M&A Software Audit Risk

Responding to an Audit Notice Post Close

The first thirty days after an audit notice arrives decide most of the outcome. Acknowledge correctly, scope tightly, and control the data, and the review stays manageable. React in haste and the buyer concedes ground it never needed to give. This page sets out the response.

Responding to an audit notice post close is the moment a buyer either takes control of an inherited review or loses it. The notice usually arrives in the first year after a deal, addressed to an entity the buyer now owns, citing an audit right buried in an agreement the buyer may never have read. How the buyer answers in the first weeks shapes the scope, the data, and ultimately the size of the claim. The instinct to cooperate fully and quickly feels reasonable, but it is the wrong instinct, because the contract gives the buyer rights it can only use before it concedes them. This page sets out the disciplined response, as part of the cluster on M&A software audit risk.

Responding to an audit notice post close starts with the contract, not the spreadsheet

The first thing to do when a notice arrives is not to gather deployment data. It is to find and read the audit clause in the agreement the publisher is relying on. That clause defines the entire encounter: which legal entities are subject to audit, which products, how much notice the publisher must give, who pays for the exercise, whether a third party conducts it, and how disputes are resolved. A buyer that knows these terms can hold the publisher to them. A buyer that does not will accept whatever scope and timetable the publisher proposes, often far broader than the contract allows. Reading the clause first also reveals whether the audit right even survived the deal structure, because a change of control can alter what a publisher may demand. The contract is the buyer's strongest tool, and it is most useful before any data changes hands.

Acknowledge correctly and buy preparation time

The response to the notice itself should be professional, brief, and noncommittal on substance. Acknowledge receipt, confirm the buyer will engage in accordance with the contract, and ask the publisher to set out the precise scope and legal basis of the request. Do not volunteer deployment details, do not concede that any shortfall exists, and do not agree to a timetable before the team is ready. Publishers often press for speed because urgency favours the auditor, but the contract usually grants a reasonable response window, and the buyer is entitled to use it. The acknowledgement is also the moment to route all further communication through a single controlled channel, so that no one in IT or procurement informally supplies information that later inflates the position. This early discipline connects directly to the wider defense described in defending a software audit after an acquisition.

Figure: The first thirty days after an audit notice. A timeline of four phases: Day 1 to 5, acknowledge and read the contract; Day 5 to 12, agree scope and timetable; Day 12 to 25, measure and validate internally (protected zone: nothing shared yet); Day 25 plus, engage on validated data. No measurement data should leave the building until it has been reconciled, corrected, and approved by a single controlled channel. Speed favours the auditor, preparation favours the buyer.
The buyer controls the first thirty days. Measurement happens inside a protected zone and only validated data is ever shared.

Scope the review before you measure anything

Scope is where most audits are won or lost. Publishers describe scope broadly because a broad scope finds more. The buyer's task is to narrow it to what the contract actually covers. That means confirming which legal entities are genuinely subject to the agreement after the deal, which products are named, and which environments are in service. A target that operated several subsidiaries may have agreements that bind only some of them. An estate that has been partly decommissioned should not be measured as if every historic server were still live. And integration changes the buyer is making after close should be carved out, because the audit is meant to test the inherited position, not the buyer's new footprint. Agreeing scope in writing before any script runs prevents the review from expanding into systems the contract never named, a discipline that also shapes the timetable described in audit defense timeline after a transaction.

Controlled response versus reactive response to an audit notice

| Step | Controlled response | Reactive response |
| First reply | Brief acknowledgement, request legal basis | Detailed account of deployment |
| Contract | Read audit clause before agreeing terms | Accept publisher scope and timetable |
| Scope | Confirm entities, products, environments | Allow open-ended access |
| Measurement | Run scripts, validate, then share | Return raw tool output |
| Communication | Single controlled channel | Multiple informal contacts |

Key takeaways

  • Read the audit clause before gathering any deployment data, because the contract defines the whole encounter.
  • Acknowledge the notice briefly and noncommittally, and use the contractual response window to prepare.
  • Agree scope in writing, confirming entities, products, and environments before any script is run.
  • Route all communication through one controlled channel to prevent uncontrolled internal disclosure.
  • Review the purchase agreement in parallel, while the survival period for seller recovery is still live.

Run a single controlled channel

One of the quietest risks in a post close audit is uncontrolled internal communication. A publisher auditor who speaks directly to a database administrator, a procurement manager, and an integration lead will collect three different accounts, and the most damaging one becomes the publisher's working assumption. The buyer should designate a single point of contact through whom all questions, data requests, and answers flow. That person coordinates the technical measurement, the contract analysis, and the commercial position, and ensures nothing is shared that has not been validated. This is not about concealment. It is about consistency and accuracy, so that the publisher receives one verified account rather than several unverified ones. The same discipline supports the construction of a defensible baseline, set out in building an audit defensible license position post close.

