Buy Side Software Risk Assessment
A buy side software risk assessment maps and quantifies the licensing and audit exposure inside a target before you sign, turning a latent liability into a number you can price, indemnify or hold back.
A buy side software risk assessment is the workstream standard diligence leaves open. Lawyers read assignment clauses, code scanners check open source, and reporting accountants test the numbers. The under licensing and indirect access that become a seven or eight figure claim sit between those reviews, unowned and unquantified, until they land as a publisher audit after close. The assessment exists to find that exposure while you still have leverage, which is before the deal is signed.
What a buy side software risk assessment covers
The assessment is built on the buyer side, for the buyer, by a firm paid only by the acquirer. It looks at the target estate the way a publisher would on the day after a change of ownership, then translates what it finds into a worst case figure and a likely settlement range. The scope spans entitlement records, real deployment, contract terms that bite on a change of control, and the integrations that create indirect or digital access.
How the exposure is quantified
A risk that cannot be quantified cannot be negotiated. The assessment converts findings into money the deal team can use. For each major publisher we establish the entitlement, measure the deployment and the indirect access against it, and produce a defensible gap. That gap becomes a worst case list price exposure and a likely settlement range, the two numbers an investment committee needs.
Public proof points show the scale of inherited licensing risk. As of 2024, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing, according to contemporaneous reporting. Those figures are why a credible assessment prices the exposure rather than noting it.
| Workstream | What we examine | What you receive |
|---|---|---|
| Entitlement baseline | Contracts, order forms and proof of entitlement | A clean record of what the target is actually licensed for |
| Deployment and usage | Installed and consumed software against entitlement | A quantified gap for each major publisher |
| Indirect access | Integrations, bots and interfaces that touch licensed systems | An exposure estimate for digital and indirect use |
| Change of control | Assignment, consent and repricing clauses | A list of clauses that bite under the deal structure |
| Exposure model | Worst case and likely settlement ranges | A number to price, indemnify or hold back in escrow |
The structure changes which clauses bite. A stock purchase, an asset purchase, a merger and a carve out each trigger different consent, anti assignment and repricing terms. The assessment reads the target's contracts against the actual structure, so the exposure reflects the deal you are doing, not a generic one.
Turning findings into deal protection
The output is not a report that sits in a data room. It is leverage. A quantified exposure can be handled in three ways: a reduction to the purchase price, a specific indemnity that survives close, or an escrow holdback sized to the likely settlement. The right instrument depends on the size of the gap and the appetite of both sides, and it is far cheaper to negotiate before signing than to absorb after close.
- Standard diligence leaves software licensing and audit exposure unowned, and it surfaces as a claim after close.
- A buy side assessment values the exposure as a worst case figure and a likely settlement range.
- Deal structure decides which change of control and assignment clauses actually bite.
- Quantified exposure can be priced, indemnified or held back in escrow before signing.
- Independence matters, because the assessment is built to defend your deal, not to sell software.
- Commission the assessment early. Start while you still have negotiating leverage, not after exclusivity has narrowed your options.
- Demand a number, not a narrative. Insist on worst case and likely settlement ranges per publisher, so the finding can move price or terms.
- Map the exposure to the structure. Read the target contracts against your actual deal structure before finalising consent and assignment plans.
- Choose the right instrument. Use a price adjustment, a specific indemnity or an escrow holdback, sized to the likely settlement.
- Use an independent buyer side firm. Paid only by the acquirer, with no publisher or reseller affiliation, so the analysis serves your position alone.
Frequently asked questions
What is a buy side software risk assessment?
It is a pre signing review, conducted for the buyer, that maps and quantifies a target's software licensing and audit exposure, including under licensing, indirect access and clauses that bite on a change of control.
How is it different from IT due diligence?
Standard IT due diligence reviews architecture, security and roadmap. It rarely quantifies licensing exposure. The buy side assessment focuses on entitlement against deployment and on the contract terms a publisher uses after a change of ownership.
What does the assessment produce?
A worst case list price exposure and a likely settlement range for each major publisher, plus a list of clauses that bite under your deal structure, so the deal team can price, indemnify or hold back.
Which vendors does it prioritise?
Oracle, SAP, Microsoft and IBM carry the highest historical audit risk, with Broadcom more active after its VMware acquisition, alongside Salesforce and ServiceNow. As of 2024, SAP pursued AB InBev for a reported 600 million dollars over disputed and inherited licensing.
When should we run it?
Before signing, while leverage is highest. Findings are far cheaper to handle as a price or terms adjustment than as a post close audit settlement.
Is this legal advice?
No. This is independent buyer side commercial and licensing advisory. Engage your own counsel for interpretation of specific clauses.
Request a confidential software M&A risk assessment.
Bring us the target, the deal structure and the timeline. We map and quantify the inherited licensing exposure before it becomes a post close audit.