The following report presents an analysis of manager responses submitted via Cambridge Associates’ (CA) operational due diligence questionnaire (DDQ). The DDQs are comprehensive in nature and cover all aspects of a manager’s business, including organizational structure, service providers, operations, valuation, compliance, and cybersecurity, among other areas. CA typically performs 200 to 300 private investment fund manager operational due diligence (ODD) reviews annually. At times, a DDQ can be leveraged for more than one review on a manager, or managers may elect to provide their own DDQs and, as such, answers do not necessarily reflect the entire universe of funds reviewed by CA. Thus, results are for illustrative purposes only.
Notable highlights:
- The proportion of managers engaging third-party fund administrators has risen significantly over the past seven years, from 65% in 2018 to 87% in 2025. This trend is particularly notable among real assets (from 55% in 2020 to 78% in 2025) and private equity (PE) managers (from 68% in 2020 to 88% in 2025).
- 64% of funds reviewed in 2025 engaged a “Big Four” auditor, while an additional 20% engaged a well-regarded, mid-tier firm.
- 13% of funds reported maintaining relationships with two or more banks. Most funds still relied on a single banking partner, exposing them to a certain level of counterparty risk when calling capital or making distributions.
- 60% of managers confirmed that they have been examined by a regulatory body in 2025, in line with the prior year and a significant increase from 36% in 2019.
- 96% of firms reported conducting employee cybersecurity training, a significant increase from 30% in 2017, reflecting greater investment in mitigating employee-related cyber risks. In 2025, 7% of firms reported a cybersecurity breach, which is within the range observed in recent years.
- 80% of managers reviewed in 2025 reported using artificial intelligence (AI), indicating that adoption has become increasingly prevalent across the private investment landscape. However, only 49% reported having adopted a formal AI policy.
Key themes to watch:
- AI adoption is expanding, while governance practices continue to evolve. Managers are using AI more broadly across functions, but governance frameworks remain at varying stages of development. AI oversight, governance, and data security are becoming distinct diligence considerations.
- Cybersecurity programs are more mature, but fraud tactics are becoming more targeted and harder to detect. Employee training and cyber awareness have generally improved, but managers still face increasingly targeted social engineering attacks. Diligence should focus not only on prevention, but also on escalation protocols, payment controls, and fraud response readiness.
- A lighter regulatory approach may reduce examination and enforcement activity. Fewer SEC exams and enforcement actions may place greater importance on directly assessing managers’ internal controls, as weaknesses may be less likely to surface through regulatory examinations.
- Liquidity management tools and fund structure flexibility remain important areas of limited partner (LP) scrutiny. Net asset value (NAV) facilities, fund life extensions, and continuation vehicles continue to draw scrutiny due to their governance, disclosure, fee, and conflict implications. Clear policies, approval frameworks, and investor communication remain important.
Dataset
Funds by asset class and region
Figure 1 provides an asset class and region breakdown of the funds reviewed by CA over the past several years. The asset class composition of funds reviewed in 2025 remains broadly consistent with 2024, with private equity and venture capital (PE/VC) continuing to represent the majority. Notably, credit appears to have increased relative to 2024, while real assets returned to levels observed before 2023.
Organization
Percentage of investment employees versus non-investment employees’ [1]For the purpose of this report, non-investment employees are defined as employees dedicated to finance/accounting/operations, compliance, legal, and IT.
Overall, the percentage of investment to non-investment employees has generally decreased across asset classes over the past five years. Excluding outliers, PE/VC managers have consistently maintained a higher proportion of investment personnel. In contrast, other asset classes—such as private credit—tend to have a more balanced staffing profile. This is often due to the greater operational, regulatory, and administrative complexity of these strategies, which may require larger teams across portfolio monitoring, loan servicing, and compliance. Notably, the percentage of investment to non-investment employees among PE/VC managers has generally declined since 2021 (Figure 2). This trend suggests that firms are placing greater emphasis on strengthening non-investment functions as they scale and navigate increasing organizational complexity.
Percentage of investment employees versus compliance employees
Overall, the ratio of investment employees to compliance employees largely decreased across most asset classes. The general trend of increasing compliance staffing relative to investment employees is positive and suggests that managers may be placing greater emphasis on regulatory compliance in response to evolving regulatory standards (Figure 3).
