Home  ›  Blog  ›  Vendor Audit Defence Guide
Pillar · Audit Defence

The complete vendor audit defence guide.

Software audits are not random and they are not technical. They are commercial events disguised as compliance reviews, designed to convert ambiguity into revenue. This pillar covers how Oracle LMS, Microsoft SAM, SAP, and IBM actually run an audit, the defensive moves that work, and the settlement design that captures the 68% average claim reduction we see across engagements.

Updated: May 2026 Reading time: 20 min Audience: CIO, IT Asset Manager, General Counsel
Audit working documents on a desk
The audit motion

Software audits are commercial events.

A software audit is not a random compliance review. It is a planned commercial event, initiated by a vendor compliance team whose targets are revenue-denominated. The vendor compliance functions — Oracle LMS, Microsoft SAM Engagement, SAP GLAC, IBM IASP — operate as quasi-sales channels. Their incentives align with conversion of compliance ambiguity into licence purchases, support renewals, or cloud commitments. Treating an audit as a neutral verification exercise is the single most common defensive error.

In our experience across 340+ engagements, the audits that produce the best buyer outcomes share three properties: the response is segmented across a legal track and a technical track from day one, the data the vendor receives is bounded to the contractual minimum, and the settlement is structured to separate back-bill from forward-look from any commercial conversion (cloud, ELA, ULA).

The triggers

Audits are not random. They follow patterns. The common triggers are: declined ULA or ELA renewal, public cloud migration (especially competitive cloud), large support reduction request, M&A activity, divestiture, hardware refresh, executive change in IT or procurement leadership, and contract anniversary 12–24 months after any of those. A buyer can predict audit risk by mapping their own actions against these patterns. The audit can be anticipated and prepared for.

Vendor-specific motions

Every vendor runs a different audit motion.

Oracle LMS

Oracle's License Management Services sends a measurement notice with a 45-day window, requesting LMS Collection Tool output. The scripts collect deployment and use data across Database, Middleware, Applications, and Java estates. The audit typically targets virtualization scope (VMware), database options enablement, named-user multiplexing, and Java SE deployment. The settlement conversation invariably ties to a renewal window or includes an OCI conversion proposition.

Microsoft SAM Engagement

Microsoft's compliance motion runs through SAM Engagement (the polite, partner-led variant), Software Asset Management Verification (SAMV — more formal), or full Audit (the rare, contractually-named variant). Most enterprises encounter SAM Engagement first. The findings cluster around Windows Server CALs, SQL Server core licensing, Office activation, and increasingly Azure entitlement vs consumption (Azure Hybrid Benefit misuse).

SAP GLAC

SAP Global License Audit & Compliance runs annual measurement (Licence Audit Workbench / LAW) and triggered audits. The findings cluster around named-user type mismatch (Professional used where Limited Professional could apply), engine over-utilization (Payroll, CRM), and indirect access via non-SAP front-ends or integration buses. Digital Access conversion is now the primary commercial vehicle for resolving historical indirect-access findings.

IBM IASP

IBM IASP audits target sub-capacity licensing compliance, ILMT deployment and reporting accuracy, Cloud Pak entitlement vs deployment, and Passport Advantage estate reconciliation. The ILMT requirement is a notable trap — failure to deploy and report ILMT correctly results in full-capacity licensing claims, which can be many multiples of actual deployment.

Audit notice arrived?

Former vendor auditors on the bench. 72-hour initial review and defensive plan.

Contact Us →
First 30 days

Sequencing the first 30 days determines the next 12 months.

The first 30 days of an audit response disproportionately shape the eventual settlement. The actions taken — and not taken — establish the audit's quantitative ground and the buyer's procedural position. The most important first-30-day actions:

  1. Acknowledge receipt, not scope. The initial response should acknowledge the audit notice without agreeing to any specific scope, timeline, or data submission. Scope is negotiated, not granted.
  2. Engage outside counsel. For Oracle, SAP and IBM audits, outside counsel should be engaged in the first week. The audit is a legal process; counsel's involvement establishes privilege and frames the engagement.
  3. Form the internal team. A dedicated internal team with IT Asset Management, Procurement, Legal, and the relevant business unit. Single-point external communication.
  4. Run vendor scripts internally first. Whatever measurement tooling the vendor requests, run it under buyer control first. Validate the output before transmission.
  5. Define contractual data scope. Review the audit clause in the underlying contract. Most clauses bound the data the vendor is entitled to receive narrower than the data the vendor's audit team requests.
  6. Identify business event coordination. If a renewal, migration, or commercial event is concurrent, those conversations should be ring-fenced from the audit response.

Download the Vendor Audit Defence Handbook.

The full audit defence playbook — first 30 days, evidence handling, settlement design, vendor-specific tactics.

