A repeatable process to measure, price and de risk the software position of a target before a private equity buyer signs.
This is the PE buy side software diligence playbook we run for private equity acquirers who want the software position of a target measured, priced and de risked before they sign. Financial diligence counts the revenue. Legal diligence reads the contracts. Almost no one quantifies the deployed software against what the target is actually entitled to use, and that is where a latent seven or eight figure liability sits until a publisher audit lands after close.
The pattern repeats across the mid market. A sponsor underwrites a clean business, closes, and twelve to eighteen months later receives an audit letter from Oracle, SAP, Microsoft, IBM or increasingly Broadcom for VMware. The exposure was always there. It was simply never in the data room, never in the quality of earnings, and never priced into the model. A disciplined buy side software diligence process closes that gap on a fixed timeline that fits the deal calendar.
Software cost is now one of the largest controllable line items in most portfolio companies, and it is the line item least understood at the point of acquisition. Sellers prepare a data room around revenue, customers and adjusted earnings. They rarely prepare an honest reconciliation of license entitlements against deployment, because doing so would surface a liability that reduces value. The buyer inherits that gap. Inherited software licensing exposure is usually latent and unquantified in standard due diligence, and it lands as a publisher audit after close when the acquirer, not the seller, carries the cost.
The public proof points are instructive. As reported in widely covered litigation, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and in part inherited licensing, including indirect access. Those figures, accurate as of the dates the cases were reported in 2017 and 2018, show the scale a license dispute can reach inside a large group. The same mechanics operate at mid market scale, just with smaller absolute numbers and far less ability to absorb them.
The playbook treats the software estate as a measurable asset and a measurable liability at the same time. We map every audit prone publisher, reconcile deployment to entitlement, model the true up exposure if the target were audited tomorrow, and read every contract for change of control and assignment terms that the transaction itself could trigger. The output is a number the deal team can price, not a list of risks the deal team has to interpret.
1. What is the effective license position for each major publisher, meaning deployed and consumed usage measured against contractual entitlement?
2. What would a true up cost today if the target were audited, expressed as a range with a most likely figure?
3. Which contracts contain change of control or anti assignment clauses that the deal structure will trigger, and what is the consent, termination or repricing risk attached?
4. How much annual software spend is duplicated, oversized or renewing on autopilot, and therefore recoverable after close?
Most sponsors can answer none of these from a standard data pack. The reason is structural. The information needed lives in deployment tooling, license metric definitions and contract annexes that no seller volunteers and no generalist adviser knows to request. A repeatable process that asks for the right artefacts on day one is the difference between a defensible number and an educated guess.
| Workstream | Artefacts requested | Output | What it protects |
|---|---|---|---|
| Effective license position | License metrics, deployment data, user counts | Compliance gap per publisher | Purchase price and indemnity scope |
| True up exposure | Price lists, support ratios, audit history | Most likely settlement range | Reserve and warranty sizing |
| Change of control | Master agreements and annexes | Clause register with triggers | Consent, termination and repricing risk |
| Spend recovery | Renewal calendar, invoices, usage | Addressable savings map | EBITDA in the value creation plan |
A finding only protects the buyer if it changes a deal term. The playbook is built to produce findings the deal team can act on inside the negotiation window. A quantified Oracle or SAP exposure can be carved into a specific indemnity. A change of control clause that triggers repricing can be made a condition to close or a price adjustment. Duplicated spend identified pre signing becomes the opening balance of the first 100 day plan. This is why we run software diligence as a commercial exercise, not a compliance one, always on the side of the acquirer.
This page is commercial and licensing advisory, not legal advice. Engage your own counsel for interpretation of any specific clause.
Most of the exposure the playbook surfaces lives in a small number of predictable places. Oracle Database and middleware deployed on virtualised infrastructure routinely create exposure, because the way a hypervisor presents processors to the software can mean the target is liable for far more cores than it believes it licensed. SAP indirect access, where third party systems or interfaces touch SAP data without a named user, is a second classic source, and it is the mechanism at the centre of the SAP versus AB InBev and Diageo disputes. Microsoft server and client access licensing, IBM sub capacity terms, and increasingly Broadcom VMware after its licensing model changed are the others that recur deal after deal.
The reason these hide is that none of them appear in the financial statements. A company can be fully compliant on paper, paying every invoice on time, and still be materially under licensed because deployment drifted away from entitlement over years of growth, virtualisation and staff turnover. The invoice trail looks clean. The deployment reality does not. Standard diligence reads the invoices. The playbook reads the deployment.
The deliverable that matters to a deal team is not a catalogue of risks but a single, defensible exposure figure with a clear range around it. We build that figure publisher by publisher. For each, we establish the contractual entitlement from the agreements, measure the deployed and consumed usage from the environment, and price the gap at the publisher list and likely settlement rates. We then weight the result by the probability that the publisher audits within the hold period, informed by that publisher's audit history and the target's profile.
The output is a most likely exposure, a downside, and an upside, expressed in money rather than risk language. That is what lets a sponsor decide whether to seek a price reduction, a specific indemnity, an escrow, or simply to proceed with eyes open. It is also why the work has to finish inside the diligence window. An exposure number delivered after signing informs nothing. The same number delivered before signing changes the deal.
The final discipline is documentation. Every figure traces back to a contract clause, a deployment record, and a published price reference dated as of when we collected it. That traceability is what makes the number defensible in a negotiation and reusable in the first 100 days, when the same dataset becomes the savings and remediation plan rather than a report that gathers dust.
A buy side software diligence engagement should produce four artefacts the deal team can use directly. The first is the priced exposure model, publisher by publisher, with a most likely figure and a defensible range. The second is a change of control register that lists every contract whose terms the transaction could trigger, with the consequence and the recommended mitigation. The third is a savings map that becomes the opening balance of the first 100 day plan. The fourth is a short, plain summary the investment committee can read in minutes, because a finding that the decision makers cannot absorb quickly tends not to influence the decision.
Each artefact should be sourced and dated, so it survives challenge in a negotiation and remains useful after close. The discipline of dating every vendor reference as of when it was collected is what lets the work age well rather than becoming stale the moment a price list changes.