Home  ›  Blog  ›  Audit Data Collection Strategy
Audit Defence · Data Collection

Audit data collection — controlling what leaves your environment.

The vendor's audit team has a single goal in the data-collection phase: extract enough deployment information to construct a maximally-expansive license-shortfall claim. The buyer's goal is the inverse: provide exactly the data required by the contractual entitlement question, no more, in a buyer-controlled format. The gap between those two postures is where the majority of audit settlements are won or lost. This article walks through the data-room model, the rejection of vendor scripts, the methodology disputes that move claims by tens of millions, and how to govern the data exchange end to end.

Updated: May 2026 Reading time: 10 min Audience: IT Asset Manager, Security, CIO, External Advisor
The default is too generous

Why buyers over-share by default.

The instinct of most IT teams under audit is to be thorough. Auditors ask for deployment data; IT delivers a CSV with every server, every user, every install. That CSV typically contains products outside the audit scope, environments outside the contractual entitlement (lab, DR, sandbox), historical records predating the current period, and tagging that the vendor will interpret unfavourably. Each over-share is an opportunity for the vendor to assert a finding that the buyer did not need to invite.

In our experience across 340+ engagements, the data the buyer hands over in week three explains roughly 55% of the difference between initial claim and final settlement. The remaining 45% is methodology and contractual interpretation. Controlling the data is the highest-leverage move available to the buyer.

Audit data request on the desk?

We design the data-room protocol before any deployment information leaves the buyer's environment.

Contact Us →
Reject the vendor script

"Just run our discovery tool" — the single most expensive sentence in audit.

Oracle Server Worksheets, the SAP measurement tool, IBM ILMT extracts, Microsoft's MAP toolkit — every major vendor offers a "convenient" data-extraction script. Each is designed to surface gaps the buyer would never volunteer. Oracle's Options Usage Tracking historically over-counts feature usage by an order of magnitude because it counts any instantiation regardless of execution. SAP's measurement tool can classify users into Professional category based on configuration metadata even when those users perform only Limited Professional work. Microsoft MAP scans WMI namespaces and counts virtual cores in ways that often differ from the executed license metric.

The buyer-side position is simple: vendor-supplied scripts are not run on production systems. Data is collected by the buyer using buyer-validated methodology and provided in buyer-defined formats. Where the contract is silent on methodology — and most are — the buyer's methodology stands until the vendor proves otherwise. This is not a contractual reach; it is the default rule of contract construction. Controlling that data exchange end to end is the core of a buyer-side vendor audit defense engagement.

The four refusal positions

  1. No vendor-supplied scripts on production systems.
  2. No vendor-supplied scripts on lab, DR or sandbox systems without scope confirmation.
  3. No real-time access to buyer environments by vendor or vendor agents.
  4. No transfer of raw extracts; only aggregated, validated, scope-limited datasets via a secure data room.

Download the Vendor Audit Defence Handbook.

Includes the full data-room protocol, vendor-script rejection language, and methodology dispute playbook.

Get the playbook →
The data room model

A buyer-governed exchange not a vendor-controlled extraction.

The defensible model is a buyer-administered virtual data room. The buyer assembles datasets validated against the contractual entitlement question. The data room is access-controlled by named individuals, time-bounded to the audit period plus a retention tail, and watermarked. Vendor questions are submitted in writing and answered by the buyer in writing; no live screen-shares, no ad-hoc extracts, no informal email exchanges of CSVs. Every interaction has a record. Every record can be cited at settlement.

The mechanics: a commercial data-room platform (most are inexpensive), a named buyer-side data steward (often the IT asset manager), a written log of every dataset uploaded and every viewer who accessed it, and a single channel for vendor queries. If the vendor asks for a dataset outside scope, the response is "noted — not produced under the current scope." If the vendor objects, the objection goes to the dispute mechanism.

Methodology disputes

Where seven-figure claims shrink or expand.

Once the data is in the room, the next battle is methodology. The vendor will assert a methodology that maximises the claim. The buyer's job is to assert the contractually-grounded methodology that minimises it. The disputes that move the most value:

Vendor data request looks expansive?

Independent review of the data request, scope rebuttal letter and data-room protocol — all within 5 business days.

Contact Us →

Audit data request just landed?
Control the data before you respond.

We design the data-room protocol, draft the scope rebuttal and manage the exchange end to end.

The Compliance Brief

Weekly compliance intelligence for IT leaders.