M&A →

Technical Due Diligence for M&A: What Acquirers Actually Probe Before They Sign

A few weeks of code investigation killed a nine-figure deal at First American. The acquirer's playbook: the five probes that decide whether a deal proceeds or walks.

In 2019, a few weeks of personal code and data investigation at First American Financial killed a roughly one hundred million dollar acquisition before it cleared the boardroom. The target had presented well. The data room was clean, the architecture diagrams looked credible, the security questionnaire was complete, the capability claims aligned to the deal thesis. The standard process would have moved to confirmation. Instead, the technical review went directly into the production codebase and the underlying database, and surfaced a gap between the presentation and the reality material enough to change the recommendation to the board. The savings relative to what the platform would have actually delivered post-close, before counting the integration cost First American was already absorbing on its existing portfolio, were on the order of one hundred and twenty million dollars.

That outcome is the entire argument for taking M&A technical due diligence seriously as a discipline separate from routine architecture review. The work that gets a deal repriced or killed is not the work that produces a tidy risk summary. It is the work of reading code, querying databases, and interviewing engineers under conditions a buyer rarely controls cleanly, against a clock the seller is pushing, with a decision at the end the buyer cannot reverse once the wire transfer clears.

timeline
title M&A Technical Due Diligence, From LOI to Board Decision
LOI signed : Access negotiation begins : Diligence advisor engaged
Week 1 : Data room review : Architecture document baseline : First engineering interviews
Week 2-3 : Code-level and data-level investigation : Production database queries : Adversarial security review
Red flag found : Reprice signal or walk signal triage : Findings escalated to deal team
Week 3-4 : Findings synthesis : Quantified remediation costs : Board recommendation
Board decision : Proceed, reprice, or walk : Walk away, the 120M call

How the First American walk-away actually happened

The headline number compresses the story too neatly. What actually happened inside First American Financial was several weeks of work that looked, from the outside, like standard diligence. Document review, architecture walkthroughs with the target’s engineering leadership, interviews with the technical team, the usual rhythm of a buy-side process. The difference was a deliberate decision early to not accept the data room as the basis for the recommendation. The data room was the seller’s curated narrative. The recommendation had to come from the technical reality the seller had not curated.

That meant asking for access most diligence processes do not ask for. Direct read access to the production codebase, not summaries. Direct query access to the database, not aggregate reports. Conversations with individual engineers, conducted separately from the technical leadership’s narrative. The seller resisted some of this, and the negotiation over access was its own workstream. A buyer that does not push for code and data access early loses the only leverage they have to test what the data room is asserting.

What surfaced was a familiar pattern in modern clothing. The architecture diagrams described a service-oriented platform. The production reality was a small number of monolithic applications with service-shaped wrappers on top, sitting on a database whose schema had drifted significantly from what the documentation showed. Data quality at the row level did not match what the aggregate reports claimed. The same record was represented in incompatible ways across systems that were supposed to be the single source of truth. Operational knowledge of how the most important batch jobs ran was concentrated in two engineers, neither of whom was structurally locked in to stay through an integration period. The capability claims that justified a meaningful portion of the valuation depended on data assets that, on inspection, were not the assets being described.

None of that was concealed in a deceptive sense. The information was sitting in the code and the database the entire time. It was hidden in the sense that documentation-level review does not surface it. The recommendation to walk was straightforward once the picture was complete. The harder part was earlier, in the choice to spend the time and political capital to go past the data room in the first place.

The broader context mattered. First American had acquired more than eighty companies in the prior decade and was carrying roughly seven hundred software applications across fifteen-plus subsidiaries. The enterprise architecture team I was part of spent months auditing that estate. That work meant I had already seen, at full scale, what acquired technology looks like once the deal closes and the consolidation work begins. The cost is almost never on the financial model the deal team built.

M&A diligence is a different animal than routine architecture review

Most technologists who get pulled into an M&A diligence process apply the playbook they use for internal architecture review. That playbook produces a thorough document, a list of recommended improvements, and a multi-quarter remediation roadmap. It is the wrong artifact. M&A diligence has three structural properties that change the work entirely.

The first is the compressed timeline. A target’s CTO can take eighteen months to remediate technical debt. A buy-side diligence advisor has two to four weeks against a closing calendar that does not move. You are not building a complete picture of the system. You are testing the specific claims that justify the deal thesis, finding the discrepancies that materially affect price or risk, and producing a recommendation the deal team can act on inside the window they have.

