Operational Due Diligence Common DDQ Questions
Posted on: 16 March, 2015

By Dina Ferriero,
Tuesday, January 31st, 2012
Operational due diligence has become a hot topic that continues to gain importance and attention throughout the alternative investment industry. Over the past few years, as regulations have changed and investors increasingly seek transparency, funds are spending more time than ever preparing for the due diligence process.
It is no surprise that the investment industry landscape is becoming more and more competitive. As this trend continues, investors are raising their expectations and looking towards funds that display the highest levels of operational excellence. One important way to demonstrate that your firm meets these high standards is to complete a due diligence questionnaire (DDQ) that can be shared with potential investors.
A comprehensive DDQ covers a wide range of topics, from assets under management to audited financial statements and investment strategies. One major area of focus is the fund's IT and the accompanying security policies and procedures. At Eze Castle, we frequently assist our hedge fund clients in completing DDQ questions on technology, and we often see the same types of questions popping up. So, to help you get started, we have compiled the following list of some frequently asked DDQ questions. You can also download the sample hedge fund DDQ list here.
Technology Provider Selection
Has the firm performed thorough due diligence on its current and/or potential IT vendors?
Does the firm have established, documented service level agreements in place with its technology partners to ensure a stable computing environment?
Information Security Policy
Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
Do the appropriate management officials approve the policy and any changes that may be made?
Access Control Policy
Does the organization have a formal and well-documented access control policy in place?
Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
Does the firm's IT staff (or technology partner) ensure appropriate access control to applications and sensitive company data? Are there robust procedures in place to grant, periodically review, and revoke access to applications (for example, when an employee changes role or leaves the firm)?
How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely (for example, over an encrypted channel with multi-factor authentication)?
Has a password policy been implemented throughout the organization? Have all employees been trained on best practices for password security?
Are policies in place to force password changes periodically? Note that NIST SP 800-63B (2017) now advises against routine forced rotation in favor of requiring a change only on evidence of compromise, paired with screening against known-breached passwords, so be prepared to explain the rationale for whichever approach the firm takes.
Network Security Policy
Has the organization developed a formal and well-documented network security policy?
Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
Does the firm have a robust firewall in place at the network level? Are policies configured to defend against external security threats? Are the firewall logs monitored regularly?
Is a solution in place to protect email systems against spam, phishing, and malicious attachments?
Is a solution in place to ensure mobile devices and laptops are secure in the event of loss or theft? Are email and text messages encrypted and archived?
Physical Security Policy
Has the organization developed a formal and well-documented physical security policy?
Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?
Are access controls in place for the server room? How does the firm ensure only authorized personnel gain access to critical systems?
Are procedures in place to manage visitors in the office? Are steps being taken to ensure visitors do not have the ability to observe or access sensitive employee systems and documents?
Business Continuity & Disaster Recovery Plans
Has the organization developed a formal and well-documented business continuity plan?
Is the plan regularly reviewed to determine whether it is still accurate and that the controls are operating as intended? Are changes and enhancements to the plan implemented when necessary?
Has the firm tested the BCP from both a technical and operational perspective? How often are these tests performed?
Has the firm established a dedicated location to retain backup copies of all critical data? Is offsite data encrypted and stored securely?
Has a secondary working location been established to which employees should report in the event of a disruption or outage?
Do all employees clearly understand the BCP procedures? Have appropriate training and documentation been established and shared with all personnel?
Is a comprehensive disaster recovery solution in place to provide system redundancy and ensure protection of critical data in the event of a disaster or system failure?
Has the firm determined its recovery point objectives (RPOs, the maximum tolerable amount of data loss measured in time) and recovery time objectives (RTOs, the maximum tolerable time to restore service)? Does the DR solution demonstrably meet these targets, based on actual backup history and timed restore tests rather than vendor claims?
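The RPO/RTO question above is easiest to answer convincingly with evidence. The following is an added example, not code from the original post or from Eze Castle, that checks a backup job log and restore-drill records against RPO and RTO targets. The log format, job names, timestamps and targets are all constructed for illustration; the achieved RPO is taken as the longest gap between consecutive successful backups (including the gap from the last success to the assessment time), and the achieved RTO as the longest measured restore drill.

```python
from datetime import datetime, timedelta

# Constructed sample backup job log (not from any real system).
# One line per job run: "<ISO timestamp> <STATUS> <job name>".
# Note the failed run on 2012-01-25, which widens the real recovery gap to 48h.
SAMPLE_BACKUP_LOG = """\
2012-01-23T02:00:00 SUCCESS nightly-full
2012-01-24T02:00:00 SUCCESS nightly-full
2012-01-25T02:00:00 FAILED nightly-full
2012-01-26T02:00:00 SUCCESS nightly-full
2012-01-27T02:00:00 SUCCESS nightly-full
"""

# Constructed restore-drill records: "<start> <end> <drill name>" per timed DR test.
SAMPLE_RESTORE_TESTS = """\
2011-10-15T09:00:00 2011-10-15T12:30:00 quarterly-drill
2012-01-14T09:00:00 2012-01-14T15:10:00 quarterly-drill
"""


def parse_backup_log(text):
    """Return a list of (timestamp, status, job) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, job = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), status, job))
    return events


def successful_backup_times(events):
    """Sorted timestamps of backups that actually completed."""
    return sorted(ts for ts, status, _ in events if status == "SUCCESS")


def achieved_rpo(success_times, as_of):
    """Worst-case data loss: the largest interval between consecutive successful
    backups, or between the last success and the assessment time `as_of`.
    Failed runs do not count, so a single failure doubles the exposure window."""
    if not success_times:
        return None
    points = success_times + [as_of]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def achieved_rto(restore_text):
    """Longest measured restore drill; None if no drill has ever been timed."""
    durations = []
    for line in restore_text.splitlines():
        if not line.strip():
            continue
        start, end, _ = line.split(maxsplit=2)
        durations.append(datetime.fromisoformat(end) - datetime.fromisoformat(start))
    return max(durations) if durations else None


def assess(backup_text, restore_text, rpo_target, rto_target, as_of):
    """Compare evidence against targets. A missing measurement never counts as met."""
    events = parse_backup_log(backup_text)
    rpo = achieved_rpo(successful_backup_times(events), as_of)
    rto = achieved_rto(restore_text)
    return {
        "achieved_rpo": rpo,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "achieved_rto": rto,
        "rto_met": rto is not None and rto <= rto_target,
        "failed_jobs": [(ts, job) for ts, status, job in events if status != "SUCCESS"],
    }


def run_sample():
    """Assess the constructed sample against hypothetical targets of RPO 24h, RTO 8h,
    as of 08:00 on 2012-01-27."""
    return assess(SAMPLE_BACKUP_LOG, SAMPLE_RESTORE_TESTS,
                  rpo_target=timedelta(hours=24), rto_target=timedelta(hours=8),
                  as_of=datetime(2012, 1, 27, 8, 0, 0))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample data the RTO target is met (longest drill 6h10m against an 8h target) but the 24h RPO is not, because the failed run on 2012-01-25 leaves a 48h window with no restorable copy. That is exactly the kind of finding a DDQ reviewer will probe for: a nightly schedule on paper does not prove a 24h RPO unless failed jobs are detected and re-run.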
Interested in learning more about the due diligence process? Download our webcast on Hedge Fund Operational Due Diligence or contact an Eze Castle Integration expert for more information!