Skip to content
AuditFront
ARCH-1 Tech Due Diligence

Tech Due Diligence ARCH-1: System Architecture and Design Patterns

What This Control Requires

The assessor evaluates the overall system architecture, including the choice of architectural patterns (monolith, microservices, serverless), the coherence of the design, separation of concerns, and whether the architecture supports the current and projected scale of the business.

In Plain Language

Investors and acquirers look at system architecture because it tells them how expensive the next phase of growth will be. A well-chosen architecture means the business can scale without a costly rewrite. A poor one means burning months of engineering time just to keep the lights on.

What matters here is fit for purpose. A simple monolith is perfectly fine for an early-stage company. A large-scale SaaS might need microservices or a modular monolith. The assessor is checking whether the chosen approach is coherent, well-understood by the team, and capable of supporting the business roadmap. They look at separation of concerns, clarity of domain boundaries, data flow patterns, and how tightly coupled components are to each other.

Architectural decisions are expensive to reverse, so the assessor wants to see evidence of deliberate choices rather than accidental complexity. They also want to know whether the team can evolve the architecture as the business grows, and whether accumulated architectural debt will slow down future development.

How to Implement

Start by documenting your current system architecture with clear diagrams. Show high-level components and their responsibilities, communication patterns between them (synchronous, asynchronous, event-driven), data stores and which components access them, external integrations, and deployment topology.

Make sure the architecture follows established design principles: separation of concerns (each component has a clear, focused responsibility), loose coupling (components interact through well-defined interfaces, not internal implementation details), high cohesion (related functionality is grouped together), and dependency inversion (business logic does not depend on infrastructure details).

For monolith architectures, structure them with clear module boundaries. A modular monolith with defined domains is often the ideal choice for companies that have not yet reached the scale requiring microservices. Define module interfaces and prevent cross-module database access.

For microservices, each service should own its data (no shared databases), have a clear bounded context, deploy independently, communicate through well-defined APIs or events, and run its own CI/CD pipeline. Watch out for the "distributed monolith" anti-pattern where services are tightly coupled despite being separately deployed.

Maintain Architecture Decision Records (ADRs) for significant choices. Each ADR should capture the context (what problem were you solving), the decision and rationale, the trade-offs accepted, and the current status (proposed, accepted, deprecated).

Finally, evaluate whether the current architecture can handle 3-5x current load without a fundamental redesign. Identify bottlenecks and build a roadmap to address them before they become critical.

Evidence Your Auditor Will Request

  • Architecture diagrams showing system components and interactions
  • Architecture Decision Records (ADRs) for significant design choices
  • Module boundary definitions and dependency rules
  • Assessment of architecture's scalability relative to business projections
  • Architectural roadmap for addressing identified bottlenecks

Common Mistakes

  • Premature microservices: unnecessary complexity for the current scale
  • Big ball of mud: no clear module boundaries or separation of concerns
  • Distributed monolith: microservices that are tightly coupled and cannot be deployed independently
  • No architectural documentation; system design exists only in developers' heads
  • Architectural decisions made ad-hoc without recorded rationale

Related Controls Across Frameworks

Framework Control ID Relationship
ISO 27001 A.8.25 Related

Frequently Asked Questions

Is a monolith architecture a red flag in due diligence?
Not at all. A well-structured monolith is often the best architecture for early and mid-stage companies. Premature microservices adoption can actually be a bigger concern, because it introduces operational complexity the team may not be ready to manage. Assessors care about whether the architecture fits the current stage and has a clear evolution path - not whether you are using the trendiest pattern.
How many microservices are too many?
There is no magic number, but the count should be justifiable relative to team size and domain complexity. A common guideline is no more than 2-3 services per developer. If a team of five is managing 20 services, operational overhead will eat into productive development time and that is something assessors will flag.

Track Tech Due Diligence compliance in one place

AuditFront helps you manage every Tech Due Diligence control, collect evidence, and stay audit-ready.

Start Free Assessment