What a Software Audit Actually Means

No Save, No Pay

Overpaying for Audit Defence? We handle software audit defence on a 25% gainshare basis — you keep 75% of every dollar saved. No retainer. No risk.

Get a free Audit Defence savings estimate →

A software vendor audit — also called a License Compliance Review (LCR) or Software Asset Verification — is a formal process by which a vendor claims the right to verify that you are using their software within the terms of your licence agreement. In practice, it means the vendor's compliance team (or a third-party auditor they hire) wants access to your deployment data.

The vast majority of enterprise software licence agreements — Oracle, Microsoft, SAP, IBM, Broadcom — contain an audit clause. The language varies, but the effect is the same: the vendor has the contractual right to verify your licence compliance, typically on 30–60 days' notice, during normal business hours.

What the audit clause does not give them is unlimited, uncontrolled access to your systems. The scope, methodology, and process of an audit are all negotiable — and that's where most enterprises give up significant leverage before the engagement even starts.

90% of enterprises are at audit risk at any given time

40–70% of initial vendor findings are successfully reduced or eliminated

$200M+ in audit exposure resolved by our advisory team

Your Contractual Rights When Audited

Before you respond to any audit notification, read your licence agreement. Specifically, look for the audit clause and understand exactly what it says. Most enterprises have never read this section carefully — and that's exactly what vendors count on.

Right to reasonable notice. Most agreements specify 30 or 60 days advance notice before an audit begins. Vendors will sometimes try to compress this timeline, citing "ongoing concerns." You are entitled to your full notice period.

Right to limit scope. The audit clause typically covers the products and versions licensed under your specific agreement. It does not cover subsidiary entities, products licensed under separate agreements, or systems outside the defined scope. Vendors routinely try to expand scope beyond what the contract allows.

Right to use your own tools. Most agreements do not require you to run vendor-supplied scripts (such as Oracle's LMS scripts or IBM's ILMT). You have the right to produce your own deployment data using your own asset management tools, provided you can demonstrate accuracy. This matters enormously — vendor scripts are designed to identify maximum deployment, not minimum.

Right to legal and advisory representation. You can (and should) have counsel and independent advisors present throughout. Vendors prefer direct access to your IT team without independent oversight. Never allow this.

Right to review and challenge findings. You are not required to accept the vendor's initial findings as fact. Every finding should be reviewed, challenged with counter-evidence, and formally responded to in writing.

Facing a software vendor audit?

Our software audit defence service has resolved over $200M in compliance exposure for enterprises across Oracle, Microsoft, SAP, IBM, and Broadcom. We work on a 25% gainshare basis — if we don't reduce your liability, you pay nothing.

Get Your Free Audit Assessment →

What Triggers a Vendor Audit

Software audits are not random. Understanding what triggers them gives you advance warning — and time to prepare. The most common triggers include:

Renewal negotiation. Audits disproportionately occur in the 6–12 months before a major contract renewal. Oracle, SAP, and IBM are particularly notorious for this. The audit creates licence debt that can then be "forgiven" as part of a new, larger deal. Don't mistake an audit in renewal season for coincidence.

Significant change in deployment. Acquisitions, infrastructure changes, cloud migration, or virtualisation projects all trigger licence recalculations — and vendor attention. Oracle's processor metric, for instance, must be recalculated after any change in physical hardware or virtual machine configuration.

Competitive loss or churn risk. Vendors audit customers who are evaluating competitors or who have significantly reduced their spend. The audit creates switching costs — real or perceived — that make leaving more difficult.

Former employee disclosures. Departing IT staff sometimes disclose licence practices to their new employer or directly to vendors. This is rare but does occur, particularly in large enterprises.

Indirect access (SAP-specific). SAP has pursued hundreds of audit cases based on third-party or custom-built systems accessing SAP data without direct SAP licences — so-called Digital Access exposure. This remains one of the most contentious areas of enterprise software compliance in 2026.

The First 48 Hours: What to Do Immediately

The moment you receive an audit notification, the clock starts. Most enterprises make critical mistakes in the first 48 hours that weaken their position for the entire engagement.

Do not respond immediately to the vendor. Your instinct may be to acknowledge receipt and begin cooperating. Resist it. Take the full time available to read the notification carefully, identify exactly what is being requested, and assemble your response team before saying anything substantive.

Identify your response team. You need legal (ideally with software licensing experience), an independent licensing advisor, your ITAM/SAM team, and executive sponsorship. This is not an IT project — it is a commercial negotiation with significant financial stakes.

Preserve current deployment data. Document your current deployment state before anything changes. If a system is decommissioned or reconfigured after the audit notice, the vendor may argue this was done to reduce compliance exposure. Document what exists, when it was deployed, and the business purpose.

Check your contract. Pull your full licence agreement, order forms, amendments, and any settlement agreements from prior audits. Understand exactly what you've licensed, under what terms, and what the audit clause actually says.

Do not allow system access without a formal scope agreement. Many vendors request direct system access in their initial notification. This is premature. Agree on scope in writing before any data collection begins.

Critical mistake to avoid: Running the vendor's own audit scripts without independent verification. Oracle LMS scripts, for example, count processor licences based on hardware topology in ways that routinely overstate true deployment. IBM's ILMT, when misconfigured, fails to capture sub-capacity discounts you're entitled to. Always validate vendor-supplied tool output independently before it leaves your environment.

