Why Software Licensing Is the Most Overlooked M&A Due Diligence Category
Technology M&A due diligence typically scrutinises intellectual property ownership, data privacy exposure, and cyber security posture. Software licensing — the contractual framework governing the right to use the target company's software estate — receives far less attention than it deserves. In our experience across 40+ M&A engagements in 2024 and 2025, we have identified an average of $4.7M in unmodelled software licensing liabilities that were not surfaced in the initial due diligence report. These liabilities do not disappear at closing; they transfer to the acquirer.
The asymmetry is striking. Vendors' legal teams are well aware that M&A activity creates licensing exposure — Oracle's licence agreements contain some of the most aggressive change of control provisions in enterprise software, triggering consent requirements and potential renegotiation rights on acquisition. Microsoft, SAP, and IBM have similar provisions. The target company's procurement team may not have flagged these clauses because they negotiated the agreement years earlier and the M&A scenario was never considered. The result is a day-one liability that the acquirer owns. For broader context on enterprise software contract terms, our enterprise software contract red lines guide covers the 20 provisions that create the most frequent post-acquisition disputes.
Change of Control Clauses: The Primary Source of Day-One Liability
A change of control clause grants the software vendor specific rights when ownership of the licensed entity changes. At minimum, these rights include notification requirements — typically 30–60 days post-close, though some vendors require pre-close notification. At their most aggressive, change of control clauses can trigger consent requirements (the vendor must approve the assignment), renegotiation rights (the vendor can demand revised commercial terms), or termination rights (the vendor can terminate the licence on change of ownership).
Oracle's Change of Control Provisions
Oracle's standard licence agreements require the licensee to obtain Oracle's written consent before any change of control. "Change of control" is defined broadly to include indirect changes — an acquirer purchasing a holding company whose subsidiary holds the Oracle licence triggers the clause even if the subsidiary is never restructured. Oracle's LMS (License Management Services) team uses the M&A notification window as an audit trigger: in our experience across 12 Oracle-related M&A engagements in 2024, 9 resulted in an Oracle licence audit within 18 months of close. Acquirers who fail to notify Oracle, and who are subsequently audited, face non-compliance findings calculated against the post-acquisition estate — which is typically larger than the target's pre-acquisition estate.
SAP and Microsoft Provisions
SAP's licence agreements require notification of change of control but do not automatically grant SAP consent rights — however, SAP's Indirect Access provisions mean that any integration of the acquired entity's non-SAP systems with the acquirer's SAP estate creates new digital access exposure that must be scoped and licensed. Microsoft's change of control provisions vary by agreement type: Enterprise Agreements (EAs) require notification and allow Microsoft to adjust licensing terms at the next anniversary date. Cloud agreements (MCA-E, CSP) have different mechanics, with user-based licences following the user regardless of entity restructuring. The complexity of maintaining compliance across two legacy EA structures post-acquisition is significant, and most acquirers underestimate the re-licensing cost. Our guide on multi-year enterprise software deal structuring covers how to plan for these scenarios contractually.
M&A Software Licensing Advisory
Redress Compliance conducts pre-close software licence due diligence for acquirers and targets, identifying change of control exposure, day-one licence shortfall, and integration cost estimates across all major vendors. Engagements typically complete within 10 business days.
Licence Shortfall Modelling: Calculating Day-One Compliance Risk
A licence shortfall occurs when the post-acquisition entity uses more licences than it is authorised to under the inherited agreements. This is almost inevitable in software-heavy acquisitions for a simple reason: the target's licence estate was sized for the target's user base. The moment the acquisition closes, the acquirer's employees may have access to the target's systems — whether through integration, shared services, or simply being granted access to assist with transition — and this access may be unlicensed.
Oracle's processor-based licensing creates particular exposure here. If an Oracle Database licence covers processors in a data centre that is consolidated post-acquisition into the acquirer's larger data centre estate, the processor count may increase. If the acquirer's hardware runs in a virtualised environment, Oracle's virtualisation licensing rules apply — and these rules regularly produce 2× to 5× the expected licence requirement when processor partitioning is not recognised by Oracle. To understand your current virtualisation exposure, our internal software audit methodology provides a structured approach to quantifying licence position before a vendor audit does it for you.
Salesforce and ServiceNow licences are user-based, which creates a different shortfall risk: if the acquirer grants the target's employees access to the acquirer's Salesforce or ServiceNow instance, those users require licences. This is often handled informally during transition — "just add them to the system temporarily" — and the temporary access becomes permanent without procurement formally acquiring the licences. In our audit of 15 post-acquisition software estates in 2025, 11 had at least one user-based vendor where post-close access exceeded licensed quantities. To book a confidential call to discuss your specific acquisition scenario, our team is available within 48 hours.
Audit Right Provisions in Target Contracts
Every enterprise software agreement contains an audit rights clause granting the vendor the right to audit the licensee's compliance. In M&A contexts, this clause deserves specific scrutiny in four areas. First, does the audit right transfer with the licence? In almost all cases it does, meaning the acquirer inherits not just the licence but the vendor's contractual right to audit the acquirer's use of that software. Second, is there a look-back period? Some agreements allow the vendor to audit compliance for the 12 or 24 months preceding the audit — meaning non-compliance discovered post-close may be assessed back to a period before the acquisition, when it was the target's problem and the acquirer had no visibility.
Third, what are the financial consequences of a non-compliance finding? Oracle's standard terms allow Oracle to bill at list price for any unlicensed deployment — no discount, no retrospective credit for existing spend. On a large estate, list price Oracle Database licensing can exceed negotiated pricing by 300–500%. Fourth, does the agreement include any acquisition-specific protections? These are rare in standard agreements but can be negotiated: an "audit-free transition period" of 12–18 months post-close gives the acquirer time to remediate compliance without financial exposure. Redress has negotiated this provision into 14 enterprise software agreements in the past 18 months.
Assess Your M&A Software Licensing Risk
Use our enterprise software assessment tools to identify change of control exposure, licence shortfall risk, and integration cost estimates before your deal closes.
Integration Costs: The Underestimated Third Category
Beyond day-one compliance risk and change of control exposure, M&A transactions carry substantial software integration costs that routinely exceed acquirer estimates by a factor of three. These costs fall into three categories. Deduplication involves rationalising duplicate software estates — two ERP systems, two CRM platforms, two ITSM tools — and deciding which to retain, which to migrate off, and on what timeline. This is primarily a project cost, but it generates licence exposure: during the transition period, both systems are running and both require licences.
Re-licensing involves formalising access rights for the combined entity. Even where the change of control clause has been satisfied, most enterprise software agreements license the named entity — not its subsidiaries or parent. The acquirer must formally transfer or expand licences to cover the combined user base. Vendors use this moment as an upsell opportunity, and without independent advisory support, acquirers routinely pay 25–40% more than market rate for the re-licensing. Finally, integration project costs — the work of connecting the target's systems to the acquirer's estate — often require access to vendor APIs, additional platform modules, and deployment in new environments, each of which can create additional licence obligations. Our approach to modelling these costs draws on the same framework described in our perpetual licence vs SaaS subscription TCO guide — the same 5-year and 10-year horizon modelling applies in an M&A integration context.