Software code diligence is becoming standard practice for many corporate acquirers.

The aim is to assess the target company's software, systems, and technology assets to identify potential risks, liabilities, and, in some cases, opportunities that can be capitalized on post-close.

Diligence reports typically include insights into the overall health and quality of the codebase and technology infrastructure. They also identify critical risks and red flags that could impact the “go/no go” acquisition decision or post-acquisition integration plan.

IP is the top concern

At the 2025 M&A Conference at Wharton San Francisco, a poll of corporate M&A teams found IP and open source risks were the primary driver for code diligence (51%), followed by an evaluation of cyber risks (29%).


In most cases, a code review will examine open-source and third-party software components to confirm compliance with their licenses, head off legal and IP claims, and establish clean title. A key concern is that the acquisition will put a fresh spotlight on the seller’s ownership of the codebase and attract IP claims against the new owner, which is often a more attractive litigation target.

The participants at the annual M&A conference recounted their specific experiences with code quality assessments, which provide visibility into the target’s coding standards, maintainability and complexity, readability, and overall software design and architecture. These assessments can also look at the system's ability to handle future growth and performance post-close under increased load, as well as the completeness of technical documentation, including design schematics, API documentation, and user manuals.

Corporate M&A professionals have also pointed to the assessment’s value in identifying potential security flaws, vulnerabilities, and weaknesses in the codebase. This can include code as well as the target's hardware, network and cloud infrastructure, data storage, recovery, privacy compliance (e.g., GDPR, CCPA), and data governance policies.

Missed opportunity to assess talent?

The findings from the M&A Conference at Wharton San Francisco suggest more could be done to leverage the code assessment to identify critical talent and tailor the retention strategy. The survey found that only 10% are currently using code diligence to evaluate the software engineering team.

In fact, a code review can be shared with the M&A HR team to help design the transaction’s retention program. Some of the most effective M&A teams are using code reviews to direct additional retention funds to developers who produced high-volume, high-quality code. This aligns with the broader diligence-stage skill and talent reviews that are typically conducted.

These assessments are also helping acquirers determine whether to maintain the target’s software development lifecycle methodologies, development tools, and technologies post-close. This is making a positive impact on integration performance.

How long does this take?

The negotiation with the seller should allow sufficient time and access to review the target's code, IP portfolio, relevant agreements, and legal history. While there's no standard timeline, a high-level review can be done in a couple of weeks, while a more standard review takes 2-4 weeks. A more thorough analysis, including performance testing, detailed security assessments, scalability analysis, and a comprehensive IP review, can take 4-8 weeks.

Factors influencing the timeline include the size and complexity of the codebase, the scope of the diligence, the quality of documentation, the availability and responsiveness of the target company's team, the expertise and capacity of the diligence team, the number of issues identified, and the sophistication of the audit team and the tools employed.

Can AI do the code review?

AI excels at identifying specific categories of issues such as syntax errors, coding style violations, potential security vulnerabilities (based on known patterns), and some performance bottlenecks. An AI code review can typically be integrated quickly and smoothly with existing version control systems (e.g., Git) to provide rapid feedback.

However, AI may struggle to understand the broader business logic, architectural nuances, or the intent behind prior code changes. AI tools can sometimes flag correct code as problematic (false positives) or miss actual issues (false negatives), particularly if they are trained on existing codebases, which may contain inherent biases.

The most effective code review process often involves an initial AI review followed by a human review to catch contextual issues and verify the AI's findings. This approach balances the M&A-required efficiency and scalability of AI with the contextual understanding and critical thinking of human reviewers.

The peer-to-peer code review

Having an internal engineering team evaluate the target’s code for scalability and proper protocols was also discussed at the M&A Conference at Wharton San Francisco. To get the best view of post-close integration challenges and opportunities, it can be helpful to apply internal ratings that assess the target against the company’s own standards (i.e., ‘How would we measure them if they had built the code here?’).

To execute peer-to-peer reviews, it was suggested that corporate development should stay out of the room and only interface with the product teams, rather than directly with engineering. It was reported that engineering-to-engineering discussions revealed far more meaningful insights. Having corporate development in the room stifled the exchange and often shifted the focus to deal topics (i.e., the economic and legal aspects of the transaction).

Protective negotiation points

To protect the buyer from IP issues within the code, several deal points can be incorporated into the acquisition agreement, including representations and warranties that the seller has clear and unencumbered ownership of all IP rights (copyright, patents, if any, and trade secrets) and that the code does not infringe upon the IP rights of any third party. This can be a particularly vexing issue if proper steps were not taken to ensure that employees or contractors involved in developing the code properly assigned their IP rights to the seller.

It’s also important to ensure the acquisition agreement is clear on representations as to the use of open-source software, and on warranties that the target company has complied with all applicable open-source licenses, to head off the restrictions associated with such licenses.

Increasingly, public company M&A teams, like private equity, are obtaining representations and warranties insurance to provide coverage for breaches related to IP in the code. This can offer an additional layer of protection that is easier to pursue than a claim against the seller.

If any issues do arise, the buyer will want to have insisted upon comprehensive indemnification clauses to protect against any losses, damages, liabilities, costs, and expenses (including legal fees) arising from any breach of the IP-related representations and warranties. The corporate development team may want to coordinate with engineering to align thresholds (baskets or deductibles) and caps on the seller's liability as well as any agreed materiality and knowledge qualifiers.

By incorporating code reviews more fully into the diligence process, corporate development teams are strengthening the IP and security footing while also gaining valued insights into the technology team to calibrate the retention framework.