M&A due diligence preparation determines whether your deal closes at the price you negotiated or gets picked apart in the final weeks before signing.
Most founders spend years building a business worth selling, then almost no time preparing it to survive scrutiny. That mismatch is expensive. The average deal repricing during diligence runs between 10 and 25 percent of the agreed headline number. Some deals don't close at all, not because the business was bad, but because it looked disorganized or opaque to a buyer's legal and finance teams encountering it for the first time.
Diligence is not an audit. It is an adversarial process run by people whose job is to find reasons to pay less. Fixing what can be fixed, and framing everything else in a way that controls the narrative, is the difference between a clean close and three months of fire drills that shred your leverage and your attention. This guide covers what diligence actually examines for a software company, what belongs in your data room, and how to get ready before you send a single teaser to market.
What Does Due Diligence Actually Cover for a Software Company?
Buyers run diligence across multiple workstreams simultaneously. Each stream has its own team, its own checklist, and its own escalation path back to the deal committee. Understanding the scope helps you prepare the right materials and brief the right internal people before requests start arriving.
Financial and Quality of Earnings
This is where most deals get repriced. A financial due diligence engagement, particularly a quality of earnings (QoE) analysis, tests whether the adjusted EBITDA figure you marketed is real and repeatable. Buyers will reconstruct your revenue by cohort, by contract type, by billing frequency, and by customer. They will look at your revenue recognition policies, your deferred revenue schedule, your capitalized development costs, and your treatment of one-time items.
For SaaS businesses, they will build a net revenue retention model from scratch. If your churn is better than the aggregate suggests, that works in your favor. If you have been masking logo churn with price increases, they will find it. Tax diligence runs in parallel, covering federal, state, and international obligations including payroll tax, sales tax nexus, and transfer pricing on intercompany arrangements.
Legal and Corporate
Legal diligence covers your corporate formation documents, cap table, prior financing rounds, shareholder agreements, option pool mechanics, and any side letters or consent rights, along with all material contracts and any existing claims or litigation. A messy cap table or an undisclosed convertible note can stall a deal for weeks while lawyers determine who needs to consent to the transaction.
Technology, Architecture, and Security
Technical due diligence matters far more than most founders expect. Buyers will assess architecture, code quality, technical debt, deployment infrastructure, and third-party dependencies. Security diligence has become a separate and increasingly serious workstream. SOC 2 Type II certification is no longer optional for software companies above $5M in revenue; its absence raises flags that sometimes require escrow arrangements or price adjustments to resolve.
Commercial and Customer
Commercial diligence examines market position, competitive exposure, pricing power, and customer concentration. The standard threshold that triggers concern is any single customer above 10 to 15 percent of revenue. Buyers often want to speak directly with two or three top accounts. Contract terms, auto-renewal provisions, termination-for-convenience clauses, and renewal rates all feed into this analysis.
HR, Team, and Intellectual Property
HR diligence covers organizational structure, compensation benchmarking, key-person concentration, and the status of employment and non-solicitation agreements. IP diligence, often the most overlooked area, examines who actually owns what you built. If you used contractors at any point without obtaining signed IP assignment agreements, there is a genuine question about ownership of the underlying code. PE sponsors in particular need clean title to the IP they are acquiring, and a gap here can surface late and become expensive to remediate.
How to Build a Virtual Data Room That Buyers Will Actually Respect
A well-organized data room sends a signal before buyers read a single document. It says the management team is disciplined and the transaction is being handled by professionals. A chaotic data room does the opposite and gives buyers psychological permission to question everything. Use a dedicated VDR platform, not a shared Dropbox folder. Folder structure should mirror the standard workstreams: Corporate, Financial, Tax, Legal, Commercial, Technology, HR, and IP. Name every document clearly, remove outdated versions, and date-stamp anything where currency matters.
Below is a due diligence checklist covering the core documents most buyers expect to find at the start of a process.
