Software audits open with a compliance claim that runs 3 to 5 times the defensible figure, and a disciplined defense reduces the typical first demand by an average of 72 percent before any check is written. The gap between the opening number and the settlement is not luck. It is the product of who controls the measurement, which contractual metric is applied, and how the data reaches the vendor. This playbook sets out how software audits work in 2026, where the claims inflate, and the exact sequence that turns a seven-figure demand into a defensible number, across Oracle, IBM, SAP, Microsoft, and VMware by Broadcom.
What a software audit is
A software audit is a contractual review in which a vendor measures your actual deployment against what you are licensed to use and bills the difference. The right to audit sits in almost every enterprise license agreement, usually allowing the vendor to inspect once a year on written notice. What looks like a routine compliance check is in practice a sales motion: the audit team is measured on recovered revenue, and the opening finding is a negotiating position, not a verdict. Treating it as a factual judgment rather than an opening bid is the most expensive mistake a buyer can make.
The defense is not about hiding deployment or refusing cooperation. It is about insisting that the contract, the correct metric, and an independently verified measurement decide the number, rather than the vendor tooling and the vendor reading of the rules. Most buyers concede ground they never had to concede, because they assume the audit finding is authoritative. It is not. It is one party's computation under the reading that pays that party best, and it is open to challenge at every step. Our vendor audit defense practice exists to hold that line, alongside our software licensing advisory service.
Why vendors audit
Audits exist because they work. For a mature software vendor, license compliance is a predictable revenue stream that does not require selling anything new, and the cost of running an audit is small against the recoveries it produces. As perpetual license revenue flattens and vendors push customers toward subscription and cloud, the audit becomes a tool to accelerate that migration: a compliance finding is often resolved not with a cash payment but with a commitment to a larger subscription or a cloud contract the buyer had not planned to sign.
The economics favor the vendor heavily, which is why the practice is so widespread. An audit costs the vendor a few weeks of a compliance team and, where used, a third-party firm paid partly on recovery. Against that, a single mid-market finding can return hundreds of thousands of dollars and a multinational finding can run into eight figures. Because the marginal cost is low and the expected return is high, vendors audit a meaningful share of their installed base every year, and they return to the same accounts on a cycle. No buyer should assume a clean prior audit removes the risk of the next one.
This is why the timing of audits so often aligns with renewals, end-of-support deadlines, and the vendor fiscal year end. The audit is rarely about the past for its own sake. It is about reshaping the future contract. Recognizing that motive changes the response, because it means the settlement currency is negotiable and the goal is to convert an open-ended claim into a controlled commercial outcome on your terms.
The audit is a sales motion: Compliance teams are measured on recovered revenue, and findings are frequently settled with a subscription or cloud commitment rather than cash. The opening number is an anchor, not a verdict. Every audit response should treat the claim as the start of a commercial negotiation, not a bill to be paid.
Common audit triggers
Audits are rarely random. Vendors target accounts where the probability of a recovery is high, and a handful of signals raise that probability. The table sets out the triggers that most reliably precede an audit notice and what each one tells the vendor.
| Trigger | What the vendor infers | Typical vendor |
|---|---|---|
| Merger, acquisition, or divestiture | Entitlements no longer match the entity | Oracle, IBM, SAP |
| Rapid virtualization or cloud growth | Sub-capacity or hosting rules likely breached | Oracle, IBM |
| Lapsed or reduced support renewal | Shelf-ware or unlicensed continued use | IBM, SAP |
| Approaching end of support or end of life | Pressure point for migration | SAP ECC, VMware |
| Declining spend after years of growth | Account being optimized down | Microsoft, Oracle |
| Long gap since last review | Drift has accumulated | All major vendors |
The practical lesson is that the events most likely to trigger an audit are knowable in advance. A merger, a data-center virtualization program, or a support reduction should each prompt a self-assessment before the vendor acts, because the worst position is to learn your exposure from the audit notice. The notice mechanics themselves are covered in our audit notice period guide.
Anatomy of an audit
Most audits follow the same arc regardless of vendor. It opens with a formal notice citing the audit clause and naming a measurement period. The vendor then requests data, either through self-reported scripts, a deployment questionnaire, or a tool such as IBM License Metric Tool or Oracle measurement scripts. The vendor analyzes that data, issues a preliminary finding, and the parties enter a negotiation that ends in a settlement, a true-up purchase, or a new contract. Each stage has a different objective for the buyer, and the early stages matter most because they set the data the entire claim is built on.