Get the handbook →
Evidence handling

What the vendor gets, and what the vendor doesn't.

Most audit clauses entitle the vendor to deployment data and usage data sufficient to verify compliance. They do not entitle the vendor to broader system data, source code, business context, employee information, or commercial information. The vendor's audit team typically requests broader data than they are contractually entitled to receive; buyers who provide the broader data lose negotiation ground without realising it. The defensive posture is rigorous mapping of every vendor data request against the contractual entitlement.

Measurement-tool output review

Oracle's LMS scripts, Microsoft's SAM scripts, IBM's ILMT data, and SAP's USMM extracts all produce raw output that needs interpretation. The raw output frequently includes false positives — instances of options or features that show as "enabled" but are not actually in use, or named users that the system identifies as licensable but who are service accounts or duplicates. Reviewing the output before transmission allows buyers to flag, contextualize, and where necessary correct the data.

Privilege and counsel involvement

For findings of any material size, evidence handling should occur under outside counsel privilege. The privileged channel protects the buyer's ability to develop internal compliance positions without those positions becoming discoverable in subsequent litigation. The cost of counsel involvement is small relative to the negotiation leverage it preserves.

Settlement design

The settlement always has three components.

Vendor audit settlements almost universally include three components: a back-bill for the historical non-compliance, a forward-look licence purchase or subscription that resolves the non-compliance going forward, and a commercial bundling element (cloud commitment, ELA, ULA, multi-year support) that converts the audit into a longer commercial commitment. Customers who segment and negotiate the three components separately consistently outperform those who treat the settlement as a single number.

Back-bill negotiation

Back-bill is typically the most negotiable component. The vendor's claim is computed at list price; buyer-side counter-arguments include disputed scope, partitioning policy interpretation, multiplexing exclusion, and feature-vs-option distinctions. Average back-bill reductions across our portfolio are 70–85% versus initial vendor claim, with the largest reductions concentrated in virtualization-scope and database-option findings.

Forward-look licence design

Forward-look purchases lock the non-compliance into entitlement. The negotiation lever is metric design — buyers should ensure the forward-look is structured at the correct metric (NUP vs Processor, named user type, FUE conversion) for the going-forward operational reality, not for the historical estate.

Commercial bundling resistance

The commercial bundling element (cloud commitment, ULA, ELA) is where the vendor extracts the largest long-term value. Resistance to bundling is appropriate at audit settlement — bundled commitments made under audit pressure routinely produce shelfware and reduce future negotiation leverage. The defensive position is to settle the back-bill and forward-look at audit time and defer the broader commercial conversation to a subsequent, separately-sequenced negotiation.

Settlement number on the table?

Independent claim review and settlement design. Our average reduction is 68% versus initial vendor claim.

Contact Us →

Internal next steps

If you have received an audit notice — or anticipate one — three preparation moves pay back. First, baseline the licensing position from Ordering Documents, not from deployment. Second, run the relevant vendor measurement tooling internally before any external commitment to share output. Third, form the internal audit-response team with single-point external communication. The audit response then becomes a managed commercial process rather than a reactive scramble.

FAQ

Vendor audit defence questions.

How long do we have to respond to an audit notice?
Most enterprise software contracts give 30–45 days for initial response, followed by 90–180 days for data submission. The clock starts on receipt of the formal notice, not on the soft audit letter that often precedes it.
Should we let the vendor's audit team into our environment?
Almost never on day one. Run the vendor's measurement scripts internally first, validate the output, and provide only the data the vendor is contractually entitled to receive — not the broader extract typically requested.
What is the average audit claim reduction?
Across our 340+ engagement portfolio, the average reduction from initial vendor claim to final settlement is 68%. Reductions above 90% are common when the initial claim was driven by virtualization-scope assumptions or option-enablement findings.
Can we refuse a vendor audit?
Refusal of a contractually-permitted audit typically constitutes a breach of contract. The defensive position is not refusal — it is rigorous scoping of what the vendor is contractually entitled to audit, on what timeline, with what data.
Should we have outside counsel involved?
For Oracle, SAP and IBM audits — yes, from the first response. The audit is a legal process as much as a technical one, and the early commercial framing is often the most consequential.
What if the vendor escalates to litigation?
Vendor litigation on audit findings is rare — most vendors prefer commercial settlement to discovery. The threat of litigation is a negotiation tactic; the actual filing is uncommon and almost always preceded by extended commercial deterioration.

Audit notice in hand?
Get a defensive read in 72 hours.

Former vendor auditors on the bench. We run defence on Oracle LMS, Microsoft SAM, SAP and IBM audits across enterprises.

The Compliance Brief

Weekly compliance intelligence for IT leaders.