M&A Software Audit Risk: The Complete Guide

Publisher audits follow deals. The under licensing a buyer inherits surfaces as a claim after close, when leverage is lowest. This guide quantifies the exposure before signing and defends it after.

M&A software audit risk is the probability that a publisher will audit the combined business after a deal closes and assert a claim for under licensing it inherited rather than created. This guide explains why publisher audits follow transactions, which vendors drive the largest claims, how inherited audit liability is quantified before signing, and how a buyer defends a position after close. It links to every detailed page in the cluster, so a deal team can move from this overview into the specific publisher or instrument in front of them.

The risk is dangerous precisely because it is latent. Inherited software licensing exposure is usually unquantified in standard due diligence, does not appear on the financial statements, and surfaces as a publisher audit after the change of ownership, when the buyer has the least leverage and the most to lose. A deal that ignores M&A software audit risk is a deal that has accepted an unpriced contingent liability.

Why publisher audits follow M&A deals

A change of ownership is a signal to a publisher that the rules of the relationship may have changed and that revenue may be recoverable. Acquired companies are attractive audit targets for a simple reason: integration creates new deployment, consolidation creates new indirect access, and the buyer is usually a larger, better funded organisation than the target was. Publishers monitor public deal announcements and corporate registries, and an acquisition frequently moves an account up the audit calendar. The public proof points show the scale of what can follow. As of 2024, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing, according to contemporaneous reporting. Those figures are not typical, but they mark the ceiling of what inherited exposure can reach.

The page on why publisher audits follow M&A deals sets out the triggers, how publishers detect a change of ownership explains the monitoring, and why acquired companies are soft audit targets covers why the post deal window is the most exposed.

Where the audit exposure comes from

Inherited audit risk has a small number of recurring sources, and a buyer side review prices each. Under licensing that existed in the target before the deal. Indirect or digital access created when systems are integrated. Virtualisation and cloud migration that expands what is deemed licensable. The merger of two already licensed estates, where overlapping entitlements do not net cleanly and double counting becomes under counting. Each source has its own page, and the flow below shows how a latent gap becomes a claim.

[Figure: How a latent licensing gap becomes a publisher claim. Steps: 1. Latent gap (under licensed); 2. Ownership change (deal closes); 3. Audit notice (publisher acts); 4. Settlement (claim asserted).]
An inherited under licensing gap moves from a quiet pre deal state through ownership change and integration to a publisher audit notice and a settlement demand.

The mechanics are detailed in inherited software audit liability explained, indirect access and audit risk after a merger, audit risk from virtualization and cloud migration, and audit risk from mergers of two licensed estates. The path from a small gap to a large number is set out in how latent under licensing becomes an eight figure claim.

Which publishers drive the most audit risk

The major audit risks post deal come from Oracle, SAP, Microsoft and IBM, and increasingly from Broadcom following its VMware acquisition, with Salesforce and ServiceNow rising. Each audits in its own way and produces its own kind of claim. The table sets out the pattern a buyer side review prioritises.

Post deal audit risk by publisher

| Publisher | Primary exposure | Why deals raise it | Review priority |
|---|---|---|---|
| Oracle | Virtualisation and processor counting | Soft partitioning treated as full clusters | High |
| SAP | Indirect and digital access | Integrations read or write without named users | High |
| Microsoft | Edition and cloud entitlement gaps | Consolidation mismatches deployment | High |
| IBM | Sub capacity reporting failures | Reporting rarely survives integration | Medium to high |
| Broadcom VMware | Core counts and subscription tiers | Repricing after portfolio change | High |
| Salesforce and ServiceNow | Over deployment and connectors | New integrations after a merger | Medium |

Each publisher has a dedicated page: how Oracle targets recently acquired companies, how SAP targets recently acquired companies, how Microsoft audits follow mergers, how IBM audits follow mergers, Broadcom VMware audit risk after a deal, and Salesforce and ServiceNow audit risk in M&A. The lessons from the largest public disputes are drawn out in the AB InBev and Diageo SAP cases.

