Deciding on the best approach to managing software due diligence can be a significant challenge for organizations. Frequent acquirers have a playbook, but every transaction is different, and approaches must evolve as the market changes. Given the global economic uncertainties that markets are experiencing, it is more important than ever for firms to carefully consider how they approach software due diligence so they can ensure that the process will yield a clear picture of the true value of a deal and the efficacy of plans going forward.
Black Duck Audit teams are involved in hundreds of merger and acquisition (M&A) transactions every year, and we find flaws in the target’s software in virtually every transaction. These may be licensing issues with open source and third-party components, security vulnerabilities, architecture flaws, or simply bugs in the code. Few are “deal killers” but most have implications for integration planning, and some impact deal terms or valuation.
An important part of our job is to advise acquirers about tailoring the due diligence process given the particulars of investment scenarios. There are several topics that frequently come up during initial discussions with firms when discussing the most appropriate path to take.
Most acquirers conduct interview-based due diligence to learn about a target’s strategy, product(s), employees, and perhaps development practices. This provides an important high-level overview of an organization, but it does not give an assessment of the risks that are actually in a target’s codebase.
All due diligence is about illuminating issues to reduce risk, so ultimately, the amount of due diligence performed depends on how much risk an acquirer is willing to assume when committing to a high-value transaction. Software audits can provide a complete picture of a target’s assets, complementing the typical interview-based approach for due diligence.
In an ideal world, tools that scan software for security, open source, and quality issues would yield perfect results. But the reality is that expert humans auditing code with the assistance of sophisticated tools provide the most complete and accurate results possible. There’s great value in automated scanning as it is the only practical approach for day-to-day software management, but when the stakes are high, as in an M&A transaction, audits are called for.
Although the distinction between scans and audits applies to any element of code analysis in due diligence, it most often comes up in connection with open source audits. The final output of an audit or a scan is a software Bill of Materials (SBOM) of the open source and third-party software in a codebase. The most pivotal difference is that an audit involves dedicated experts using a variety of tools to perform a complete review of the results of automated scans. These experts use techniques and reasoning to verify the output in ways that automated tools are not able to. With an automated scan, results will be less accurate and provide an incomplete picture of the open source components in a target’s codebase.
Specific techniques used in open source auditing include string search and snippet identification. Such methods achieve the most complete and accurate SBOMs, which is why an audit is typically recommended to ensure complete insights to address the inherent risks and high stakes in tech M&A transactions.
The information in Black Duck audit reports is most valuable if users understand how to effectively leverage the results to inform M&A transactions and post transaction planning.
All our reports summarize the main points before going into the details. Reviewing these summaries is a good starting point after receiving audit reports. This can help organizations quickly pinpoint items of interest and establish high-priority risk items to allow effective allocation of resources and focus on what matters.
In conjunction with the written reports, we strongly recommend an audit review call as a follow-up with the experts who performed the work. This is an opportunity to discuss the results of the reports, ensure complete understanding of the findings, and clarify any areas of interest or concern. Include appropriate members of cross-functional teams in these calls to ensure that the best insights from the report get to people who can use it.
Ultimately, it is essential to have a clear plan to address any potential issues uncovered in the audit reports to effectively manage software risks during and after an M&A transaction.
The Black Duck Audit team endeavors to ensure that customers understand and derive utility from our software audit reports. This datasheet provides a complete overview of current service offerings. We are dedicated to delivering timely results with expert insights so customers can feel more confident in managing software risks in their investments. To achieve this, the team continuously strives for feedback and is always happy to address any questions.