What Vendors Actually Want from an Audit
Software vendor audits are not compliance exercises. They are revenue generation events. Oracle's LMS (Licence Management Services) team, Microsoft's Software Asset Management team, SAP's STAR/LAW team, and IBM's ILMT audit division exist to identify licence shortfalls that convert into commercial settlement conversations. The auditors are measured on their ability to generate revenue — typically as a multiple of the cost of the audit itself.
Understanding the vendor's commercial objective is the foundation of an effective audit response. The vendor wants to present a maximum exposure figure — often inflated by overly broad interpretations of licence metrics, virtualisation rules, or deployment boundaries — and then negotiate a settlement that resolves the audit with a purchase. Enterprises that accept the vendor's initial exposure figure and negotiate from there consistently overpay. Enterprises that challenge the exposure calculation methodology, contest licence interpretation positions, and present alternative technical evidence settle at a fraction of the initial claim.
Documented outcome: A technology company received an Oracle audit claim for $15M in licence shortfall exposure. With professional software audit defence support, the claim was challenged on three technical grounds — Oracle's virtualisation rules, NUP deployment boundaries, and processor metric definitions. The final settlement was $0. Read the full case study.
Vendors are also highly motivated to resolve audits through product purchases rather than cash settlements. A settlement that involves buying more licences at list price gives the vendor more than cash — it gives them a platform for future upsell. Knowing this commercial logic allows you to structure your response to maximise your position: challenge the exposure calculation, reduce the liability, and if a commercial resolution is appropriate, negotiate hard on the purchase terms.
The First 48 Hours: What NOT to Do
The 48 hours immediately following receipt of a software audit notice are the most dangerous. The most common and damaging mistakes enterprises make during this window:
⚠ Critical mistakes in the first 48 hours:
- Responding directly to the vendor's audit team to express co-operation before reviewing your contractual obligations
- Providing IT infrastructure access or licence usage data before you have conducted your own internal assessment
- Engaging in verbal discussions about deployment scope, usage patterns, or licence positions without written records
- Running any vendor-supplied audit scripts (like Oracle's LMS scripts) without prior legal review of what data they collect
- Agreeing to the vendor's proposed audit timeline without negotiating an extension that gives you adequate preparation time
Your first action should be to notify legal counsel and ITAM leadership of the audit notice. Your second action should be to review your software licence agreement to understand exactly what audit rights the vendor has, what notice periods apply, what data they are contractually entitled to request, and what restrictions apply to the audit scope and methodology. Many enterprises discover during this review that the vendor's initial audit request goes beyond their contractual rights — and pushing back on scope is entirely legitimate.
Just received a software audit notice?
Don't respond until you understand your position. Our software audit defence service provides immediate triage and response strategy for Oracle, Microsoft, SAP, IBM, and Broadcom/VMware audits. We work on a 25% gainshare basis — you only pay if we reduce your liability. Contact us within 24 hours and we'll provide an emergency audit assessment.
Week 1 (Days 1–7): Assemble Your Response Team
A software vendor audit is a cross-functional event. The response team needs to cover legal, ITAM, procurement, IT infrastructure, and finance. Each function plays a distinct role in the audit response and must be briefed on their responsibilities before any engagement with the vendor.
Convene the audit response team
Legal counsel, ITAM manager, procurement lead, CIO/IT director, and CFO (or deputy). Assign a single audit response coordinator — all vendor communications route through this person. Establish a privileged communications channel for all audit-related documentation.
Review contractual audit rights
Pull all signed agreements with the vendor — master licence agreements, order forms, support agreements, cloud subscriptions. Map exactly what audit rights the contract grants: what they can request, what access they can require, what methodology they must use, and what dispute resolution applies to audit findings.
Negotiate audit timeline and scope
Respond formally to the vendor's audit notice. Acknowledge receipt, confirm your co-operation in accordance with your contractual obligations, and request the full 45–60 day preparation period that most software licence agreements entitle you to. Also request clarification of the audit scope — which products, which deployment locations, which metric types are in scope. A narrow scope is always in your interest.
Week 2 (Days 8–14): Run Your Internal Assessment
Before you provide any data to the vendor, you need to know your own position. An internal licence assessment conducted before the vendor audit gives you three advantages: you understand your exposure before the vendor does, you can identify and remediate straightforward non-compliance issues before the audit window, and you can contest vendor findings from a position of technical knowledge rather than ignorance.
Oracle: what to assess internally
For Oracle, the critical areas are processor licence counts (are you using hard partitioning that qualifies for sub-capacity counting?), Named User Plus minimums (have user counts grown without corresponding licence purchases?), Java SE deployment (is the Java SE Employee Metric being triggered by any deployment?), and ULA certification status if you're under a ULA. Run your own inventory of Oracle software deployments across your estate — not using Oracle's LMS scripts, but using your own ITAM tooling — before the vendor's audit commences.
Microsoft: what to assess internally
Microsoft EA audits focus on Effective Licence Position (ELP) — the delta between licences purchased and licences deployed. For Microsoft 365 deployments, audit your actual assigned and active users versus your EA licence count. For on-premises software, review your True-Up history and identify any products deployed beyond your licence coverage. Pay particular attention to Microsoft Unified Support coverage and whether any deployments fall outside the licensed server environments.
SAP: what to assess internally
SAP's STAR (SAP License Audit Request) audit focuses on Named User types — comparing the user types customers have licensed (Professional, Limited Professional, Employee) against actual user activity recorded in the USMM and LAW measurement tools. Before the vendor runs a measurement, run your own USMM measurement internally. Identify any user reclassification opportunities (users performing limited functions that qualify for a cheaper user type) before SAP's auditors do. Also assess your Digital Access exposure if you have third-party systems calling SAP transactions.
Week 3 (Days 15–21): Build Your Defence Position
The week three objective is to construct the strongest possible technical and contractual defence against the maximum exposure figure the vendor is likely to present. This requires both technical analysis (what does the actual deployment evidence show?) and legal analysis (what does the contract say about the licence metric, the measurement methodology, and the dispute resolution process?).
Challenge licence metric interpretation
Vendors routinely apply the most expansive possible interpretation of licence metrics when calculating audit exposure. Oracle may count processors in a virtual environment where hard partitioning rules should limit their count. SAP may classify users as Professional Users when Limited Professional qualification applies. IBM may apply ILMT non-compliance penalties when your ILMT implementation has a technical deficiency rather than a deliberate sub-capacity avoidance. Each of these positions is challengeable — but only if you've built the technical and contractual evidence to support the challenge.
The virtualisation trap: Oracle's policy on virtualisation and processor counting is the single most frequent source of audit exposure inflation. Oracle takes the position that soft partitioning (VMware, Hyper-V) does not limit licence requirements — all processors in a cluster running Oracle software must be licensed. This position is stated in Oracle's licensing policies but is not universally supported by customer licence agreements signed before 2015. Review your specific agreement language before accepting Oracle's virtualisation interpretation.
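To make the gap between the two readings concrete, here is an added Python example (not from the original article) that counts processors for the same constructed inventory under the cluster-wide soft-partitioning reading and under an evidence-based host-level reading; the host names, cluster layout and the entitlement figure are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    cluster: str
    processors: int
    runs_oracle: bool
    hard_partitioned: bool = False  # partitioning type the vendor accepts as limiting the count


# Constructed inventory for illustration: three virtualised clusters.
HOSTS = [
    Host("a1", "cluster-A", 4, runs_oracle=True),
    Host("a2", "cluster-A", 4, runs_oracle=False),
    Host("a3", "cluster-A", 4, runs_oracle=False),
    Host("b1", "cluster-B", 8, runs_oracle=True, hard_partitioned=True),
    Host("b2", "cluster-B", 8, runs_oracle=False),
    Host("c1", "cluster-C", 2, runs_oracle=False),
]


def required_processors(hosts, vendor_position):
    """Processors that must be licensed under one of two readings.

    vendor_position=True applies the cluster-wide soft-partitioning reading:
    every processor in a cluster that contains an Oracle host counts, unless
    that host is hard partitioned. vendor_position=False counts only the hosts
    where the software is actually deployed (the evidence-based reading).
    """
    if not vendor_position:
        return sum(h.processors for h in hosts if h.runs_oracle)
    total = 0
    for cluster in {h.cluster for h in hosts}:
        members = [h for h in hosts if h.cluster == cluster]
        soft = [h for h in members if h.runs_oracle and not h.hard_partitioned]
        if soft:  # one soft-partitioned Oracle host pulls in the whole cluster
            total += sum(h.processors for h in members)
        else:  # only hard-partitioned hosts running Oracle count
            total += sum(h.processors for h in members if h.runs_oracle)
    return total


def exposure(hosts, entitled_processors, vendor_position):
    """Processor licence shortfall; zero when the entitlement covers the requirement."""
    return max(0, required_processors(hosts, vendor_position) - entitled_processors)


def exposure_report(hosts, entitled_processors):
    """The figure the vendor is likely to present beside the figure the evidence supports."""
    return {
        "vendor_claim": exposure(hosts, entitled_processors, vendor_position=True),
        "evidence_based": exposure(hosts, entitled_processors, vendor_position=False),
    }


if __name__ == "__main__":
    print(exposure_report(HOSTS, entitled_processors=12))  # constructed entitlement
```

With 12 licensed processors, the cluster-wide reading reports an 8-processor shortfall while the host-level reading reports none; the difference is exactly the contract-language question the paragraph above tells you to resolve first.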
Identify remediation options
If your internal assessment has identified genuine non-compliance — deployments that exceed your licence entitlements — week three is the time to assess remediation options. Remediation typically means either purchasing additional licences (at negotiated prices, not list prices) or reducing deployment to bring it within your existing licence position. Voluntary remediation before formal audit findings gives you significantly more commercial leverage in settlement discussions than being forced to address identified shortfalls at the vendor's proposed prices.
Building your audit defence position?
Our former Oracle, SAP, IBM, and Microsoft executives have built these defence positions from the other side. We know exactly which licence interpretation positions are contestable and which settlement approaches create the best outcomes. Our software audit defence service operates on gainshare — 25% of the liability we eliminate. Get emergency audit support before the vendor engagement begins.
Week 4 (Days 22–30): Prepare for Vendor Engagement
With your internal assessment complete and your defence position documented, the final preparation phase focuses on structuring your engagement with the vendor's audit team. The objective is to control the narrative: present your own licence position evidence before the vendor presents theirs, establish your technical interpretation positions clearly and early, and demonstrate that you are prepared to contest any findings that are methodologically unsound.
Prepare a formal licence position document — sometimes called an Effective Licence Position (ELP) — that covers each product category in scope. This document should show your licence entitlements, your deployment counts as measured by your own ITAM tooling, and your rationale for any licence metric interpretations that differ from the vendor's expected position. Presenting this document at the opening audit meeting immediately signals to the vendor's team that you have done your preparation and will not accept inflated exposure figures without challenge.
Also prepare a list of formal questions about the vendor's audit methodology — what tools they will use, what data sources they will rely on, how they will verify their findings, and what the dispute resolution process is if you contest their conclusions. Asking these questions formally at the outset creates a record and signals your readiness to challenge. Vendors settle audits faster and at lower amounts with enterprises that present this level of preparation.
Vendor-Specific Audit Tactics and How to Counter Them
Oracle LMS (Licence Management Services)
Oracle's LMS team is the most aggressive in the industry. Their preferred tactic is to request that you run Oracle's LMS scripts across your environment before you have conducted your own assessment. These scripts collect extensive deployment data that Oracle's auditors then analyse — often using interpretations of Oracle's licence policies that maximise exposure. Counter-tactic: decline to run LMS scripts until you have completed your own internal assessment using ITAM tooling. Consult legal counsel on whether your licence agreement actually requires you to run Oracle's proprietary scripts or merely to provide accurate deployment information.
Microsoft SAM (Software Asset Management)
Microsoft increasingly conducts audits through third-party SAM firms (KPMG, Deloitte, PwC) rather than directly. These firms are paid by Microsoft and have an incentive to identify shortfalls. Counter-tactic: review the SAM engagement letter carefully before agreeing to scope. Third-party SAM engagements often bundle "optimisation recommendations" with audit findings — reject any recommendations that are commercially motivated rather than technically necessary.
SAP STAR (SAP License Audit Request)
SAP's STAR process is triggered by SAP measuring your system usage via USMM (User and System Measurement) and identifying user type mismatches or usage that exceeds your licence order forms. SAP's common inflated exposure areas: Digital Access (third-party systems triggering SAP transactions), user reclassification from Employee to Professional, and BTP usage that exceeds included entitlements. Counter-tactic: run your own USMM measurement before SAP's auditors do, and have a qualified SAP basis consultant review the output before you share it.
IBM ILMT Non-Compliance
IBM requires sub-capacity (PVU) licence customers to deploy ILMT (IBM Licence Metric Tool) and retain 13 months of measurement data. Failure to maintain ILMT compliance results in full-capacity licence requirements rather than sub-capacity — dramatically increasing licence costs. Counter-tactic: address any ILMT deployment or data retention gaps immediately upon receiving an audit notice, and engage an IBM licensing expert to assess whether your ILMT implementation meets IBM's technical requirements before the audit commences.
When to Call Professional Audit Defence Support
In-house ITAM teams can manage straightforward audit preparation competently. But software vendor audits that involve complex licence metric disputes, large claimed exposure ($500K+), virtualisation environment questions, or multi-product scope typically benefit from professional audit defence support — particularly when that support is structured on a gainshare basis rather than a retainer.
The critical decision point is before you engage with the vendor's audit team — not after you've received their preliminary findings. Once the vendor has submitted an initial exposure report, your negotiating position is harder to recover. Every concession made in early audit communications constrains your room to challenge methodology or findings later.
Our audit defence team has resolved over $200M in software compliance exposure across Oracle, Microsoft, SAP, IBM, and Broadcom/VMware. We operate on 25% of the liability we eliminate — if we reduce your audit exposure from $5M to $1M, our fee is 25% of the $4M reduction. If we can't improve your position, you pay nothing. That's not a marketing claim — it's in our engagement agreement. Contact us as soon as you receive an audit notice. The earlier we engage, the more we can do for you.
You can also use our free software audit risk assessment tool to understand your current exposure profile before a formal audit notice arrives. Prevention is always cheaper than cure — and with our proactive audit defence service, we can help you identify and remediate compliance gaps before vendors do.