Digital Asset Due Diligence in Business Acquisition: Part 2

Framework to help you ask the right questions.

Cover photo illustrating the concept behind the article - clean minimalistic illustration

Updated March 14, 2025

Reading time: 6 minutes

Part 1 | Part 2

The inspection report is common (and highly recommended) during real estate transactions. It provides a solid framework for walking through major systems and understanding the current state, future investments, and deficiencies that would assist you with the purchasing decision.

Similarly, the inspection of the tech assets is essential during the business acquisition process, regardless of the company’s size.

What are digital assets?

For due diligence evaluation purposes, digital assets are software used by businesses to solve problems. The assets can be categorized in various ways, but the following framework makes it easier to frame the right questions for the due diligence discovery.

Digital Assets Categories

By intended use – internal or external

Internal assets are used by employees only, while external are customer-facing.

For example – a customer-only website to take orders and an internal site to manage backend inventory. Because internal sites do not generate direct revenue, they are quite often ignored, as investing in feature development and bug fixes in customer-facing apps makes more operational sense.

However, at a certain point, a lack of resources becomes a significant hindrance, requiring an urgent and expensive upgrade.

If the company you are looking to buy has internal-only applications, it’s essential to understand their quality and impact on productivity.

By visibility – known and invisible

Website, mobile app, ERP - these are examples of visible assets.

Invisible assets are unsanctioned solutions created by the team to make their work easier. They can be Excel spreadsheet automation, a Zapier Zap running on a personal subscription, or a script written by a technically inclined power user.

Often, these invisible solutions are critical to the operations and introduce a certain level of risk:

They are not adequately vetted from a security standpoint
They create an unofficial workflow that can cause hard-to-track operational interruption if broken
They may not have been thoroughly tested to produce consistently accurate results
The presence of invisible assets (also known as Shadow IT) indicates the team’s resourcefulness and the opportunity to improve internal operations.

By source - in-house developed or vendor-supplied

Inherited in-house assets that were not maintained and difficult to modify or move to different hosting locations would require significant investment. Review the past update schedule to understand the possible impact.

For vendor-provided applications, determine if you are dealing with “king software”—an industry-specific application that is difficult to replace and that dictates the organization’s workflow to comply with the functionality provided. Such a solution would limit the modifications you can make from an operational perspective to streamline the business.

By construction method – created by a developer or no-code solution

No code (or low code) drag-and-drop solutions are easy to audit. Understand who developed them, how they were validated, and who will maintain them going forward – to avoid panic during the busiest time of the day when something malfunctions.

For code created by a developer, determine the language and frameworks used and the latest version to gauge how quickly the solution would need to be updated.

Side note: the software does age. There are many reasons why, but the two most important are: lack of security support that makes your solution vulnerable to hacks and attacks inability to host the solution due to OS and dependency limitations.

By size – application or automation scripts

Small scripts (especially written and configured long ago) are often forgotten. If business operations involve moving data, performing merges, or uploading files, it’s essential to know how that happens.

By location – in-house hosting or cloud

For in-house hosting, ensure you understand the hardware replacement schedule and software licensing costs (unless it’s an open-source shop). For cloud hosting, review costs (and projected increase) and a vendor lock-in level.

Where would you find the assets?

Ideally, the seller will provide the list to you. However, be aware of the Shadow IT elements and forgotten operations. If the company you are considering does not have an inventory sheet for their software, ask for one.

How do you evaluate digital assets during a business purchase?

Grading based on the following metrics would give you a better picture of what you are buying (an inspection report of sorts):

Quality

Numerous attributes can be used to evaluate software quality, but from the purchasing perspective, the most important ones are:

Does it solve the problem effectively – or does it require workarounds to address inefficiencies?
Can changes be made within a reasonable amount of time – or does it require long planning, finding resources, and execution?
Does it work reasonably well - or is there a constant need for fixes and patches?

Answering these questions would provide sufficient data to evaluate future investments and risks to operations optimization.

Annual Cost

Understanding annual costs (which may include license fees, development fees, subscription fees, hosting fees, and updates) helps identify non-performing assets.

For example, if the cost of maintaining a mobile application does not translate to revenue generated, the app’s value is significantly reduced. Understanding this metric requires detailed analytics.

Vendor Lock-In Risk

This metric evaluates the risk and required investment to switch from existing solutions. If this particular solution was not available tomorrow, what would it cost to find a replacement—in terms of money and time?

Disaster resilience

Things can happen. If the vendor providing the crucial part of the software to support the business closes the shop or discontinues the product, would you still have a business? What if your business account is suspended or closed?

This metric is important because it indicates if you are buying a business with assets or renting a digital space. While there is nothing wrong with renting, it’s essential to understand what you are buying.

Exposure

Exposure covers anything that can make the business you are considering liable for fines, lawsuits, restrictions, and other unplanned consequences.

Improper license usage – for example, using developer edition for commercial production purposes. Using copyleft open source license for commercial distributed software. Using Oracle’s Java instead of OpenJDK and not paying license fees.
Insufficient license count – purchasing fewer licenses than required to be compliant. In addition to potential fines and lawsuits, this situation will increase annual costs.
Data security - missing GDPR, CCPA, HIPAA, or PCI compliance. At the very least, not encrypting sensitive data, missing access control, lack of backups, and no approved process to update old dependencies and software create a security risk.
For websites violating legal requirements of WCAG 2.1 (web content accessibility guidelines)

Special consideration

If you have an existing business and plan to expand it, evaluating the complexity of data and software integration is a critical part of the evaluation.

Are you in need of a digital inspector?

Knowing whether you are buying a house with a solid foundation or a digital fixer-upper is essential when purchasing a business.

Do you have a few questions about your particular case? Reach out to get personalized advice.