Defending a Software Audit After an Acquisition

An audit notice often arrives in the first year after close, aimed at the estate you just inherited. The outcome turns less on what was deployed and more on how the review is run. This page sets out how a buyer defends the position and keeps a publisher claim proportionate.

Defending a software audit after an acquisition is a discipline a buyer needs the moment a deal closes, because the acquired estate is at its most exposed precisely when the new owner knows least about it. Publishers read a transaction as a signal that systems are moving, contracts are being consolidated, and the people who understood the licensing have often left. The audit that follows is rarely about catching deliberate misuse. It is about pricing the gap between what the target was entitled to and what it actually deployed, a gap that integration tends to widen. This page sets out how a buyer runs the defense, as part of the wider set of pages on M&A software audit risk.

Why defending a software audit after an acquisition is different from a routine review

A standard audit tests a stable estate against records the customer has maintained for years. An audit after a deal tests a moving estate against records that may be incomplete, out of date, or missing entirely. The buyer inherits entitlement files it did not build, deployment data it has not verified, and contracts it has not read in full. At the same time, the integration plan is actively changing the footprint, consolidating servers, merging user directories, and migrating workloads. The result is that the position under review is a moving target, and the publisher knows it. Defending well means freezing a clear picture of what was deployed at the relevant date, separating it from the changes the buyer is making, and refusing to let the two be measured as one. A buyer that treats an inherited audit as if it were a routine review will concede ground it never needed to give.

Control the process before you concede the numbers

The first move in any defense is procedural, not technical. The audit clause in the underlying agreement sets out what the publisher may ask for, how much notice it must give, who bears the cost, and how disputes are resolved. Many buyers never read it before responding, and so accept a scope and a timetable the contract never required. A disciplined response begins by holding the publisher to the signed terms: agree the scope in writing, confirm which legal entities and environments are in scope, set a realistic timetable that respects integration work, and require that any third party running the audit signs appropriate confidentiality terms. None of this is obstruction. It is the difference between an audit run on the buyer's terms and one run on the publisher's, and it is covered in more depth in responding to an audit notice post close.

[Figure: The audit defense sequence after a deal. A five stage flow showing how a buyer moves from receiving an audit notice through scoping, independent measurement, data validation, and negotiated settlement, with the validation stage marked as the point where the claim is reduced.]

From notice to settlement: Notice received, Scope agreed in writing, Measure independently, Validate (cut the claim), Settle terms.

The validation stage is where most of the value sits. Publisher scripts overstate the position because they count where software could run and detect every enabled feature. Correcting that data before it is shared is what turns a headline finding into a defensible number. Buyer controls scope, timing, and the data that leaves the building at every stage.

An inherited audit is won in the validation stage, where unverified publisher measurement is corrected before any number is conceded.

Validate the measurement before it leaves the building

The technical heart of the defense is the data. Publisher measurement tools and scripts are built to maximise the count. Oracle scripts treat soft partitioned virtual environments as if the software could run on every physical core. SAP measurement reclassifies users to the most expensive type the activity could justify. Microsoft tooling counts every install and every access path. None of this is dishonest, but all of it overstates the licensable position relative to what the business actually needs. The buyer's job is to take the raw output, reconcile it against entitlements, remove duplicate and decommissioned systems, correct misclassified users, and separate inherited deployment from integration changes the buyer is responsible for. Only the validated number should ever reach the publisher. A buyer that hands over raw tool output is negotiating against itself before the conversation starts, and the discipline of building a defensible baseline is set out in building an audit defensible license position post close.

Where a publisher claim inflates and how a buyer answers it

| Publisher position | Why it overstates | Buyer response |
|---|---|---|
| Soft partitioning | Counts every host in a cluster | Show approved partitioning and assigned hosts |
| User reclassification | Assigns the most expensive user type | Map users to actual activity and role |
| Enabled features | Detects options never deliberately used | Evidence usage history and disable surplus |
| Decommissioned systems | Counts servers no longer in service | Reconcile against the current asset register |
| Integration changes | Blends new footprint into the finding | Separate inherited estate from post close moves |

Key takeaways

  • An inherited audit usually lands in the first twelve to eighteen months after close, when visibility is lowest.
  • The defense is procedural first: hold the publisher to the signed audit clause on scope, notice, and cost.
  • Publisher measurement overstates the position by design, so no number should be conceded before it is validated.
  • Separating inherited deployment from integration changes prevents the buyer paying for moves it controls.
  • The purchase agreement may shift the cost back to the seller, but only if the claim is made within the survival period.

Connect the defense to the deal documents

Defending a software audit after an acquisition is not only a licensing exercise, it is a commercial one tied to the agreement that governed the deal. If the exposure was inherited, the purchase agreement may already provide a route to recover it. Representations and warranties about license compliance, specific indemnities for software liabilities, and escrow or holdback arrangements can move the cost back to the seller. But these protections are time limited and evidence hungry. A finding identified late, after the survival period has lapsed or without the documentation to support a claim, is a finding the buyer absorbs alone. That is why measurement and the deal documents have to be read together, a connection explored in reps and warranties for software audit exposure. The earlier the position is quantified, the more options remain open.

