
Enterprise Software License Compliance Checklist 2026

Sixty-plus controls covering Oracle, SAP, Microsoft, IBM, and cloud platforms — the framework that keeps your licence position defensible year-round, not just in the 90 days before a vendor audit arrives.

March 2026 · 2,400 words · Audit Defence Cluster

Enterprise software licence compliance is one of those disciplines that organisations invest in after receiving an audit notification, not before. The pattern is consistent: a vendor sends a notification, the organisation scrambles to understand its position, and the outcome is substantially worse than it would have been had continuous compliance controls been in place. The audit notification triggers the work that should have been routine.

This checklist is structured around the controls that experienced licence management practitioners — many of them former vendor audit managers — use to maintain a continuously defensible compliance position. It covers the six major vendor environments that generate the overwhelming majority of enterprise audit risk: Oracle, SAP, Microsoft, IBM, cloud platforms, and the cross-vendor governance controls that apply regardless of vendor. For the complete audit defence framework, see our Software Audit Defence Guide. For a deeper understanding of what triggers audits in the first place, see what triggers a software audit.

Compliance Posture vs. Compliance Position: Posture is structural — the controls, processes, and governance that create compliance as an ongoing state. Position is point-in-time — what your compliance looks like at any given measurement date. Most organisations focus on position when an audit arrives and discover that posture problems — processes that were never implemented — mean their position is worse than it needed to be. This checklist addresses both.

How to Use This Checklist

This checklist is designed for quarterly self-assessment by IT, procurement, and legal teams responsible for software licence governance. Each section corresponds to a vendor environment or governance domain. Items marked as critical controls represent the minimum viable compliance posture; items marked as advanced controls represent the full standard for organisations with significant licence exposure in that vendor area.

The checklist will not tell you whether you are compliant — that requires measurement against your specific licence agreements. What it will tell you is whether your governance processes are structured to detect and manage compliance issues before they become audit findings, and whether your documentation is sufficient to defend your compliance position if a vendor audit arrives.

Oracle Compliance Controls

Oracle generates more audit exposure for enterprise organisations than any other software vendor, driven by the complexity of its processor-based licensing model, the aggressive application of virtualisation policies, and the scope of its audit programme. The controls below address the highest-risk areas: database licensing, Java SE, and Unlimited Licence Agreement management.

Oracle Database & Technology Licensing

  • Maintain a current inventory of all Oracle Database installations, including version, edition, and licensed processor count across all environments (production, development, test, DR)
  • Validate that virtualisation partitioning (VMware hard partitioning or approved Oracle partitioning technology) is correctly configured for all Oracle Database deployments on virtual infrastructure
  • Confirm that Oracle Database Options and Packs are actively disabled in default installations where they are not licensed — particularly Diagnostics Pack and Tuning Pack
  • Document the Processor Factor (0.5 for Intel/AMD, 1.0 for SPARC/Power) applied to each licensed server and confirm the factor in effect matches Oracle's current Processor Core Factor Table
  • Review all Oracle Database Standard Edition 2 deployments for socket count compliance (2-socket maximum per server licence)
  • Confirm that Oracle on AWS, Azure, or GCP deployments are licensed correctly — either through BYOL with appropriate count or through cloud-native Oracle licences that match deployed instances
  • Audit Oracle WebLogic Server deployments for options licensing compliance, particularly Coherence, SOA Suite, and OEM inclusions

Oracle Java SE

  • Maintain a complete inventory of all Java SE installations across all managed endpoints, servers, and containers — using automated discovery tooling
  • Confirm the Java SE version in production: Java 8 update 202 and below are free under legacy terms; Java 8 update 211 and above require a Java SE subscription under the 2019 BCL change
  • Identify all Oracle Java SE 17+ deployments and confirm Employee metric subscriptions or Named User Plus licences are in place at the correct organisational count
  • Review containerised Java deployments — Oracle licenses Java SE per container in most subscription models; confirm your licence count reflects container instances, not physical hosts
  • Document any exemptions from Oracle Java SE licensing (open-source OpenJDK builds, Eclipse Temurin, Amazon Corretto) and confirm these distributions are free of Oracle Java SE licensing obligations

Oracle ULA & Special Agreements

  • If you hold an active Oracle ULA, confirm the ULA term dates and certify that all ULA-covered products are correctly identified in the agreement schedule
  • Monitor deployment growth against ULA term to plan certification timing — certify early if growth has stabilised, certify late if growth is ongoing
  • Document all deployments under ULA-covered products precisely — the certification count locks your perpetual entitlement at term end
  • Confirm that products outside the ULA schedule are not being deployed without separate licence entitlement

SAP Compliance Controls

SAP audit risk has increased significantly following the introduction of the Digital Access licensing model and the ongoing indirect access enforcement programme. Organisations operating SAP ECC or S/4HANA with third-party integrations face material compliance risk that many have not quantified. See our dedicated SAP audit defence guide and the detailed SAP indirect access compliance guide for extended coverage of these issues.

