Home  ›  Blog  ›  Soft-Audit Letters
Audit Defence · Pre-formal

Soft-audit letters — the audit before the audit.

Oracle LMS, Microsoft SAM, SAP and IBM increasingly open audit cycles with a friendly compliance review rather than a formal audit notice. The data buyers volunteer in that phase becomes the formal claim three months later. This article covers how to recognise soft-audit framing, the response template that stalls escalation, and the legal posture that protects leverage for the formal phase.

Updated: May 2026 Reading time: 10 min Audience: CIO, IT Asset Manager, Procurement Director, General Counsel
Soft-Audit Letters
Not every audit is called an audit

The "compliance review" letter is the audit's pre-game.

Oracle, Microsoft, SAP and IBM increasingly open audit cycles with a non-binding "compliance review", "true-up verification" or "deployment data request" rather than a formal audit notice under the contractual audit clause. The framing is deliberately soft — collegial language, no escalation thresholds, no formal timeline. Buyers routinely treat these as casual data exchanges and ship back deployment exports that then become the evidentiary basis for a formal claim three months later. The soft letter is the audit; only the legal posture differs.

In our experience across 340+ engagements, roughly 40% of formal audit findings trace back to data that the buyer voluntarily disclosed during a soft-audit phase. The lesson is operational: every vendor data request, regardless of how it is labelled, should be treated as the first step of an audit and routed through the same governance, the same single channel and the same legal review.

Received a "compliance review" letter?

Treat it as an audit notice. The data you ship back becomes the formal claim.

Contact Us →
Common soft-audit framings

How the soft letters are typically dressed up.

The vendor's commercial reason for using soft language is twofold. First, the formal audit clause usually carries notice periods, scope constraints and procedural requirements; the soft letter sidesteps all of them. Second, buyers respond more openly to a "we want to help you optimise" frame than to a "we are exercising our audit right" frame. Recognising the framings is the first step in resisting them:

The response template

A soft-audit letter should be acknowledged within five business days with a written reply that does three things. First, it confirms receipt without confirming participation. Second, it requests that the request be formalised in writing with reference to the specific contractual clause that authorises the activity. Third, it states that any data sharing will be governed by mutually agreed scope, methodology and timeline. Most soft audits stall at this point because the vendor's account team is unwilling to escalate to a formal audit notice — which is exactly the leverage the buyer is looking for.

Download the Vendor Audit Defence Handbook.

Includes the soft-audit response letter, the data-request governance template and the executive escalation pack.

Get the handbook →
When soft becomes formal

What happens when the vendor escalates and how to be ready.

If a soft-audit request is rebuffed, the vendor will sometimes escalate to a formal audit notice — sometimes within weeks, sometimes after a renewal cycle. Buyers who have run their soft-audit response with discipline are in materially stronger shape for the formal phase: the data has not been disclosed, the scope has not been conceded, and the single-channel rule is already operating. Settlement outcomes for buyers who held the line on the soft audit average 22 percentage points better than those who shipped data early. Treating a soft-audit letter with the same rigour as a formal one is exactly what a buyer-side software license audit defense is built to do.

The other outcome is more common: the soft audit simply lapses. Vendors triage their formal audit pipeline tightly because formal audits are expensive to run; if the buyer has not surfaced obvious exposure, the case rarely converts.

FAQs

Common questions about soft-audit letters.

Are we contractually required to respond to a soft-audit letter?

If the letter does not reference the formal audit clause, you are not contractually required to participate. You should still acknowledge receipt — silence creates other risks — but participation should be conditional on a formal audit notice with defined scope.

Won't refusing to participate damage our vendor relationship?

Mature account teams respect a disciplined response. The signal you send is that data sharing happens through proper governance; that is a professional response, not a hostile one. Account teams that escalate over a measured response usually had escalation planned regardless.

What if our IT team has already started sharing data?

Stop immediately and consolidate. The named contact writes to the vendor confirming that the prior exchange was preliminary and not authoritative, and that further data sharing requires formal scope agreement. Document the correction in writing.

Should we use a SAM tool ahead of a soft audit?

Yes — but the output stays internal until you have an independent Effective Licensing Position. SAM tool data should never be shared with the vendor in its raw form, especially during a soft-audit phase.

Soft-audit letter on your desk?
Respond before week one ends.

The first written response sets scope. We draft it the same day we are engaged.

The Compliance Brief

Weekly compliance intelligence for IT leaders.