The second is adversarial access. Routine architecture review happens inside an organization that wants the work to succeed. M&A diligence happens across organizational lines, under NDA, against a counterparty not incentivized to surface anything that does not have to be surfaced. Document requests get partial fulfillment. Code access gets negotiated and limited. Engineer interviews happen with the target’s technical leadership in the room. The buyer’s advisor has to read what is in front of them with the awareness that the curation is itself a signal. The things the seller shows easily and the things the seller resists are both data.

The third is the irreversible decision at the end. An internal review that recommends a remediation plan can be revised next quarter. An M&A diligence recommendation runs into a wire transfer. Once the deal closes the buyer owns the technical debt, the key-person risk, the security exposure, and the integration cost. The walk signal has to be identified before the close, because there is no walk option after it. A diligence process that ends with “some issues, broadly acceptable” is often worse than no diligence at all. It gives the deal team cover to proceed without forcing the hard conversation the findings should have triggered.

The five things acquirers actually probe first

A buy-side diligence process that produces real findings concentrates the available time on five areas, in roughly this order of leverage.

Codebase health, evaluated by reading it. Not the summary, not the metrics dashboard the target produces, the code itself. What patterns were used, where the duct tape sits, how recent the meaningful changes are, what the test coverage looks like in the parts of the system that handle money or customer data. This is work a generalist diligence firm cannot do well, because the reading happens at speed and the judgment about what matters requires having operated systems at this scale. A target whose codebase the buyer’s advisor can read with confidence is a different asset than one that requires three weeks of warm-up before anything meaningful can be said about it.

Architecture coherence, evaluated against the production reality. The architecture diagram in the data room is a hypothesis. The diligence work is to test whether the production system actually matches it. Are the services described as services actually services, or are they monoliths with REST endpoints bolted on. Does the data flow described in the documentation match what the database queries show. Are the integrations on the map the integrations that actually run, or have three more been added that nobody updated the diagram for. The First American walk-away turned on this question more than any other. The diagrams were professional and clean. The production system was something else.

Team-versus-code coupling, often called bus factor. Every engineering organization has individuals whose departure would create operational disruption. In most acquisition targets that risk is concentrated in one or two people who hold critical institutional knowledge in their heads. The diligence question is whether those individuals will stay through the integration period. The acquisition changes their equity position, their reporting structure, and their sense of ownership. If they probably will not stay, and the remaining team cannot operate the systems without them, the buyer has acquired a platform with a hidden dependency the purchase price did not account for.

Data quality and ownership, especially when the deal thesis depends on the data. Any platform putting AI or data capabilities at the center of its value proposition should expect the diligence team to dig past the model and into the data underneath it. What is the AI actually operating on. Where did that data come from. What contractual rights attach to it. Is it clean enough at the row level to support the capability being claimed, or is it clean only at the aggregate report level. A capability claim resting on a weak data foundation does not survive a serious review. The First American target’s data quality at the row level, on inspection, did not match what the aggregate reports asserted. That single discovery was enough to recompute the value of the acquisition.

Security and compliance debt, evaluated as future liability. Any material vulnerability in the target’s codebase becomes the buyer’s liability the moment the deal closes. The breach risk transfers to the combined entity, with the buyer’s customer base, regulatory obligations, and customer trust now in scope. Unpatched dependencies, weak authentication, inadequate encryption, undisclosed past incidents, all of it is discoverable if the review is structured to find it. In regulated industries the compounding is worse, because compliance obligations transfer with the asset.

The signals that walk a deal versus the signals that price it down

The most useful skill in M&A diligence is distinguishing reprice signals from walk signals. The two look similar from a distance and require different responses, and the diligence advisor’s job is to be clear about which is which.

Reprice signals are quantifiable issues with bounded remediation cost. Technical debt that can be inventoried and priced. Security gaps that can be closed in known timeframes. Integration work that can be modeled. Documentation deficits addressable by a team transition plan. These findings do not end the deal. They reshape it. The right output is a quantified deduction from the purchase price, a structured escrow, a reps and warranties insurance term, or a holdback to fund the post-close remediation work. The deal still happens. The economics shift to reflect the work the buyer now knows they will inherit.