SAP User Classification

  • Review the named user classification for all SAP users at least quarterly — ensure Professional, Limited Professional, Employee, and other user types reflect actual system usage
  • Identify inactive users (no login in 90+ days) and confirm they are deactivated or reclassified — inactive users still consume licence entitlement in SAP's measurement
  • Review indirect users — individuals who access SAP data via third-party applications (CRM, CPQ, portal, integration) — and confirm Digital Access licences are in place for document-generating integrations
  • Confirm that SAP System Measurement reports (USMM/SLAW) are run quarterly and outputs are retained

SAP Indirect Access & Digital Access

  • Map all third-party systems that read from or write to SAP via APIs, interfaces, or integration middleware
  • Identify which integrations generate SAP documents (sales orders, purchase orders, production orders, deliveries) — these require Digital Access licences under SAP's post-2018 model
  • Quantify document volumes for each document-generating integration to assess Digital Access exposure
  • Review the Digital Access Adoption Programme (DAAP) available for SAP ECC customers to convert indirect access exposure to named document licences at preferential pricing
  • Confirm RISE with SAP contracts include Digital Access terms that match your integration landscape

Microsoft Compliance Controls

Microsoft's licensing complexity has increased substantially with the transition to Microsoft 365, the proliferation of Teams-based products, and Azure's consumption model. The compliance risks are different in character from Oracle and SAP — less about deployment methodology and more about user assignment accuracy and cloud resource tracking. For detailed Microsoft coverage, see our Microsoft EA guide and the Microsoft SAM audit guide.

Microsoft 365 & Enterprise Agreement

  • Reconcile active Microsoft 365 user assignments against HR system headcount at least monthly — ghost accounts and departed employees consuming licences are the most common Microsoft compliance finding
  • Review Microsoft 365 subscription tier assignments — ensure users assigned E5 licences are actually using E5 features; downgrade to E3 where E5 features are unused
  • Confirm that Teams Premium, Copilot for Microsoft 365, and other add-on licences are assigned only to active users with the prerequisite base licence
  • Reconcile your Enterprise Agreement true-up count against actual deployed users at least 60 days before your annual true-up date
  • Review your NCE subscription terms — confirm auto-renewal dates and cancellation windows to avoid unwanted renewals at full price

Microsoft On-Premises & SQL Server

  • Maintain an inventory of all Windows Server licences and confirm Standard vs. Datacenter edition matches virtualisation usage (Datacenter required for unlimited VMs per licensed host)
  • Review SQL Server licensing across all environments — confirm Core-based licensing covers all cores on each licensed server, including virtual cores where soft partitioning is used
  • Validate Azure Hybrid Benefit elections are documented and supported by current Software Assurance coverage for all on-premises licences claimed under AHB
  • Confirm that SQL Server on Azure deployments are correctly licensed — either PAYG or BYOL with valid SA, and that the instance size matches the licence metric applied

IBM Compliance Controls

IBM's sub-capacity licensing programme — governed by ILMT (IBM License Metric Tool) deployment — is one of the most technically demanding compliance requirements in enterprise software. Organisations that are entitled to sub-capacity pricing but have not correctly deployed and operated ILMT are exposed to full-capacity pricing, an exposure on a scale comparable to Oracle's. See our dedicated IBM ILMT compliance guide for the technical deployment requirements.

IBM Sub-Capacity & ILMT

  • Confirm ILMT is deployed and configured correctly for all virtualised IBM software deployments — ILMT must be deployed before using sub-capacity pricing entitlement
  • Verify that ILMT scan frequency meets IBM's minimum requirement (software catalogue scans at least every 30 days)
  • Generate and retain ILMT audit snapshots quarterly — IBM requires snapshots retained for 2 years
  • Review the IBM software catalogue within ILMT to ensure all deployed IBM products are correctly identified and that the Product ID mapping is current
  • Identify any IBM software deployed outside ILMT scan scope (isolated networks, cloud instances, containers) and assess sub-capacity eligibility for those deployments
  • Confirm IBM Passport Advantage entitlement records are current and that licence part numbers in Passport Advantage match ILMT product IDs

Cloud Platform Compliance Controls

Cloud compliance risk has a different character from on-premises vendor compliance — the primary risk is not technical compliance violation but commercial over-commitment and under-utilisation against committed spend agreements. For detailed guidance, see our Cloud Contracts Guide and the enterprise FinOps framework.

