Software Due Diligence

Quantifying Software Audit Exposure Before You Sign

Exposure is a range, not a number. Building a defensible list price, likely settlement and cost to cure per publisher is what turns a licensing finding into a deal lever you can use before signing.

Quantifying software audit exposure before you sign is the step that turns a list of licensing issues into a number the deal team can use. A finding that a target may be under licensed is not actionable. A finding that the exposure is roughly four million dollars on a likely settlement basis, against seven million at list price and two million to cure, is something a buyer can price, indemnify or make a condition of close. This is the analytical heart of the software due diligence method, and the reason it protects a buyer.

Exposure is never a single figure. It is a range, because the amount a publisher could claim, the amount it would likely accept, and the amount it would cost to fix the deployment are all different. Quantifying the exposure means building that range with defensible assumptions, per publisher, so the deal team understands both the worst case and the realistic case.

Quantifying software audit exposure before you sign

The work starts from an effective license position: deployment measured against entitlement on each publisher's own metrics. From there the exposure is expressed in three layers. The list price figure is the headline a publisher would assert, useful as a worst case ceiling. The likely settlement is what comparable disputes actually resolve at, which is the number a buyer should plan around. The cost to cure is the lowest layer, the price of remediating the deployment and renegotiating quietly, which is often far below the settlement. Presenting all three lets the deal team choose its lever with eyes open.

[Figure: Quantifying audit exposure: from list price to net cost. Bar chart showing how a publisher exposure is expressed as a range, from the full list price figure down to the likely negotiated settlement and the lower cost to cure, then to the net cost once it is priced into the deal. Bars: Worst case (list price exposure), Expected (likely settlement), Remediated (cost to cure), If priced (net to buyer).]

The largest exposures cluster around a few drivers. Oracle virtualisation can pull every physical core in a cluster into scope. SAP indirect and digital access can require licensing for users who touch the system through another application. As of mid 2025, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million in disputes tied to indirect and inherited licensing, which shows how large a single driver can become when it is left unquantified.

How audit exposure is quantified per publisher
| Publisher | What drives the exposure | How the range is built |
|---|---|---|
| Oracle | Virtualisation scope, options and lapsed ULAs | Cores in scope at list, then likely settlement, then cost to cure |
| SAP | Named user classification and indirect or digital access | Document flows and user types priced at list, then negotiated |
| Microsoft | Server cores, CAL shortfall and edition mismatch | Deployed versus entitled at list, then volume settlement |
| IBM | Sub capacity reporting gaps measured in PVUs | Full capacity exposure, then sub capacity corrected position |
| VMware (Broadcom) | Subscription repackaging and core counts | Repriced renewal at list, then negotiated multi year position |

Build the range with defensible assumptions

A quantified exposure is only as good as the assumptions behind it, so each figure should be documented and defensible. State the metric applied, the deployment data it rests on, and the comparable basis for the settlement estimate. This matters because the number will be challenged, first by the seller in negotiation and later, potentially, by an investment committee or a lender. An exposure that cannot show its working collapses under the first challenge. The discipline behind this is set out in building a software license position during diligence.

Separate cost to cure from settlement

One of the most valuable distinctions in quantifying exposure is between the settlement and the cost to cure. A target running unlicensed Oracle options on a virtualised cluster faces a large settlement if audited, but the cost to cure, by re architecting the deployment and renegotiating, can be a fraction of that. A buyer who knows both numbers can choose to remediate before close rather than carry the settlement risk. The method is covered in estimating the cost to cure licensing gaps.

Key takeaways

  • Exposure is a range, not a single figure: list price worst case, likely settlement, and cost to cure.
  • Quantifying before signing turns a licensing issue into a number the buyer can price, indemnify or condition.
  • The largest exposures cluster around Oracle virtualisation and SAP indirect access.
  • Every figure must be documented and defensible, because it will be challenged in negotiation.
  • The cost to cure is often far below the settlement, which can make pre close remediation the cheapest lever.

Why list price is the wrong number to plan around

Publishers open an audit at list price plus back maintenance, and that figure can be alarming enough to push an unprepared buyer into a fast, expensive settlement. It is the wrong number to plan around. List price is a ceiling a publisher rarely collects, because disputes resolve through negotiation and most settle well below the opening demand. A buyer who only sees the list price figure either overpays in panic or, fearing the headline, walks away from a deal whose real exposure was modest and curable. The discipline of quantifying the likely settlement alongside the list price is what keeps the response proportionate, and it is one of the clearest ways an independent advisor protects an acquirer from its own publisher.

Turn the number into a deal lever

A quantified exposure is useless until it changes the deal. For each publisher, the position should recommend a lever: a price adjustment for structural gaps, a specific indemnity for risks that need publisher engagement, an escrow against uncertain outcomes, or remediation as a condition of close. The choice depends on the size of the range and how much of it can be cured. Presenting this clearly is what lets the work survive the investment committee, covered in how to present software risk to an investment committee.

Account for the deal structure

The same exposure can be worth more or less depending on how the deal is structured. A stock purchase carries the under licensing across unchanged. An asset purchase or carve out can trigger anti assignment and change of control consent, which can convert a quiet cure into a forced renegotiation at current pricing. The quantified exposure should therefore be stated against the structure, so the deal team sees whether the structure helps or hurts before it commits. The publisher specific detail is in vendor specific diligence.

Recommendations for buyers

  1. Express every exposure as a range: list price, likely settlement and cost to cure, per publisher.
  2. Document the metric, the deployment data and the comparable basis behind each figure so it survives challenge.
  3. Separate cost to cure from settlement, because pre close remediation is often the cheapest lever.
  4. Recommend a specific lever per finding and state it against the deal structure before signing.

Quantified exposure is the output that makes the rest of the software due diligence method commercial, and it is delivered through our software due diligence service. The next step is to present it where decisions are made.

Independent and buyer side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel.

Frequently asked questions

How do you quantify software audit exposure before signing?

By building an effective license position per publisher and expressing the exposure as a range: the list price worst case, the likely negotiated settlement, and the lower cost to cure, each with documented assumptions.

Why express exposure as a range rather than one number?

Because the amount a publisher could claim, the amount it would likely accept, and the cost to fix the deployment are all different. A buyer needs the worst case and the realistic case to choose the right lever.

What drives the largest exposures?

Oracle virtualisation, which can pull every physical core into scope, and SAP indirect and digital access. As of mid 2025 SAP pursued AB InBev for a reported 600 million dollars in disputes tied to these issues.

What is the difference between settlement and cost to cure?

Settlement is what a publisher would accept to resolve a claim. Cost to cure is the price of remediating the deployment and renegotiating quietly. Cost to cure is often a fraction of the settlement, which can make pre close remediation the cheapest option.

How does a quantified exposure change the deal?

It becomes a lever: a price adjustment for structural gaps, an indemnity for risks needing publisher engagement, an escrow against uncertain outcomes, or remediation as a condition of close.

Does deal structure affect the exposure?

Yes. A stock purchase carries under licensing across unchanged. An asset purchase or carve out can trigger anti assignment and change of control consent, turning a quiet cure into a forced renegotiation at current pricing.

Put a defensible number on the exposure.

We quantify the audit exposure per publisher as a range and recommend the lever, so you price the risk into the deal before you sign rather than absorb it after close.

Request a software due diligence