Similar to a home inspection, M&A software due diligence helps organizations assess the risk of an investment.
When a company buys another company, the due diligence process is analogous to a home inspection during a real estate transaction. A buyer sees only so much when they tour a home—enough to know they like it and to assess the value, but not enough identify hidden problems that might devalue the property. An in-depth assessment requires time and expertise.
Similarly, a company acquiring another starts with a fairly good idea about the target’s value and strategic fit before they agree on a price and a timeline for the deal. But when they sign a Letter of Intent, they reserve the right to dig deeper via a process called due diligence. The acquirer then has several weeks to request information, ask questions, and perform analyses to allow them to:
This kind of analysis covers all aspects of a business. Acquirers will dig into financials, HR records, legal documents, customer complaints, marketing plans—everything, including the software technology. This is particularly relevant for deals in which software is a substantial part of the value. Inquiries about the technology will range from a high-level look at product strategy and roadmap to the people and processes, and extend down to the code itself. The breadth of inquiry spans quality, security, and legal issues.
As with any aspect of due diligence, much information is gleaned through Q&As and documents as well as discussions. A meeting between respective CISOs might start with walk through of the target’s AppSec program at a high level. A disclosure request might include documented processes on open source use, handling vulnerabilities, building in security, and software architecture.
Where the rubber meets the road, though, is in the code. That’s where an audit comes in. It will delve deeply into all aspects of the code and focus on open source, application security, architecture, quality, and processes. This kind analysis is well-suited to a trusted third party because targets will not share their code with a potential acquirer. The exhaustive analysis Synopsys performs also requires skills that acquirers may not possess, much like a home buyer relies on the expertise of the inspector to spot issues that would escape a typical homeowner (and require willingness to crawl into the deepest corners of the attic). Applying such expertise is what distinguishes an audit from a mere automated scan.
Once alerted to security, quality, and legal issues in the code, a buyer can protect themselves in the deal and plan to address them going forward. Rarely, though occasionally, code issues can kill a deal. However, they certainly impact planning, and extreme issues can affect deal valuation, timing, or terms. Newly discovered vulnerabilities or open source license compliance issues may need to be remediated before close. A revealed architecture hairball may reduce the price to cover refactoring costs. Or buyers may hold back some money as insurance against a potential licensing lawsuit based on a discovered GPL-licensed component.
Tech acquirers rely on Black Duck® software audits to keep their technical houses in order, ensuring they are making wise M&A investments that pay off in the long run.
Phil is the general manager of Synopsys’s Black Duck Audit business auditing the composition, security and quality of software for companies on both sides of M&A transactions. He focuses on software due diligence best practices and the M&A market. He also works closely with the company’s law firm partners and the open source community and is a frequent speaker on open source management and M&A. Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group which created an ISO standard for Software Bills of Materials (SBOMs). With decades of software industry experience, Phil held senior management positions at Hammer/Empirix and High Performance Systems, a startup in computer simulation modeling. He began his career in marketing and sales with Teradyne's electronic design and test automation (EDA) software group. He’s also written a book on fly fishing. Phil has an AB and an MS in engineering from Dartmouth College.