Home  ›  Blog  ›  M&A Software Due Diligence
Strategy · M&A · Due Diligence

M&A software due diligence — finding the exposure before signing.

Software licences are the third or fourth line item in most acquisition cost models and the first line item to break the synergy thesis. The diligence work that protects the deal is narrow, deep, and almost always under-resourced. Six exposure areas, a 30-day diligence plan, and a Day-One playbook.

Updated: June 2026 Reading time: 15 min Audience: CIO, Corporate Development, Deal Counsel, IT Integration Lead
Contract documents on desk
Why software diligence breaks deal models

The six places exposure hides.

When deal teams quote a synergy number based on "IT integration savings," the assumption underneath is usually that the target's licences will roll into the acquirer's contracts at marginal cost. They generally will not. Vendor contracts contain change-of-control provisions, assignment restrictions, geographic scope limitations, affiliate definitions and audit triggers that convert a clean acquisition into an unbudgeted renegotiation with the vendor.

In our experience across 340+ engagements, six categories of exposure produce nine out of ten of the post-close cost surprises. The diligence work is deep in those six and light everywhere else. Doing it the other way around produces a fat diligence binder and a thin protection.

1. Change-of-control clauses

Many enterprise software contracts contain change-of-control clauses that either terminate the contract on a transaction, require vendor consent for assignment, or trigger a renegotiation right. Oracle, SAP, IBM and CA contracts most often. The diligence task is to identify these clauses, quantify the at-risk licence value, and surface the negotiation window to the deal team. Failure to identify a change-of-control clause has, in our practice, caused a 30-day post-close stop-work order on a production ERP rollout. Surfacing the clause during diligence turns a forced post-close scramble into planned software contract negotiation inside the window where the buyer still holds leverage.

2. Affiliate definitions

Most enterprise contracts grant use rights to the customer and its "Affiliates," where Affiliate is defined by a percentage-of-ownership test. The acquirer's existing Affiliates may not qualify under the target's contracts post-close; conversely, the target's licences may not extend to the acquirer's pre-existing operations. The two estates merge in operational terms long before they merge in contract terms, and the licence shortfall is a function of that asymmetry.

3. Geographic and divisional scope

Enterprise contracts often define a geographic or divisional scope that constrains use. Microsoft Enterprise Agreements signed by a specific Enrolment cover that Enrolment's defined entities, not the entire corporate group. Acquiring a non-Enrolment entity adds users who were never licensed under the EA — and Microsoft's true-up reads the gap.

4. Audit-trigger language

A subset of vendors include language that makes an M&A event an audit trigger. Oracle is the most prominent. The 12–18 month period after a transaction is the most-audited window in the corporate calendar. The diligence question is not whether an audit will come; it is whether the joint estate is reconciled in time to survive it.

5. SaaS account migration friction

Cloud SaaS tenants do not merge cleanly. Salesforce orgs, ServiceNow instances, Microsoft 365 tenants, Workday tenants, Adobe Admin Consoles — each has its own migration mechanic and each has commercial implications. Salesforce tenant merges sometimes precipitate renewal renegotiations. Microsoft tenant-to-tenant migrations carry licence-reassignment timing that affects the true-up math. Each SaaS vendor is its own integration project, not a tool problem.

6. Concurrent ULA and ELA windows

If either party is mid-ULA or mid-ELA, the certification or renewal date is now a deal-event. ULA certification dates that fall during the diligence or integration period can be used to capture installed-base value at the acquirer's high-water mark — or, if mismanaged, can lock in a smaller-than-needed entitlement. The timing question is commercial, not legal, and rarely owned by anyone unless surfaced explicitly.

Live M&A diligence on a target?

We turn round software due diligence in 21 days, including a quantified exposure report.

Contact Us →
The 30-day diligence plan

What to do between signing and closing.

The diligence window in most mid-market transactions is short. The plan below is the one we run when called in after signing, and it has held up across deals from $200M to $4B in transaction value. Days are calendar days, not working days.

  1. Days 1–3: Contract harvest. Pull every vendor contract from the target's repositories. Focus on top-15 vendors by spend. Validate against AP records to find missing contracts.
  2. Days 4–10: Clause review. Read change-of-control, assignment, Affiliate, geographic-scope, audit-trigger, and renewal-pricing clauses. Build a clause matrix per vendor.
  3. Days 11–18: Entitlement vs. deployment reconciliation. Per top-15 vendor, compute the gap between contracted entitlement and actual deployment. Flag exposure exceeding 10% of vendor spend.
  4. Days 19–24: Renewal-event mapping. Identify every renewal, true-up, ULA certification or audit anniversary in the next 24 months. Map to integration milestones.
  5. Days 25–28: Quantified exposure model. Produce a vendor-by-vendor exposure model with low/expected/high scenarios. Feed into the deal model.
  6. Days 29–30: Day-One playbook. Memo to the integration lead listing the 10 most-urgent vendor actions to take in the first 30 days post-close.

Download the Multi-Vendor Negotiation Strategy paper.

Includes M&A diligence templates and post-close playbooks.

Get the paper →
Day-One actions

The first 30 days after close.

The post-close window is the moment where prevented loss compounds fastest. Three patterns recur in our practice: vendors that lean in early get more; vendors that the integration team contacts proactively grant more flexibility; and vendors that go uncontacted for 90 days produce the biggest invoices.

Carve-outs and divestitures

When you're the seller.

The diligence work runs in reverse on the sell side. The seller's task is to ensure the divested entity carries a clean, transferable software estate — and that the parent's contracts are not left short-handed. Carve-out TSAs (Transition Services Agreements) often include software re-use that the underlying licences do not actually permit, creating exposure for both the parent and the divested entity.

The defence is to map the to-be-divested workloads to the underlying licences before the TSA is drafted, identify gaps and remediate them via vendor consent or short-term right-to-use letters. Three vendors that frequently obstruct cleanly: Oracle (Affiliate definitions narrow rapidly), Microsoft (EA Enrolment scope is enterprise-specific), and Salesforce (org carve-outs require commercial action).

FAQ

Common questions answered.

When should software due diligence start in an M&A process?
Ideally at LOI. In practice, in mid-market deals, it often starts after signing. The 21–30 day post-signing window is the minimum to produce a defensible exposure model.
Which vendors most often complicate M&A integration?
Oracle (audit trigger and Affiliate scope), Microsoft (EA Enrolment definitions), SAP (license metric inheritance), Salesforce (org structure), and IBM (Passport Advantage entitlement transfer).
Can change-of-control clauses be waived?
Usually yes, but the price of waiver depends on the vendor's posture at the time. Vendors are most flexible before signing, less flexible during diligence, and least flexible after a transaction is publicly announced.
How much should be reserved for software exposure in the deal model?
Highly dependent on target. A reasonable working estimate before diligence: 5–12% of annual target software spend. The diligence work narrows this to a vendor-specific exposure figure.
Does an asset purchase avoid change-of-control issues?
It changes them but does not eliminate them. Most enterprise contracts require vendor consent for any assignment, regardless of transaction structure. The mechanics differ but the negotiation does not disappear.
Who should own software diligence in the deal team?
Either the CIO or a designated IT integration lead, supported by external SAM advisory and deal counsel. The failure mode is when the work sits entirely with deal counsel without licensing-domain expertise.

Transaction signed and integration starts soon?
Get the software exposure surfaced.

Our consultants run software due diligence on transactions $200M+ across Oracle, Microsoft, SAP, IBM and SaaS.

The Compliance Brief

Weekly compliance intelligence for IT leaders.