Most articles about due diligence questionnaires are actually about checklists. They are different things, and the confusion causes real problems in real deals. A questionnaire is a document you send to the target company asking them to respond with narrative answers and supporting evidence. A checklist is an internal tracking tool you use to make sure you got everything back. One is a risk discovery instrument. The other is a completion tracker. Conflating them is the single most common mistake in DD preparation.
This guide covers what a DDQ actually is, how it differs from a checklist, the four categories every DDQ must cover, real questions from the frameworks institutional investors use (ILPA, Cooley, AIMA), specific red flag thresholds with dollar amounts, and a real example from the Cisco–Splunk $28 billion acquisition showing how long this actually takes at scale.
The template is free and includes questions organized by category, response format, and space to track supporting documents. It is at the bottom of the page.
What is a due diligence questionnaire?
A due diligence questionnaire (DDQ) is a formal document sent from one party to another during a transaction, asking structured questions about the target's business, financials, legal standing, operations, and strategic position. The receiving party responds with narrative answers and attached supporting documentation. It is the primary mechanism by which buyers, investors, or limited partners gather the information they need to make an investment or acquisition decision.
The two parties involved depend on the transaction type:
In an acquisition, the buyer sends a DDQ to the target company. In a venture capital or private equity investment, the investor sends a DDQ to the founders or management team. In a fund commitment, a limited partner sends a DDQ to the general partner of the fund they are considering investing in. In every case, the flow is the same: one side asks, the other answers with evidence.
A DDQ is not a contract. It is not a term sheet. It is the structured question set that produces the information those later documents need to be written accurately.
DDQ versus checklist: the distinction that matters
This is the part most articles get wrong. A due diligence questionnaire and a due diligence checklist are different tools that serve different functions in the same process.
A DDQ asks the target to produce information. It requires narrative responses, interpretation, and supporting evidence. The questions are often open-ended: "Describe your customer acquisition strategy and how unit economics have evolved over the last eight quarters." A checklist asks the buyer team internally whether they have received something. It is typically binary or status-based: "Received signed cap table? Yes / No / Pending."
Both tools matter. A deal team that uses only a questionnaire has no way to track what is still outstanding. A team that uses only a checklist has no actual information, just a list of documents it has received and never interrogated.
The conflation causes real damage. Teams that treat a DDQ as a tick-box exercise produce shallow answers that require follow-up cycles. Teams that treat a checklist as a substitute for substantive questions end up closing deals on the basis of whether they received a balance sheet, not whether they understood it.
The four main types of due diligence
Most sources land on four canonical categories for transactional due diligence. Specialized transactions can add more, but these four are the baseline any DDQ must cover.
Financial due diligence. Revenue quality, earnings normalization, cash conversion, working capital, debt structure, off-balance-sheet liabilities, and customer concentration. This is the category where Quality of Earnings (QoE) reports live. Financial DD answers the question: is the business actually making the money it says it is, and will that continue?
Legal due diligence. Corporate formation and governance, material contracts, litigation exposure, regulatory compliance, intellectual property ownership, employment agreements, and change-of-control provisions. Legal DD answers: are there any legal obligations or risks that would materially affect the value of the deal?
Commercial due diligence. Market sizing, competitive positioning, customer segmentation, pricing power, growth trajectory, and strategic trajectory. Commercial DD is the category where a market research dossier adds the most value. It answers: does this business operate in a market worth being in, and is it positioned to win there?
Operational due diligence. Management team depth, organizational structure, systems and technology, supply chain, key vendors, and process scalability. Operational DD answers: can this business actually execute on the plan underneath the financials?
Specialized add-on categories you will see in larger deals: tax, HR, IT and cybersecurity, environmental and ESG, and regulatory. Corporate Finance Institute and Ansarada both list 10 to 13 types depending on transaction complexity. A $500 million pharma acquisition might have 15 distinct DD workstreams. A seed-stage VC round might have three. Match the depth to the deal.
The 5 Ts framework for VC due diligence
Venture capital due diligence is a specific flavor with its own framework. The 5 Ts (Team, Technology, Traction, TAM, and Terms) is a structure commonly used across VC firms to organize DDQs. It is not a proprietary framework from any single firm, but a synthesis of the categories that early-stage investors consistently prioritize.
Team asks who the founders are, what their track record looks like, how complementary their skills are, and whether they can actually execute the plan. Sample question: "What is each founder's specific domain expertise and what gap would you need to fill to scale the business past 100 employees?"
Technology asks what the product actually does, how defensible it is, and whether the IP is owned clean. Sample question: "Are there any IP assignment agreements missing from former founders or early employees, and if so, when will they be executed?"
Traction asks what the evidence is that customers actually want this. Sample question: "What is your real net revenue retention by cohort and segment, and how has it changed over the last four quarters?"
TAM asks whether the market is big enough to support venture-scale returns. This is the category where our SWOT analysis template and TAM/SAM/SOM guide both connect directly to a DDQ response. Sample question: "Walk us through your market sizing, the assumptions behind each layer, and what percentage of SAM you realistically expect to capture in 36 months."
