Software Due Diligence

Common Software Due Diligence Mistakes That Cost Buyers

Common software due diligence mistakes that cost buyers are rarely exotic. They are ordinary process gaps that let inherited licensing exposure survive diligence and arrive after close as a publisher audit. The pattern is consistent across deals: the team confirms that software exists and is paid for, then stops, never testing whether the way the target deploys and consumes that software actually matches what the contracts permit. The gap between paid for and compliant is where eight figure exposures hide, and it is invisible to anyone who treats software as a line of spend rather than a body of entitlements.

This guide names the recurring errors and shows how to close each one. It builds on the core software due diligence method and connects to post close license reconciliation, where mistakes left unresolved in diligence become the buyer's problem to fix after close. For the foundations, start with what software due diligence is and why it matters.

Common software due diligence mistakes that cost buyers, in order of damage

The most expensive mistakes are not the ones that look technical. They are the ones that feel like reasonable shortcuts under deal time pressure. Treating a clean accounts payable history as proof of compliance is the first, because paying every invoice tells you nothing about whether deployment exceeds entitlement. Accepting the target self assessment without independent testing is the second, because the seller has neither the incentive nor often the data to find its own exposure. Skipping the publishers that audit most aggressively is the third, because a time boxed review that never reaches Oracle, SAP, Microsoft, IBM, or increasingly Broadcom for VMware leaves the highest probability exposure untested.

Figure: Sources of post close licensing exposure that diligence commonly misses. Bar chart estimating how often each category of inherited licensing exposure is the one that surfaces as a post close audit when diligence was incomplete. Chart title: Where missed exposure surfaces after close (estimated frequency, out of 10):

  • Deployment exceeds entitlement: 9/10
  • Indirect and digital access: 8/10
  • Change of control clauses: 7/10
  • Virtualisation and cloud counting: 6/10
  • Lapsed or merged agreements: 5/10

Indirect or digital access exposure is the category most often missed entirely, because it cannot be seen by counting named users. In the publicly reported disputes in which SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing (figures as reported as of June 2026), the contested usage came from systems reaching into the publisher software rather than from people logging in directly. A diligence process that counts seats and never maps the integrations around a core platform will not find it.

The process gaps behind the mistakes

Each mistake traces back to a missing step rather than a missing skill. The team that never receives deployment data cannot compare it to entitlement. The team that never reads the assignment and change of control clauses cannot know whether the deal structure triggers consent or repricing. The team that never reconciles the entitlement records against the actual install base is trusting that two numbers match when no one has put them side by side. The table below pairs each common mistake with its consequence and the corrective step that closes it.

Common software due diligence mistakes and how to correct them
Mistake | What it costs the buyer | Corrective step
Treating paid invoices as proof of compliance | Latent under licensing survives to become a post close audit | Reconcile deployment against entitlement, not against spend
Accepting the target self assessment | Exposure the seller never tested transfers to the buyer | Run independent testing on the highest risk publishers
Skipping aggressive auditors under time pressure | Oracle, SAP, Microsoft, and IBM exposure goes unpriced | Prioritise publishers by audit propensity, not by spend
Ignoring indirect and digital access | The largest single exposures stay invisible | Map every system that reaches into a core platform
Not reading change of control clauses | Consent, termination, or repricing surfaces at close | Review assignment clauses against the actual deal structure
Leaving findings unpriced | Risk cannot be reflected in price or indemnity | Quantify each exposure as a cost to cure range

Key takeaways

  • The costly mistakes are process gaps, not technical errors. Paid invoices prove spend, never compliance.
  • Indirect and digital access is the exposure most often missed, because it is invisible to a seat count.
  • A time boxed review that never reaches the aggressive auditors leaves the highest probability exposure untested.
  • Every finding must be priced as a cost to cure range, or it cannot move price, indemnity, or the day one plan.
  • The seller self assessment is a starting hypothesis, not evidence. Test it independently on the publishers that matter.

How the mistakes compound across the deal

A single missed exposure is a number. Several missed exposures interacting is a pattern that distorts the whole valuation. When the deployment reconciliation is skipped, the change of control clauses go unread, and the aggressive auditors are deprioritised, the buyer ends up with a software estate it has never actually measured, priced as if it were compliant. The exposure does not disappear. It waits for the first renewal or audit after close, when the buyer owns it outright. Avoiding that outcome means treating each finding as input to quantifying software audit exposure before you sign and carrying the priced result into the day one readiness plan.

