Most software audits are won or lost long before the audit letter arrives. The position you can defend is the position you can document. License reconciliation — the disciplined matching of contractual entitlement to actual deployment — is the single most leveraged exercise an IT asset team can perform.
Most teams use the words "inventory" and "reconciliation" interchangeably. They are different work. Inventory tells you what is installed and where. Reconciliation tells you whether what is installed is licensed under the entitlement you actually purchased. The difference matters because vendors are not auditing your inventory — they are auditing the gap between entitlement and deployment, and a tidy inventory can mask a six-figure shortfall.
In our experience across 340+ engagements, the customers who survive audits well share one habit: they reconcile against the Ordering Document, not against the marketing description of the product. An Adobe ETLA is not licensed by what the renewal quote says — it is licensed by the Schedule. A Microsoft EA does not entitle you to whatever your tenant is consuming — it entitles you to the SKUs on your true-up roster, with the qualifying-user and qualifying-device definitions exactly as drafted. Reconciliation reads those Schedules first.
A defensible reconciliation produces three reconciled views simultaneously: an entitlement view (what the contracts grant), a deployment view (what is installed or assigned), and a usage view (what is actively consumed). The reason all three matter is that some vendors license deployment (Microsoft, Adobe), some license assignment (Salesforce, ServiceNow), and some license usage or consumption (Oracle Diagnostic Pack, SAP indirect access). A single deployment number cannot serve all three vendor models.
Across the engagements we run, 80% of audit exposure typically sits inside 20% of the estate — specifically, the workloads that crossed an entitlement boundary that the operations team did not know existed. Common examples: a database upgraded from Standard Edition 2 to Enterprise Edition without a licence change, a SQL Server cluster that started using AlwaysOn Availability Groups, an Oracle instance that started writing AWR snapshots after a DBA enabled Diagnostic Pack at the database parameter level. Reconciliation surfaces these crossings; inventory does not.
Bring the work forward by 90 days. Late reconciliation forfeits leverage.
Reconciliation work that survives vendor pushback follows the same sequence regardless of vendor. We have refined this method across hundreds of engagements; the order matters and the shortcuts that look attractive (skipping the entitlement extract, working from the partner portal rather than the Schedule) consistently cost customers money downstream. Where an internal team lacks the bandwidth to run the full sequence, a scoped software license compliance assessment applies the same method across the estate before a renewal window closes.
Reconciliation templates, ELP scaffolds and vendor-specific run-books.
Vendor models diverge enough that a single reconciliation methodology cannot apply uniformly. The high-stakes vendors — Oracle, Microsoft, SAP, IBM, Adobe — each require their own reconciliation rules. Below are the patterns we apply most often.
Oracle reconciliation hinges on options and packs. The deployment is rarely the issue — the database is licensed at scale — but Diagnostic Pack, Tuning Pack, Partitioning, Advanced Security, and Active Data Guard generate disproportionate exposure because they are enabled without explicit purchase. Run the LMS Options Usage script against every production database; reconcile each option to a Schedule line; document any disabled-then-re-enabled history. This work alone has reduced Oracle audit claims by an average of 68% in our practice.
Microsoft reconciliation in an EA world has three moving parts: qualifying user/device count for Enterprise Products, true-up calculation for additive SKUs, and tenant-level consumption for Azure. The qualifying-user definition is the trap — contractors, third-party staff, M&A acquired users and dormant identities all count under most EA definitions, and the partner-portal report rarely reflects this faithfully. Reconcile against Azure Active Directory plus your HR system, not against the licence-assignment report alone.
SAP reconciliation must capture both named-user counts (Professional, Limited Professional, Employee, Developer) and engine measurements (Payroll Accounting, FI, Logistics) plus — critically — indirect/digital access. The Digital Access Adoption Programme reframed indirect use as document-based, but most customers have never reconciled their document volume against the entitled tier. The reconciliation here is finance-led, not IT-led.
Adobe ETLA reconciliation is straightforward in structure but tactical in execution: assigned-named-user counts in the Admin Console reconciled against ETLA entitlement, with deployment of point-products (Acrobat Pro, Photoshop) versus all-apps suites tracked separately. Salesforce reconciliation is similar in shape — active user assignments against entitlement — but layered with the question of feature licences (CPQ, Service Cloud Voice, Sales Cloud Einstein) which carry independent counts.
A reconciliation done once, before an audit or a renewal, captures value once. A reconciliation done continuously — quarterly, against a defined run-book — captures value at every contract event and drives optimisation between events. The discipline that distinguishes mature SAM programmes is not the tool, it is the cadence.
We can share a sanitised version from a current Fortune 500 engagement.
Our consultants are former vendor licence auditors. We run reconciliations that hold up to vendor scrutiny.
Weekly compliance intelligence for IT leaders.