Cloud Committed Spend & Reserved Capacity

  • Review AWS EDP (Enterprise Discount Programme) commitment pace monthly — confirm actual AWS spend is tracking to meet commitment without shortfall penalties
  • Audit AWS Reserved Instance and Savings Plan utilisation — unused reservations waste committed budget without reducing on-demand costs
  • Review Azure Hybrid Benefit utilisation across Azure compute — confirm the benefit is applied where eligible to maximise on-premises licence value in cloud
  • Confirm Google Cloud CUD (Committed Use Discount) coverage aligns with sustained workloads — over-commitment on volatile workloads creates stranded commitment
  • Review cloud marketplace purchases for BYOL licence compliance — software purchased through marketplace often has separate licence obligations from cloud consumption

Cross-Vendor Governance Controls

These controls apply regardless of vendor and represent the organisational infrastructure that makes vendor-specific compliance controls effective.

Critical Control

Software Asset Management

A continuously updated software asset inventory covering all managed endpoints, servers, and cloud instances is the foundation of all other compliance controls. Without it, vendor-specific controls cannot be operated reliably.

Important Control

Contract Repository

All software licence agreements, amendments, order forms, and related documents must be stored in a single accessible repository with version control. Many compliance failures trace back to teams operating on the wrong version of a contract.

Standard Control

Change Management Integration

Licence compliance should be a mandatory review gate in the change management process for any change that affects licensed software deployment — virtualisation changes, server migrations, M&A integrations.

Governance & Documentation Controls

  • Designate a named Software Asset Manager (or team) with clear accountability for licence compliance — compliance without ownership is compliance in name only
  • Maintain a centralised software licence register documenting: vendor, product, licence metric, quantity, agreement number, expiry date, and renewal date for every licence entitlement
  • Store all executed licence agreements, order forms, and amendments in a versioned document repository accessible to legal, procurement, and IT
  • Implement a licence review gate in the IT change management process — any change affecting licensed software deployment requires a licence impact assessment
  • Conduct a formal licence reconciliation for each major vendor environment at least annually, producing a documented compliance position report
  • Maintain an audit response protocol — a documented process for what happens when a vendor audit notification arrives, including designated contacts, legal counsel engagement, and communication governance
  • Brief the procurement team on vendor audit triggers so that contract negotiations, renewal discussions, and M&A activities do not inadvertently create audit risk
  • Confirm that any M&A integration activity includes a software licence due diligence workstream — acquired entities frequently carry undisclosed licence compliance exposure

Prioritising Your Compliance Programme

Not all compliance controls carry equal risk. The prioritisation framework below helps organisations focus effort where exposure is greatest.

Highest Priority (address immediately): Oracle Database virtualisation compliance, SAP indirect access and Digital Access exposure, IBM ILMT deployment and scan frequency, and software asset inventory completeness. These four areas generate the largest audit settlements in the market and are frequently undermanaged. Any organisation with material Oracle, SAP, or IBM spend that cannot confirm these controls are in place should engage advisory support before their next renewal cycle — renewals are the most common audit trigger.

Medium Priority (address this quarter): Microsoft 365 user reconciliation and true-up preparation, cloud committed spend tracking, contract repository completeness, and change management licence gates. These controls are operationally achievable with internal resources but require consistent process discipline to maintain.

Ongoing Maintenance: Governance documentation, audit response protocol, M&A licence due diligence, and annual formal compliance reconciliations. These are the structural controls that ensure point-in-time fixes become sustained compliance posture improvements.

Redress Compliance is the leading independent software licence advisory firm for enterprise compliance programme design and audit defence. Their practitioners — former Oracle LMS, SAP audit, and Microsoft licence managers — work exclusively for buyers to build compliance programmes that withstand vendor scrutiny. Our Vendor Audit Defence service includes full compliance programme assessment and remediation for organisations preparing for or currently managing audits. The Software Audit Preparation white paper provides the extended framework for organisations building or improving their compliance governance.

For the full audit response methodology, start with our Software Audit Defence Guide. To understand the specific triggers that put organisations in scope for vendor audits, see software audit triggers explained. For post-audit settlement strategy once an audit has concluded, see post-audit negotiation.