Terms asks what the deal structure looks like — valuation, dilution, liquidation preference, governance, anti-dilution rights. This is the category that bleeds into the term sheet rather than staying in the DDQ.
The 5 Ts framework comes from VC practice, but the structure generalizes. Any early-stage DDQ can be organized around these categories even if the specific questions vary by industry.
Real questions investors actually ask
Here are specific questions pulled from published VC and PE frameworks. These are not hypothetical. They come from the standard templates that Cooley and ILPA have documented publicly.
On growth: "What is driving growth right now — new logos, expansion of existing customers, price increases, or product mix shift? Which of those is sustainable and which is one-time?"
On retention: "What are your real gross and net revenue retention numbers by cohort? Can we see the raw data, not just the blended averages?"
On win/loss: "What are the top five reasons you win deals and the top five reasons you lose them? Who do you lose to most often, and why?"
On runway: "What is your cash zero date at current burn? What is your cash zero date with the new funding? When does the company reach operational breakeven in the current plan?"
On competition: "Identify and describe your key direct, indirect, and replacement competitors. Where does your strategy provide a defensible advantage? What would it take for a competitor to replicate your position?"
On IP: "Do you have registered patents, trademarks, or trade secrets? Are all contributions from current and former employees, contractors, and founders covered by valid IP assignment agreements? Please provide signed copies."
On customer concentration: "What percentage of revenue comes from your top five customers? What happens to revenue and cash flow if your largest customer leaves?"
On legal: "Are there any pending, threatened, or past material litigation matters? Any regulatory inquiries? Any change-of-control provisions in material customer or vendor contracts?"
Each of these questions should be answered with narrative context AND supporting documents. A one-line answer is a follow-up request waiting to happen. A complete answer includes the data, the source, and the interpretation.
Due diligence red flags with specific thresholds
Most red flag lists are vague. Here are the specific thresholds and patterns that experienced deal teams actually flag.
Customer concentration above 20 percent. If a single customer accounts for more than 20 percent of revenue, the business carries significant concentration risk. This is the most-cited threshold in M&A diligence.
Revenue and tax return mismatches. If the company reports $5 million in revenue on its financials but $3 million on its tax returns, something is wrong. This is the classic sign of either aggressive revenue recognition or tax avoidance, neither of which you want to discover after closing.
Missing IP assignment agreements. If former founders or early employees contributed code, designs, or patents without signed assignment agreements, the IP ownership is unclear and the entire business may be at risk. This is the single most common legal issue in early-stage acquisitions.
Change-of-control provisions in key customer contracts. If the target's largest customers can terminate on a change of control, the buyer is essentially purchasing the right to re-negotiate those contracts from zero. This can materially reduce the value of the deal post-close.
Pending undisclosed litigation. Any material litigation or regulatory inquiry that surfaces during DD but was not proactively disclosed by the seller is a trust issue on top of a legal issue. Deals have collapsed over this alone.
Quality of Earnings adjustments above 10 percent of reported EBITDA. If a QoE report normalizes reported EBITDA downward by more than 10 percent, the financials on the marketing materials are not the financials of the actual business. This frequently triggers renegotiation.
Red flag discovery is the reason due diligence exists. A DDQ that does not surface anything uncomfortable is usually not thorough enough. This is exactly the kind of deep investigation that goes into every $997 Deep Dive we deliver.
Buy-side versus sell-side due diligence
DDQs come in two flavors depending on who initiates the process.
Buy-side due diligence is conducted by the acquirer or investor. The buyer controls the scope, timing, and depth of the questions. The goal is to verify the seller's claims and uncover anything that would materially affect the valuation or the decision to proceed. Buy-side DD is usually deeper on risk areas because the buyer has every incentive to find problems before signing.
Sell-side due diligence (also called vendor due diligence) is initiated by the seller before going to market. The goal is to surface issues early so the seller can neutralize them before a buyer's team finds them. Sell-side reports are often shared with multiple potential buyers as part of the data room, saving time in parallel negotiations. A well-run sell-side process can significantly accelerate a transaction.
The questions in both processes are similar, but the framing is different. A buy-side DDQ is adversarial in tone: assume nothing, verify everything. A sell-side DDQ is confessional: identify the issues the seller already knows about, so they can be managed rather than discovered.
Private equity firms increasingly run both processes in parallel. A PE firm might run buy-side DD on a $50 million SaaS target it is acquiring in Q1 while simultaneously running sell-side DD on a portfolio company it plans to exit in Q3. Same team, same frameworks, opposite sides of the table. The sell-side exercise both prepares the portfolio company for market AND identifies operational improvements worth making before the sale, which often adds several million to the exit valuation.
How long due diligence actually takes: Cisco and Splunk
The commonly cited estimate for due diligence is four to six weeks. Real deals at scale take much longer.
Cisco completed its $28 billion acquisition of Splunk on March 18, 2024, at $157 per share in cash. The path from first conversation to close stretched nearly three years. Cisco first approached Splunk in 2021. After roughly 21 months of iterative negotiation, revised offers, and ongoing due diligence, Splunk's board accepted Cisco's final offer in August 2023. From accepted offer to shareholder vote and close took another seven months. The entire process from first conversation to close was approximately 32 months.