Walk signals are findings that change the nature of the asset. The data does not match the capability claims, and the capability is what is being acquired. The architecture cannot scale into the growth thesis without a rewrite that consumes the expected return. The operational knowledge sits in one or two people who will not stay, and the systems cannot be operated without them. The AI capability that justifies the premium is a wrapper over a public API any developer with credentials could replicate. These are not findings the deal economics absorb. They say the asset is not the asset the buyer thought they were buying. The recommendation is to walk, and the discipline is to make that recommendation cleanly without trying to bridge findings that should not be bridged.

The First American target had walk signals, not reprice signals. The data quality, the operational concentration, and the capability claims were not issues the purchase price could be adjusted around. The asset was structurally different from what the deal thesis assumed.

What a seller can do, briefly

This post is written for the acquirer’s chair, but a note for the other side. Sellers who do not want their platform to look like the First American target should not start preparation when the banker engagement letter is signed. The window to fix anything closes by then. The longer-runway approach, including a twelve to eighteen month preparation timeline, is covered in technology exit preparation. The buyer’s diligence team will surface what is there. The only question is whether what is there has been remediated before they look, or whether it gets priced into their bid.

The diligence is the highest-leverage step in the transaction

Most of the work in an acquisition produces marginal improvements in the deal. Negotiating the purchase price up or down by a few percentage points. Tightening contract terms. Adjusting the earnout. Technical due diligence is in a different category. It is the only workstream that can change the recommendation from proceed to walk on the basis of findings the deal team would not otherwise see.

The diligence process at First American that produced the walk recommendation was not exotic work. It was the standard playbook for code-level, data-level, and team-level review, applied with discipline against a target whose presentation was tighter than its reality. That playbook is the M&A advisory work I run for buy-side clients, and the technical assessment framing it sits inside is structured around the kind of code-level investigation that surfaces what a checklist process misses. If you are approaching a deal and want to understand what a rigorous buy-side review looks like before the LOI is signed, reach out directly.

M&A Advisory
How Strong Is This Acquisition’s Technology?
A buy-side scorecard for evaluating a target’s codebase, architecture, team, security, technical debt, and data before you sign.

Frequently Asked Questions

What is different about M&A technical due diligence versus a routine architecture review?

Three things change the work entirely. The timeline is compressed, usually two to four weeks of real access against a closing calendar that does not move. The access is adversarial, you are reading code under NDA against a counterparty who is not incentivized to surface anything that does not have to be surfaced. And the decision is irreversible, because once the wire transfer clears the buyer owns the technical debt, the key-person risk, the security exposure, and the integration cost. A routine architecture review can recommend a six-month remediation plan. An M&A review has to deliver a proceed, reprice, or walk recommendation in days, knowing the buyer cannot return the asset.

How long should buy-side technical due diligence take?

Two to four weeks of intensive work for a target with revenue under one hundred million dollars, four to eight weeks for larger or more complex targets. The window inside that is what matters: the first week is access negotiation and document review, the middle weeks are the code-level and data-level investigation, and the final days are findings synthesis and the board recommendation. Buyers who try to compress this to a week of meetings and a checklist end up signing on the basis of the data room, which is exactly what the seller wants them to do.

What signals should walk a deal versus just reprice it?

Reprice signals are quantifiable issues with bounded remediation cost, technical debt that can be inventoried and priced, security gaps that can be closed in known timeframes, integration costs that can be modeled. Walk signals are issues that change the nature of the asset, the data does not match the capability claims, the architecture cannot scale into the thesis without a rewrite, the operational knowledge sits in one or two people who will not stay, or the AI capability that justifies a premium is a wrapper over a public API. The reprice signals shape the deal. The walk signals end it.

Can a buyer rely on the target's own technical documentation as the basis for diligence?

No. The documentation in a data room is what the target wants the buyer to see, organized to support the deal thesis. Real technical reality lives in the code, the database, the deployment scripts, and the heads of the engineers who actually run the system. Documentation-level diligence confirms the seller's story. Code-level and data-level diligence is the only thing that surfaces the gap between the story and the reality. The cost of skipping that second layer shows up post-close at full purchase price.

Shawn Livermore — Fractional CTO & Chief AI Officer
About the Author

Shawn Livermore

Fractional CTO and Chief AI Officer with nearly 3 decades of enterprise architecture experience. Clients include Kelley Blue Book, LERETA ($18B property tax processor), First American Financial, Carvana, WellPoint/Anthem, and PacifiCare. 92 client reviews, 5-star average.

View full background →

Need a fractional CTO or CAIO?

Technology leadership without the full-time headcount. Engagements start with a conversation.

Man writing a flowchart diagram on a whiteboard with a blue marker.