the questionnaire into individual questions with IDs, whatever the format: Excel tabs, Word tables, or a portal.
  3. First pass from approved content. Match each question against your library of approved answers. Exact and near matches fill immediately; new questions get flagged.
  4. Assign the gaps. Route new or outdated questions to the right subject matter experts. One owner per question, one editor overall.
  5. Update the facts. Refresh time-sensitive data: AUM, headcount, org charts, performance figures, certification dates.
  6. Compliance and legal review. Reviewers check accuracy, consistency with filings and prior responses, and required disclosures. Record who approved what.
  7. Format and submit. Return the document in the requested format with numbering, formatting, and attachments intact.
  8. Feed the library. Push final approved answers back into your content library, tagged by topic, entity, and date, so the next DDQ starts further ahead.

Why DDQs recur, and what that means for your team

A DDQ is rarely a one-time event. Investors send annual updates and quarterly letters. Clients run annual vendor reviews. Regulators examine on cycles. The same questions return every year, in slightly different words, on slightly different templates.

Recurrence changes the job in two ways.

Accuracy at volume. Answering one DDQ carefully is easy. Keeping hundreds of facts current across dozens of recurring questionnaires is not. When AUM figures, personnel, or policies change, every stored answer that references them is stale until someone updates it.

Traceability. When an investor asks why this year's answer differs from last year's, or a regulator asks who approved a statement, you need the history: which version went to whom, when, and on whose sign-off. Email threads and memory do not survive staff turnover. Audit trails do.

Common DDQ mistakes

  • Reusing stale answers. Last year's AUM, a departed manager's bio, an expired certificate. Recycled errors are the most common DDQ failure.
  • Inconsistency across documents. The DDQ says one thing, the pitch deck another, the regulatory filing a third. Reviewers cross-check.
  • No named owners. When every expert owns an answer, no one does, and unowned content decays.
  • Breaking the format. Returning a mangled version of the sender's Excel template creates rework and signals carelessness.
  • No approval record. If you cannot show who signed off on an answer, you cannot defend it later.
  • Pasting sensitive data into public AI tools. Client names, AUM, and holdings do not belong in consumer chatbots.
  • Starting from zero every time. Without a maintained library, teams re-research questions they answered correctly last quarter.

The 2026 DDQ Compliance Checklist is a practical way to audit your current process against these failure points.

How DDQ automation and software help

Professional signing off on a document approval at a desk

Purpose-built DDQ automation software targets the failure points above. It parses incoming questionnaires, fills recurring questions from approved content, routes gaps to experts, records approvals, and returns the response in its original format. The goal is not to remove people; it is to spend expert time on questions that need judgment instead of ones answered last quarter.

Where RocketDocs fits

RocketDocs has built response management software for regulated industries since 1994. Its clients include J.P. Morgan, Bank of America, Prudential, Deutsche Bank, and Aetna, and it rates 4.2 out of 5 on G2 across more than 100 reviews. The platform supports investor, regulatory, and vendor DDQs, including the ILPA Standardized DDQ. Four capabilities matter most for DDQ work:

  • Private AI for sensitive data. Astro, the platform's generative AI, runs on a privately hosted Llama model. Customer data is never sent to third-party AI providers and never used to train public models, so teams can use it on answers containing AUM, client, and holdings information. Astro works in three layers: exact-match autofill for recurring questions, similarity search for near matches, and generative drafting with human review for the rest.
  • Template versioning, year over year. RocketDocs maps last year's approved answers onto this year's template even when the wording shifts, which is exactly how recurring investor and regulatory DDQs behave.
  • Multi-affiliate content libraries. Asset managers can maintain entity-specific approved answers for each affiliate or strategy, so the correct version of the truth reaches each questionnaire.
  • Immutable audit trails and governed content. Every answer carries its history: who drafted, changed, and approved it, and where it was sent. Review cycles, SME ownership, and custom approval workflows keep the library current. The platform is SOC 2 Type II and ISO 27001 certified.

LaunchPad, the platform's native Microsoft 365 add-in, brings all of this into Word and Excel, handling multi-tab Excel questionnaires and exporting responses with the sender's formatting preserved.


Looking for the platform behind this? See the RocketDocs platform or book a demo.

FAQ

Frequently asked questions

What does DDQ stand for?

DDQ stands for due diligence questionnaire. It is a structured list of questions that investors, regulators, or enterprise customers send to a firm to verify its operations, compliance, financials, security, and governance. The completed questionnaire becomes part of the sender's formal due diligence record, and most DDQs are reissued annually or quarterly.

What is the difference between a DDQ and an RFP?

An RFP, or request for proposal, is a buying document: it compares competing providers on capabilities, approach, and price, and responses are written to persuade. A DDQ is a risk document: it verifies facts about a firm's operations, compliance, and controls, and answers must be accurate and defensible. RFPs are usually one-time events, while DDQs recur throughout a relationship.

What is the ILPA DDQ?

The ILPA Standardized DDQ is a due diligence questionnaire template maintained by the Institutional Limited Partners Association for private markets. It standardizes the questions limited partners ask general partners, covering firm background, strategy, governance, risk, compliance, ESG, and track record, so GPs can maintain one reviewed master response instead of drafting bespoke answers for every investor.

How long does it take to complete a DDQ?

A DDQ can take a few days to several weeks to complete, depending on its length, how many questions are new, and how many subject matter experts and reviewers are involved. Short vendor DDQs answered from an approved content library move fastest; long investor or regulatory DDQs with full compliance sign-off take the most time.

What is due diligence questionnaire software?

Due diligence questionnaire software manages the DDQ response process end to end: it parses incoming questionnaires, auto-fills recurring questions from a library of approved answers, routes new questions to subject matter experts, records approvals in an audit trail, and exports the response in its original format. In regulated industries, look for private AI that keeps sensitive data out of public models.

Put this into practice on your next RFP.

A specialist will walk you through the platform with content from your industry, including the workflow, the AI, and the audit trail that matter most for your team.