Home  ›  Blog  ›  Audit Evidence Management
Audit Defence · Methodology

Audit evidence management — what to hand over, and what not to.

Every audit becomes an evidence-handling exercise within the first 30 days. The vendor sends a data request — scripts to run, exports to collect, lists of users to verify — and the answers shape the rest of the engagement. In our experience across 340+ engagements, 60% of the eventual claim value is set in this evidence phase, before the negotiation even starts. This article walks through the disciplines that keep evidence accurate, scoped, and defensible.

Updated: May 2026 Reading time: 13 min Audience: CIO, SAM Manager, Legal, Procurement
Audit documentation and records
Why evidence is the audit

Evidence is the audit — not a preamble to it.

Software audits do not turn on legal arguments. They turn on what the vendor's scripts return, what your engineers volunteer in interviews, and how the contract is read against that data. Once the evidence is in vendor hands, the legal positions are mostly written into the corners. The implication for buyers: control the evidence phase tightly, or be prepared to negotiate from whatever it produces.

Audit teams at Oracle LMS, Microsoft SAM Engagement, SAP GLAS, and the equivalents at IBM and VMware all follow comparable methodologies. They request a defined set of artefacts — inventory exports, ULN evidence, user lists, deployment maps — and reconcile against contract entitlements. The reconciliation produces the Effective Licensing Position (ELP), which becomes the claim. Every deduction is evidence-derived; every offset is evidence-derived; every escalation is evidence-derived.

The four evidence categories

Scoping evidence requests

Narrow the scope before producing a single artefact.

The first script the vendor sends will request more than the contract entitles them to. This is not deception — it is standard practice, and over-scoping is rational on the auditor's side. The defence is to read the audit clause carefully and respond with a scoped data request reflecting only what the clause requires. Most audit clauses specify the systems in scope, the data formats, the timeline, and the named entity. All four are levers.

The four scope levers

  1. Entity scope. The audit applies to the contracting entity. Subsidiaries acquired post-contract may or may not be in scope depending on assignment clauses.
  2. System scope. Production and non-production may be separately treated. DR systems, test environments, and embedded software each carry contract-specific rules.
  3. Time scope. Audits cover a defined period. Data older than the audit window should not be furnished.
  4. Format scope. Vendors prefer scripts; contracts typically allow exports in equivalent formats from existing SAM tools.

Audit notice received in the last 60 days?

The first 30 days are the leverage window. Our team has run hundreds of these.

Contact Us →

The single-source-of-truth practice

All evidence flowing to the vendor should pass through one named coordinator on the buyer side. No engineer should respond to vendor data requests directly. No interview should be unaccompanied. Vendors learn quickly which estates have central control and which do not; the negotiation tone shifts accordingly.

Defensible records

Build the evidence in a form that survives challenge.

The buyer's evidence is at least as important as the vendor's. Effective Licensing Position rebuttals turn on whether the buyer can demonstrate alternative deployment counts, contractually permitted exclusions, and offsets the vendor would not surface unprompted. The evidence has to be reproducible, time-stamped, and prepared in a form the vendor cannot easily dismiss.

Reproducibility

Every evidence artefact should carry a documented derivation. If a deployment count comes from SCCM, the SCCM query, run time, and source database should be recorded. If a user count comes from Active Directory, the LDAP filter and group structure should be recorded. Vendors challenge unsupported numbers; they accept reproducible ones. Reproducible, contract-tied evidence is the backbone of any buyer-side software license audit defense.

Time-stamping and versioning

Evidence runs change. A user count at week 4 of the audit is not the same as at week 8. Each run should be archived, version-tagged, and not overwritten. If the vendor challenges a number, the buyer should be able to produce the underlying export with full metadata.

Privileged review

Evidence prepared under legal privilege protects the buyer from later use. Engaging counsel and structuring the evidence-collection effort as legal-led can preserve privilege for sensitive artefacts (internal memos, valuation models, escalation correspondence). The mechanics vary by jurisdiction; the discipline is worth the time.

Download the Vendor Audit Defence Handbook.

The full audit defence playbook — evidence, escalation, settlement — in one document.

Get the handbook →
Common evidence traps

Five evidence mistakes that drive claims up.

  1. Volunteering scope. Engineers volunteer information about systems outside the audit clause. Once in vendor hands, it is in scope.
  2. Running unverified scripts. Vendor scripts can pull data beyond what the contract allows. Each script should be reviewed before execution.
  3. Conceding interpretations. Statements like 'we count it that way too' bind the buyer to interpretations they have not validated against the contract.
  4. Missing offsets. Unused entitlements, shelfware, and contractual exemptions are buyer-side evidence the vendor will not surface.
  5. Single-source vendor data. Letting the vendor's discovery output stand as the only data point removes the buyer's ability to challenge.

Multi-vendor audit running in parallel?

Evidence discipline scales — but only with central coordination. We have built that structure many times.

Contact Us →

Three actions to take now

First, name a single audit coordinator with authority to gate every evidence response. Second, build a contract-driven scope document before running any vendor script. Third, version and archive every evidence artefact under legal privilege where possible. The Vendor Audit Defence Handbook walks through each step.

FAQ

Common questions.

How long should an audit last?
Standard audit clauses allow 90–120 days. Vendor-driven extensions are negotiable; buyers should not concede extensions without scope or claim-value implications.
Should I run the vendor's audit script?
Not without contract review. The script's scope should be checked against the audit clause. Equivalent SAM-tool exports often satisfy the same requirement with tighter scope.
Can audit findings be challenged?
Yes. Effective Licensing Position findings are negotiable in scope, methodology, and pricing. Most claims reduce by 30–70% from initial position through evidence-based rebuttal.
Do I need legal counsel for an audit?
For material exposures, yes — both for privilege preservation and for negotiating against vendor counsel. Routine compliance reviews can often be handled by internal SAM with advisory support.
Are vendor auditors independent?
Generally no. Oracle LMS, Microsoft SAM Engagement and SAP GLAS are vendor revenue functions, not independent reviewers. Third-party auditors hired by the vendor are paid by the vendor.
What is the typical claim reduction with proper defence?
In our 340+ engagements, the median audit claim reduces by 68% from initial position to final settlement — driven by evidence challenge, scope contest, and offset surfacing.

Audit notice in hand?
Run the first 30 days with experienced counsel.

Our team includes former vendor auditors. 68% average claim reduction across 340+ engagements.

The Compliance Brief

Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.