IT Due Diligence Questionnaire template for software outsourcing

Due Diligence is an investigatory process helping companies learn as much as possible about another party in order to reduce business risk and ensure required standards are being met.

In outsourcing transactions, there are two types of due diligence:

• Due diligence done by a buyer to confirm a supplier is able to perform given services
• Due diligence done by a supplier to understand the buyer’s environment

This article focuses on the first type of due diligence – the one which aim is to give confidence to a buyer in their choice of outsourcing partner.

Due diligence forms part of the supplier evaluation process. Regardless of whether an organisation uses an RFP or not, carrying out due diligence by buyers on potential partners is important because it reduces the risk of selecting an inadequate supplier of services.

What is a Due Diligence Questionnaire (DDQ)?

A due diligence questionnaire (or a DDQ) serves as a check of compliance with certain standards. It helps buyer organisations to understand the processes of a potential vendor and to filter out the suppliers that do not comply with required standards. Apart from using a DDQ early in the process of finding a supplier, some companies send out DDQs as a regular activity to their existing suppliers to monitor compliance with standards.

 

Due Diligence In Software Development Outsourcing: What Checks To Include?

Due diligence practices in software development outsourcing should cover a number of core areas. We propose a DDQ for software development which includes checks related to the following:

 

Basic Company Information

This includes information confirming that the supplier company exists and has required licenses to do the work it says it does. Apart from contact details, it should cover company’s legal name and structure, VAT/tax number, company registration number and information about company ownership, which helps confirm the company’s existence and legal status. Other important aspects are company background and history, size, client portfolio, business reputation, business model and case studies as well as certifications and partnerships. Thinking outside the box, a Google maps picture of a company’s headquarters can serve as a further confirmation that the given organisation exists.

 

Financial Information

When doing a due diligence check, financial check is necessary to ensure the outsourced service providers you’re about to start working with are financially stable, profitable and viable. Ask them to provide you with:

• financial statements going back 3-5 years; remember to specify the desired currency. The statements should cover profit & loss, assets, liabilities, and equity,
• revenue sources to evaluate the diversification of its client base,
• profitability and margins to assess the company’s ability to generate profits,
• growth patterns to check for consistent growth or positive trends over time,
• debt and liabilities,
• cash flow and working capital to understand the company’s cash generation and liquidity.

It’s a good idea to request help from your Finance Department to check over the information for any red flags. You may also consider asking the vendor for some bank references and financial audits to assess their financial health.

 

Insurance

When doing due diligence checklist, it is important to consider insurance coverage to protect your interests and mitigate potential risks. Some insurance-related aspects to consider include:

• general liability insurance providing financial protection in case of accidents or incidents that may occur during the software development process,
• professional liability insurance (Errors and Omissions Insurance) that protects both the outsourcing company and its clients in case of financial loss due to software defects, project delays, or inadequate performance,
• cyber liability insurance which helps cover legal expenses, notification costs, and potential financial damages resulting from a cyber incident,
• intellectual property insurance which provides financial protection in case of IP-related disputes and associated legal costs,
• workers’ compensation insurance protecting both the company and its employees in the event of work-related injuries or illnesses,
• contractual liability insurance which protects your interests and ensures that both parties have appropriate insurance protection,
• verification of coverage to ensure that the insurance is current and adequate for your needs,
• additional insurances, depending on the specific project and industry.

When reviewing insurance-related information, consider consulting with your own legal and insurance professionals to assess the adequacy of the outsourcing company’s coverage and to ensure that your own interests are protected.

 

Infosec

Assessing the information security (infosec) practices of the potential outsourcing partner as a part of due diligence check is crucial to ensure data security, confidentiality, integrity, and availability of your systems. Key aspects to consider regarding infosec are:

• security policies and procedures to ensure that their policies align with industry best practices and meet your organisation’s security requirements,
• data protection and privacy to assess their compliance with relevant data protection regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA),
• security awareness and training programs,
• secure software development practices,
• physical security measures for their offices, data centres, or server rooms, remembering that adequate physical security is important to protect against unauthorised access and potential physical threats,
• network and infrastructure security to assess their ability to protect against external threats and ensure secure data transmission,
• incident response and business continuity to assess their ability to minimise downtime and protect your systems and data during unexpected events,
• security audits and certifications such as ISO 27001 (Information Security Management System) or SOC 2 (Service Organisation Control 2) which indicate that the company has implemented and maintains a robust information security management system,
• third-party assessments, if available,
• confidentiality agreements that outlines the obligations of both parties regarding the confidentiality and non-disclosure of information.

It is advisable to engage with a qualified security professional or conduct an independent security assessment to thoroughly evaluate the outsourcing company’s infosec practices. This helps ensure that your software development partner maintains a robust security posture and aligns with your organisation’s security requirements and risk tolerance.

 

Risk Management

When conducing due diligence check of your chosen service provider, evaluating risk management practices is crucial to identify and mitigate potential risks that may arise during the outsourcing engagement. Aspects to consider include:

• risk assessment and mitigation,
• project management methodologies,
• communication and transparency,
• contractual risk allocation,
• business continuity and disaster recovery,
• vendor management and subcontracting,
• intellectual property protection,
• compliance and regulatory requirements,
• financial stability and contractual obligations,
• risk escalation and resolution.

