Home  ›  Blog  ›  Compliance Controls Framework
Compliance · SAM · Controls

Software compliance controls framework — what auditors actually look for.

A controls framework is the assurance layer underneath a SAM program. It defines the five repeatable, evidence-producing processes that keep entitlement and deployment records reconciled — and it produces the audit-defence baseline buyers need before a vendor audit letter ever arrives. Built right, it cuts audit settlement exposure by 50–70%; built wrong or not at all, it leaves the buyer arguing without evidence.

Updated: June 2026 Reading time: 12 min Audience: CIO, ITAM Lead, Internal Audit, CFO
Controls and assurance framework
The shift

Why activity is not the same as control.

Most enterprises have a SAM team. Far fewer have a controls framework. The difference matters at audit, because the auditor is not looking for activity — they are looking for evidence that the entitlement record, the deployment record, and the consumption record have been reconciled on a defined cadence, with documented remediation. Activity without that evidence trail is interpretation, and interpretation is where the vendor's audit team takes the most ground.

In our experience across 340+ engagements, the buyers who settle audits at the lowest exposure share three traits. They built the controls framework before the audit letter arrived. They produced the same five evidence artifacts every quarter, signed off by the same named owner. They engaged independent advisors before the vendor's auditor closed the data-collection phase. The controls framework is what makes the first two possible. For organisations that bring in that independent layer early, a buyer-side software license compliance assessment is what stress-tests the framework before the vendor's auditor does.

The five controls that do the heavy lifting

A software compliance controls framework can hold dozens of controls, but five do the heavy lifting in every engagement we have run:

  1. Entitlement record completeness. A consolidated, source-of-truth file of every active contract, every active SKU, every licensed metric, and every entitlement quantity — refreshed within 30 days of any contract change.
  2. Deployment-data capture. Automated extraction from the vendor's own admin console, plus discovery tooling, into a normalised deployment file that can be reconciled to the entitlement record.
  3. Change-control on installs and deactivations. A ticketed process for any install, uninstall, user provisioning or de-provisioning that touches a licensed product. Without ticket evidence, deactivations cannot be defended at audit.
  4. Reconciliation cadence against entitlements. Quarterly reconciliation at minimum for audit-active vendors, monthly for cloud and high-consumption SaaS lines, with documented remediation actions for any variance above a defined threshold.
  5. Indirect-access mapping. A current map of every integration, every service account, every batch process and every downstream user population that touches the licensed product without a named-user license.

Building a controls framework from scratch?

Our compliance practice helps buyers stand up the framework before the next audit letter arrives.

Contact Us →

Control 1 — entitlement record completeness

The entitlement record is the foundation. Without a complete, current, source-of-truth entitlement file, every downstream control fails because there is nothing to reconcile against. The common failure pattern: the entitlement file lives in three places (procurement's contract repository, the SAM tool's licence database, the vendor's quote history) and none of them is reconciled. The disciplined approach picks one system as source-of-truth, reconciles the other two against it on a defined cadence, and produces a single signed entitlement record at the end of every quarter.

Control 2 — deployment-data capture

Deployment data has to come from two sources: the vendor's own admin console (the data the vendor will use at audit) and an independent discovery tool (the data the buyer can defend with). Where the two diverge, the buyer has a window to investigate and remediate before the vendor surfaces the gap. Where the framework relies on the vendor's data alone, the buyer has no independent position; where it relies on discovery alone, the buyer cannot anticipate the vendor's audit position. Both are required.

Control 3 — change-control on installs and deactivations

Change-control is the control most often missing from immature programs. It matters because uninstalls and de-provisioning events are the moments where audit exposure is created — a user de-provisioned without a ticket has no defence at audit, and the vendor's auditor will count them. The control should require a ticket for any user provisioning or de-provisioning, any install or uninstall, and any service-account creation that touches a licensed product. Ticket evidence is what makes a deactivation defensible.

