Key takeaways

A 2-week code audit costs $5–15k and saves $50–200k in mid-build re-architecture or post-acquisition surprise. The cheapest insurance most founders skip.

The 12-section checklist covers everything that kills projects: architecture, code quality, security, performance, database, infrastructure, tests, docs, compliance, tech debt, team skills, cost of ownership.

The auditor must be external to the team being audited. A dev shop auditing its own code is a conflict of interest. Pay for an independent third party; the dev shop you might hire next is fine.

Five red flags kill acquisitions: no source code escrow, single-developer dependencies, PII/PHI in plain text, abandoned proprietary frameworks, customer-grade SaaS as critical infrastructure. Each surfaces in the first 2 days of an audit.

Audit findings are inputs, not verdicts. The output is a remediation plan with effort estimates and prioritisation — not a list of complaints.

Why Fora Soft wrote this playbook

Fora Soft has shipped 625+ projects since 2005 and audited dozens of inherited codebases for clients in M&A, vendor-replacement and post-acquisition contexts. Several recent NDA cases: a $9.7M Series A acquisition where our 2-week audit surfaced a critical IP issue that re-priced the deal; a healthcare startup where our audit caught HIPAA violations in 4 days that would have killed their next funding round; a SaaS founder switching dev shops who recovered $80k in technical debt avoidance.

If you are a founder inheriting code from a previous dev shop, an M&A acquirer doing technical due diligence, or a CTO assessing tech-debt before scaling, this guide gives you the 12-section checklist, the toolset, and the report template we use.

Inheriting a codebase you do not trust?

Send us your repository access. We will return a 1-page red-flag summary in 5 business days, free.

Book a 30-min call → WhatsApp → Email us →

The 4 trigger scenarios for a code audit

1. Vendor replacement. You are firing the current dev shop. Before the new one starts, audit what you are inheriting. Catches abandoned tech debt, undocumented hacks, missing tests, broken CI/CD — the exact things the outgoing vendor will not mention in handover.

2. M&A technical due diligence. Acquirer hires audit before signing. Findings can re-price the deal, add escrow holdbacks, or kill it. The seller cannot afford to refuse audit access; if they do, that itself is a red flag.

3. Pre-Series-A scaling readiness. Founders with a seed-stage MVP getting ready to scale need to know what breaks at 10× load. Audit catches scaling cliffs before they happen.

4. Post-incident review. After a security breach, outage or data loss. Forensic audit identifies root cause, lateral risks, and remediation plan. Often legal-mandated.

The 12-section checklist

| Section | What to look for | Time |
|---|---|---|
| 1. Architecture review | Service boundaries, data flow, scaling story, single points of failure | 2 days |
| 2. Code quality | Cyclomatic complexity, duplication, naming, comments, dead code | 1 day |
| 3. Security audit | OWASP Top 10, dependencies, secrets in repo, auth/authz | 1.5 days |
| 4. Performance & scalability | Hot paths, N+1 queries, caching, async patterns, load test results | 1 day |
| 5. Database design | Schema sanity, indexing, migration history, data quality | 1 day |
| 6. Infrastructure / DevOps | IaC maturity, CI/CD pipelines, monitoring, on-call setup | 1 day |
| 7. Test coverage | Unit/integration/e2e ratios, mutation testing, flakiness | 0.5 day |
| 8. Documentation | README, runbooks, architecture docs, onboarding materials | 0.5 day |
| 9. Compliance posture | HIPAA / SOC 2 / GDPR controls, audit logs, BAA chain | 1 day |
| 10. Tech debt inventory | Outdated dependencies, deprecated APIs, replatform risk | 1 day |
| 11. Team skill assessment | Bus factor, knowledge concentration, hiring market for the stack | 0.5 day |
| 12. Cost of ownership | Infra cost trajectory, license fees, vendor lock-in, scaling cost | 0.5 day |

Total: 11 working days for a single senior auditor on a moderate codebase. We typically run two auditors in parallel, completing in 5–7 calendar days; the second auditor cross-checks findings to reduce false positives in the report.

Reach for full 12-section audit when: M&A due diligence, vendor replacement on a $200k+ codebase, or post-Series-A scaling readiness.

Reach for security-focused audit when: compliance requirements (HIPAA, SOC 2 prep), post-incident review, or imminent pentest. Sections 3, 9, 10 only.

Reach for performance-focused audit when: imminent traffic spike, customer complaints about speed, or Series A pitch needs scaling story. Sections 1, 4, 5, 6.

Reach for one-page red-flag summary when: evaluating multiple targets in M&A pipeline, or before formally hiring a vendor. 5 business days. We offer this free as part of our audit engagements.

Tools we use

Code quality. SonarQube (or SonarCloud) for cyclomatic complexity, duplication, code-smell detection. CodeClimate as alternative. Tree-sitter-based custom queries for non-mainstream languages.

Security. Snyk for dependency vulnerabilities + license compliance. Semgrep for SAST custom rules. trufflehog for secrets-in-history detection. Burp Suite or OWASP ZAP for DAST. Trivy for container images.

Performance. k6 / Locust for load tests. py-spy / clinic.js / dotnet-trace for profiling. Sqlcheck or pgBadger for slow query analysis.

Documentation completeness. Custom repo-walk scripts that count README files, ADRs and runbook docs. Mermaid graph extraction for architecture pictures.

Cost analysis. AWS Cost Explorer / GCP Billing Reports / Azure Cost Mgmt API export. Per-service breakdown over 6–12 months. Trajectory forecasting for next 12 months.

AI-assisted analysis. Claude or GPT-4 reading source code for architectural insight, complexity hotspot identification, and dependency analysis. Used in addition to traditional tools, not instead of them.

What a 2-week audit produces

A standard audit deliverable has the following table of contents:

Executive summary (1 page). Top 3 risks, top 3 strengths, total remediation cost estimate, recommendation: “buy as-is,” “buy with $X holdback,” “do not buy without remediation,” or “walk away.”

Findings by section (12 sections, 2–6 pages each). Each finding has severity (critical/high/medium/low), impact description, evidence (code snippet, screenshot, log excerpt), and recommended fix.

Remediation plan (2–4 pages). Prioritised list of work, effort estimates per item, suggested order, dependencies, total range.

Appendices. Tool outputs (SonarQube report, Snyk vulnerability scan, dependency tree, infra cost breakdown). Optional: detailed code-snippet annotations.

Total report: 30–60 pages depending on codebase size. Delivered as PDF + machine-readable JSON for integration with the buyer’s due-diligence tooling.

How to brief an external auditor

1. Disclose the trigger scenario. M&A audit, vendor replacement, scaling readiness — each scopes differently. Tell the auditor; do not make them guess.

2. Provide read-only access to everything. Repository (all branches), CI/CD, infrastructure (read-only IAM), monitoring dashboards, billing reports. The auditor cannot find what they cannot see.

3. Provide ICP context. Who are the users, what is the SLA target, what is the regulatory posture. Without this, the auditor cannot judge whether NFR gaps are critical or acceptable.

4. Allow 1 hour with the existing engineering lead. Catches undocumented context the audit would miss. Do not skip this; an audit without engineering interview misses 20–40 % of context.

5. Ensure auditor is independent of vendor being audited. Self-audit by the dev shop being audited is a conflict of interest. Hire a third party.

Red flags that kill an acquisition

1. No source code escrow. If the seller has not deposited code with a third-party escrow agent, recovery on bankruptcy or vendor refusal is uncertain. Acquirer must require escrow setup pre-close.

2. Critical dependencies on consumer-grade SaaS. Production data flowing through Zapier free tier, business logic in a shared Google Sheet, payments through someone’s personal Stripe account. Common in pre-MVP, lethal at acquisition.

3. Single-developer keys-to-the-kingdom. One person knows where the bodies are buried, runs all deploys from a personal laptop, holds all credentials in their head. If that person leaves, the company stops shipping.

4. PHI/PII in plain text. Logs containing patient names, customer emails, payment card numbers. Trivially detected by trufflehog scan. HIPAA / GDPR / PCI-DSS violation, immediate breach risk.

5. Custom proprietary frameworks. The dev shop wrote their own ORM, framework, or component library, hidden inside the deliverable. Acquirer cannot re-engineer without the vendor; vendor lock-in by another name.
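Red flag 4 is the one an auditor can confirm mechanically on day one. The following is an added illustration, not Fora Soft's tooling: it scans constructed sample log lines for e-mail addresses and Luhn-valid card numbers, ignores identifiers that merely look like card numbers, and emits a redacted evidence line that can go straight into the findings section without re-leaking the data. The regexes and sample lines are assumptions for the example; trufflehog covers secrets-in-history, which this does not attempt.

```python
import re
from typing import NamedTuple

# Constructed sample log lines (not from any real system): red flag 4, PII in plain text.
SAMPLE_LOGS = [
    "2025-06-01T10:02:11Z INFO  checkout user=jane.doe@example.com order=1187 status=paid",
    "2025-06-01T10:02:12Z DEBUG gateway payload card=4111111111111111 exp=12/27",
    "2025-06-01T10:02:13Z INFO  request_id=4111111111111112 path=/health",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators

class Finding(NamedTuple):
    line_no: int
    kinds: list      # "email" and/or "pan"
    redacted: str    # evidence line with the PII masked, safe to paste into the report

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from IDs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _redact_email(m: re.Match) -> str:
    local, _, domain = m.group().partition("@")
    return f"{local[0]}***@{domain}"

def _redact_pan(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group())
    if not luhn_ok(digits):
        return m.group()  # fails Luhn: an ordinary identifier, leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_lines(lines: list) -> list:
    """One Finding per log line leaking an e-mail address or a Luhn-valid card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        kinds = []
        if EMAIL_RE.search(line):
            kinds.append("email")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(line)):
            kinds.append("pan")
        if kinds:
            findings.append(Finding(n, kinds, PAN_RE.sub(_redact_pan, EMAIL_RE.sub(_redact_email, line))))
    return findings
```

Names and other free-text PII (the "patient names" case) do not yield to a regex; that is where the engineering interview and manual log review do the work.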

M&A target on the table?

Send us repository access (or a sample if pre-LOI). We will return a 1-page red-flag summary in 5 business days, free.


How to scope remediation post-audit

Triage by severity. Critical findings (security holes, compliance violations, single points of failure) ship first, in weeks 1–4. High findings (test coverage, monitoring gaps, scalability cliffs) follow in weeks 4–12. Medium and low findings are rolled into a quarterly tech-debt sprint thereafter.

Estimate per finding. Each remediation item gets person-week estimates from the audit’s recommendation. Sum + 15 % buffer = total remediation budget. Typical remediation budget after a comprehensive audit: 15–30 % of the original codebase build cost.

Decide: remediate vs replace. If remediation budget exceeds 50 % of rebuild cost, consider rebuild instead. Audit findings are inputs to this decision; the audit itself does not decide.

Lock change-order discipline. Remediation work proceeds with the change-order process. New scope from remediation discovery is priced individually, signed by both parties before proceeding.

Mini case — $9.7M Series A acquisition saved by audit

An NDA SaaS acquirer engaged us in mid-2025 for a 2-week pre-acquisition audit on a $9.7M Series A target. The seller represented “clean codebase, recent SOC 2 Type 1, US-only customer base.”

What we found in 2 weeks. Three critical findings: (1) a custom proprietary form-building framework that no engineer outside the seller’s 3-person team understood (lock-in); (2) production logs containing customer email addresses in plain text (CCPA violation, breach risk); (3) the SOC 2 Type 1 attestation referenced controls that were not actually present in the codebase — the audit had been gamed.

Outcome. The acquirer used the findings to re-price the deal — reduced offer by $1.2M, added $800k escrow holdback for remediation, and made closing contingent on log-redaction within 60 days. The deal closed at $7.7M instead of $9.7M; remediation completed in 11 weeks. Book a 30-min call if you have a target on the table.

A decision framework — pick audit depth in five questions

Q1. What is the trigger? M&A → full audit. Vendor replacement → full audit. Pre-Series-A scaling → performance + architecture focus. Post-incident → security focus.

Q2. What is the codebase size? <100k LoC: 5–7 days, single auditor. 100k–500k LoC: 10–14 days, two auditors. >500k LoC: 3–5 weeks, team of 3+.

Q3. Compliance posture matters? If regulated (HIPAA, SOC 2, PCI), section 9 expands significantly — budget extra time.

Q4. Is the existing team available? 1-hour interview with engineering lead is non-optional. If they refuse, that itself is a finding.

Q5. What is the urgency? Pre-LOI quick read: 5-day red-flag summary. Pre-close due diligence: 2-week full audit. Post-close remediation planning: 3–4 week deep dive.

Pitfalls to avoid

1. Self-audit by the dev shop being audited. Conflict of interest. Always external auditor.

2. Audit without engineering interview. Misses 20–40 % of context. Always include the 1-hour interview.

3. Tool output as deliverable. SonarQube report alone is not an audit. Tools generate noise; audit interprets and prioritises.

4. No remediation plan attached. Audit findings without effort estimates and prioritisation are complaints, not action items.

5. Trusting the seller’s own SOC 2 attestation. Sometimes attestations are gamed. Audit independently against the controls listed.

KPIs to measure audit value

Quality KPIs. Critical-finding count (the audit’s job is to find them, not avoid them). False-positive rate on findings (target: <10 % retracted after engineering review).

Business KPIs. Audit-driven price changes (M&A): typical $0.5–3M valuation impact. Avoided remediation cost (vendor replacement): typical 2–5× audit fee.

Reliability KPIs. Audit completion within budgeted days (target: 100 %). Remediation effort estimate accuracy at 6 months (target: ±15 %).

When a code audit is overkill

Pre-MVP / hackathon code. The codebase is throwaway by design. Skip audit; rebuild post-PMF.

Continuing with the same vendor. If you are happy with the team and just adding new features, audit is unnecessary — the team owns the codebase.

Pre-acquisition free option exploration. If you are evaluating 30 acquisition targets and only 3 will close, the 1-page red-flag scan is cheaper. Full audit only on closing targets.

FAQ

How much does a code audit cost?

Red-flag summary (5 days, 1 auditor): $5–15k. Full 12-section audit (10–14 days, 2 auditors): $20–50k. Comprehensive enterprise audit (3–5 weeks, team): $75–200k. Cheaper auditors exist; quality varies wildly — verify deliverables from prior engagements.

Can the same firm audit then build?

Common pattern. The firm you might hire next can audit the codebase (no conflict of interest, since they are not auditing their own work). The firm currently building cannot audit themselves — that is the conflict.

What if the seller refuses code access?

Major red flag. In M&A, refusing technical due diligence is grounds for walking away. Negotiate read-only access for a third-party auditor under NDA; if the seller still refuses, the deal is not as clean as represented.

How long does a vibe-check audit take?

A 1-page red-flag summary by an experienced auditor: 5 business days. We offer this free as the first step of a deeper engagement — takes about half a day of senior auditor time.

What if the audit reports OK but reality is bad?

Audit liability is contractual — a low-quality audit firm bears responsibility if findings were missed. Insist on a sample-of-work review before hiring. Read prior audit reports (anonymised) to assess depth.

Are AI tools (Claude, GPT-4) replacing human auditors?

Augmenting, not replacing. AI is excellent for repo-walk insight, hotspot identification, dependency analysis. Lacks judgement on what is acceptable in context. Best practice in 2026: AI-assisted audits run 30–40 % faster than pure manual, but the senior auditor still owns judgement.

What about pentests — same thing as audit?

Different. A pentest is an external attack simulation against the running system; it finds exploitable vulnerabilities. A code audit is white-box analysis of the source code; it finds design flaws, hidden dependencies and tech debt. A mature security posture has both.

Does an audit replace SOC 2 attestation?

No. SOC 2 is a formal attestation by a licensed CPA firm against the AICPA Trust Service Criteria. A code audit informs SOC 2 readiness but does not substitute for the formal attestation. See our HIPAA + SOC 2 guide.

Related guides

Estimation: CTO’s Estimation Guide. After audit, estimate remediation work.

Founder: Founder Hiring Guide. Audit before hiring; same template applies.

NFR: NFR Checklist. Audit measures NFR compliance against your spec.

Compliance: HIPAA + SOC 2. Section 9 of the audit checklist in depth.

Bugs: Lovable App Bugs & Fix Cost. When AI-generated code needs an audit before scaling.

Ready to audit a codebase you do not yet trust?

A 2-week code audit costs $20–50k and pays for itself 2–5× in M&A re-pricing or vendor-replacement remediation savings. The 12-section checklist covers everything that kills projects. Pair tool output with judgement; engineer interview is non-optional; remediation plan with effort estimates is the deliverable, not a complaint list.

Five red flags surface in the first 2 days of any audit: source escrow gaps, single-developer dependencies, plain-text PII, custom proprietary frameworks, consumer-grade SaaS as critical infrastructure. Catch them before they catch you.

Want a 1-page red-flag summary on your codebase?

Send us read-only repository access. We will return findings in 5 business days, free of charge.
