A self-declaration is a vendor request for you to report your own usage, while a formal audit is the vendor exercising a contractual right to verify it, and the difference decides what you must hand over: a self-declaration obliges only an honest count, while a formal audit can compel scripts, system access, and a defined verification process. Vendors blur the two on purpose, because a self-declaration that feels like an audit gets the cooperation of an audit without the vendor having to invoke its audit clause. Knowing which one is actually on the table is the first and most valuable move a buyer makes, because it sets the floor and the ceiling on everything that follows.
This guide separates the two clearly: the rights behind each, what the vendor can and cannot demand, and how to respond to protect your position. It is the entry point to the wider software audit defense guide, and it assumes the single most important piece of preparation, your own effective license position, is either in hand or being built before you answer anything.
What each one actually is
A self-declaration, sometimes called a self-assessment or a true-up declaration, is a request that you measure your own deployment and report it. The vendor supplies a template or a questionnaire, you complete it, and the vendor uses your numbers to issue a true-up or to confirm compliance. The obligation is to answer truthfully and completely; the vendor is relying on your measurement, not running its own.
A formal audit is the vendor invoking the audit clause in your agreement, which grants a defined right to verify your usage directly, often through measurement scripts, system inspection, or a third-party auditor acting on the vendor's behalf. The audit clause sets the rules: notice period, scope, frequency, who bears cost, and what access you must provide. A formal audit is a contractual process with contractual limits, and those limits are your protection.
The rights behind each request
The two requests sit on different legal footings, and the table makes the practical difference concrete. Read your own audit clause alongside it, because the clause, not the vendor's cover letter, defines what you owe.
| Dimension | Self-declaration | Formal audit |
|---|---|---|
| Basis | Vendor request, your cooperation | Contractual audit clause |
| Who measures | You, with your own tools | Vendor or its appointed auditor |
| System access | Not required | As the clause defines, often scripts or inspection |
| Scope control | Largely yours | Bounded by the clause, contestable |
| Notice and timing | Flexible, negotiable | Set by the clause, usually 30 to 45 days' notice |
| Cost of process | Yours, minimal | Often split per the clause; auditor cost may shift on findings |
| Refusal consequence | Relationship and renewal pressure | Potential breach of contract |
Never let a self-declaration become an audit by accident. If a vendor sends a self-declaration template but then asks to run measurement scripts or inspect systems, it is reaching for audit rights without invoking the audit clause. Ask directly, in writing, whether the vendor is invoking its audit right. If it is not, the scripts are a request you can decline; if it is, the clause and its limits now apply, which is to your advantage.
How to respond to a self-declaration
The discipline for a self-declaration is to control the measurement before you report it. Because you are the one counting, you decide the method, and an accurate, defensible method is your protection against a later dispute. Build your effective license position first, reconcile it against the vendor's metric definitions exactly as written, and resolve every ambiguity in the count before it goes on the template. A figure you cannot defend later is worse than no figure at all.
Two areas demand extra care because they convert a routine declaration into a large claim. The first is indirect or digital access, where systems or users reach the licensed software through an interface rather than directly, an exposure we detail in indirect access risk. The second is non-production and disaster-recovery environments, which many buyers assume are free and many contracts say are not. Get both right in the declaration, because a vendor that finds them wrong afterward treats an honest mistake as a compliance gap.
How to respond to a formal audit
A formal audit is a process to be managed within its own rules, and the rules are mostly in your favor if you hold the vendor to them. Confirm in writing that the audit clause is being invoked and read the clause for its limits: the scope it permits, the notice it requires, the frequency it allows, and the access it actually grants. Vendors and their auditors routinely request more than the clause provides, and a polite, documented insistence on the clause's actual scope is the single most effective control there is.
Run the audit through one channel, give the auditor only what the clause requires and only after your own team has reviewed it, and produce your own effective license position in parallel so you can test every vendor finding against an independent number. The vendor's first assertion is an opening position, not a verdict; reconciling it line by line against your own count is how the average claim falls by the margin our vendor audit defense practice consistently sees. The full sequence, from notice to settlement, is in the software audit defense guide.
