
Vendor Audit Risk Quantification in M&A

Vendor audit risk quantification in M&A converts a target's latent license gaps into a worst case figure and a likely settlement range, so the exposure is priced into the deal instead of inherited as a post close claim.

Vendor audit risk quantification in M&A answers the question a deal team cannot afford to leave open: if a publisher audited this target the day after we close, what would it cost? Inherited software licensing exposure is usually latent and unquantified in standard due diligence, and it lands as an audit after the change of ownership. Quantification replaces a vague worry with two numbers an investment committee can act on: the worst case at list price and the realistic settlement.

Why vendor audit risk concentrates around a change of ownership

Publishers watch for corporate events. A merger, an acquisition or a carve out resets the customer relationship and gives the vendor a fresh reason to measure usage. Entitlements that were informal under the old owner become contractual questions under the new one. Volume discounts tied to the seller's broader relationship can fall away. The result is that the period right after close is when audit letters arrive, which is exactly when the buyer has the least leverage and the most integration work in flight.

The major audit risk comes from Oracle, SAP, Microsoft and IBM, and increasingly from Broadcom following its VMware acquisition, with Salesforce and ServiceNow rising. As of 2024, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing, per contemporaneous reporting of those disputes. Those are the stakes quantification is built to size.

[Chart: Reported and illustrative exposure scale. Two reported public disputes shown in millions of dollars alongside an illustrative mid market figure: SAP claim against AB InBev 600M, SAP claim against Diageo 60M, illustrative mid market 9M.]
Public figures reported as of 2024 for the AB InBev and Diageo disputes, shown beside an illustrative mid market exposure. Public figures are disputed amounts, not settlements.

How vendor audit risk quantification works

Quantification follows a repeatable method. We establish what the target is entitled to, measure what it actually deploys and consumes, and assess the indirect access created by integrations. The gap between entitlement and use, priced at the publisher's own metrics, is the worst case. We then apply realistic discounting, settlement precedent and remediation options to produce a likely settlement range. Both numbers carry the assumptions behind them, so they survive challenge.

[Figure: From data to a defensible number. Step 1, Entitlement baseline (what is licensed). Step 2, Deployment and access (what is used). Step 3, Worst case at list (the gap priced). Step 4, Settlement range (the likely cost).]
A four step method moving from entitlement baseline to deployment measurement to a worst case figure to a likely settlement range.
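The four steps above, carried through as an added worked model written for this page rather than the page's own tool. It assumes one core licensed database on a virtualised cluster and one named user ERP product; the host inventory, entitlements, list prices, the 0.5 core factor, the cluster wide counting rule for soft partitioned virtualisation and the 40 to 70 percent discount band are all constructed or assumed, and a real model replaces them with the target's contracts, the publisher's price list and settlement precedent. It goes one step past the text by showing how a remediation (pinning the product to dedicated hosts, or deactivating dormant accounts) sets the floor of the settlement range while the unremediated gap sets the ceiling.

```python
"""Added illustrative model of the page's four step method, written for
this page rather than the page's own tool. All figures are constructed;
the core factor, cluster wide counting rule and discount band are
assumptions a real model replaces with contracts, price lists and precedent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str          # "core" or "named_user"
    quantity: int        # licensed units in that metric
    list_price: float    # publisher list price per unit (constructed)


@dataclass(frozen=True)
class Host:
    name: str
    cluster: str
    physical_cores: int
    runs_product: bool   # product installed on this host


def licensable_cores(hosts, cluster_wide):
    """Step 2, deployment measurement, for a core based product.

    cluster_wide=True models the position some publishers take on soft
    partitioned virtualisation: every physical core in any cluster where
    the product runs counts, not only the hosts it is installed on.
    cluster_wide=False counts only hosts actually running it, which is
    what pinning the product to dedicated hosts (a remediation) buys.
    """
    if cluster_wide:
        affected = {h.cluster for h in hosts if h.runs_product}
        return sum(h.physical_cores for h in hosts if h.cluster in affected)
    return sum(h.physical_cores for h in hosts if h.runs_product)


def worst_case(ent, measured, core_factor=1.0):
    """Step 3: the gap priced at the publisher's own metric and list price.

    core_factor converts physical cores to licensed units (assumed 0.5 for
    the sample x86 hosts). Over-licensing is zero exposure, never a
    negative figure that would offset another product's gap.
    """
    units = measured * core_factor if ent.metric == "core" else measured
    gap = max(0.0, units - ent.quantity)
    return gap * ent.list_price


def quantify(ent, measured, remediated, core_factor, discount_band):
    """Steps 3 and 4 for one product, assumptions carried alongside.

    Floor: the remediated gap at the deeper end of the assumed discount
    band. Ceiling: the unremediated gap at the shallower end.
    """
    low_disc, high_disc = discount_band
    worst = worst_case(ent, measured, core_factor)
    remediated_worst = worst_case(ent, remediated, core_factor)
    return {
        "product": ent.product,
        "worst_case_at_list": worst,
        "settlement_low": remediated_worst * (1 - high_disc),
        "settlement_high": worst * (1 - low_disc),
        "assumptions": {"metric": ent.metric, "core_factor": core_factor,
                        "discount_band": discount_band,
                        "measured": measured, "remediated": remediated},
    }


def run_example():
    """Constructed target: a core licensed database on a VMware cluster
    and a named user ERP product. Returns line items and portfolio totals."""
    hosts = [
        Host("esx01", "prod-a", 64, True),   # runs the database
        Host("esx02", "prod-a", 32, False),  # same cluster, no install
        Host("esx03", "prod-a", 32, False),
        Host("esx04", "prod-b", 32, False),  # other cluster, out of scope
    ]
    db = Entitlement("Database EE", "core", 24, 40_000.0)
    erp = Entitlement("ERP Suite", "named_user", 500, 2_000.0)
    band = (0.4, 0.7)   # assumed negotiated discount band, 40% to 70%
    lines = [
        quantify(db, licensable_cores(hosts, True),
                 licensable_cores(hosts, False), 0.5, band),
        # 720 named accounts, 650 active: deactivating the dormant 70 is
        # the remediation on a named user metric.
        quantify(erp, 720, 650, 1.0, band),
    ]
    keys = ("worst_case_at_list", "settlement_low", "settlement_high")
    totals = {k: sum(r[k] for r in lines) for k in keys}
    return {**totals, "lines": lines}


if __name__ == "__main__":
    out = run_example()
    for r in out["lines"] + [{"product": "Portfolio", **out}]:
        print(f'{r["product"]}: worst {r["worst_case_at_list"]:,.0f}, '
              f'likely {r["settlement_low"]:,.0f} to {r["settlement_high"]:,.0f}')
```

Run as a script it prints each line item and the portfolio totals. Returning the assumptions beside the figures is the point of the method's last sentence: a worst case of 1.6 million on the database line only means something if the committee can see it rests on cluster wide counting and a 0.5 core factor, and the vendor's own measurement can be compared against the same inputs.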

Pricing audit exposure into the deal

A quantified number is only useful if it changes the deal. The table sets out the common exposure types, how each is measured, and the instrument that handles it. The choice between a price reduction, a specific indemnity and an escrow holdback depends on the size and certainty of the exposure and on the deal structure, since a stock purchase, an asset purchase and a carve out each carry the liability differently.

Vendor audit exposure types and how to handle them
Exposure type | How it is measured | Deal instrument
User under licensing | Named and active users against entitlement | Price reduction or escrow holdback
Processor or core gaps | Deployed cores against licensed metrics | Specific indemnity covering the publisher
Indirect or digital access | Integrations and interfaces against the agreement | Indemnity plus a remediation plan
Lapsed support reinstatement | Back maintenance and penalties on reactivation | Price reduction sized to reinstatement
Virtualisation exposure | Host and cluster licensing for Oracle and Broadcom | Escrow holdback pending remediation

Worst case and likely settlement

Two numbers, not one. The worst case at list price sets the ceiling and frames the negotiation. The likely settlement range sets the figure to actually price or hold back. Presenting only one of them either alarms the committee or understates the risk.

Key takeaways
  • Vendor audit risk concentrates right after a change of ownership, when the buyer has least leverage.
  • Quantification produces a worst case at list price and a likely settlement range, not a vague flag.
  • Oracle, SAP, Microsoft, IBM and Broadcom drive most exposure, with Salesforce and ServiceNow rising.
  • Public disputes show the scale, including a reported 600 million dollar SAP claim against AB InBev as of 2024.
  • Deal structure decides how the liability is carried, so the instrument is matched to the structure.

Recommendations for buyers
  1. Quantify before exclusivity narrows your options. Audit exposure is cheapest to handle as a price or terms adjustment before signing.
  2. Insist on two numbers. Require both the worst case at list and the likely settlement range for each major publisher.
  3. Prioritise the high risk publishers. Spend diligence time on Oracle, SAP, Microsoft, IBM and Broadcom virtualisation first.
  4. Match the instrument to the exposure. Use price reductions for certain gaps, indemnities for contested ones, and escrow for those pending remediation.
  5. Keep the model defensible. Document every assumption so the figure survives both the committee and the vendor's own measurement.

Frequently asked questions

What is vendor audit risk quantification in M&A?

It is the process of converting a target's latent license gaps into a worst case figure at list price and a likely settlement range, so the audit exposure can be priced into the deal before close rather than inherited afterward.

Why does audit risk rise after an acquisition?

A change of ownership resets the customer relationship and gives publishers a fresh reason to measure usage. Informal entitlements become contractual questions and seller linked discounts can fall away, so audit letters often arrive soon after close.

What is the difference between worst case and likely settlement?

The worst case prices the full gap at the publisher's list metrics and sets the ceiling. The likely settlement applies realistic discounting, precedent and remediation to produce the figure you actually price or hold back.

Which vendors should we quantify first?

Oracle, SAP, Microsoft, IBM and Broadcom following its VMware acquisition carry the most risk, with Salesforce and ServiceNow rising. As of 2024, SAP pursued AB InBev for a reported 600 million dollars over disputed and inherited licensing.

How do we price the exposure into the deal?

Through a purchase price reduction, a specific indemnity that survives close, or an escrow holdback sized to the likely settlement, chosen according to the size and certainty of the exposure and the deal structure.

Is this legal advice?

No. This is independent buyer side commercial and licensing advisory. For interpretation of specific contract clauses, engage your own counsel.

Quantify the audit exposure before you sign.

Bring us the target and the publishers. We size the worst case and the likely settlement so the exposure is priced into the deal, not inherited after close.

Book a confidential call