Software Due Diligence

What Standard IT Due Diligence Misses About Licensing

Standard IT diligence is thorough on architecture and security, but it never counts deployment against entitlement. That gap is where inherited exposure survives into ownership.

Understanding what standard IT due diligence misses about licensing is the single most useful insight a buyer can carry into a deal, because the gap is wide and the cost lands after close. Standard IT diligence is thorough on architecture, security, infrastructure and technical debt. It maps the systems, reviews the cloud estate, and assesses resilience. What it does not do is count deployment against entitlement, classify users on each publisher's own metrics, or test for indirect access. Those are the measurements that produce an exposure number, and they sit outside a standard IT review. This is the gap that software due diligence exists to close.

The reason the gap persists is that IT diligence and licensing diligence answer different questions. IT diligence asks whether the systems work, scale and are secure. Licensing diligence asks whether the target is entitled to run what it is running. A target can pass an IT review with a clean bill of health and still carry an eight-figure compliance exposure, because the two reviews never overlap. A buyer who assumes the IT review covered licensing is the buyer who meets the publisher audit after close.

What standard IT due diligence misses about licensing

Standard IT due diligence misses four things about licensing, and each can carry material cost. It does not measure deployment against entitlement, so it never produces an effective license position. It does not classify users on publisher metrics, so SAP named user exposure stays invisible. It does not test indirect or digital access, so the licensing required for connected systems goes uncounted. And it does not size the audit exposure that travels with the estate, so the buyer inherits a risk no one has quantified. The detail of how this exposure hides is in how latent licensing exposure hides from diligence.

[Figure: What standard IT diligence covers versus what it misses. Bar chart contrasting the high coverage standard IT due diligence gives to architecture and systems and to security and infrastructure (covered) with the low coverage it gives to license entitlement and audit exposure (missed).]

The clearest example is virtualisation. An IT review will document a VMware cluster and confirm it is resilient and well managed. A licensing review will ask how many physical cores in that cluster are running Oracle, because Oracle policy can pull every core into scope unless the deployment is partitioned in an approved way. The same cluster is a strength to the IT reviewer and a potential seven-figure exposure to the licensing reviewer. Only one of them is counting.

What standard IT due diligence covers and misses

Architecture and systems
  Standard IT diligence: Maps the stack and integrations in detail
  What is missed on licensing: Does not count deployment against license entitlement

Infrastructure and cloud
  Standard IT diligence: Reviews capacity, resilience and cost
  What is missed on licensing: Does not measure Oracle cores in scope on virtualised hosts

Security and access
  Standard IT diligence: Assesses controls, identity and risk
  What is missed on licensing: Does not classify SAP named users or test indirect access

Spend and contracts
  Standard IT diligence: Confirms invoices and renewal dates
  What is missed on licensing: Does not reconcile entitlement against what is deployed

Roadmap and technical debt
  Standard IT diligence: Reviews modernisation and support status
  What is missed on licensing: Does not size the audit exposure that travels with the estate

Why the spend review does not catch it either

A buyer might reasonably assume that the financial review of software spend would surface a licensing gap, but it does not. A spend review confirms what the target pays and when its contracts renew. It reconciles invoices, not entitlement against deployment. A target can pay every invoice on time and still be materially under-licensed, because spend measures what was bought, not what is used. The distinction between the legal, financial and licensing views is set out in the difference between legal and commercial software diligence.

The publishers where the gap costs most

The gap is widest with a small set of publishers known for aggressive audit practices: Oracle, SAP, Microsoft and IBM, and increasingly Broadcom through VMware, alongside Salesforce and ServiceNow. As of mid-2025, SAP pursued AB InBev for a reported 600 million dollars and Diageo for a reported 60 million in disputes tied to indirect and inherited licensing, which shows how large a single missed measurement can become. A standard IT review would not have surfaced the indirect access at the centre of those disputes, because measuring it is not what an IT review does. The publisher-specific detail is in vendor specific diligence.

Key takeaways

  • Standard IT diligence covers architecture, security and infrastructure, not license entitlement.
  • It does not measure deployment against entitlement, classify users, test indirect access, or size audit exposure.
  • A target can pass an IT review cleanly and still carry an eight-figure compliance exposure.
  • A spend review confirms invoices, not entitlement, so it does not catch the gap either.
  • The gap costs most with Oracle, SAP, Microsoft, IBM and increasingly Broadcom, Salesforce and ServiceNow.

How to close the gap in practice

Closing the gap does not mean redoing the IT review. It means adding a licensing workstream that runs alongside it, owned by someone whose job is to measure entitlement against deployment and quantify the result. That workstream takes the architecture the IT team has already mapped and asks the licensing questions the IT team did not: how many cores, how many users, how much indirect access, and what is the resulting exposure. The scoping of that workstream is described in how to scope software due diligence on a target.

What the buyer gains by closing it

A buyer who closes the gap gains a quantified exposure it can price, indemnify, or make a condition of close, instead of a clean IT report that hides a latent liability. The cost of the licensing workstream is a fraction of a single avoided settlement, which is why the buyers who run it consistently treat it as standard rather than optional. Leaving the gap open does not remove the exposure. It only delays the moment the buyer meets it, usually as a publisher audit in the first eighteen months of ownership.

Recommendations for buyers

  1. Do not assume the IT review covered licensing, because it answers a different question.
  2. Add a licensing workstream that measures entitlement against deployment alongside the IT review.
  3. Prioritise Oracle virtualisation, SAP user and indirect access, and any publisher with a recent audit history.
  4. Reconcile entitlement against deployment rather than relying on a clean spend or invoice review.
  5. Require a quantified exposure number so the gap becomes a deal lever rather than a post-close surprise.

Closing the licensing gap is the whole purpose of the software due diligence method, and it is what an IT review on its own cannot deliver. The full workstream is run through our software due diligence service.

Independent and buyer-side. We act only for the acquirer. We hold no affiliation with any software publisher or reseller and are paid solely by you. This page is commercial and licensing guidance, not legal advice. Confirm any contractual interpretation with your own counsel.

Frequently asked questions

What does standard IT due diligence miss about licensing?

It does not measure deployment against entitlement, classify users on publisher metrics, test indirect access, or size the audit exposure that travels with the estate. It covers architecture and security, not license compliance.

Can a target pass an IT review and still have licensing exposure?

Yes. IT diligence asks whether the systems work and are secure. Licensing diligence asks whether the target is entitled to run what it runs. A clean IT report can sit on top of an eight-figure compliance gap.

Does the financial spend review catch licensing gaps?

No. A spend review confirms invoices and renewal dates, which measures what was bought, not what is deployed. A target can pay every invoice on time and still be materially under-licensed.

Why is virtualisation the clearest example?

Because an IT review documents a VMware cluster as resilient, while a licensing review asks how many physical cores run Oracle. Oracle policy can pull every core into scope, turning a strength into a seven-figure exposure.

Which publishers make the gap most expensive?

Oracle, SAP, Microsoft and IBM, and increasingly Broadcom through VMware, Salesforce and ServiceNow. As of mid-2025, SAP pursued AB InBev for a reported 600 million dollars over indirect and inherited licensing.

How do you close the gap?

Add a licensing workstream that runs alongside the IT review, owned by someone who measures entitlement against deployment and quantifies the result into an exposure the deal team can price or indemnify.

Close the gap a standard IT review leaves open.

We add the licensing workstream a standard IT review misses, measure entitlement against deployment, and hand your team a quantified exposure before you sign.

Request a software due diligence