Prevention beats both
The best response to either request is to have made it routine in advance. A standing license compliance program means a self-declaration is a report you can produce in days from data you already trust, and a formal audit is a process you enter with your own number already built. Both stop being events and become exercises. The buyers who fear these requests are the ones who have never measured themselves; the buyers who handle them calmly are the ones who measure themselves every quarter and know their position before anyone asks for it.
What triggers each request
Neither request is random, and reading the trigger tells you how to respond. A self-declaration often arrives on a schedule tied to a contract anniversary or a true-up clause, or as a soft first step a vendor takes before deciding whether a formal audit is worth the cost. A formal audit is more often triggered by a signal: a sharp change in your deployment, a merger or divestiture, the end of a discount period, a lapsed renewal, or a buyer who has signaled moving to third-party support or a competing product. The trigger is information, because it tells you what the vendor already believes about your account.
The timing of a request is itself a signal worth reading. A measurement request that lands in the middle of a renewal negotiation is rarely a coincidence; it is a way to apply pressure while a commercial deal is open. Recognizing that connection changes the response from a purely technical exercise into a commercial one, handled by the team that owns the negotiation rather than only by the team that owns the data. The request and the renewal are one conversation, and treating them as two is how buyers concede on price to make a compliance question go away.
Mistakes that enlarge a claim
The mistakes that turn a manageable request into a large claim are consistent. Answering fast, before building your own number, hands the vendor the first and only figure on the table. Over-sharing, giving an auditor more data or system access than the clause requires, expands the scope the vendor can examine. Treating a self-declaration as casual, and reporting an estimate you cannot defend, converts an honest error into an apparent compliance gap when the vendor checks. And conceding indirect or non-production usage you were never actually obliged to license adds cost the contract never required.
The discipline that avoids all of these is to slow down, build your own effective license position first, and respond only through one controlled channel with only what the request actually compels. A measured response that reconciles every vendor assertion against an independent number is what reduces a claim, and it is the core of what a structured audit defense delivers. The buyers who get hurt are the ones who treat the request as an administrative chore; the buyers who do well treat it as the negotiation it actually is.
After the request closes
How a request ends matters as much as how it is handled, because the close sets up the next one. A self-declaration that resolves should leave you with a documented, defensible position statement you can reuse, so the next declaration is a refresh rather than a fresh fire drill. A formal audit that settles should produce a clear written record of what was examined, what was found, and what was agreed, so a future auditor cannot reopen the same ground and so any remediation you committed to is bounded and tracked. The close is the moment to convert a stressful event into reusable preparation for the next cycle.
The close is also a negotiation opportunity most buyers miss. A vendor that has just completed an audit or accepted a declaration is often willing to fold any remediation into a forward-looking commercial deal, trading a compliance gap for additional subscription or a renewal commitment on better terms than a standalone purchase would carry. Reading the close as the opening of a commercial conversation, rather than the end of a compliance one, is how a defensive exercise becomes a deal that improves your position rather than simply restoring it. The buyers who do this turn the audit they feared into the renewal they wanted.
Across both kinds of request, one principle holds: the buyer who has measured itself in advance controls the conversation, and the buyer who has not is controlled by it. An effective license position built and refreshed on a standing schedule means a self-declaration is a report you produce in days and a formal audit is a process you enter with your own number already in hand. The cost of that preparation is small and the return is large, because it converts the most stressful events in software licensing into routine exercises. The firms that handle vendor measurement calmly are not the ones with the cleanest contracts; they are the ones that always know their own position before anyone asks for it.
One more decision sits behind all of this: whether the request is connected to a support or renewal dispute, because a vendor sometimes uses a declaration or audit as pressure in a stalled commercial talk, including after a buyer has signaled moving to third-party support, a dynamic we cover in dropping vendor support risks. Reading the request in its commercial context, not just its compliance context, is what turns a defensive exercise into a negotiated outcome. When a request lands, our software licensing advisory and audit-defense teams classify it, hold the scope, and build the number with you.