Measure inside the building, share only what is validated

Once scope is agreed, the buyer measures the position on its own terms before the publisher sees anything. That means running the relevant scripts in a controlled way, reconciling the output against entitlements, removing duplicate and decommissioned systems, correcting user classifications, and isolating any exposure created by integration rather than inherited from the target. The validated result is the only number that should ever reach the publisher. Raw tool output overstates the position in every major publisher's model, and a buyer that returns it unfiltered is conceding a claim it could have reduced. The gap between raw and validated data is frequently large, which is why this internal measurement phase is the single highest value activity in the whole response.

Connect the response to the deal in parallel

While the technical response proceeds, the commercial team should review the purchase agreement for recovery routes. If the exposure is genuinely inherited, reps and warranties, indemnities, or escrow may allow the buyer to recover some or all of the cost from the seller. These protections are time-limited, so identifying the inherited element early preserves the option to claim before the survival period lapses. Responding to the notice and reading the deal documents are not sequential tasks; they run together, and a buyer that treats them separately risks fixing the licensing problem while losing the commercial recovery. The mechanics of that recovery are set out in reps and warranties for software audit exposure.

Recommendations for buyers

  1. Read the audit clause first. Confirm entities, products, notice, and cost before you agree to anything.
  2. Acknowledge briefly. Use the contractual window to prepare rather than answering in detail at once.
  3. Scope in writing. Narrow the review to what the contract covers and carve out integration changes.
  4. Run one channel. Coordinate all communication and data through a single controlled contact.
  5. Read the deal documents now. Preserve seller recovery routes while the survival period is still live.

What not to do when the notice arrives

Much of a good response is defined by restraint. A buyer should not reply at length on the same day, because a detailed early account commits the organisation to a version of events before anyone has checked it. It should not run the publisher's scripts and return the raw output, because that output overstates the position in every major publisher's model. It should not allow several people to correspond with the auditor independently, because inconsistent accounts hand the publisher its choice of the least favourable one. It should not concede that a shortfall exists before the position has been measured, and it should not agree to a scope or timetable simply because the publisher proposed it. None of this is obstruction or bad faith. Each restraint is the buyer holding open an option that a hasty response would close. The publisher is a commercial counterparty pursuing a commercial outcome, and the buyer is entitled to prepare its own position with the same care. A measured response that says little while the team gets ready is almost always stronger than a cooperative one that gives away the position in the first week, a point that runs through the wider approach in preventing the post close audit before it starts.

Responding to an audit notice post close, in one line

Responding to an audit notice post close is about taking control early and conceding nothing before it must be conceded. Read the contract, acknowledge without disclosing, scope tightly, channel communication, validate before sharing, and read the deal documents in parallel. A buyer that does these things keeps an inherited review proportionate. A buyer that answers in haste pays for the haste. We manage that response on the buyer side only, paid solely by the acquirer.

Independent and buyer side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel.

Frequently asked questions

What should a buyer do first when an audit notice arrives?
Acknowledge receipt professionally, confirm nothing about deployment, and read the audit clause in the underlying contract before agreeing to anything. The first letter sets the tone. A measured acknowledgement that buys time to prepare is far stronger than an immediate, detailed response.
How quickly must a buyer respond to an audit notice?
Most contracts allow a reasonable response window, often measured in weeks rather than days. The publisher may press for speed, but the buyer is entitled to the notice period and preparation time the agreement provides. Confirm the contractual timetable rather than accepting the one the publisher proposes.
Should a buyer run the publisher's audit scripts straight away?
No. Scripts should only be run once scope is agreed, the environments in question are confirmed, and the buyer can validate the output before it is shared. Running scripts blindly and returning raw results is the fastest way to hand the publisher an inflated number.
Can a buyer limit the scope of a post close audit?
Often yes. The audit right is defined by contract and usually applies to specific entities and products. A buyer can confirm which legal entities are actually covered, exclude environments outside the agreement, and resist scope creep into systems the clause never named.
Who should manage the response internally?
A small, controlled team. License data, contracts, and communication with the publisher should run through a single coordinated channel, not be scattered across IT, procurement, and integration staff who may volunteer information informally. Uncontrolled internal communication is a common source of unnecessary disclosure.
How does an inherited audit connect to the purchase agreement?
If the exposure predates the deal, the purchase agreement may allow recovery from the seller through reps, indemnities, or escrow. Identifying the inherited element early, while the survival period is live, preserves that option. Responding to the notice and reviewing the deal documents should happen in parallel.
