Software Due Diligence FAQ: 20 Questions Buyers Ask

A software due diligence FAQ for deal teams: the twenty questions buyers ask most often, grouped by scope, exposure, and timing, answered from a buyer side advisory perspective.

A software due diligence FAQ exists because the same questions surface on every deal, and getting clean answers early is the difference between a priced position and a post close surprise. This software due diligence FAQ collects the twenty questions buyers ask most often, grouped by where they fall in the deal, with direct answers from a buyer side advisory perspective. The aim is not to replace a scoped review but to give deal teams, corporate development, and the operating partners who inherit the estate a fast, accurate reference before and during diligence.

For the underlying method behind these answers, start with software due diligence and the software due diligence checklist for acquirers. Where an answer points to post close work, it links through to post close license reconciliation.

Software due diligence FAQ: scope and purpose

The first questions buyers ask are about what the work is and why standard diligence is not enough. Software due diligence is the independent review of a target software estate to find, quantify, and price the licensing and audit exposure that standard legal and financial diligence does not test. It matters because inherited licensing exposure is usually latent and unquantified, sitting outside the data room until it surfaces as a publisher audit after close. It differs from IT due diligence, which assesses systems, architecture, and technical debt, because it focuses specifically on the contractual right to use the software the target runs.

[Figure: When each diligence question gets answered. Timeline from scoping through signing showing the phases at which the most common buyer questions about software due diligence are answered. Scoping: what is in scope and why. Data request: what data to ask the target for. Testing: deployment versus entitlement. Pricing: cost to cure each exposure. Signing: price, indemnity, day one plan.]

Software due diligence FAQ: exposure and risk

The next cluster of questions is about what the review actually finds. The biggest exposures come from the publishers that audit most aggressively, namely Oracle, SAP, Microsoft, and IBM, with Broadcom (for VMware), Salesforce, and ServiceNow rising as of June 2026. The most damaging single category is indirect or digital access, where other systems reach into a core platform and trigger licensing that no seat count reveals. Public disputes show the scale: SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million over disputed and inherited licensing (figures as reported as of June 2026). The table below answers the high frequency exposure questions directly.

Software due diligence FAQ: the exposure questions answered

Question buyers ask | Short answer
Which publishers carry the most audit risk? | Oracle, SAP, Microsoft, IBM, and increasingly Broadcom for VMware
What is the most missed exposure? | Indirect and digital access into a core platform
Does the deal structure change the risk? | Yes. Stock, asset, merger, and carve out trigger different clauses
Can the seller indemnify the exposure? | Sometimes, but only if it is found and priced before signing
How is exposure quantified? | As a cost to cure range per publisher, not a single point
When does the exposure usually surface? | At the first renewal or audit after close, when the buyer owns it

Key takeaways

  • Software due diligence finds and prices the licensing exposure that legal and financial diligence does not test.
  • The largest exposures come from the aggressive auditors and from indirect access that no seat count reveals.
  • Deal structure matters: stock, asset, merger, and carve out each trigger different change of control clauses.
  • Exposure can only be indemnified or priced into the deal if it is found and quantified before signing.
  • Unfound exposure surfaces at the first post close renewal or audit, when the buyer owns it outright.

Software due diligence FAQ: process and timing

The final questions are practical. Software due diligence should start as early as the data room opens, because the deployment data it needs takes time to gather. It typically runs in parallel with financial and legal diligence over the same two to six week window, scaled to the size of the estate. The buyer should own it, briefed by an independent advisor, so the findings flow straight into price negotiation and the day one readiness plan. When time is short, the review is prioritised by publisher audit propensity so the highest risk exposure is tested first. For the full question set, see the ten red flags in a target software estate.

Recommendations for buyers

  1. Use this FAQ as a pre diligence brief so the deal team asks the target for the right data on day one.
  2. Start the review when the data room opens, since deployment evidence takes time to assemble.
  3. Prioritise the aggressive auditors first when the diligence window is short.
  4. Insist every answer about exposure is backed by a cost to cure range, not a qualitative comment.
  5. Carry every open question into the day one plan with an owner so nothing is lost at close.

Using the FAQ as a working diligence brief

This question set is most valuable when it is used as a brief rather than read as reference. Before the data room opens, the deal team can run each question against what it already knows about the target and mark the ones it cannot answer. Those gaps become the data request: if no one can say which publishers the target runs on aggressive metrics, that is the first thing to ask for. If no one can say whether the change of control clauses require consent, that goes to counsel immediately. Turning the FAQ into a checklist of unanswered questions converts a passive reference into an active scoping tool that shapes the first week of diligence.

The same questions also discipline the seller responses. A target that answers every exposure question with reassurance but no evidence is signalling that its own position is untested. The buyer should treat a confident self assessment with no deployment data behind it as a prompt to test, not as an answer to accept. The questions about indirect access, virtualisation, and change of control are the ones sellers most often cannot evidence, and they are also the ones that produce the largest post close surprises, so a gap there is worth more diligence attention, not less.

Finally, the FAQ is a bridge into the post close world. Several of the questions, particularly those about when exposure surfaces and how it is remediated, point past signing into reconciliation. Carrying the open questions across the close, each with an owner, means the combined entity inherits a live list of things to resolve rather than a filed report. The buyer that treats this question set as a continuous thread, from scoping through signing into the first 90 days, never loses a finding in the handover, which is where most of the value of diligence is otherwise lost.

Why an independent advisor answers these questions cleanly

The answers in this software due diligence FAQ are only useful if they are unconflicted. A reseller answering questions about a renewal it stands to earn on, or a seller answering about its own estate, cannot give a buyer the unvarnished position. An independent, buyer side advisor with no affiliation to any publisher or reseller answers each question against the actual deployment evidence and the actual deal structure, so the buyer negotiates from measured fact rather than from the seller account of its own compliance.

Independent and buyer side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel.

Frequently asked questions

What is software due diligence in one sentence?

It is the independent review of a target software estate to find, quantify, and price the licensing and audit exposure that standard legal and financial diligence does not test, before the buyer signs.

How is it different from IT due diligence?

IT due diligence assesses systems, architecture, and technical debt. Software due diligence focuses on the contractual right to use the software the target runs, comparing actual deployment against entitlement to find licensing exposure.

When should software due diligence start?

As early as the data room opens. The deployment and consumption data it needs takes time to gather, so starting late forces the review to rely on the seller self assessment rather than independent evidence.

Which publishers carry the most audit risk?

Oracle, SAP, Microsoft, and IBM audit most aggressively, with Broadcom (for VMware), Salesforce, and ServiceNow rising as of June 2026. A time boxed review should test these publishers first.

Does the deal structure change the licensing risk?

Yes. Stock purchase, asset purchase, merger, and carve out each trigger different change of control and anti assignment clauses, which can mean consent, termination, or repricing depending on how the deal is structured.

How is software exposure quantified?

As a cost to cure range per publisher, built from the gap between deployment and entitlement, rather than as a single point estimate. The range is what lets the buyer move price, seek indemnity, or budget remediation.

Can exposure be indemnified by the seller?

Sometimes, but only if it is found and priced before signing. Exposure that surfaces after close, when the buyer owns the estate, is far harder to recover and usually lands as an unbudgeted liability.