Remember to tailor this evaluation based on the specific requirements and risk tolerance of your organisation. Engaging with legal and risk management professionals can provide additional expertise to assess risks and ensure appropriate risk management strategies are in place for your software development outsourcing initiative

 

Human Resources

Assessing the human resources (HR) aspects of the potential service provider is an essential part of the due diligence check to ensure that they have the necessary talent, expertise, and capacity to meet your project requirements. Here are some key aspects to consider regarding HR:

• workforce expertise and skills to assess if they have the necessary technical knowledge, domain expertise, and proficiency in relevant programming languages and technologies,
• employee retention and turnover,
• scalability and resource allocation to understand how they manage resource allocation, balance multiple projects, and ensure timely delivery,
• employee training and professional development to check their investment in keeping their workforce up-to-date with the latest technologies and industry best practices,
• cultural fit and communication,
• HR policies and compliance,
• employee confidentiality and non-disclosure,
• succession planning and key personnel to ensure they have appropriate knowledge transfer processes in place to minimise the impact of personnel changes,
• employee engagement and satisfaction,
• compliance with social responsibility and ethical standards.

While assessing the HR aspects when doing due diligence checklist, it can be valuable to conduct interviews with the outsourcing company’s HR representatives or request references from their current or past clients. This will provide insights into their HR practices, employee satisfaction, and overall professionalism.

 

Subcontractors

As a part of diligence checklist, it is also important to evaluate the involvement of subcontractors, as they can have a significant impact on the quality, timelines, and security of your project.

Key aspects to consider regarding subcontractors include:

• identification of subcontractors,
• subcontractor selection process,
• subcontractor expertise and skills,
• communication and collaboration,
• subcontractor management,
• security and confidentiality,
• subcontractor contracts and agreements,
• due diligence on subcontractors,
• subcontractor relationships and stability,
• risk mitigation and contingency plans.

When evaluating subcontractors, it can be beneficial to request additional information about their qualifications, work samples, and references. This will provide insights into their capabilities, reliability, and past performance. Additionally, include relevant clauses in your contract with the outsourcing company to ensure that the subcontractors meet your requirements and adhere to the same quality and security standards.

 

CSR Policies

When conducting due diligence, it is important to evaluate the Corporate Social Responsibility (CSR) policies and practices of the potential outsourcing partners, which refer to a company’s commitment to ethical, social, and environmental responsibilities. Here are some key aspects to consider regarding CSR policies:

• CSR strategy and commitment,
• ethical business practices to assess if they have established procedures for ensuring compliance with applicable laws and regulations,
• employee welfare and diversity,
• community engagement and philanthropy to assess their commitment to making a positive impact beyond their immediate business operations,
• environmental stewardship,
• supply chain responsibility,
• transparency and reporting,
• certifications and awards such as ISO 14001 (Environmental Management System) or social responsibility standards like ISO 26000 which can indicate their commitment to CSR practices,
• stakeholder engagement,
• integration of CSR in business operations check if they have mechanisms to assess and mitigate the social and environmental impacts of their work.

While evaluating CSR policies, consider engaging in discussions with the outsourcing company’s CSR representatives, reviewing their CSR reports, and seeking references from their clients or other stakeholders. This will provide insights into their commitment to responsible business practices and alignment with your organization’s values and expectations

 

IT Capabilities

Evaluating the IT capabilities of the potential service provider as a part of due diligence check is crucial to ensure they have the technical expertise and infrastructure necessary to meet your project requirements and business needs. Here are some key aspects to consider regarding IT capabilities:

• technical expertise and skills,
• development methodologies and processes,
• team composition and roles to assess if they have the right mix of skills and experience to handle your project effectively,
• technical infrastructure to assess if they can scale their infrastructure to accommodate your project’s needs,
• quality assurance and testing,
• security measures to understand if they follow industry security standards and best practices to protect against cyber threats and ensure the security of your software,
• documentation and knowledge management,
• infrastructure and cloud services to assess their ability to leverage cloud services to optimise scalability, performance, and cost efficiency,
• software development tools and technologies,
• innovation and research.

To evaluate the IT capabilities as a part of your diligence checklist, good practice is to consider reviewing their past project portfolio and existing clients, assessing their technical case studies, and requesting demonstrations or proofs of concept related to your project requirements. Engaging technical experts or conducting technical assessments can also provide deeper insights into their capabilities.

 

Due Diligence Questionnaire: Software Development Outsourcing Template

To see a detailed list of questions for each section, download our Free Template Due Diligence Questionnaire for Software Development Outsourcing.
The list within the diligence checklist is not exhaustive, so you may want to add your own questions, which is why the template is editable and allows you for appropriate data gathering.

Using a diligence checklist template is a great way of making sure you ask the right questions, check the right information and will not forget about anything crucial that may have an impact on your future collaboration. The process can be complicated and timely so having something that makes it easier is a great bonus!

 

Going Beyond IT DDQ: Checking Software Development Providers

To make the process of selecting your supplier even more through, there are more things you can do. Apart from sending out the Due Diligence Questionnaire to your chosen supplier, we recommend that you:

• use a Request for Proposal – check out this editable RFP template
• speak to the supplier’s clients and conduct some reference checks
• check the company website and social media, e.g. LinkedIn
• check the company’s profile on Clutch
• do a site visit and speak to people of all levels at the company’s premises
• ask the vendor to do a test task to check work quality.

 

Looking For A Partner In Software Development Outsourcing?

While you’re at it, why not add Future Processing to your list of potential partners? We’re software development experts with over 20 years of experience and an individual approach to each client. We’re here to help.

We hope you’ll find the DDQ for software development and other tools useful!