Negotiate the settlement as a commercial transaction

Once the validated position is clear, the audit becomes a negotiation, and publishers expect it to be one. A compliance finding is rarely paid at list price. The realistic outcomes range from a modest true up to a larger commercial deal that bundles the shortfall into a forward looking subscription or migration. A buyer that has measured the position independently can choose the path that costs least over the deal horizon rather than accepting the first number offered. It can also use the leverage it holds, including future spend, renewal timing, and migration plans, to settle the back exposure on better terms. The aim is not to win an argument but to close the matter at a number that reflects what the business actually uses, an approach detailed in negotiating an audit settlement post acquisition.

Recommendations for buyers

  1. Read the audit clause before you respond. Confirm scope, notice, cost, and dispute terms, and hold the publisher to them.
  2. Freeze the position at the relevant date. Separate the inherited estate from changes your integration plan is making.
  3. Validate every number before sharing it. Correct soft partitioning, user classes, and decommissioned systems first.
  4. Check the purchase agreement early. Map any finding to reps, indemnities, and escrow while the survival period is live.
  5. Settle as a commercial deal. Use renewal and migration leverage to close back exposure at a defensible number.

The cost of getting the defense wrong

The downside of a poorly run defense is not abstract. A buyer that accepts unvalidated data, misses the contractual recovery window, and negotiates without an independent position can pay many times what the underlying shortfall justified. Public cases show the scale these claims reach. As of mid 2025, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing, a reminder that publisher claims over inherited estates are real and large. The discipline that keeps a claim proportionate is the same in every case: measure independently, validate before you share, tie the finding to the deal documents, and negotiate from evidence. The full picture of what an unmanaged audit can cost is set out in the true cost of a failed software audit post acquisition.

Timing the defense around the integration plan

A defense does not happen in isolation from the rest of the deal. While the licensing team measures and validates, the integration team is consolidating servers, merging directories, and migrating workloads, and those moves change the very footprint under review. A buyer that lets integration run ahead of the licensing analysis can find that the estate measured in the audit no longer resembles the estate that existed at close, which hands the publisher an argument that the buyer caused the growth. The discipline is to sequence the two so that the inherited position is captured and frozen before integration alters it, and so that any change the buyer makes is documented as the buyer's own, not the target's inherited liability. This sequencing also protects the commercial recovery, because a clean separation between inherited exposure and post close change is what lets the buyer attribute the right portion of any finding to the seller. Where integration cannot wait, the buyer should at least record the state of the estate at the relevant date, so the inherited baseline survives even as the systems move beneath it. The full timeline that governs this sequencing is set out in audit defense timeline after a transaction.

Defending a software audit after an acquisition, in one line

Defending a software audit after an acquisition comes down to control. Control the process by holding the publisher to the contract, control the data by validating it before it leaves the building, control the commercial outcome by tying the finding to the deal documents and negotiating from an independent position. A buyer that does these things turns an inherited review into a managed line item. A buyer that does none of them lets the publisher set the number. We run that defense on the buyer side only, paid solely by the acquirer.

Independent and buyer side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel.

Frequently asked questions

When does a software audit usually arrive after an acquisition?
Most commonly within the first twelve to eighteen months after close, once the publisher has registered the change of ownership through filings, renewal conversations, or a consolidated contract. The acquired estate is at its most exposed during integration, which is exactly when a review is most likely to open.
Who controls the data a publisher sees in an audit?
You do, within the bounds of the contract. The audit clause sets out what the publisher may request, but the buyer controls how scripts are run, which environments are in scope, and how results are validated before anything is shared. Releasing raw tool output without checking it is the most common and most expensive mistake.
Can a buyer refuse a software audit after an acquisition?
Rarely outright, because most agreements grant an audit right that survives a change of control. A buyer can, however, hold the publisher to the contract terms, agree scope and timing, require reasonable notice, and insist that the process follows what was actually signed rather than what the publisher prefers.
What is the single biggest driver of an inflated audit claim?
Unvalidated measurement data. Publisher scripts count what could run, not only what is used, and they detect enabled features regardless of intent. A buyer that reviews and corrects the raw data before it leaves the building routinely cuts the headline number by a large margin.
Does the seller pay for an inherited audit finding?
Sometimes, depending on the purchase agreement. Reps and warranties, indemnities, and escrow can shift inherited compliance cost back to the seller, but only if the exposure is identified and the claim is made within the survival period. That is why early measurement matters commercially, not just operationally.
How large can a post acquisition audit claim be?
It can reach eight figures. As of mid 2025, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing. Those public cases show the scale an inherited position can reach once a publisher prices it.

Run the audit defense on your terms, not the publisher's.

We build the independent license position, manage the data a publisher sees, and negotiate the settlement on the buyer side only, so an inherited review lands as a line item rather than a surprise.