Of the VC managers, 21% were registered investment advisers (RIAs) in 2025, up slightly from 20% in the prior year. VC also continued to have the highest share of exempt reporting advisers (ERAs) at 62%, while the remaining 17% were not registered with the SEC. PE had the second-highest share of ERAs at 34%, and a further 9% were not registered. Given that ERAs are subject to less stringent regulatory requirements, including the absence of a mandate to employ a dedicated compliance professional or to appoint a chief compliance officer, this is likely to help explain the higher number of investment employees per compliance employee observed in PE/VC. Even so, effective compliance infrastructure remains a core expectation for all managers, and CA expects adherence to best practices regardless of regulatory status. This includes maintaining appropriate, documented policies and procedures, as well as engaging institutional third-party compliance consultants and legal counsel to support regulatory responsibilities.
Service providers
Fund administrator
The percentage of managers engaging third-party fund administrators continues to rise, increasing significantly from 65% in 2018 to 87% in 2025 (Figure 4). This increase is seen across most asset classes, apart from credit strategies, which began from a comparatively higher base level of adoption. This is a positive trend as engaging a third-party administrator adds more independence to key activities, such as capital calls and distributions, NAV calculations, waterfall calculations, LP reporting, and LP anti-money laundering/know-your-customer (AML/KYC).
Fund accounting systems and applications
Fund accounting
In 2025, 89% of managers used specialist fund accounting systems, a stable trend in recent years (Figure 5). Many access these systems via fund administrators. Such systems help reduce manual errors and manage operational complexity.
Waterfall calculations
About 52% of managers still use Microsoft Excel or generic software for waterfall calculations, which was slightly higher than the previous year. While institutional systems are preferred due to this task’s complexity, Excel remains common in the absence of a market leader. Strong controls and oversight are essential when manual tools are used to minimize operational risks and errors.
Auditors
Overall, 84% of the funds CA reviewed in 2025 engaged either a “Big Four” accounting firm (PwC, EY, Deloitte, KPMG) or a well-regarded mid-tier firm, broadly in line with prior years (Figure 6). Mid-tier firms are smaller than the “Big Four” by size, revenue, and market share, but still maintain a significant global presence. For purposes of this report, this group includes BDO, Frank Rimerman, and RSM. While “Big Four” firms are often associated with scale, global reach, and market acceptance, they are not immune to periodic headline risks, including regulatory scrutiny and audit failures. At the same time, not engaging a “Big Four” auditor does not inherently indicate lower quality. Auditor suitability depends on factors such as the fund’s size, structural complexity, regulatory and jurisdictional requirements, asset class specialization, reporting needs, and cost. Reputable mid-tier firms can provide high-quality audit services and may be especially well suited to smaller or less complex funds, often offering specialized expertise, competitive fees, and a more personalized service model. For funds that do not require the global reach or extensive resources of a “Big Four” firm, a reputable mid-tier auditor can offer a compelling combination of technical proficiency, responsiveness, and value.
Valuation agents
Valuation is a key risk area in ODD. Fair market valuation follows fund accounting standards, mainly IFRS (the predominant standard used globally) and US GAAP (used primarily by US-domiciled funds or those with many US investors). IFRS is more principles based and allows greater interpretation, while US GAAP is generally more rules based and prescriptive.
A fund’s investment composition and accounting treatment reveal how much discretion or manual input is required for valuation. Most private fund assets are Level 3 Assets as defined by Accounting Standards Codification (ASC) 820. These assets rely on significant judgment and estimation rather than market data, which gives managers more discretion as valuations often lack independent data points.
Managers should have a valuation policy suited to the asset class and a structured valuation committee for oversight. Independent valuation agents can provide asset marks, value ranges, or assurance on valuation practices, offering independent validation and increasing transparency for investors.
PE/VC managers were observed to be the least likely to engage external valuation agents (Figure 7). This may partly reflect the characteristics of many venture or early-stage PE funds, which often manage less AUM and therefore operate with leaner budgets, making the cost of third-party valuation agents significant relative to fund size. Furthermore, early-stage companies often lack direct public market comparables, which limits the incremental value that external agents can add over the manager’s own assessment.