Quantifying audit exposure before you sign

A risk that cannot be quantified cannot be priced into a deal. Quantifying M&A software audit risk means building the effective license position for each high risk publisher, comparing deployment and consumption against entitlement, and expressing the gap two ways: a worst case at list price, which is what a publisher would assert, and a likely settlement range, which is what experience says it would actually resolve at. The settlement figure is the number that belongs in the deal model, because it is defensible. The page on quantifying audit exposure for an investment committee sets out the method.

Worst case and likely settlement

Two numbers, not one. The list price worst case shows the ceiling and supports the negotiation. The likely settlement range, built from how publishers actually resolve claims, is what the investment committee uses to price the risk, size an indemnity, or set a holdback. Presenting only the list price overstates the risk and loses credibility. Presenting only the settlement understates the negotiating position.

The audit defense timeline after a transaction

If an audit notice arrives, the response in the first days shapes the outcome. A buyer that has done the pre deal work walks into the audit with a defensible position already built. The timeline below shows how a defense runs.

[Figure: Audit defense timeline after a transaction. Stages: Notice (audit letter received); Scope (control the scope); Validate (test the data); Position (build the defense); Settle (negotiate down).]
From audit notice through scope control, data validation, position building and settlement, a disciplined defense reduces the claim.

The detailed sequence is in audit defense timeline after a transaction, with responding to an audit notice post close covering the first response and defending a software audit after an acquisition covering the full engagement. The endgame is in negotiating an audit settlement post acquisition, and the stakes are in the true cost of a failed software audit.

Allocating audit risk in the purchase agreement

Quantified audit exposure is leverage in the negotiation. A buyer can reduce the purchase price, secure a specific indemnity for the identified exposure that survives close, or require an escrow holdback sized to the likely settlement. Which instrument fits depends on the size and certainty of the gap and on the deal structure, because audit risk does not transfer the same way in a share purchase as in an asset purchase. The pages on reps and warranties for software audit exposure, software audit indemnities in purchase agreements, escrow and holdbacks for software licensing risk, and audit risk in stock vs asset deals set out the choices. These are commercial recommendations. The drafting and legal effect belong to your own counsel.

Preventing the post close audit

The best outcome is no audit at all, or an audit that finds a position already in order. Preventing the post close audit means closing the under licensing gap on the buyer's terms before a publisher arrives, setting up sub capacity reporting correctly during integration, controlling indirect access as systems connect, and building a license position that can be defended on day one. The pages on preventing the post close audit before it starts, building an audit defensible license position post close, and audit clause review in inherited contracts set out the preventive work that turns audit risk from an open contingency into a managed position. For the full questions deal teams ask, see the M&A software audit risk FAQ and the broader complete picture.

How merging two licensed estates creates new exposure

When two companies that each hold their own licenses combine, the instinct is to assume the entitlements simply add up. They rarely do. Metrics differ between the two agreements, so users counted one way in the target are counted another way in the buyer. Volume discounts negotiated separately do not survive the merger automatically, and a publisher can insist the combined entity move to a single agreement at a single, often higher, price band. Products that overlap may carry duplicate entitlement that looks like a saving but masks a deployment that now exceeds either original license. The merger of two clean estates can therefore manufacture a gap that did not exist in either company alone, which is why audit risk from mergers of two licensed estates treats consolidation as a source of risk, not only of synergy.

Indirect access compounds the problem. As the two estates are connected, systems that never spoke to a publisher product before begin to read from or write to it. Under SAP digital access rules and equivalents elsewhere, that traffic can be licensable even though no new named user was created. A buyer that integrates first and counts later can build a large indirect access exposure in the weeks after close without a single deliberate decision, which is the failure mode set out in indirect access and audit risk after a merger.

Why independence is the multiplier

The credibility of an audit exposure number depends on who produced it. A firm paid only by the acquirer, with no affiliation to any publisher or reseller, has no incentive to soften a finding to protect a vendor relationship or to inflate one to sell remediation licenses. The number it produces is built for one purpose, which is to defend the buyer. That alignment is what lets a diligence finding move a price, support an indemnity, or justify a holdback, and it is what separates independent buyer side advisory from a reseller assessment that doubles as a sales motion. Every page in this guide is written to that standard, and the legal interpretation of any clause or indemnity is referred to your own counsel.

