Anatomy of a DDQ answer: how to structure every response
Learn exactly how a good DDQ response is structured—concise answer, supporting detail, evidence, and metadata—with sample answers across security, ESG, ops, and performance.
Robert Dickson
RevOps Manager, AutoRFP.ai··12 min read
A due diligence questionnaire (DDQ) is only as strong as its individual answers. Reviewers at institutional investors, procurement teams, and third-party risk functions work through hundreds of questions under tight deadlines — each one probing what institutional reviewers are evaluating before they advance a deal. If a single answer requires follow-up emails or a search through unlinked attachments, it slows the entire process and raises doubt.
This guide covers exactly how to structure one DDQ answer—the anatomy that makes it clear, auditable, and fast to validate. It applies across DDQ types: security, ESG, operational, and performance.
Who this is for: Response teams, compliance managers, and operations leads who complete DDQs regularly and want a repeatable format that holds up under scrutiny.
Prerequisites: You should have access to your internal policy library, current certifications, and up-to-date metrics before writing answers.
Difficulty/time: Low difficulty per answer; 10–20 minutes per question when source materials are organized.
Why the structure of each answer matters
DDQ reviewers do not read linearly. They scan. The best-practice approach is to include structured, evidence-backed responses rather than leaving reviewers to infer documentation. Answers should be easily digestible, with traceable evidence and attachment references.
The goal for each answer: be understood in 10 seconds and validated in under 3 minutes. That means the answer field itself must be self-contained. It cannot depend on the reviewer reading the full attachment to find the core claim.
The four-part anatomy of a strong DDQ answer
Every well-structured DDQ response follows the same four layers:
- Concise answer (1–2 sentences): State the direct answer to the question. If it is a yes/no question, answer it explicitly, then add one or two sentences of context.
- Supporting detail (1 short paragraph): Describe the process, control, or practice that backs up the concise answer. This is where you explain how the claim holds, not just that it does.
- Evidence reference: Name the specific artifact that proves the claim. Include the document title, exhibit label or number, and a page or section pointer. Do not write “see attached” without specifying what the attachment proves.
- Metadata (owner, title, last updated, version): This gives reviewers and auditors a chain of custody. It confirms the answer is current and who is accountable.
This structure follows the source hierarchy principle: the answer comes first, then the most authoritative artifact is cited. Attachments are not implied; they are named.
Handling yes/no questions
A yes/no question is not an excuse for a one-word response. A structured yes/no answer looks like this:
Concise answer: Yes. Supporting detail: Multi-factor authentication (MFA) is enforced for all user accounts accessing production systems, including administrative and service accounts. Enforcement is managed through the corporate identity provider with policy logs reviewed monthly by the Security Operations team. Evidence: Exhibit A, Access Control Policy v3.1, Section 4.2 (MFA enforcement scope). Metadata: Owner: Head of Information Security | Last updated: 2026-05-01 | Version: 3.1
Tone and length guidance
DDQ answers must be professional, direct, and transparent. No marketing language, no superlatives, no vague claims about “industry-leading” practices.
Length by question type:
- Short (policy/yes-no): 2–4 sentences + evidence line + metadata.
- Medium (process/control): 1 concise sentence + 1 paragraph + evidence + metadata. Roughly 80–120 words in the answer field.
- Long (multi-part/narrative): Concise answer first, then bullets only where they genuinely improve scanability, then evidence and metadata. Aim for under 200 words.
One rule that matters in regulated and investor-facing DDQs: do not present planned capabilities as current. If a control or feature is on a roadmap, state it clearly with the expected implementation date. Reviewers who discover a roadmap claim presented as a current capability will flag the entire submission.
Inline data vs. attachments: a practical rule
The most common structural mistake in DDQ responses is misusing attachments. Here is a reliable rule of thumb:
- Inline answers: Direct facts, specific metrics, dates, named individuals, certification names and expiry dates, scope statements.
- Attachments: Full policy documents, audit reports (SOC 2, ISO 27001), certifications, legal artifacts, detailed procedure manuals, financial statements.
When referencing an attachment, the inline answer must include: (1) the exhibit name or document title, (2) what specific claim it supports, and (3) the page, section, or exhibit number where the reviewer can find it.
Anti-patterns to avoid:
- Writing “See Appendix” with no claim preceding it.
- Embedding raw files or entire policy documents into the answer field.
- Referencing an attachment version that does not match the metadata date.
The ILPA DDQ 2.0 framework explicitly includes an appendix of requested documents that should accompany the diligence package, with each document tied to specific sections of the questionnaire. That model works because every attachment has a defined purpose.
Version control matters here. If your answer cites “Information Security Policy v3.1 (last updated 2026-05-01)” but the attached file is v2.8 from 2024, a careful reviewer will flag the discrepancy. An evidence-first reviewer mindset expects certification validity and scope to align precisely with what is attached.
Sample answers by DDQ type
The following samples use the four-part anatomy. Copy and adapt these for your own responses.
Security DDQ, MFA enforcement (short)
Question: Does your organization enforce multi-factor authentication for access to production systems?
Concise answer: Yes. MFA is enforced for all accounts with access to production environments, including privileged and service accounts. Supporting detail: Enforcement is managed through the identity provider using time-based one-time passwords (TOTP) and hardware tokens for administrator roles. Non-compliant login attempts are blocked automatically and logged for monthly review by the Security Operations team. Evidence: Exhibit B, Access Control Policy v4.0, Section 5.1 (MFA requirements and enforcement scope). Metadata: Owner: VP of Information Security | Last updated: 2026-04-15 | Version: 4.0
Security DDQ, Incident response (medium)
Question: Describe your incident response process and average time to notify affected parties.
