Software quality: Diligence prep for sellers
Due diligence for buyers
Every year, thousands of tech companies go through mergers and acquisitions (M&As), with transaction totals reaching billions of dollars. During an M&A transaction the stakes are at their highest, and acquirers must ensure that they are making a solid investment. As part of making a fully informed decision, buyers perform due diligence to deeply assess and evaluate a target company’s financial, operational, legal, commercial, and software assets (where we come into play) before completing the transaction. The information gained helps validate investment assumptions and inform integration planning, and sometimes turns up surprises that may impact the terms or the deal itself.
For sellers, getting ready for due diligence will maximize the financial position of the company as well as help it anticipate and mitigate any potential issues that might come to light during the process. How well-prepared a seller is heading into this process can make a substantial difference to exit timing and total value. Before getting acquired, future sellers can make the company attractive to buyers by preparing for an M&A event and heading off any red flags that might otherwise arise in due diligence and jeopardize a deal.
Bankers will often advise potential sellers on ways to maximize their valuation and prepare for the eventual transaction. They may encourage measures to increase sales and cut costs, and help the company develop a compelling story to communicate the company’s position most effectively to interested investors. Bankers will also suggest organizing and consolidating key documents, financial statements, contracts, licenses, permits, and other relevant info that a potential buyer may require during due diligence to expedite the process.
Software risk for sellers
Before an acquisition, tech companies with significant software assets also need to make sure their software house is in order. This is an area where most bankers are less comfortable advising. As part of due diligence, a target company’s software development processes are open to scrutiny, and the acquirer might require a code audit to look for potential risks that could affect the deal and the future integration plan. The Synopsys Black Duck® audit team is quite familiar with the issues acquirers dig into, as we are frequently the ones wielding the shovels. There are a few common risk areas we find in software due diligence. These include:
- Process and organization. Except in an asset-only deal, acquirers want to get a sense of how the company develops software and how well-organized it is. This provides a look at how effective future development will be. If the acquirer plans to integrate the team into a bigger development organization, it will be interested in the cultural fit and will identify critical team members. If the plan is to build the team up, it will assess the scalability of the processes and the organization—determining, for example, whether a small team is too dependent on one person. Savvy sellers benefit from bringing in a fresh set of experienced eyes to look at their processes and team as a potential acquirer would.
- Code concerns. Part of planning integration and validating the acquirer’s business plan involves identifying issues in the code that will need to be addressed going forward. The work required to address code problems is referred to as technical debt. Buyers understand that no software is perfect, but they will want to gauge how much of the future roadmap may be compromised to clean up the code. Code concerns fall into three areas:
- Open source and third-party code. Acquirers will want to understand how much and what kinds of open source components are being used in development. They are also interested in the license obligations of that code and, more importantly, whether the code is properly licensed. Some open source licenses (strong copyleft licenses such as the GPL) carry obligations that are incompatible with distributing proprietary software, and improperly licensed code will need to be remediated. Other open source–related issues that can arise during due diligence are operational risks (e.g., are these components old or clunky, and are they maintained by an active community) and security bugs (e.g., do these components have known vulnerabilities such as the Apache Struts flaw, CVE-2017-5638, that attackers exploited in the Equifax breach). Sellers looking for a smooth exit should maintain an accurate inventory of their open source usage and know which of those components carry known vulnerabilities, and whether the vulnerable code is actually reachable in their product.
- Security posture. Buyers will want to understand how secure the codebase is before they buy it, and whether the assets they are about to buy were developed using security best practices. They will want to know how easily bad actors could compromise the code; an announced acquisition often draws their attention. Sellers with software or sensitive data should get insight into their security posture long before due diligence.
- Code quality. A sophisticated tech acquirer will want to know how well the codebase is written, how scalable and maintainable the code is, and many other factors related to the overall quality of a codebase. They will want to know if the codebase they are about to invest in is a “hairball” or if it is well-structured and modular. Sellers should identify any potential issues that might come up in due diligence, and allow enough time to remediate in order to avoid any red flags and expedite the exit.
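The open source review described above is, at its simplest, an inventory check: walk the bill of materials, flag licenses whose obligations conflict with the planned distribution model, flag components with no declared license, and match each component's version against known-vulnerable ranges. The script below is an added illustration of that check, not tooling from the original post or from the Black Duck audit team. The SBOM fragment follows the CycloneDX JSON shape, but its component names, versions, licenses, and advisory identifiers are all constructed for the example; nothing here is real vulnerability data.

```python
"""Minimal open source inventory review (constructed example, not a Black Duck tool).

Flags three of the issues an acquirer's code audit looks for:
  1. licenses whose copyleft obligations conflict with proprietary distribution
  2. components with no declared license (provenance unknown)
  3. components whose version falls in a known-vulnerable range
"""
from dataclasses import dataclass

# Assumption for this example: the product is shipped as closed-source software,
# so strong copyleft licenses on linked/embedded code are a remediation item.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def parse_version(v):
    """Turn '2.3.10' into (2, 3, 10) so ranges compare numerically.

    A plain string comparison would put '2.3.10' before '2.3.9', which is the
    kind of mistake that makes a fixed component look vulnerable (or vice versa).
    """
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    component: str
    advisory_id: str   # constructed identifier, not a real CVE
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)

    def affects(self, version):
        return (parse_version(self.introduced)
                <= parse_version(version)
                < parse_version(self.fixed))


# Constructed SBOM fragment in CycloneDX JSON shape (only the fields used here).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "2.3.10",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "netparse", "version": "1.4.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "fastjson-like", "version": "0.9.1", "licenses": []},
        {"name": "libbar", "version": "3.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
}

# Constructed advisories; the version ranges are invented for the sample.
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "EXAMPLE-0001", introduced="2.0.0", fixed="2.3.9"),
    Advisory("fastjson-like", "EXAMPLE-0002", introduced="0.0.0", fixed="1.0.0"),
]


def review_sbom(sbom, advisories, proprietary=True):
    """Return (component, version, finding) tuples for the audit report."""
    findings = []
    for comp in sbom["components"]:
        name, version = comp["name"], comp["version"]
        ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        if not ids:
            findings.append((name, version,
                             "no declared license: provenance must be established"))
        for lic in ids:
            if proprietary and lic in STRONG_COPYLEFT:
                findings.append((name, version,
                                 f"{lic} obligations conflict with proprietary distribution"))
            elif lic not in PERMISSIVE and lic not in STRONG_COPYLEFT:
                findings.append((name, version, f"license {lic} needs legal review"))
        for adv in advisories:
            if adv.component == name and adv.affects(version):
                findings.append((name, version,
                                 f"known vulnerability {adv.advisory_id}; fixed in {adv.fixed}"))
    return findings


if __name__ == "__main__":
    for name, version, finding in review_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version}: {finding}")
```

Two details matter in practice. Versions are compared as integer tuples, so libfoo 2.3.10 is correctly treated as later than the 2.3.9 fix even though it sorts earlier as a string; real ecosystems have their own version semantics (semver pre-release tags, Debian epochs, and so on), and a production tool has to honor them. And a version match only says a vulnerable component is present; whether the vulnerable code path is reachable from the product is a separate question the audit still has to answer before the finding is treated as an exploitable risk.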
Quality of software
Quality of earnings (QoE) refers to an assessment of a company’s financial accuracy, sustainability, and overall financial health. It provides insights into the main factors that contribute to a company’s earnings and the reliability of those earnings. Many bankers strongly recommend that potential sellers bring in a third party to assess the target’s QoE to give potential buyers comfort with the seller’s financials. Ideally, this assessment is performed well in advance of any serious discussion. One banker recently disclosed, “We won’t touch any company that hasn’t performed a QoE.” In the world of tech, buyers want a similar understanding of the technical assets—the quality of software (QoS).
For a future tech deal, a prepared seller can provide similar comfort by bringing in a third party trusted by potential acquirers to evaluate the QoS along all the dimensions listed. Ideally, this occurs a year out to identify any significant issues early enough to address them well before a formal diligence process.
With two decades of experience, the Black Duck audit group at Synopsys partners with our clients to share knowledge, insight, and expertise. We have worked with thousands of buyers to assess the quality of software of targets, and have developed an understanding of what matters to them. Looking broadly over a prospective seller’s process and code well in advance of a deal, we can make recommendations for actions to achieve solid-quality software and help ensure a smooth software due diligence process.
Sellers that have their house in order typically achieve more successful exits.
This post was originally published at https://www.synopsys.com/blogs/software-security/software-quality-gauging-strengths-and-weaknesses/