Common mistakes in handling inherited audit risk

The errors that turn a manageable exposure into a large settlement are consistent across deals. Treating software as a finance line and never building the effective license position, so the gap is discovered by the publisher rather than the buyer. Assuming entitlements transfer cleanly because the deal is a share purchase, when the metric or the discount does not survive a change of ownership. Integrating systems before counting them, and manufacturing indirect access in the process. Responding to an audit notice without first controlling the scope, and handing the auditor data that was never validated. Negotiating against the list price worst case rather than the defensible settlement, and either overpaying or losing credibility. Each of these is avoidable with a quantified position built before signing and a disciplined response after close, which is the entire case for treating M&A software audit risk as its own workstream rather than a footnote in the IT review.

How deal structure changes inherited audit risk

The same under licensing carries different weight depending on how the deal is built. In a share or stock purchase the entity survives, so its historic non compliance travels with it and the buyer inherits the full exposure, which is why a quantified position and a survival period indemnity matter most in that structure. In an asset purchase the buyer takes named assets and contracts, so some historic liability can be left behind with the seller, but only if the agreements are read carefully and the gaps are mapped before the assets transfer. A carve out is the most exposed, because the carved business often loses the parent entitlement it was relying on and starts life with a deployment that has no license behind it. The page on audit risk in stock vs asset deals works through the differences, and the structure decision feeds directly into the choice between a price reduction, an indemnity and a holdback. The legal allocation of that risk is drafted by your own counsel, while the quantification and the negotiating position are what the buyer side review provides.

Key takeaways
  • M&A software audit risk is inherited under licensing that surfaces as a publisher audit after the deal closes.
  • Acquired companies are soft audit targets because integration creates new deployment and indirect access.
  • Oracle, SAP, Microsoft and IBM drive the largest claims, with Broadcom, Salesforce and ServiceNow rising.
  • As of 2024, SAP pursued AB InBev for a reported 600 million dollars over disputed and inherited licensing.
  • Quantify a worst case and a likely settlement so the risk can be priced, indemnified or held back before signing.

Recommendations for buyers
  1. Quantify audit exposure before signing. Build the effective license position for each high risk publisher and express a worst case and a likely settlement.
  2. Prioritise the publishers that audit. Start with Oracle, SAP, Microsoft, IBM and Broadcom, where a single gap can reach seven or eight figures.
  3. Allocate the risk in the agreement. Use a price reduction, a specific indemnity, or an escrow holdback sized to the likely settlement.
  4. Prevent the audit where possible. Close gaps on your terms, set up reporting correctly, and control indirect access during integration.
  5. Engage independent buyer side advice. Paid only by the acquirer, with your own counsel for the legal drafting of any indemnity or warranty.

Frequently asked questions

What is M&A software audit risk?

It is the risk that a publisher audits the combined business after a deal and asserts a claim for under licensing the buyer inherited rather than created, covering under licensing, indirect access, virtualisation and the merger of two estates.

Why do audits follow acquisitions?

A change of ownership signals that deployment and indirect access may have changed and that revenue may be recoverable. Publishers monitor deal announcements, and an acquisition often moves an account up the audit calendar.

Which vendors carry the most audit risk after a deal?

Oracle, SAP, Microsoft and IBM historically drive the largest claims, with Broadcom more active after acquiring VMware, and Salesforce and ServiceNow rising. As of 2024, SAP pursued AB InBev for a reported 600 million dollars over inherited licensing.

How is inherited audit exposure quantified?

By building the effective license position for each high risk publisher and comparing deployment against entitlement, then expressing the gap as a worst case at list price and a likely settlement range for the deal model.

Can audit risk be handled in the purchase agreement?

Yes. A quantified exposure can support a price reduction, a specific indemnity that survives close, or an escrow holdback. The right instrument depends on the size, certainty and deal structure. Counsel drafts the terms.

Is audit defense legal advice?

No. It is independent buyer side commercial and licensing advisory. For legal interpretation of audit clauses or indemnities, engage your own counsel.