Data sources: Cisco investor relations announcement (March 2024), Mergersight Cisco-Splunk case study, public SEC filings.
The Cisco–Splunk timeline is not unusual for strategic deals at this scale. Large transactions go through multiple rounds of DD as new information surfaces, valuation assumptions get revised, and deal structures get re-negotiated. The "send a questionnaire, get answers, make a decision" model assumed by most DDQ articles does not reflect how actual complex deals work.
For smaller deals, the compressed version still takes weeks. A typical mid-market M&A process runs six to twelve weeks of active DD. A Series A VC round compresses into two to four weeks but involves less depth. A fund DDQ from an LP to a GP can take six weeks on its own, independent of the underlying portfolio questions.
Common DDQ mistakes on both sides
The failure patterns that surface in deal post-mortems and institutional DDQ guides show up across industries and transaction types. These are the ones that actually kill timelines and trust.
Vague answers that trigger follow-up cycles. A DDQ response that says "We have strong customer retention" without numbers will produce a follow-up question within 48 hours. The follow-up asks for the numbers. The response provides blended numbers. The third follow-up asks for cohort data. Every vague answer is a cycle you did not need to run.
Missing supporting documentation. A DDQ response without attached evidence is incomplete by definition. Audited financials, signed contracts, cap tables, and IP assignment agreements all need to be attached, not referenced.
Inconsistent data across subsidiaries or regional offices. If the US financials say one thing and the UK financials say something different, the combined response is internally inconsistent. This shows up most often in multi-entity deals where each entity prepared its own answers without reconciliation.
Static questionnaires that never get updated. A DDQ template from three years ago may miss entire risk categories (data privacy compliance, AI governance, ESG disclosure requirements) that have become standard since then. Questionnaires need to evolve.
Binary questions without evidence requirements. "Do you have IP assignment agreements? Yes / No" is worse than useless. The useful version asks for signed copies of every agreement with a schedule of any gaps. A yes/no answer without evidence is an invitation to lie.
No risk-based prioritization. Not every question in a DDQ is equally important. The best DDQs flag the top 10 critical questions that must be answered before proceeding, so the deal team knows where to spend time if the schedule compresses.
Vague document requests. "Send us your due diligence documents" produces noise. Specific requests like "provide signed cap tables, stock option agreements, and 409A valuations from the last three years" produce useful information.
DDQ framework comparison
Several institutional frameworks exist. Each was built for a specific audience and type of transaction. Use these as starting points rather than building from scratch.
| Framework | Use case | Publisher | Availability |
|---|---|---|---|
| ILPA DDQ 2.0 | LP to GP fund due diligence (private equity) | Institutional Limited Partners Association | Free public PDF |
| Cooley GO Sample VC DD Request List | Early-stage venture capital investment | Cooley LLP | Free public template |
| AIMA DDQ | Hedge fund manager due diligence | Alternative Investment Management Association | Free to AIMA members |
| Our DDQ template | M&A, VC, and commercial due diligence | Dossier Intel | Free at the bottom of this page |
The institutional frameworks are thorough but often industry-specific. Our template is designed to work across M&A, VC, and commercial transactions with the same core structure, organized around the four types of DD rather than the specific document types in any one framework.
Download the Due Diligence Questionnaire template
The template covers all four categories of due diligence (financial, legal, commercial, operational), includes questions from the 5 Ts framework, a red flag checklist with specific thresholds, and response tracking so you can manage multiple parallel DDQs at once.
Free Due Diligence Questionnaire Template
PDF and Google Sheets format. Four-category structure, 5 Ts framework questions, red flag thresholds, response tracking for parallel deals.
- Four-category DDQ framework
- 5 Ts framework question set
- Red flag threshold checklist
- Response tracking for parallel deals
Frequently asked questions
What is the difference between a due diligence questionnaire and a due diligence checklist?
A questionnaire is a document sent to the target company asking them to respond with narrative answers and supporting evidence. A checklist is an internal tracking tool the buyer uses to verify document receipt. The questionnaire discovers risk. The checklist tracks completion. Both tools are used in parallel, but they serve different purposes and should not be confused.
How long does due diligence take?
A Series A venture capital round typically runs two to four weeks of active DD. A mid-market M&A transaction runs six to twelve weeks. Large strategic acquisitions can run 18 to 32 months from first conversation to close, as the Cisco-Splunk $28 billion deal demonstrated. Scale the timeline to deal size and complexity.
What are the main types of due diligence?
The four canonical categories are financial, legal, commercial, and operational. Larger transactions add specialized categories including tax, HR, IT and cybersecurity, environmental and ESG, and regulatory compliance. A Series A round may only cover the four basics. A large pharmaceutical acquisition might have 15 parallel DD workstreams.
What are the biggest red flags in due diligence?
Customer concentration above 20 percent of revenue is the most commonly cited threshold. Others include revenue-to-tax-return mismatches, missing IP assignment agreements, change-of-control provisions in material customer contracts, undisclosed pending litigation, and Quality of Earnings adjustments exceeding 10 percent of reported EBITDA.