Concise answer: The organization maintains a documented incident response plan with defined roles, escalation paths, and a 72-hour notification commitment for confirmed data incidents affecting client data. Supporting detail: The Incident Response Team (IRT) is activated within 2 hours of a confirmed incident. The process follows five stages: detection, containment, eradication, recovery, and post-incident review. Notification to affected clients follows within 72 hours of confirmation, consistent with GDPR Article 33 timelines. Annual tabletop exercises test the plan. Evidence: Exhibit C, Incident Response Plan v2.3, Sections 3 and 6 (escalation matrix and notification procedures). SOC 2 Type II Report (2025), Section 4 (availability and security criteria). Metadata: Owner: Chief Information Security Officer | Last updated: 2026-03-10 | Version: 2.3
ESG DDQ, Emissions reporting (medium)
Question: Does your organization measure and report on its greenhouse gas emissions?
Concise answer: Yes. The organization measures Scope 1 and Scope 2 emissions annually and discloses results in its ESG report. Supporting detail: Emissions data is collected across all owned facilities using the GHG Protocol Corporate Standard methodology. The 2025 ESG Report records total Scope 1 emissions of 320 metric tons CO2e and Scope 2 emissions of 1,140 metric tons CO2e. Data is independently verified by a third-party verifier. Scope 3 measurement is in progress, with full reporting expected by Q2 2027. Evidence: Exhibit D, 2025 ESG Report, pp. 22–26 (emissions data and verification statement). Metadata: Owner: Head of Sustainability | Last updated: 2026-02-28 | Version: 2025 Annual
ESG DDQ, DEI metrics (short)
Question: Does your organization track diversity, equity, and inclusion metrics?
Concise answer: Yes. The organization tracks gender, ethnicity, and seniority-level representation annually and publishes aggregate results. Supporting detail: As of December 2025, women represent 44% of the global workforce and 38% of senior management roles. Ethnicity data is collected with voluntary self-identification and reported at the regional level. Progress against targets is reviewed by the Board’s ESG Committee each quarter. Evidence: Exhibit E, 2025 Workforce Diversity Data Summary (published February 2026). Metadata: Owner: Chief People Officer | Last updated: 2026-02-15 | Version: 2025 Annual
Operational DDQ, Business continuity (medium)
Question: Does your organization have a business continuity and disaster recovery (BCDR) plan? When was it last tested?
Concise answer: Yes. A documented BCDR plan is in place, covering all critical business functions and technology systems. It was most recently tested via a full simulation exercise in November 2025. Supporting detail: The plan defines recovery time objectives (RTO) of 4 hours and recovery point objectives (RPO) of 1 hour for Tier 1 systems. Testing follows an annual schedule with biannual partial tests. Results from the November 2025 exercise identified two action items, both resolved by January 2026. The plan is reviewed and updated after each test. Evidence: Exhibit F, BCDR Plan v5.1, Section 2 (scope and RTO/RPO definitions); Exhibit G, 2025 Test Results Summary (November 2025). Metadata: Owner: Director of Operations | Last updated: 2026-01-20 | Version: 5.1
Performance DDQ, Uptime and SLA (short)
Question: What is your platform’s uptime SLA and actual availability over the past 12 months?
Concise answer: The contractual uptime SLA is 99.9%. Actual availability over the 12 months ending June 2026 was 99.96%. Supporting detail: Availability is measured continuously via third-party monitoring. Any incident affecting availability triggers a post-incident report distributed to affected clients within 48 hours. Planned maintenance windows are communicated a minimum of 5 business days in advance and excluded from SLA calculations per the service agreement. Evidence: Exhibit H, Uptime Report, July 2025–June 2026 (generated June 30, 2026, from third-party monitoring). Metadata: Owner: VP of Engineering | Last updated: 2026-07-01 | Version: Current
Reviewer checklist for a single DDQ answer
Use this checklist before submitting each answer. It reflects the evidence-first reviewer mindset and is aligned with SME sign-off requirements for technical and legal questions.
- The concise answer directly addresses the question without requiring the reviewer to read further.
- The supporting detail explains how the claim holds, not just that it does.
- No roadmap claims are presented as current capabilities. Planned features include a go-live date.
- Each attachment is named with a specific exhibit label and section/page pointer.
- Metrics in the answer match the most recent internal report, and the report date is cited.
- Attachments referenced in the answer are included in the submission package.
- Metadata (owner, title, date, version) is present and matches the evidence cited.
- The answer has been reviewed by the relevant subject matter expert (SME) for the domain (security, legal, finance, or operations).
- Follow-up risk check: would a reviewer ask a clarifying question because a claim is vague or unsupported by the cited exhibit? If yes, revise.
Gold standard recap
| Layer | What it contains | Length |
|---|---|---|
| Concise answer | Direct response to the question | 1–2 sentences |
| Supporting detail | Process, control, or practice explanation | 1 short paragraph |
| Evidence reference | Named exhibit, document title, section/page | 1–2 lines |
| Metadata | Owner, title, last updated, version | 1 line |
For teams handling high volumes of complex DDQs, maintaining a centralized DDQ response library makes this structure scalable. Platforms like AutoRFP.ai support evidence-backed drafting with content libraries that store approved answers alongside their source metadata, so each response field is populated with the correct structure and traceable to the right artifact. For specific framework requirements, the ILPA DDQ completion guide covers how this anatomy maps to one of the most detailed investor questionnaire formats in use.
With the anatomy applied consistently across every answer, a 200-question DDQ becomes a reviewable document rather than a research project. Start with the answers that carry the most risk if left vague: security controls, certifications, and any metrics with SLA implications. Get those right first, then apply the same structure across the remaining sections.
For teams looking to further systematize their process, reviewing DDQ best practices for investment firms and exploring AI DDQ solutions are practical next steps — and our guide to the best DDQ software compares the platforms that make this anatomy scalable.