Recommendations for buyers

  1. Demand deployment and consumption data early, and reconcile it against entitlement rather than against invoices.
  2. Rank publishers by audit propensity and start with Oracle, SAP, Microsoft, IBM, and Broadcom for VMware.
  3. Read every assignment and change of control clause against the actual deal structure before signing.
  4. Map indirect and digital access around each core platform, since the largest exposures live there.
  5. Price every finding as a cost to cure range so it can move price, indemnity, or the day one plan.

How to build the mistakes out of your diligence process

Naming the mistakes is only useful if the process is rebuilt so they cannot recur. The fix is structural, not heroic. A diligence checklist that demands deployment data alongside contracts forces the deployment versus entitlement comparison rather than leaving it optional. A publisher ranking that puts the aggressive auditors at the top of the work queue means a time boxed review spends its scarce hours where the probability and the size of exposure are greatest. A standing requirement that every finding carry a cost to cure range stops qualitative comments standing in for quantified risk. Each of these is a small discipline, and together they remove the conditions under which the costly mistakes happen.

The second structural fix is the handover. Many exposures are found in diligence and then lost between the deal team and the integration team, because the finding was filed rather than assigned. Building a single thread from the diligence report into the day one plan, with an owner and a date against every priced exposure, closes the gap where a finding quietly disappears. The same evidence base that priced the risk before signing should be the one that drives remediation after close, so nothing has to be rediscovered. This continuity is the difference between a report that protected the price and a process that protects the value.

The third fix is independence. The reason these mistakes survive in so many processes is that the parties closest to the software, the seller and the incumbent reseller, are the least incentivised to surface exposure. Inserting an unconflicted reviewer whose only job is to find what the standard process misses changes the economics of the diligence itself. The reviewer has no renewal to protect and no compliance record to defend, so the deployment level testing that catches indirect access, virtualisation breaches, and unread change of control clauses actually gets done. The mistakes that cost buyers are not inevitable. They are the predictable result of asking conflicted parties to grade their own work.

Why an independent advisor avoids these mistakes

The mistakes persist because the parties best placed to find them are conflicted. A reseller earns on the renewal it is asked to review. The seller has no reason to surface its own exposure. An independent, buyer side advisor with no affiliation to any publisher or reseller is paid only to find what the standard process misses, and brings the deployment level testing that turns a software line of spend into a measured, priced position the buyer can act on before signing.

Independent and buyer side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel.

Frequently asked questions

What is the most common software due diligence mistake?

Treating a clean payment history as proof of compliance. Paying every invoice shows the target funds its software, but it says nothing about whether deployment and consumption exceed what the contracts permit. The gap between paid for and compliant is where exposure hides.

Why is indirect access so often missed in diligence?

Because it cannot be seen by counting named users. Indirect or digital access comes from other systems reaching into a core platform. A review that counts seats and never maps the integrations around that platform will not find it, which is why it is the category most often missed.

Should we rely on the target self assessment?

Treat it as a starting hypothesis, not as evidence. The seller has neither the incentive nor often the data to surface its own exposure. The highest risk publishers should be tested independently against actual deployment before the findings are trusted.

Which publishers should diligence prioritise?

Rank by audit propensity rather than by spend. Oracle, SAP, Microsoft, and IBM audit most aggressively, with Broadcom for VMware, Salesforce, and ServiceNow rising as of June 2026. A time boxed review should reach these first.

How do these mistakes actually cost the buyer money?

Unfound exposure does not disappear at close. It waits for the first renewal or publisher audit, when the buyer owns it outright. Because the estate was priced as if compliant, the cost to cure lands as an unbudgeted post close liability.

How do we avoid these mistakes under deal time pressure?

Reconcile deployment against entitlement rather than spend, prioritise the aggressive auditors, read change of control clauses against the deal structure, and price every finding as a cost to cure range so it can move price or the day one plan.

Find the exposure standard diligence misses.

We run deployment level software due diligence that tests compliance, not just spend, so inherited licensing exposure is found and priced before you sign.

Request a software due diligence