51 Hedge Fund IT Due Diligence Questions You Can Expect From Investors

By Mary Beth Hamilton | Tuesday, October 17th, 2017

On our recent Emerging Manager Trends in Operational Due Diligence webinar, we looked at how today’s emerging managers face a number of challenges, ranging from fierce competition to the rapidly evolving investor IT due diligence process, especially in terms of scrutiny of technology processes and security safeguards.

The reality is that investors have a greater understanding of technology, are asking more probing due diligence questions and care about the responses they receive. In recent years the depth of operational due diligence questions around information technology and security has expanded as investors become increasingly savvy about IT and headlines around IT risks have grown.

Here at Eze Castle Integration we regularly assist our clients in completing the IT portions of investor due diligence questionnaires. The wording of the questions varies, but here is a handy list of 51 common IT due diligence questions we see.

Organization

  1. Provide an organization chart for the Company, its affiliates and key personnel.

  2. Provide the physical address and general contact information for each of the Company’s office locations.

  3. Provide the name and contact information of the Company employee(s) assigned to the client’s account(s).

  4. Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the Company’s organizational structure.

Annual Assessment/Audit

  1. When was the last date on which the Company tested its internal policies and procedures? Please provide a summary of the results.

  2. Describe the internal controls that ensure conformity with the Company’s policies and procedures concerning confidentiality of client information.

  3. Describe any material violations of the Company’s policies and procedures that relate to the services provided to the client in the last twelve (12) months. If any occurred, please describe the violations and the corrective action that was taken.

  4. Describe the Company’s process for (i) reporting violations that directly affect the services provided to the client and (ii) reviewing and assessing the adequacy and effectiveness of its policies and procedures. Please include an explanation of how the Company determines the materiality of violations as well as the process for identifying and reporting violations of policies and procedures internally.

  5. Do you conduct annual external or internal technology audits? If so, please detail auditor, frequency, areas covered, date of last audit and key findings.

General Hedge Fund IT Due Diligence Questions

  1. Who handles your IT strategy and oversees the day-to-day IT function? What is your IT strategy (i.e. outsource, in-house, hybrid model)?

  2. What types of challenges has your firm faced with its IT operations in the last 12 months?

  3. What IT upgrades occurred in the last 12 months? What upgrades are planned for the next 12 months? How do you stay current with technology?

  4. Provide details on relationships with third-party IT integrators and support providers, including an overview of their credentials and the length of the relationship.

Hedge Fund's Systems and Information Security

  1. Describe the software system(s) used to provide services to the client, including any relevant security features (e.g., firewalls).

  2. Describe any material changes within the past twelve (12) months relating to software systems used to provide services to the client.

  3. Where is/are the Company’s data center(s) located?

  4. Describe the Company’s security measures with respect to systems access, including who has access (and at what level).

  5. Describe in detail (i) what records the Company retains on behalf of the client (in both electronic and physical format), and (ii) for how long the records are kept.

  6. Describe the security procedures (e.g., locked filing cabinets) for the protection of physical documents.

  7. Describe the Company’s policies and procedures for destroying physical documents.

  8. Are ongoing vulnerability assessments performed against the Company’s systems? If so, are the assessments performed by internal personnel or third-party service providers?

  9. Have you had any security breaches or security related issues in the past 3 years?

Hedge Fund's Access Control Policy

  1. Does the organization have a formal and well-documented access control policy in place?

  2. Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?

  3. Does the firm’s IT staff (or technology partner) ensure appropriate access control to applications and sensitive company data? Are there robust procedures in place to grant or deny access to applications?

  4. How does the firm manage employee remote access? Are procedures in place to ensure remote access is delivered securely?

  5. Has a password policy been implemented throughout the organization? Have all employees been trained on best practices for password security?

  6. Are procedures in place to create and disable user accounts? Are active accounts reviewed on a periodic basis? What is the process for disabling accounts of terminated employees?

  7. Are policies in place to force password changes periodically?

  8. How do you screen employees prior to employment? What background checks are undertaken?

Hedge Fund's Network Security Policy

  1. Has the organization developed a formal and well-documented network security policy?

  2. Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?

  3. Does the firm have a robust firewall in place at the network level? Are policies configured to defend against external security threats? Are the firewall logs monitored regularly?

  4. Does the firm employ an intrusion detection system (IDS) to detect and alert on unauthorized access attempts?

  5. Is a solution in place to protect email systems against spam?

  6. Is a solution in place to ensure mobile devices and laptops are secure in the event of loss or theft?

  7. Are email messages encrypted and archived? For how long are messages archived?

Hedge Fund's Physical Security Policy

  1. Has the organization developed a formal and well-documented physical security policy?

  2. Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?

  3. Are access controls in place for the server room? How does the firm ensure only authorized personnel gain access to critical systems?

  4. Are procedures in place to manage visitors in the office? Are steps being taken to ensure visitors do not have the ability to observe or access sensitive employee systems and documents?

Hedge Fund's Disaster Recovery & Backup Policy

  1. Describe the Company’s physical security, disaster recovery and backup plans and procedures.

  2. Please describe the communication chain related to the firm’s business continuity/disaster recovery plan.

  3. Is the policy regularly reviewed to determine whether the controls are operating as intended? Are changes and enhancements to the policy implemented when necessary?

  4. Has the firm tested the BCP from both a technical and operational perspective? How often are these tests performed?

  5. Has the firm established a dedicated location to retain backup copies of all critical data? Is offsite data encrypted and stored securely?

  6. Has a secondary working location been established to which employees should report in the event of a disruption or outage?

  7. Do all employees clearly understand the BCP procedures? Have appropriate training and documentation been established and shared with all personnel?

  8. Has the firm determined its crucial recovery point objectives (RPOs) and recovery time objectives (RTOs)? Does the DR solution meet these guidelines?

  9. Please provide a copy of the Company’s disaster recovery plan.

  10. How often is the Company’s disaster recovery plan tested?

Given the focus on Cyber Security during the Operational Due Diligence process, why not visit our cybersecurity resource center, where you can find a wealth of information, including our Critical Cybersecurity Threats & How to Prepare whitepaper.

Editor’s Note: This article has been updated and was originally published in October 2014.
