Many acquirers perform interview-based due diligence, but adding a software audit can provide an in-depth assessment of software risks in a target’s code.
When deciding between an interview-based due diligence or software audit, the short answer is both.
Most tech company acquirers perform interview-based due diligence themselves or they hire a strategic consultant—and that’s a great start. Interview-based due diligence (including document reviews) is well-suited to understanding a target’s strategy, product, roadmap, and of course, people. Most acquirers have the internal expertise to be effective, or they have a longstanding partnership with existing vendors that may have a good understanding of their target’s organization, product line-up, and industry—all valuable knowledge in evaluating the fit of an acquisition.
Why you should consider software audits
A software audit is a great complement to the interview-based due diligence approach. Black Duck® audits include all levels and breadth of software due diligence, but audits focus mostly on the security, quality, architecture, and open source composition of the code. We work on all these areas in parallel to avoid any transaction delays. We also work alongside your current vendors, especially if your vendor has advised you to pay close attention to a specific area of concern.
Interview-based evaluation is just one part of the equation
Product and interview-based software due diligence typically covers
- Product portfolios, fit, and roadmaps
- Architecture and technologies
- Organization and processes
The benefits of these evaluations include
- High-level overview: This overview doesn’t require access to the software, as it relies on the target’s inputs, a review of its documentation, and interviews.
- Flexible cost: There may be no out-of-pocket costs if the work is done by internal teams, although there is opportunity cost. Even if a consultant is involved, the acquirer can limit how much time the consultant spends (say, one or two weeks). This can limit costs, although it also limits the depth of analysis.
- Time: Similar to costs, acquirers can control how much time is allowed as well, with the same limit to depth of analysis.
What software audits add
- In-depth assessment vs. high-level overview. There is only so much that such assessments can discover when they are not done by experts reviewing the actual code and methodologies. It may be sufficient for some to tick the software due diligence box, but reviewing technical documentation and interviews only scratches the surface. The bottom line is what’s in the code, and a high-level assessment can only infer that. For example, a good QA process on paper suggests that the code isn’t buggy, but it’s no guarantee. Results of automated scans provided by the target may be another confidence builder, but they are no substitute for a detailed, expert audit of the code.
Our white paper “Top Considerations for Evaluating the Tech in Tech M&A” can help you further understand what to focus on.
- Insights that only come from code analysis. If the transaction value is over $100M, would you be happy to discover two to three years into the investment that although the product roadmap was great, the coding execution was not ready to scale beyond x point? The cost of refactoring a codebase could dwarf any software due diligence costs. And despite a nice architectural diagram, the actual hairball code may have the development team spending most of their time fixing bugs instead of implementing new functionalities/features. These example scenarios will cost money to fix, and they won’t be discovered by reviewing documents and interviewing the CTO, VP of engineering, and chief architect. The cost will depend on the transaction specifics, as not all are made equal. The question you should ask yourself is, “How much risk are we willing to take, and for what price?” Additionally, audits can potentially reduce the representation and warranty (or warranty and indemnity for my European peers) insurance price and/or increase your policy cover. Our white paper “Benefits of a Design Quality Audit in Due Diligence Evaluations” will help you understand this aspect further.
- Time. A concern with deep code analysis is often fitting it into the due diligence window. Does it add time? It depends. When we scope for our audit efforts (at no commitment from your side), we look at the codebase size, complexity, and most importantly, how many people and how much time we need to get a complete view and generate the reports. For clients acquiring enterprise companies, it can take five weeks, but one company requested an audit in less than 15 hours. And because we have a team of professionals across Europe and the U.S., we capitalized on 18-hour business days, so we delivered the reports early. Of course, timing will vary from one transaction to another; there’s no one-size-fits-all. The best approach is to consult with people who have a lot of experience with both types of solutions to help you make educated trade-offs in a timely manner.
Finding the right approach for your organization
Ask yourself and the rest of your strategy team the right questions. Here are just a few questions that will help you in determining the right approach.
- How much risk are you willing to own? Or in other words, with the current approach, will you sleep tight at night? The blog post “M&A, trust in software, and a good night’s sleep” is a good place to start.
- Has the high-level product and roadmap due diligence process raised any red flags, and will you need to dig deeper due to concerns with some of the results?
- Have you asked your insurance broker which audit or code review reports will help you get the best representation and warranty policy coverage, and at what price?
Black Duck audits provide the benefits of our technology and expertise as an audit service. We have over 15 years of experience helping companies evaluate acquisition targets, prepare for acquisition or investment diligence, evaluate suppliers, meet customers’ or insurers’ requirements, or simply get a handle on their software’s content, security, and quality.