Technical due diligence is the process of assessing the technology and related aspects of a company, including its products, software, product roadmap, product differentiators, systems, and practices. Technical due diligence generally occurs in conjunction with major corporate events such as mergers, acquisitions, and initial public offerings (IPOs).
Technical due diligence is important because it helps the potential buyer or investors get an accurate view of a company’s true value and potential for growth and risks, taking into account factors like product differentiators, competitors, protections on intellectual property, market forces, risks from use of third-party software, technological processes, and more.
Depending on the target company’s size and maturity (as well as the specific type of due diligence event), legal and technical due diligence checklists may have hundreds of items requested for review. As such, we won’t cover every single possible area of inquiry in this blog.
Instead, in consultation with some of our contacts in the legal community, we’ve put together a list that highlights four important dimensions of conducting technical due diligence, with examples of specific documentation that can help with these efforts.
1. Third-Party Software Usage
Conducting a comprehensive scan of the target company’s codebase is an important step in any technical due diligence process. This helps interested parties get a handle on any potential software license compliance, security, and code quality concerns.
Specifically, an analysis of the target company’s codebase should produce a list of all third-party software dependencies and relevant metadata, the relationship between dependencies, and any involved open source software licenses. This includes:
- Package name, author, supplier, and version
- Declared and hidden licenses
- Dependency path
- Other relevant contextual information (for example, whether the package has been statically or dynamically linked to the product)
An audit should also flag any known open source vulnerabilities (ideally with contextual data such as the CWE category, the CVE identifier, and its severity score). Depending on the risk tolerance of the acquiring party or investors, the audit may also include identification of any copyleft-licensed components; improper use of copyleft-licensed code can have significant ramifications, including mandatory disclosure of the affected source code.
In an earlier generation of software development, organizations may have been able to conduct an audit and produce these findings via manual processes and an Excel doc. But given the sheer volume of different software components in modern applications, such an approach is no longer practical.
Instead, organizations often use software composition analysis solutions like FOSSA, which can generate an auto-updating software bill of materials; this type of report goes a long way toward satisfying the due diligence checklist items related to the use of third-party software.
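As an added example (not FOSSA's code or its report format), the following script shows the kind of analysis such an audit produces: it walks a constructed, simplified CycloneDX-style SBOM to recover each package's dependency path, flags copyleft licenses in light of how the package is linked, and attaches known-vulnerability data. All package names, versions and the CVE/CWE identifiers are placeholders.

```python
import json

# Constructed, simplified CycloneDX-style SBOM; names, versions and the
# CVE/CWE ids are placeholders, not real identifiers.
SBOM_JSON = """{
 "metadata": {"component": {"bom-ref": "app", "name": "acme-app"}},
 "components": [
  {"bom-ref": "pkg:a", "name": "webfw", "version": "2.3.1", "license": "Apache-2.0", "linkage": "static"},
  {"bom-ref": "pkg:b", "name": "cryptolib", "version": "0.9.0", "license": "LGPL-2.1-only", "linkage": "static"},
  {"bom-ref": "pkg:c", "name": "imgconv", "version": "4.0.2", "license": "GPL-3.0-only", "linkage": "dynamic"}
 ],
 "dependencies": [{"ref": "app", "dependsOn": ["pkg:a"]},
                  {"ref": "pkg:a", "dependsOn": ["pkg:b", "pkg:c"]}],
 "vulnerabilities": [{"id": "CVE-0000-0001", "cwe": "CWE-787", "score": 9.8, "affects": ["pkg:b"]}]
}"""

STRONG_COPYLEFT = ("GPL-", "AGPL-")  # obligations apply however the code is combined
WEAK_COPYLEFT = ("LGPL-", "MPL-")    # obligations depend on how the code is combined

def dependency_paths(sbom):
    """Map each bom-ref to its path from the root product (shows direct vs transitive)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    paths, stack = {}, [[sbom["metadata"]["component"]["bom-ref"]]]
    while stack:
        path = stack.pop()
        for child in edges.get(path[-1], []):
            if child not in paths:  # first path found wins; also guards against cycles
                paths[child] = path + [child]
                stack.append(paths[child])
    return paths

def audit(sbom_json):
    """Return copyleft and known-vulnerability findings, each with its dependency path."""
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom)
    findings = []
    for c in sbom["components"]:
        lic, ref = c["license"], c["bom-ref"]
        if lic.startswith(STRONG_COPYLEFT):
            findings.append((ref, "license", "high", f"{lic}: strong copyleft, {c['linkage']} linkage"))
        elif lic.startswith(WEAK_COPYLEFT):  # static linking of LGPL code raises the exposure
            sev = "high" if c["linkage"] == "static" else "medium"
            findings.append((ref, "license", sev, f"{lic}: weak copyleft, {c['linkage']} linkage"))
    for v in sbom["vulnerabilities"]:
        for ref in v["affects"]:
            sev = "high" if v["score"] >= 7.0 else "medium"
            findings.append((ref, "vulnerability", sev, f"{v['id']} ({v['cwe']}, score {v['score']})"))
    # Attach the dependency path so reviewers can see how each flagged package gets in.
    return [{"ref": r, "kind": k, "severity": s, "detail": d, "path": " -> ".join(paths.get(r, [r]))}
            for r, k, s, d in findings]
```

Calling `audit(SBOM_JSON)` on the constructed SBOM yields three findings: the statically linked LGPL library, the GPL library, and the vulnerability affecting the LGPL library, each annotated with the path from `app` through `pkg:a`.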
2. Current Product Offerings and Product Roadmap
Along with an inspection of the target organization’s codebase, it’s also important to review its current product offerings and roadmap.
The first step in this process is to compile a comprehensive list of the target company’s products and services (both those that are currently on the market and those still under development). You may consider asking questions like:
- What revenue can be attributed to each product?
- How does the company’s product functionality stack up to the competition?
- What are its product differentiators?
It’s also valuable to obtain intelligence on market conditions that may influence the target organization’s future growth and revenue. Technical due diligence areas of inquiry may include:
- Barriers to entry: How hard would it be for another player to create a competitive solution?
- Market growth: What is the current TAM (total addressable market), and how is it expected to evolve?
Finally, the product evaluation wouldn’t be complete without an assessment of the target company’s roadmap. There are numerous types of product roadmaps in use today (market, release theme-based, feature-based, portfolio-based, and more), but, at minimum, this area of inquiry should touch on:
- Future developments, priorities, and the timeline for any planned releases
- New monetization opportunities
- Efforts and costs related to the completion of products that are still in development
3. Protections on Intellectual Property
Of course, even an organization with best-in-class products operating in a high-growth industry may face serious challenges without sufficient protections covering its intellectual property. Where and when applicable, target organizations should consider developing an intellectual property portfolio, including without limitation, copyrights, trademarks, and both offensive and defensive patents. While this review is often performed in legal due diligence, it overlaps with and relates to some of the technical due diligence requirements and cannot be ignored.
In addition to reviewing the target company’s intellectual property portfolio, it’s important to evaluate the risk of the target company infringing on the intellectual property (IP) of another entity, as the risk of litigation, royalties, injunctions, etc. could materially diminish the value of the target company. Good corporate practice here is to identify and compile a comprehensive inventory of the following:
- Third party and open source dependencies that are part of the target company’s products
- Any notification of claims of, or settlement agreements or litigation related to claims of, IP infringement by the target organization
- A comprehensive listing of the target company’s intellectual property, including patents, patent applications, registered and unregistered copyrights, trademarks, trade secrets, know-how, domain names, databases, and logos
- Any licensing agreements that govern the use of third-party intellectual property
- Documents or agreements that cover any transactions where the target company acquired intellectual property from another entity
- Independent contractor or consulting agreement forms
- Employee inventions assignment agreement templates, as well as any executed employee invention assignment agreements
- Any non-disclosure or non-compete agreements that involve the target company (or its employees, contractors, or consultants)
- Name and contact information for the law firm(s) that have helped the target company with matters related to intellectual property
4. Engineering Systems and Practices
Another key part of conducting technical due diligence involves a review of the target company’s technological systems and engineering practices. This may include an assessment of areas like engineering org structure, programming languages, technological integrations, data centers, databases, APIs, applications, and more.
This is an important part of technical due diligence for several reasons. For one, it can help identify potential security risks (e.g. gaps in the target organization’s security tooling or authentication protocols). It can also bring to light valuable information about product development and the likelihood of future success: is the target company using the sort of tools and development practices that support scalable growth?
This analysis is often particularly valuable in M&A due diligence because it can help identify potential redundancies between the two organizations. This, of course, can create cost savings once the transaction closes: Why pay for two enterprise subscriptions to the same tool if you only need one?
Evaluating technical systems and engineering processes is also an important part of understanding how straightforward (or, perhaps more realistically, complex) merging different IT architecture and technical teams together may be.
Technical Due Diligence: The Bottom Line
Given the large number of different software components in many of today’s products — not to mention complex IT architecture and ever-evolving market conditions — technical due diligence plays an increasingly vital role in helping interested parties make smart investment and M&A decisions.
And, fortunately, even though today’s technical due diligence checklists tend to be rather lengthy, solutions like FOSSA automate large portions of the process, saving time and helping to ensure data accuracy. Using a tool like FOSSA can also offer peace of mind that you have verified enough to be comfortable making the representations and warranties in the definitive agreements, and preparing the disclosure schedules against them.