Software due diligence is a critical process of evaluating a technology company’s software during mergers and acquisitions, significant investments, or IPOs. This process focuses on software sold by the company, not all the software they use internally.
Much like other types of due diligence, this process involves a thorough review of the software and business practices, including:
Typically, this process is carried out by the company considering the M&A or investors. However, internal software due diligence is often completed before an IPO or M&A.
While similar to technical due diligence, software due diligence differs by honing on crucial aspects of a company’s prosperity software products that form the basis of its revenue.
We touched on some of these areas above, but let’s dive deeper into what may be evaluated during this type of due diligence:
There are certainly other elements to evaluate when considering investments or M&A opportunities, but the above aspects are at the heart of what’s essential for actionable software due diligence. Once complete, a potential investor will understand what they may be getting involved with.
Significant investments, M&As, and IPOs typically necessitate thorough due diligence, considering both software and the company itself. On the other hand, software companies may wish to run internal due diligence before an external party so they can take corrective action for any areas of concern.
So, how do you conduct due diligence, either on your own company or a potential investment? Let’s break down the overall process to help you get started.
Begin by defining the total scope of the process — what do you hope to accomplish? You may want to explore all of the elements we explored above but clearly define them. Depending on the situation, you can likely skip some areas or benefit from pre-existing reports. Additionally, the nature of the business and software will inform which areas need more or less analysis.
By understanding the scope and defining key areas, you’ll avoid spending too much time or resources. Understanding what’s in and out of scope focuses your efforts and produces the information you need to proceed.
Software development due diligence focuses on code, evaluating for adherence to best practices, documentation, maintainability and scalability. Low-quality code can introduce new technical debt as it may need significant reworks or rewrites.
For SaaS platforms, infrastructure usage must also be evaluated for stability, costs, and redundancy. The usage of cloud infrastructure, on-site servers, and databases all need analysis. Many SaaS companies use AWS or Azure rather than in-house servers, but how these are configured and utilized should still be evaluated as part of the software and technical due diligence process.
Compliance goes hand in hand with security for software companies. For example, GDPR describes data protection practices that include correctly securing access to customer data. HIPAA also describes how patient data must be stored and accessed.
Thoroughly evaluate the company’s compliance standing or lack thereof, including strict compliance requirements and industry expectations.
Additionally, cybersecurity practices need to be evaluated for adherence to best practices, whether following the freely available NIST CSF or having an ISO 27001 certification. Do they have the right systems and people in place to protect your investment?
Open-source software doesn’t mean it’s freely available to use. Most open-source software includes specific license or usage requirements, which often have different stipulations for usage in commercial software. Violating these terms may result in significant legal liability.
Additionally, relying on less-popular or deprecated open-source software can result in issues down the road or introduce new security risks. Identify any usage of open-source software and make sure it’s being used appropriately within the terms and conditions. You’ll also want to be sure it’s being actively maintained.