- Corporate: Certificate of incorporation, all amendments, bylaws, board minutes for the past three years, capitalization table (fully diluted), stock option plan and all grant agreements, any shareholder agreements or voting agreements, prior transaction documents
- Financial: Three to five years of financial statements (audited preferred, reviewed acceptable), monthly management accounts for the trailing 24 months, annual budgets vs. actuals, deferred revenue schedules, AR aging report, revenue by customer for trailing 36 months
- Quality of Earnings support: Detailed explanation of all EBITDA adjustments, officer compensation vs. market rate analysis, one-time items schedule with backup, capitalized development cost policy and schedule
- Tax: Federal and state returns for the past three to five years, any open audits or notices, sales tax nexus analysis, R&D tax credit documentation if claimed
- Legal and contracts: Top 20 customer contracts (signed), standard form agreements, all active vendor and SaaS contracts, employment agreements for senior staff, non-compete and non-solicit agreements, any NDAs with strategic parties, any claims, disputes, or demand letters
- Intellectual property: IP assignment agreements for all founders, employees, and contractors, patent and trademark registrations, open-source software inventory and license analysis, domain registrations
- Technology: Architecture overview document, infrastructure diagram, list of third-party dependencies and licenses, security policies and audit results, SOC 2 report if available, penetration test results, disaster recovery and business continuity plan
- Commercial: Customer cohort analysis (by ARR, by year of acquisition), churn waterfall by quarter for the past eight quarters, pipeline report, top 10 customer summaries, competitive positioning document
- HR: Org chart, employee census with compensation (anonymized until late diligence), benefit plan summaries, 409A valuation history, any open HR claims
What Are the Red Flags That Most Often Reprice or Kill Deals?
Every experienced M&A advisor has a list of issues that appear, in some form, on most transactions. The ones below surface often enough that any founder preparing for a sale should treat them as a pre-diligence audit of their own business.
- Aggressive or cash-basis revenue recognition: Recognizing revenue faster than the contractual delivery schedule supports, or running P&L on a cash basis without accrual adjustments, will force a restatement of adjusted earnings during QoE. Every dollar of overstated revenue turns into an EBITDA adjustment that the valuation multiple then magnifies.
- Churn hidden inside cohort data: Aggregate retention metrics can mask serious logo churn if expanding accounts are doing the heavy lifting. Buyers who build a proper cohort model and find that your net revenue retention is inflated by a handful of upsells will view the rest of your data with suspicion.
- Customer concentration: One customer above 20 percent of revenue almost always results in a price reduction, an escrow holdback tied to contract renewal, or an earnout structure. Above 30 percent, some buyers walk.
- IP not properly assigned: Missing contractor IP assignments are among the most common and most fixable issues in software company diligence, but only if caught early. Mid-process remediation is expensive and sometimes impossible if the contractor is unreachable or hostile.
- Key-person dependence: If the CEO holds the primary customer relationships and also owns the product architecture, buyers will factor that into price or structure an earnout that keeps you economically tethered for two to four years post-close.
- Security gaps and no SOC 2: A serious vulnerability finding in a penetration test, or the complete absence of a security audit for a company selling to enterprise customers, will generate an escrow or indemnification demand. Some strategic buyers with their own compliance obligations will simply terminate.
- Related-party transactions: Leases from founder-owned entities, consulting agreements with family members, or vendor contracts with businesses where the founder holds a stake all require full disclosure and market-rate justification. Undisclosed related-party transactions are a rep and warranty red flag that spills directly into indemnification discussions.
- Messy cap table: Missing stock certificates, uncancelled options from departed employees, or investors with broad consent rights can delay a close by weeks. The cleaner the cap table, the faster lawyers can reach the closing table.
- Sales tax nexus exposure: Many software founders discover during diligence that they have years of uncollected sales tax obligations across multiple states. Quantifying and escrowing for that exposure before signing is a far better outcome than having it surface as a closing surprise.
Why a Sell-Side Quality of Earnings Before You Go to Market Pays for Itself
A quality of earnings analysis commissioned by the seller, rather than the buyer, costs between $30,000 and $80,000 depending on business complexity. For a company selling at 5x EBITDA, a single $200,000 EBITDA normalization issue costs $1,000,000 in valuation. The math is not subtle.
A sell-side QoE does three things. It tells you your actual adjusted EBITDA before you market a number you cannot defend. It surfaces issues, including officer compensation above market, undocumented add-backs, or non-recurring revenue that has been recurring for three years, that you can address or explain in advance. And it compresses buyer diligence timelines because you hand them a completed analysis rather than waiting for them to build their own. Buyers who receive a credible sell-side QoE typically have fewer follow-up questions and less incentive to use financial uncertainty as a negotiating lever late in the process.
How Does the Diligence Timeline Work After the LOI?
The letter of intent marks the start of exclusivity, not the end of negotiation. Most LOIs include a 30 to 60 day exclusivity period, which is when the buyer's full diligence machine activates. For software companies in the $10M to $100M range, the period from LOI to signed purchase agreement typically runs 45 to 90 days. FIH's average is 97 days from first outreach to LOI, with the post-LOI period adding another 45 to 75 days depending on deal complexity.
