DDQ Anatomy, Part 1 of 4: the finance section
What the finance section of a DDQ asks — SOC audit history, revenue recognition, debt covenants, parent-company financials. What evaluators want, where questions repeat, and what good answers look like.
This is Part 1 of a four-part series on the anatomy of a due-diligence questionnaire (DDQ). A DDQ is a security questionnaire with a deadline, and a deadline always brings out the parts of the document that the team hadn’t thought hard about. The four parts of this series cover the four sections that show up in essentially every DDQ: finance, legal & privacy, security, and operations.
This post is the finance section. It is shorter than people expect — typically 15 to 40 questions out of a 200-to-350-question DDQ, per Loopio’s research — but the questions are weighted heavily by buyers because finance answers cannot be hand-waved. A vendor with weak revenue recognition is a real risk to a buyer with a multi-year procurement.
Why finance lives in a DDQ
The DDQ is the buyer’s risk-management instrument. The buyer is signing a contract with a vendor and wants three risks managed: the vendor stays in business, the vendor’s financial controls don’t produce restatements that affect their commercial relationship, and the vendor’s debt or ownership structure doesn’t introduce surprises down the line.
Finance questions in a DDQ are almost never about financial performance per se. The buyer is not your investor. They are a customer who needs to know whether you will exist in two years and whether your books are clean enough that your auditor doesn’t flag substantial doubt about your ability to continue as a going concern. The questions are designed to surface answers to those two questions, sometimes obliquely.
This shapes what good answers look like, which I’ll come back to.
The five sub-clusters
Finance sections in DDQs vary, but five clusters appear with high consistency.
Sub-cluster 1 — SOC audit history (4-8 questions)
The questions: when was your last SOC audit completed? Who is your auditor? What was the type (Type I or Type II)? What was the scope? Were there any findings? Provide the report.
What the buyer wants: the most recent SOC 2 Type II report, with a coverage period that ended within the past 12 months and an unqualified opinion with no exceptions (or, where there were exceptions, evidence that remediation is complete). The auditor name is a sanity check: a SOC 2 report can only be issued by a licensed CPA firm, and buyers are increasingly skeptical of vendors using auditors with thin reputations in the SOC space.
Failure modes I see:
- Submitting a Type I when the buyer asked for Type II. A Type I reports on the design of controls at a point in time; a Type II tests whether they operated effectively over a period, usually 6 to 12 months. A Type I doesn’t substitute.
- Submitting a SOC 2 report whose period of coverage ended more than 12 months ago. The report has aged out of usefulness for the buyer’s risk timeline.
- Submitting a SOC 2 with a qualified opinion and no remediation evidence.
What good looks like: a one-paragraph answer that names the auditor, period of coverage, type, and any exceptions, with the report attached. If there is a gap between the end of the coverage period and today, attach a bridge letter covering it. If your most recent report is older than 12 months, name the in-flight audit’s period and the expected report date.
Sub-cluster 2 — Revenue recognition and audit posture (3-6 questions)
The questions: do you recognize revenue under ASC 606 / IFRS 15? What is your audit posture (audited / reviewed / compiled)? Who is your auditor? When was your last audited financial statement issued?
What the buyer wants: ASC 606 (US GAAP) or IFRS 15 (international) — these are the modern revenue-recognition standards. A vendor not using one of them is a vendor whose revenue is not comparable across periods. “Audited” is the highest level of assurance; “reviewed” is acceptable for smaller vendors; “compiled” is the lowest and signals risk.
Failure modes:
- Vendors who say “we recognize revenue when invoiced.” That’s not a recognition standard; under ASC 606 and IFRS 15 revenue is recognized as performance obligations are satisfied, which for a multi-year subscription is not when the invoice goes out.
- Vendors whose auditor is the same firm that does their tax work or their bookkeeping. Independence rules vary by jurisdiction, but the optical issue is real.
- Vendors who haven’t completed an audit in 18 months for reasons they don’t explain. The unexplained gap is the question the buyer is going to ask.
What good looks like: name the standard, the audit level, the auditor, and the most recent statement date. If the most recent audit is in flight, name the auditor and expected completion. If you’re a private company that doesn’t audit annually, say so explicitly and explain the cadence — buyers are less concerned by an unaudited posture than by a posture they can’t characterize.
Sub-cluster 3 — Debt and capital structure (2-5 questions)
The questions: what is your current debt structure? Are there any covenants that affect your ability to operate? Have you had any defaults in the past three years? What is your equity capital structure?
What the buyer wants: confidence that a debt covenant won’t accelerate against you mid-engagement and turn your company into a distressed asset. The buyer is not asking for your cap table — they’re asking whether anything in your capital structure could surprise them.
Failure modes:
- Refusing to answer at all and citing confidentiality. This reads as “we have something to hide.” A general posture statement is acceptable to the buyer; full disclosure isn’t required.
- Naming covenants without naming the headroom. “We have a senior debt facility with covenants” is not an answer; “we have a senior debt facility with covenants we are currently in compliance with by [significant margin]” is.
- Failing to name material capital events in the past 12 months. A round, a recap, a debt refinancing — these affect the buyer’s risk picture.
What good looks like: a paragraph that characterizes the debt facility, names the covenant compliance status without disclosing specific covenant levels, and discloses material capital events. “No material debt” is a clean answer for vendors that are equity-funded.
Sub-cluster 4 — Parent and subsidiary disclosures (2-4 questions)
The questions: what is your corporate structure? Are you a wholly-owned subsidiary of another entity? Provide the parent and any sister-company relationships.
What the buyer wants: clarity on which legal entity will sign the contract, who guarantees obligations, and whether there are sister-entity dependencies that could create operational risk.
Failure modes:
- Vendors who say “we’re a subsidiary of X” and don’t name the contracting entity. The contracting entity is the legally relevant fact.
- Vendors who don’t disclose intercompany dependencies — particularly when product engineering happens in a different entity than the contracting entity. This is a real risk to the buyer if the parent restructures.
What good looks like: name the contracting entity, the parent, and any material intercompany dependencies. If the contracting entity has no material dependencies on the parent for ongoing service delivery, say that explicitly — it’s the answer the buyer wants.
Sub-cluster 5 — Insurance (3-5 questions)
The questions: what types of insurance do you carry? What are the limits? Provide certificates.
What the buyer wants: cyber liability, errors and omissions, general liability, and workers’ comp at the limits the buyer’s procurement team has standardized. The limits vary by buyer; the four types are universal.
Failure modes:
- Vendors who carry inadequate cyber-liability limits relative to the buyer’s data exposure. A consumer-data buyer won’t accept a $1M cyber limit.
- Vendors whose insurance certificates have expired by the time of submission.
What good looks like: a table with insurance type, carrier, limit, and effective period, with attached certificates. This is one of the few DDQ sub-clusters where the answer is genuinely tabular.
Where the finance section repeats
The same questions show up across DDQs. Loopio’s research and Safe Security’s reports both note that vendors face hundreds of questionnaires per year — Safe Security puts the number at 500+ per year for some enterprise vendors. The question text varies but the underlying ask is identical across DDQs from CAIQ, SIG, and most custom buyer-built questionnaires.
This means the finance answer set is the highest-value piece of content to maintain in your KB. Twenty well-written, citable answers to the canonical finance questions — refreshed quarterly — cover 80% of the finance section across DDQs.
The catch: finance answers go stale faster than security answers do. SOC reports refresh annually, but the end of the coverage period recedes a day at a time, so an answer that was current on the day the report dropped is close to aging out by the time the next one is due. Insurance certificates expire annually. A finance answer in the KB that was written six months ago may already cite a SOC report whose coverage period is approaching the 12-month mark, and an insurance certificate that has since renewed.
This is why the SME bottleneck shows up most painfully on finance. The Qorus research I’ve cited before — 48% of teams cite SME collaboration as their top challenge — applies hardest here. The finance team is small, busy, and not used to writing DDQ answers. When a security questionnaire arrives at 4pm Friday, the security team has 30 questions and a runbook. The finance team has 8 questions and no runbook.
A KB with current finance answers, owned by a finance lead with quarterly refresh on the calendar, is the difference between a 3-day finance section and a 30-minute one.
What good DDQ finance content looks like in your KB
Six things, in priority order.
- Current SOC 2 Type II report, with the cover summary written as a citable answer. Period of coverage, auditor, exceptions (or “no exceptions”), date of issuance. Refresh on the day the new report drops.
- Most recent audited financial statement summary, written as a citable paragraph. Standard, audit level, auditor, date of issuance.
- Capital structure paragraph, refreshed after every material capital event. Funding round, debt refinancing, recap.
- Corporate structure paragraph, refreshed at every legal-entity change.
- Insurance schedule, with carrier, type, limit, period. Refresh annually with the policy renewals.
- Going-concern statement, written as a single paragraph. This is the answer to questions like “is there any concern about your ability to continue as a going concern over the next 24 months.” Refresh whenever the underlying facts change.
These six pieces of content, properly maintained, answer 80% of the finance section in any DDQ. The remaining 20% is buyer-specific — questions that are unusual for that buyer’s industry — and those are the only questions that should escalate to a finance SME.
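The refresh calendar above is easy to state and easy to miss. The following is an added example, not tooling from the original post: a small staleness audit over the six finance entries, using the rules the post gives (a SOC 2 coverage period that ended more than 12 months ago has aged out, a Type I doesn’t substitute for a Type II, an insurance certificate past its effective period is expired, and everything else is on a quarterly cadence, assumed here to mean 90 days). The entry shape, the field names, and the sample KB are constructed for illustration.

```python
"""Staleness audit for the finance answers in a DDQ knowledge base.

Added example; not the author's tooling. The KBEntry shape and the
sample data are constructed. Rules are taken from the post; the
quarterly cadence is assumed to mean 90 days.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

SOC_MAX_AGE_DAYS = 365      # coverage end older than this has aged out
REFRESH_CADENCE_DAYS = 90   # "quarterly refresh", assumed as 90 days


@dataclass
class KBEntry:
    key: str                              # e.g. "soc2", "insurance:cyber"
    last_refreshed: date                  # when the answer text was last rewritten
    soc_type: Optional[str] = None        # "I" or "II" for the SOC entry
    coverage_end: Optional[date] = None   # SOC coverage period end date
    valid_to: Optional[date] = None       # insurance certificate expiry


def audit_entry(entry: KBEntry, today: date) -> list[str]:
    """Return the reasons this entry must not be cited as-is (empty if current)."""
    reasons: list[str] = []
    if entry.soc_type is not None:
        if entry.soc_type != "II":
            reasons.append("SOC 2 Type I on file; buyers ask for Type II")
        if entry.coverage_end is not None:
            age = (today - entry.coverage_end).days
            if age > SOC_MAX_AGE_DAYS:
                reasons.append(f"SOC coverage period ended {age} days ago (>{SOC_MAX_AGE_DAYS})")
    if entry.valid_to is not None and entry.valid_to < today:
        reasons.append(f"insurance certificate expired {entry.valid_to.isoformat()}")
    since_refresh = (today - entry.last_refreshed).days
    if since_refresh > REFRESH_CADENCE_DAYS:
        reasons.append(f"answer text not refreshed in {since_refresh} days (quarterly cadence)")
    return reasons


def audit_kb(entries: list[KBEntry], today: date) -> dict[str, list[str]]:
    """Map every entry key to its list of staleness reasons."""
    return {e.key: audit_entry(e, today) for e in entries}


def stale_keys(entries: list[KBEntry], today: date) -> list[str]:
    """Sorted keys of the entries that need a finance owner's attention."""
    return sorted(k for k, reasons in audit_kb(entries, today).items() if reasons)


# Constructed sample KB: one SOC entry, the financial statement summary,
# one insurance line, and the going-concern paragraph.
SAMPLE_KB = [
    KBEntry("soc2", last_refreshed=date(2024, 5, 15), soc_type="II",
            coverage_end=date(2024, 3, 31)),
    KBEntry("financials", last_refreshed=date(2025, 4, 10)),
    KBEntry("insurance:cyber", last_refreshed=date(2025, 5, 1),
            valid_to=date(2025, 4, 30)),
    KBEntry("going_concern", last_refreshed=date(2025, 1, 15)),
]


if __name__ == "__main__":
    as_of = date(2025, 6, 1)  # constructed "today" for the sample run
    for key, reasons in audit_kb(SAMPLE_KB, as_of).items():
        status = "current" if not reasons else "; ".join(reasons)
        print(f"{key:16} {status}")
```

Run it with the real dates from your KB and a cron entry, and the output is the finance lead’s to-do list rather than a 4pm Friday surprise. The 90-day cadence is the one assumption worth tuning; the 12-month SOC rule and the certificate expiry are the buyer’s rules, not yours.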
The takeaway
The finance section is small but heavy. It can’t be hand-waved, the SMEs who answer it are scarce, and the answers go stale fast. Your KB needs current versions of six specific pieces of finance content, owned by someone who refreshes them on a calendar, not on demand.
Part 2 of DDQ Anatomy — security — lands later this month. The security section is 40 to 60% of most DDQs and is where the SME bottleneck does the most damage. Worth getting the finance section out of the way first; it’s the smallest one.