Strategic fit and table stakes KPIs aren't the only things acquirers evaluate during the software M&A process. A software code review is one of the many components that is often overlooked by sellers.

1. Matt Tortora
Managing Director: Technology Services
BMI Mergers
P: 312.702.2611
E: mtortora@bmimergers.com
Identifying Code Risks in Software M&A

2. Introduction
➔ Most CEOs and founders in the
software space when thinking
about a potential exit focus on
table stakes metrics (ARR run rate,
churn, growth rate, etc…)
➔ There are often overlooked
components that are almost
always thoroughly examined
during the due diligence process.
One of these components is the
actual software code and
architecture.
www.bmimergers.com 1

3. Source Code Issues
There can be a significant risk that lies beneath
the surface from years and years’ worth of
development efforts and fast-tracked version
releases.
Risks around poorly written components of
source code and technical debt can create
significant issues. During the due diligence
process, acquirers will do a thorough technical
audit. Issues with how the software has been
written or the amount of technical debt that has
mounted can pose a real threat in the M&A
process.
www.bmimergers.com 2
Average time to complete
a 3rd party technical audit
is 2-4 weeks.

4. Technical Audit
The technical audit will typically focus on items that include:
www.bmimergers.com 3
Analysis of the software
architecture
3rd party service
integration analysis
Database design
Code release and
testing practices
Software code and
system maintainability

5. Open Source Code
Leveraging open-source software within a commercial software solution offers many
benefits. But conversely, it can come back to haunt software companies during an
M&A transaction.
60-70%
60-70%
The average amount of open-source
software in a company’s codebase
www.bmimergers.com 4
Open-source software presents complex licensing
conditions, security risks, and intellectual property
risks that a buyer could potentially inherit.
Acquirers must make an assessment of the potential
risks of the open-source code being used. If that
open source code is fraught with licensing issues,
and security risks it can be enough to cause them to
walk away.

6. Security & Vulnerability
The potential security risks posed by
open-source code dovetail into the
broader issue of security and
vulnerability. Software code with
significant vulnerabilities can end up
creating a significant liability for a buyer
post-acquisition.
Seasoned software acquirers will likely
want to run a third-party penetration test
(pentest) as part of their cybersecurity
due diligence on a software company.
www.bmimergers.com 5

7. Penetration Testing
A pentest will typically look for vulnerabilities and examine areas that include:
www.bmimergers.com 6
Encryption and
authentication
Code command and
injection
Configuration of
networks and devices
Likelihood of attacks and
potential impact

8. Interpreting Audit & Testing Outcomes
The third-party who executes the penetration test will deliver the report to both the
buyer and the seller for review.
www.bmimergers.com 7
Ninety-nine percent of the time
a senior technical resource at
both the buyer and seller will
be involved in the technical
due diligence process.
It’s incredibly important that
non-technical resources,
especially those who reside
with the buyer understand the
true implications of the findings
of a technical audit and
pentest.
The findings of a technical
audit or pentest can flag items
that show an issue. And while
these may seem like major
issues they are often fixable
and not as damning as they
initially appear to be.

9. Proper Preparation
For the vast majority of software companies eventually being
acquired is the end game. So knowing a rigorous due diligence
process that will include deep technical due diligence is next to
inevitable it’s important to be prepared.
www.bmimergers.com 8

10. Quality In > Qualify Out:
This goes without saying but hiring top-tier engineering talent and following
best practices for engineering a well-built product is a sure-fire way to avoid
issues down the road. This means avoiding or limiting the amount of
development work that is outsourced, and if you choose to outsource do so
with a great degree of caution and scrutiny.
www.bmimergers.com 9

11. Potential long-term implications of
open source code:
It’s unrealistic to assume that a sizeable portion of a commercial software
solution won’t be open source. But taking into account potential long-term
risks when selecting those open source components should be a high
priority. The risk factors that must be taken into consideration include;
security vulnerabilities, licensing compliance risks, and overall code quality.
www.bmimergers.com 10

12. Conduct periodic code audits and
pentests:
The nice thing about conducting periodic software code audits and
penetration testing is it ensures you’re developing a sound software solution
that is secure and will perform at a high level. All of which carry value when
it comes to keeping customers happy. And making this a regular practice
will naturally avoid any major issues when you get to a place where you’re
deep in due diligence with a potential acquirer.
www.bmimergers.com 11

13. Wrapping Up
The process of engaging with
potential acquirers and navigating all
of the twists and turns of the due
diligence process is time-intensive,
expensive, and emotionally
exhausting. The last thing a CEO or
founder wants is a scenario where
issues lying beneath the surface
derail an acquisition and lots of hard
work.
Understanding what lies ahead in the
due diligence process and being more
than adequately prepared will help
avoid an unfortunate outcome.
www.bmimergers.com 12

14. Matt Tortora
Managing Director -
Technology Services
BMI Mergers
E: mtortora@bmimergers.com
Contact Info
Web: bmimergers.com/techservices
Chicago:
125 South Wacker Dr., Suite 300
Chicago, IL 60606
312.702.2611
Philadelphia:
One Liberty Tower
1650 Market Street, Suite 3600
Philadelphia, PA 19103
215.240.7648
Tom Kerchner
Managing Director
BMI Mergers
E: tkerchner@bmimergers.com
For over twenty-five years, we have been
successfully engaged in the practice of buying,
selling and managing the business acquisition
process. Our professionals have been engaged in
transactions in a multitude of industries. They have
completed multi-million dollar deals, and they have
also successfully integrated businesses
post-merger. Whether your business is worth $5
million or $100 million, this experience is put to
work to achieve your desired result.
About BMI Mergers
Matt Tortora brings over fifteen years of business
ownership, sales leadership, and consulting
experience in both technology and professional
services. He has founded three companies and
held strategic leadership positions at growth stage
technology companies. Most notably, Matt was the
co-founder and CEO of a Chicago based software
company which he successfully grew and sold to a
strategic acquirer.
About The Author