The critical dynamic is that diligence and negotiation run simultaneously. While lawyers review contracts and accountants rebuild your income statement, deal teams are also negotiating reps and warranties, indemnification baskets, and escrow amounts. Every finding becomes a lever. Being prepared means fewer findings and fewer levers for the buyer to pull.
The broad sequence: data room access within the first week, management presentation in week two, parallel financial and legal workstreams through weeks two to five, a draft purchase agreement from the buyer around week four, and back-and-forth on reps, warranties, and indemnification through weeks five to eight before final closing.
Does Being Prepared Actually Preserve Price and Leverage?
Yes, and the mechanism is straightforward. Buyers price uncertainty. When they cannot verify your revenue or your cap table has ambiguities, they add a discount to compensate for assumed risk. When everything is clean and well-organized, that discount shrinks or disappears.
There is also a psychological dynamic that experienced deal teams understand. A disorganized process signals that the seller is not in control. A buyer who senses that the seller is stressed or uncertain about their own numbers will push harder on price, structure, and terms. A seller who delivers a clean data room, a credible QoE, and a consistent management presentation projects confidence, and that confidence translates directly into leverage at the negotiating table.
Frequently Asked Questions
How long does M&A due diligence typically take for a software company?
For most software companies in the $5M to $100M revenue range, the post-LOI diligence period runs 45 to 75 days. Deals with complex IP issues, multi-jurisdictional operations, or high customer concentration tend to run longer. A fully populated data room at the start of exclusivity is the most reliable way to hold the timeline.
What is the most common reason a software M&A deal gets repriced during diligence?
Revenue quality issues, specifically problems with how revenue is recognized or normalized, are the most frequent source of repricing. Close behind are customer concentration and security gaps. In each case, the repricing happens because the buyer discovers something they were not shown in the marketing materials, which erodes trust and gives them a legitimate basis to reopen valuation.
Do I need a SOC 2 report to sell my software company?
You do not legally need one, but the absence of SOC 2 Type II is increasingly a flag for software companies selling to enterprise buyers or PE sponsors who plan to exit the business again. If your customers are enterprises or regulated businesses and you have no SOC 2, expect a buyer to raise it. Starting the certification 12 to 18 months before going to market gives you time to complete Type II, which requires a 6 to 12 month observation period.
What is a virtual data room and which platform should I use?
A virtual data room (VDR) is a secure, permissioned document repository used to share confidential company information with buyers during a sale process. Purpose-built platforms include Intralinks, Datasite, and Firmex; for smaller transactions Dropbox Business is sometimes used, though purpose-built VDRs offer better audit trails, granular access controls, and watermarking. Your M&A advisor will typically recommend and configure the platform at the start of the process.
Should I hire an accountant to do a sell-side quality of earnings before going to market?
For any business above roughly $3M in EBITDA, a sell-side QoE is almost always worth the cost. It typically runs $30,000 to $80,000 and can prevent multiples of that in valuation erosion when buyers run their own analysis. It also compresses timelines because the buyer's team does not have to rebuild your financials from scratch. Use a firm with M&A transaction experience rather than your regular tax preparer.
What happens if a buyer finds something during diligence that was not disclosed?
The outcome depends on what was found and whether the omission appears intentional. Minor issues typically lead to a price adjustment, an escrow holdback, or a specific indemnification provision. Material undisclosed issues, particularly those that touch representations the seller has already made, can give the buyer grounds to terminate or renegotiate the entire structure. Full proactive disclosure, framed in context, is almost always a better outcome than a buyer discovering something independently.
The Bottom Line: Preparation Is Price Protection
Due diligence preparation is not about hiding problems. Sophisticated buyers find problems. It is about knowing your own business well enough to present it accurately, explain its nuances before they become red flags, and project the kind of operational discipline that gives buyers confidence in the numbers they are paying for.
The founders who close at their original headline price are almost always the ones who spent three to six months before going to market cleaning up their cap table, commissioning a sell-side QoE, and documenting things that had only ever lived in someone's head. The ones who lose 15 percent of deal value in the final stretch are usually the ones who assumed the business would sell itself.
If you are a technology or software founder considering an exit in the next one to three years, FIH offers confidential exit-readiness conversations with no obligation. The companies that have gone through FIH's process, across 79 deals and 27 countries since 2020, consistently say preparation was where real deal value was made. Reach out directly to start a private conversation.