
M&A Software Audit Risk FAQ

The questions buyers ask most about software audits after a deal, answered plainly. What the risk is, why publishers audit after transactions, what a buyer inherits, and how to keep an inherited claim small.

This M&A software audit risk FAQ answers the questions buyers ask most when a software publisher audit follows a transaction. The pattern is consistent. Inherited software licensing exposure is usually latent and unquantified in standard due diligence, and it lands as a publisher audit after close. The questions below explain why that happens, what a buyer inherits, which publishers drive the risk, and what a disciplined buyer does about it. This page is a guide to the whole cluster on M&A software audit risk, and each answer links to the deeper page on the subject.

What is M&A software audit risk, in plain terms

M&A software audit risk is the risk that a publisher audits the combined entity after a deal and asserts a licensing shortfall the buyer never foresaw. It is distinct from ordinary compliance risk because the exposure is inherited. The decisions that created it were made by the seller, often years earlier, and were never documented in a way the buyer can defend. Standard due diligence looks at financial statements and at the assignment language in contracts, but it rarely builds a license position, so the gap stays hidden until a notice arrives. The risk is real and it is quantifiable, which is the encouraging part. It is also routinely underestimated, which is the dangerous part. Understanding why these audits follow deals is the foundation, and it is covered in why publisher audits follow M&A deals.

Why publishers audit after a merger or acquisition

A transaction is one of the clearest triggers a publisher compliance team watches for. Three things change at once. The entity becomes larger and freshly capitalised, which makes it a more attractive target. The change of control resets the publisher's attention on the estate, prompting a review of what is deployed against what was sold. And integration itself changes deployment, as systems are consolidated, migrated, and re hosted, often in ways that create new shortfalls or expose old ones. The combination is why the period after close carries elevated audit risk across every major publisher. None of this is accidental. It is a commercial response by the publisher to a commercial event, and the buyer should expect it rather than be surprised by it.

[Figure: How M&A software audit risk develops across a deal. A timeline from latent exposure to publisher audit. Before the deal: latent, unquantified exposure in target. Close: change of control. Year 1 to 2: publisher audit notice arrives. Diligence window: price or reserve here.]
The exposure exists before the deal. The diligence window is where it can still be priced. The audit usually lands within two years of close.

Which publishers pose the most audit risk

Audit risk is concentrated, not spread evenly. The long standing high risk publishers are Oracle, SAP, Microsoft, and IBM. Broadcom has become increasingly active following its acquisition of VMware, and Salesforce and ServiceNow are rising as more of the estate moves to subscription and consumption models. Each of these publishers has a measurement model that favours the broadest defensible reading of deployment. Oracle counts physical cores across virtualised clusters under a published partitioning policy that, as of June 2026, remained the basis it uses to scope virtual environments. SAP pursues indirect access, the use of SAP data by connected third party systems, which is what drove its reported 600 million dollar claim against AB InBev and its reported 60 million claim against Diageo, both reported in the trade and legal press and accurate as of June 2026. Knowing which publishers drive the risk lets a buyer focus the defense where it matters.

High risk publishers and the audit angle each tends to use
Publisher | Common audit angle | Where it bites after a deal
Oracle | Processor counts, virtualisation scope, options | Consolidated or re hosted databases
SAP | Indirect access, named users | Connected systems across merged estates
Microsoft | User and device counts, edition mix | Combined headcount and shared environments
IBM | Sub capacity and PVU measurement | Re hosted workloads after integration
Broadcom (VMware) | Subscription conversion, core counts | Estates migrating off legacy licensing

Key takeaways

  • M&A software audit risk is inherited exposure that is latent in diligence and lands as a publisher audit after close.
  • A transaction is a known audit trigger because the entity grows, control changes, and integration shifts deployment.
  • Oracle, SAP, Microsoft, IBM, and increasingly Broadcom, Salesforce, and ServiceNow drive most of the risk.
  • The exposure can be quantified before close so it is priced or reserved against rather than discovered later.
  • Most of the risk is avoidable through preparation, not through trying to avoid the audit itself.

What a buyer actually inherits

The defining feature of M&A software audit risk is that the buyer inherits the liability without the evidence needed to defend it. The seller deployed the software, enabled the options, and grew the user counts, but rarely kept the entitlement records, the deployment baseline, or the configuration evidence that would let anyone reconstruct the position. So the buyer takes on the gap and the burden of proof at the same time. This asymmetry is what makes inherited liability both dangerous and, with the right work, very defensible, because much of a publisher's opening demand rests on the absence of evidence rather than the presence of a genuine shortfall. The full explanation sits in inherited software audit liability explained.