Banking institutions
The proportion of funds maintaining more than one banking relationship has decreased slightly from the prior year, with approximately 13% of funds disclosing that they maintain two or more banking relationships (Figure 8). The VC and secondaries/fund-of-funds asset classes, which likely experienced pronounced impact during the 2023 banking crisis, were observed to have a higher proportion of funds maintaining multiple banking relationships. During the ODD review process, Business Risk Management regularly provides feedback to managers on the importance of diversifying banking relationships to mitigate risks associated with overreliance on a single counterparty—a critical lesson highlighted by the 2023 banking crisis.
Compliance consultants
In 2025, 89% of RIAs and 60% of ERAs used external compliance consultants, relatively unchanged from 89% and 62% in 2024, respectively (Figure 9). This trend among ERAs continues from previous years, with external consultants providing independent oversight, regulatory guidance, gap analysis, and functional redundancy. While ERAs face fewer regulatory requirements and often lack internal compliance resources, CA expects their programs to align with industry best practices. Encouragingly, more ERAs have engaged external compliance consultants over the past few years.
Compliance and legal
The proportion of firms subject to a regulatory exam was broadly unchanged from the prior year but remained above the 15% low observed in 2021.[2]The low proportion of managers subject to regulatory exams in 2021 was likely due to the impact of the global COVID-19 pandemic that saw regulators completing more thematic reviews to assess the … Continue reading This trend aligns with the SEC’s continued focus on private fund advisers. As in prior years, the SEC noted in its 2025 Examination Priorities Report that RIAs to private funds will remain a focus area, as they represent a significant portion of the RIA population. Among managers subject to regulatory exams, PE continued to represent the largest asset class, followed by credit (Figure 10). Looking ahead, the SEC’s 2026 Examination Priorities Report continues to address private fund adviser practices within its broader examination priorities. However, the current administration appears to be taking a lighter regulatory approach, and reduced SEC headcount may also affect examination activity.
Data and cybersecurity
Cybersecurity training
The proportion of firms conducting some form of cybersecurity training for employees has remained at or above 90% in recent years (Figure 11). By comparison, only 30% of firms reported doing so in 2017. It is encouraging that the majority of managers CA reviewed in 2025 conduct some level of cybersecurity training for employees. Most of these firms have annual or ongoing training throughout the year to address emerging cybersecurity threats. This is positive as employees are often a primary vulnerability in any firm’s cyber defenses.
Vulnerability and penetration risk assessments
Consistent with the prior year, 70% of firms reviewed in 2025 conduct vulnerability and/or penetration risk assessments of their IT infrastructure, network, and systems, while 30% either do not conduct such assessments or did not respond (Figure 12). It is recommended that managers engage an independent provider to conduct annual internal and external penetration testing, as well as vulnerability assessments, and to rotate providers for objective oversight.
Cybersecurity breaches
Of the managers CA reviewed in 2025, 7% reported experiencing a cybersecurity breach within the past 24 months, compared with 6% in 2024 (Figure 13). This remained within the historical range observed in recent years, after a slight elevation during the COVID-19 pandemic. Cybersecurity remains a key focus of operational reviews as cyber threats continue to grow in frequency and sophistication. Although the reported number of breaches remains low, it is important to note that there is no universal definition of a breach, and some firms may not have reported incidents that they deemed immaterial.
Artificial intelligence
The use of AI and machine learning remains an evolving risk area. As managers increasingly explore these tools across functions, appropriate governance, data protection, and oversight mechanisms are essential. Key focus areas include the implementation of a formal AI policy, confidential information handling, third-party vendor risk, and the risk of inaccurate or insufficiently reviewed outputs.
In 2025, 80% of managers reported some form of AI use, indicating that adoption has become increasingly prevalent across the private investment landscape, with the highest uptake among PE managers (Figure 14). In response, CA’s ODD reviews continue to evolve to better assess managers’ AI adoption and related oversight frameworks, including governance of AI implementation, controls around proprietary or confidential information, documented AI-use policies, and staff training on AI use and related risks.
Formal AI policies were reported by 49% of managers (Figure 15). While AI governance continues to evolve and some managers rely on other forms of staff guidance, such as internal communications, training, or existing confidentiality and information security policies, we would generally prefer to see a standalone AI usage policy.
Use of proprietary information in AI tools was reported by 38% of managers, underscoring the importance of clear, documented guidance and robust vendor due diligence regarding how such information is handled, stored, and used (Figure 16). As AI adoption expands, we expect formal governance frameworks to become an increasingly important component of a manager’s overall control environment.
Footnotes















