Software Due Diligence

Why is software due diligence becoming more and more relevant these days and which topics can be clarified with it?

Regardless of whether you are planning to sell a company or company shares, want to carry out venture capital financing or a company valuation, software due diligence is becoming more and more important in today’s world around the buzzword digitization. With such topics, it is no longer just the business, legal and tax issues that are considered, but also the technical conditions, which also include the software landscape and, in particular, the core software of companies. Nowadays, many start-ups and companies are built around an application, which is the basis of the business model and is therefore also reflected in the company value. Software due diligence can be necessary for various reasons.

Reasons for a SW Due Diligence 

 

Figure 1: Reasons for a SW Due Diligence

 

 

The value of software mostly results from different aspects, which are then included in the evaluation:

  • Purchase software vs. self-developed software
  • Patents
  • Domains
  • Brands
  • Data (customer lists)
  • Distributors network
  • Etc.

The complexity of software also plays an important role, because complex software systems consist of numerous software artifacts. These have to be determined and mapped; in addition, all subsystems and interfaces have to be included.

You should keep in mind that when you buy a company you not only acquire the software, but also the associated resources such as employees, tools and processes. These topics should also be included in the software due diligence in an extensive project in order to achieve an exact evaluation of the software or the software landscape.

 

Figure 2: Topics of a SW due diligence

The following risks should be considered when dealing with software purchases from companies and also when purchasing software:

  • Components are changed by the manufacturer (e.g. functionality, performance, license model, etc.)
  • Programming interfaces are changed (often by Facebook, Google, Amazon etc.)
  • The technology of the component is subject to (state) regulation (example: blockchain

How is software due diligence carried out?

The preparation of a software due diligence depends on the level of information available and the size of the system, which are also relevant for the accuracy of the assessment. Here we differentiate between the three complementary processes gray box, white box and black box.
All data, the source code and the processes are documented in the gray box method. The following activities are carried out here:

  • Static code analyzes with our own tools and tools available on the market
  • Manual analysis of code & data structures
  • Evaluation of the development and operating processes
  • In-depth analysis of the software architecture
  • Expert interviews
  • Examination of open source integration.

The source code is available in the white box method, but no further information is available. Big risks can lurk in the code, so a white box analysis is crucial for a comprehensive picture. The following activities are carried out here:

  • Static code analyzes with our own tools and tools available on the market
  • Manual code analysis
  • Analysis of the software architecture
  • Expert interviews
  • Examination of open source integration

The source code is not available in the black box method. The following activities are carried out here:

  • Evaluation of software operation
  • UI & UX analysis
  • Manual analysis of the software architecture
Figure 3 Gray, White and Black Box
Figure 3: Gray, White and Black Box

As already mentioned with the reasons for a software due diligence, different aspects are relevant for the evaluation of an application. These are the team, the processes, the tools, the code and the application. For each individual there are parameters that can be collected:

Figure 4: Contents and methods of a software due diligence

One of the most important points in software due diligence is code evaluation.
Why should a code analysis be performed? In order to be protected against a worst-case scenario, such as: What can the company do with the code if all developers quit at the same time and the project or the development of the software product would have to be continued with a completely new development team?
There are three ways in which a code analysis can be carried out:

Figure 5 automatic, semi-automatic and manual code evaluation

Which results are generated in a software due diligence?

The results of software due diligence can vary in scope, always depending on the goal of the project. This can be a risk matrix, technical and specialist documentation and / or an evaluation matrix. Find out more about software documentation here.

Figure 6 Results of different documentation
Figure 6: Results of different documentation

Different questions can be clarified in a risk matrix, such as:

  • What are the risks of purchasing the software?
  • What are the risks in the software itself?
  • How serious are these risks?
education 7 Example of a risk matrix
Figure 7: Example of a risk matrix

In a software evaluation matrix, unlooks at different aspects of the software such as technology, architecture and organization. The aim of an evaluation matrix is to carry out an objective evaluation of the mentioned aspects, the evaluation of the future viability of the software and a comparison with similar systems.

Figure 8 Example of an evaluation matrix
Figure 8 Example of an evaluation matrix

Receive free news

Subscribe to our newsletter and receive information on TOP topics.