Home  ›  Blog  ›  Audit Response — First 30 Days
Audit Defence · Response Playbook

The first 30 days set the magnitude of the eventual claim.

Audit notices arrive on a Friday afternoon, usually by registered mail, sometimes via the account executive's "courtesy heads-up" email. The next 30 days are when the buyer's posture is set, the scope is bounded, the data-collection methodology is agreed, and the executive narrative is framed. Do the first 30 days well and the audit settles for cents on the dollar. Do them badly and the vendor's opening claim becomes the anchor for every subsequent negotiation. This is a day-by-day playbook from 340+ engagements.

Updated: May 2026 Reading time: 9 min Audience: CIO, IT Asset Manager, General Counsel, Procurement Lead
Software Audit Response — First 30 Days
Days 1–3

Acknowledge, contain, brief.

The single biggest mistake in the first 72 hours is responding substantively. The vendor's notice will request a meeting, a kick-off call, an initial data extract. None of these is required to be agreed in 72 hours. The buyer's correct response is a written acknowledgement that the notice has been received, that the buyer will respond on scope and methodology within 14 days, and that all subsequent communications should route through a named single point of contact (typically the General Counsel's designate or an external advisor).

In parallel, contain the internal narrative. The audit notice should be briefed to the CIO, CFO and General Counsel within 24 hours, but not yet escalated to broader IT or procurement teams. The reason is information control — once the audit becomes general knowledge inside the buyer organisation, the vendor's account team starts hearing the customer's anxiety from inside the customer's own building.

Notice received this week?

We respond within 24 hours and stand up the defence within five business days.

Contact Us →
Days 4–14

Audit governance, scope letter, advisor engagement.

By day 14, three things must be in place. First, an audit governance group with named leads from legal, IT asset management, procurement and finance, meeting weekly. Second, an independent advisor with audit-defence track record engaged under privilege where possible. Third, a written scope-and-methodology response to the vendor that bounds what is in scope, contests what is out of scope, and proposes the data-collection method the buyer will support. An independent vendor audit defense partner brought in at this stage is what keeps those first 30 days from setting a precedent the buyer regrets later.

The scope letter — what it must contain

  1. Confirmation of products in scope (only those under the active contract).
  2. Confirmation of legal entities in scope (only those party to the master agreement).
  3. Confirmation of the timeframe (current entitlement period only, no historical look-back beyond contractual right).
  4. Confirmation of methodology (buyer-controlled data extract, no vendor scripts on production systems).
  5. A proposed timeline with named milestones and the buyer's right to suspend on cause.

Download the Vendor Audit Defence Handbook.

Includes the full scope letter template, executive briefing pack and 30-day timeline.

Get the playbook →
Days 15–30

Build the independent ELP before sharing any data.

By day 30, the buyer should have completed a draft Effective Licensing Position internally — independent of the vendor — and made the decision about which data to share, when, and under what conditions. Sharing deployment data before the internal ELP is complete is the single most common mistake in audit defence. Once the data is in the vendor's hands, the buyer's negotiating position is set by the vendor's interpretation of that data, not by the buyer's.

The independent ELP need not be perfect by day 30 — but it must be complete enough that the buyer knows their own exposure number before the vendor does. In our practice across 340+ engagements, buyers who reach day 30 with their own ELP in hand settle for an average 68% below the vendor's opening claim. Buyers who reach day 30 having already shared raw data settle for 41% below — still a reduction, but materially less.

Need an audit defence team on the ground?

Former vendor licensing executives — Oracle, SAP, Microsoft, IBM. Available within 48 hours.

Contact Us →
The mistakes to avoid

What kills a 30-day defence.

Audit notice arrived?
The 30-day clock has already started.

We respond within 24 hours and stand up the audit defence programme within five business days.

The Compliance Brief

The price-book changes, audit triggers, and negotiation levers we see across 340+ engagements, in one short email — before they reach you as a vendor proposal.