How to Control the Audit Scope

Scope control is the single most important lever in audit defence. The vendor wants maximum scope; you want minimum scope consistent with your contractual obligations. Every time you expand scope beyond what the contract requires, you create additional exposure.

Define the products in scope. The audit should cover only the specific products listed in your licence agreement with that vendor. If Oracle is auditing your database licences, that does not automatically include Middleware, Java, or any other product family unless specifically licensed under the same agreement.

Define the entities in scope. Your licence agreement is between specific legal entities. Subsidiaries, affiliates, and joint ventures may or may not be covered. Vendors routinely attempt to expand scope to the entire corporate group — this requires explicit contractual authority.

Define the geography in scope. Global deployments are complex. If your licence is US-only, a European subsidiary's deployment is not automatically in scope for a US audit. Check your agreement's geographic coverage carefully.

Get the scope in writing. Before any data collection begins, confirm the agreed scope in a formal Audit Scope Agreement. This protects you from scope creep and gives you a documented basis to challenge findings that fall outside the agreed boundaries.

Don't face a vendor audit alone

Our team includes former Oracle LMS auditors, Microsoft compliance executives, and SAP licence specialists who know exactly how vendor audit teams operate. We've been on both sides of this table — and we use that knowledge to protect you. Learn more about our software audit defence service or explore our free audit defence resources.

See How We Work →

The Vendor's Playbook During an Audit

Having spent years on the vendor side, our advisory team knows exactly how Oracle, Microsoft, SAP, and IBM approach audits. Understanding their tactics is the first step to countering them effectively.

The urgent timeline pressure. Vendors will often communicate urgency — suggesting that delays increase exposure or that "goodwill" is contingent on fast cooperation. This is a negotiating tactic. Your contractual rights are not affected by timeline cooperation. Take the time you need to respond properly.

The inflated initial finding. First findings are almost always inflated. This is by design. An initial finding of $4M creates anchoring — any settlement for less feels like a win, even if the genuine exposure was $800K. Challenge every line item in the initial finding.

The bundled resolution offer. Vendors frequently offer to "resolve" an audit finding through a new product purchase or contract extension. This is often presented as a generous alternative to paying the compliance gap. In practice, you may be paying for products you don't need at prices you haven't benchmarked, simply to make the audit disappear. Always benchmark any bundled offer independently.

The relationship card. Account executives are often deployed during audits to maintain the commercial relationship — and to remind you of future roadmaps, investment, and partnership. This is a deliberate separation of the audit team (compliance pressure) and the account team (commercial sweetener). Don't let relationship considerations prevent you from defending your position.

How to Challenge Vendor Findings

Every finding in a vendor audit report should be treated as a starting position, not a fact. The basis for challenging findings falls into several categories.

Metric disputes. Vendor tools often apply the most unfavourable metric interpretation. Oracle processor licences, for instance, are affected by virtualisation, partitioning, and hardware topology in complex ways. IBM PVU sub-capacity rules require ILMT to be correctly configured — if it wasn't, you may still be entitled to sub-capacity pricing retrospectively. Detailed technical analysis of how deployment was measured is frequently the most productive challenge area.

Entitlement disputes. You may hold licences from prior agreements, acquisitions, or legacy contracts that the vendor's compliance team has not accounted for. A thorough entitlement review often uncovers licences that reduce or eliminate the reported gap.

Use rights disputes. Many licence agreements include secondary use rights, development and test rights, disaster recovery rights, and virtualisation rights that vendors ignore in initial audit findings. These rights, if documented and applied correctly, can significantly reduce the compliance gap.

Scope disputes. As noted above, any finding that relates to products, entities, or geographies outside the agreed scope should be formally challenged and excluded from the settlement discussion.

Negotiating the Settlement

Once findings have been challenged and a residual compliance gap established, the settlement negotiation begins. This is where many enterprises underestimate their commercial leverage.

Vendors want clean settlements that generate revenue — not drawn-out disputes, litigation, or public exposure. This gives you negotiating power even when there is genuine compliance exposure. Settlement terms worth negotiating include: the value applied to existing licences, the commercial terms of any new licences required to cure the gap, historical back-charge periods (vendors often seek 3–5 years; shorter is better), and the inclusion of enhanced use rights or deployment flexibility in the settlement agreement.

A settlement should always include a formal release from further audit claims for the period covered. Without this, you may resolve the immediate finding only to face the same exposure raised again in a future audit.

Post-Audit: Protect Yourself Going Forward

The best audit defence is preparation. Enterprises that maintain accurate, continuously updated SAM (Software Asset Management) records are significantly harder to audit successfully — and vendors know it.

Invest in a licence baseline following any audit settlement. Understand exactly what you've licensed, how it's deployed, and where the gap risks are. Review your licence positions annually, especially before major infrastructure changes, acquisitions, or cloud migrations.

Consider engaging independent software audit defence support on an ongoing basis, particularly if you have Oracle, SAP, or IBM in your estate. The cost of preparation is a fraction of the cost of an unprepared audit response. And if you ever do face a formal audit, having clean, documented entitlement data is the single most powerful defensive tool available.

Our multi-vendor negotiation service includes ongoing licence position reviews as part of every engagement — ensuring that audit risk is identified and managed before vendors come knocking.

NoSaveNoPay Advisory Team

Former executives from Oracle, Microsoft, SAP, and IBM. We built vendor audit programmes — now we help enterprises defend against them. Every engagement is on a 25% gainshare basis: if we don't save you money, you pay nothing. Learn about our team →