How a buyer reduces the risk

The work divides cleanly into before close and after close. Before close, a dedicated software diligence reconstructs entitlement, measures deployment, and quantifies the gap, so the exposure can be priced into the deal or reserved against. After close, the buyer builds a defensible license position and maintains it, so the answer already exists when a notice arrives. If an audit does start, the buyer controls the response, scopes it tightly, validates data before sharing it, and runs communication through a single channel. And throughout, the buyer preserves the recovery routes in the purchase agreement, because where the exposure genuinely predates the deal, reps, warranties, indemnities, or escrow may let the cost be recovered from the seller. The mechanics of mounting that defense are set out in defending a software audit after an acquisition, and the full cost of getting it wrong is covered in the true cost of a failed software audit post deal.

Recommendations for buyers

  1. Quantify before signing. Commission software diligence that builds an actual license position, not just a contract review.
  2. Price or reserve the exposure. Put the number in front of the deal team so it shapes the deal rather than surprising it.
  3. Build the defensible position after close. Rebuild entitlement, verify deployment, and reconcile the gap before any audit.
  4. Control any audit response. Scope tightly, validate before sharing, and run one communication channel.
  5. Preserve seller recovery. Keep the survival period and indemnities in view so inherited cost can be recovered.

When the exposure is best addressed

The timing question runs through every other answer. The exposure exists inside the target before the deal, which means the cheapest moment to deal with it is during diligence, when it can still be priced or reserved against. The next best moment is immediately after close, while the data is fresh and the buyer holds the initiative. The most expensive moment is when an audit notice arrives and the buyer has done neither, because then the work happens under deadline and under pressure. The single decision that drives the outcome is whether the licensing position was quantified early or discovered late. Everything else follows from that. We do this work on the buyer side only, paid solely by the acquirer, with no affiliation to any publisher or reseller.

Independent and buyer side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel. Vendor and legal references carry the source and the date they were accurate as of.

Frequently asked questions

What is M&A software audit risk?
It is the risk that a software publisher audits the combined entity after a transaction and asserts a licensing shortfall that the buyer did not foresee or price. The exposure is usually inherited from the target, was latent and unquantified during standard due diligence, and lands as a publisher audit in the first year or two after close.
Why do publishers audit companies after a merger or acquisition?
A transaction is a known trigger for publisher compliance teams. The combined entity is larger and freshly capitalised, the change of control resets attention on the estate, and integration often changes deployment in ways that create or reveal shortfalls. Oracle, SAP, Microsoft, and IBM all audit more frequently in the period after a deal closes.
Which software publishers pose the most audit risk after a deal?
Oracle, SAP, Microsoft, and IBM are the long standing high risk publishers, with Broadcom increasingly active following its VMware acquisition, and Salesforce and ServiceNow rising. Each has a measurement model that favours the broadest reading of deployment, which is what produces large opening demands.
What does inherited software audit liability mean?
It is the licensing exposure a buyer takes on from the target, created by the seller's historic deployment decisions and carried into the combined entity by the deal. The buyer inherits the liability without the entitlement records and evidence needed to defend it, which is what makes inherited liability so difficult and so often underestimated.
Can software audit exposure be found during due diligence?
Yes, but standard financial and legal due diligence rarely finds it because it does not build a license position. A dedicated software diligence reconstructs entitlement, measures deployment, and quantifies the gap before signing, so the exposure can be priced into the deal or reserved against rather than discovered after close.
Can a buyer recover an inherited audit cost from the seller?
Sometimes. If the exposure predates the deal and the purchase agreement contains the right reps, warranties, indemnities, or escrow, the buyer may recover part of the cost from the seller. These protections are time limited, so the inherited element must be identified while the survival period is still live.
How does deal structure affect software audit risk?
Structure determines which contracts transfer and on what terms. A stock purchase usually carries agreements across intact, so the buyer inherits any historic gap. An asset purchase or carve out can trigger change of control or anti assignment clauses, requiring consent, repricing, or relicensing. The structure decides which clauses bite and what the buyer is entitled to.
How can a buyer reduce M&A software audit risk?
By quantifying the exposure before close, building a defensible license position after close, controlling the response if an audit notice arrives, and preserving seller recovery routes in the purchase agreement. Most of the risk is avoidable through preparation rather than through avoiding the audit itself.