Download the License Optimization Toolkit.

The full toolkit covering controls framework, reconciliation templates, and audit evidence patterns.

Get the toolkit →

Control 4 — reconciliation cadence

Reconciliation is where the framework either holds or breaks. Annual reconciliation was the historical norm; it is no longer sufficient. For audit-active vendors (Oracle, Microsoft, SAP, IBM, Cisco), reconciliation should run quarterly. For high-consumption SaaS and cloud lines (AWS, Azure, GCP, Salesforce, ServiceNow, Workday, Microsoft 365), reconciliation should run monthly. Each reconciliation produces a variance report, a remediation plan for any variance above the defined threshold, and a sign-off from a named owner.

Control 5 — indirect-access mapping

Indirect access is the single largest source of audit exposure across the major vendors — SAP digital access, Oracle named-user-on-database, Microsoft multiplexing, ServiceNow tables, Salesforce integration users. The control is a current map of every integration, every service account, every batch process and every downstream user population that touches the licensed product. Maps go stale within months; the cadence should be quarterly, with explicit sign-off from the application owner of each integrated system.

Operating the framework

Cadence, ownership and audit evidence.

The framework produces three primary audit-evidence artifacts on every cycle: a signed entitlement record, deployment evidence tied to that record, and a reconciliation log demonstrating quarterly review with documented remediation. These three artifacts together form the audit-defence baseline. When the audit letter arrives, the buyer hands the artifacts to the vendor's auditor and shifts the conversation from "what is the deployment" to "what is the variance against this evidence." That is a buyer-favourable frame, and it can shift the audit settlement number by 50–70%.

Sequencing the build

A controls framework built right takes 90–120 days end-to-end. The sequence we use: weeks 1–2, current-state assessment (where each control sits today); weeks 3–6, entitlement record consolidation; weeks 7–9, deployment-data capture and discovery integration; weeks 10–12, reconciliation cadence and remediation workflow; weeks 13–16, indirect-access mapping; weeks 17–18, evidence-artifact templates and sign-off chain. The framework goes live with the first quarterly reconciliation at week 18.

FAQ

Common questions.

What is a software compliance controls framework?
A controls framework is the set of repeatable, evidence-producing processes that keep entitlement records, deployment records and consumption records reconciled across the software estate. It defines who owns each control, how often each control runs, and what audit evidence each control produces.
How does it differ from a SAM program?
A SAM program is the operating function; a controls framework is the underlying assurance layer. A mature SAM team without a controls framework will produce activity but not audit-ready evidence. A controls framework without a SAM team produces evidence without ongoing remediation. Both are required.
Which controls matter most?
Five controls do the heavy lifting: entitlement record completeness, deployment-data capture, change-control on installs and deactivations, reconciliation cadence against entitlements, and indirect-access mapping. Without all five, the framework has visible gaps an auditor will find.
How often should reconciliation run?
Quarterly at minimum for the audit-active vendors (Oracle, Microsoft, SAP, IBM, Cisco) and monthly for the high-consumption SaaS and cloud lines. Annual reconciliation has been the historical norm; it is no longer sufficient given the pace of change in cloud and SaaS environments.
Who should own the controls framework?
Ownership sits in IT Asset Management or the Vendor Management Office, with executive sponsorship from the CIO and the CFO. The CFO sponsorship is essential because the controls framework produces evidence used in audit settlement negotiations, which sit in the CFO's authority.
What audit evidence does the framework produce?
Three primary artifacts: an entitlement record signed off by the vendor (where possible), deployment evidence tied to the entitlement record, and a reconciliation log demonstrating quarterly review with documented remediation. These three artifacts together form the audit defence baseline.

No controls framework today?
Build it before the next audit letter arrives.

Our compliance practice designs and stands up controls frameworks for buyers. 90–120 day delivery. Buyer-side only. 68% average audit claim reduction.

The Compliance Brief

Weekly compliance intelligence for IT leaders.