The timeline runs longer than buyers expect, which is an advantage if used well. A typical enterprise audit takes four to nine months from notice to settlement, with the data-gathering and dispute phases consuming most of that time. That window is room to measure properly, build the technical case, and time the commercial close to a vendor period end. Buyers who treat the vendor deadline as immovable surrender that room; buyers who agree a realistic, documented schedule keep it. The single most important structural fact is that the buyer controls the input. The vendor cannot measure what it is not given access to, and the contract usually defines what access is owed.
A point worth holding onto is that the auditor is not a neutral referee. In many engagements the vendor uses a third-party accounting or advisory firm, paid in part on the size of the recovery, so the incentive structure points toward the largest defensible finding rather than the most accurate one. That does not make the auditor dishonest, but it does mean every assumption in the finding deserves scrutiny, because the default assumption is the one that pays. The buyer who understands this reads each line of the finding as a claim to be tested, not a fact to be accepted.
The first 30 days
The response in the first month determines the trajectory of the whole audit. The instinct to be helpful, to answer the friendly opening email with deployment numbers or a quick call, is the instinct to resist. Everything volunteered early becomes the anchor for the claim. The correct first moves are to acknowledge the notice formally, route all contact through a single controlled channel, and say nothing about scope or deployment until you have measured it yourself.
In parallel, the contract should be read closely to confirm what the audit clause actually permits: the notice period, the frequency cap, the scope limits, and any restriction on third-party auditors. Many audits reach beyond what the contract allows, and a calm insistence on the agreed terms narrows the exercise before it gains momentum. The table summarizes the right and wrong first response to each common opening move.
| Vendor opening move | Wrong response | Right response |
|---|---|---|
| Friendly compliance outreach | Share deployment data on a call | Acknowledge, route to one channel |
| Request to run vendor scripts | Run estate-wide immediately | Review scope against contract first |
| Aggressive measurement period | Accept it as stated | Confirm the contractual period |
| Deadline pressure | Rush a self-report | Agree a realistic, documented timeline |
Do not self-report: An informal number given to a vendor representative during a friendly call has anchored more claims than any audit script. Establish the facts through an independent measurement before any figure reaches the vendor, and route every contact through one controlled channel from the first notice.
Controlling the data
The audit is won or lost on the data. The vendor builds its claim from what you provide, so the discipline is to measure your own estate first, reconcile it to your entitlements, and provide only the data the contract requires in a form you have verified. Vendor tooling is built to surface the most expansive reading, counting installations that are inactive, environments that are non-production, and capacity that is available but unused. An independent measurement separates real exposure from tooling artifact before the vendor ever sees a number.
Three categories routinely inflate a raw measurement: non-production and disaster-recovery environments that may be licensed differently or not at all, decommissioned installs that the tool still detects, and capacity counted at full physical scope where a sub-capacity entitlement applies. Each is a defensible reduction, but only if it is identified and documented before the data is submitted. The settlement-stage detail is in our audit settlement negotiation guide.
This is where a mature software asset management capability pays for itself. An organization that already runs its own discovery, holds a reconciled entitlement record, and can produce a verified deployment position does not depend on the vendor tool at all. It arrives at the audit with its own numbers and forces the vendor to argue against verified data rather than building the claim unopposed. Where that capability does not yet exist, an independent advisor supplies it for the duration of the audit, which is the core of our vendor audit defense work.
Where claims inflate
Most of the dollar value in an audit claim comes from a small number of metric disputes, not from genuinely unlicensed use. The vendor applies the reading of the metric that maximizes the count, and that reading is contestable far more often than buyers assume. The table shows the inflation points that recur across vendors and the basis for disputing each.
| Inflation point | How the vendor counts | The dispute |
|---|---|---|
| Virtualization / sub-capacity | Full physical or cluster cores | Sub-capacity rights with valid measurement |
| Indirect or digital access | Every connected user or document | Contractual definition and real usage |
| Non-production environments | Same as production | Separate or exempt licensing terms |
| Named-user counts | Every account ever created | Active users only, deduplicated |
| Bundled or legacy metrics | Most expensive applicable metric | The metric the contract actually specifies |
Sub-capacity is the largest single dispute in capacity-licensed estates, which is why it dominates IBM and Oracle audits. A single virtualization dispute can swing a claim by an order of magnitude, because the difference between counting eight virtual cores and counting a sixty-four-core cluster is eightfold on that product alone. The detail for those vendors sits in our IBM audit defense and Oracle audit defense guides. The principle is constant: the vendor proposes the reading that pays best, and the contract, not the tool, decides which reading is correct.
One discipline underpins every metric dispute: document the basis for your reading at the time you make it. A sub-capacity position supported by dated measurement reports, a named-user count supported by an extract of active accounts, and a non-production exemption supported by the contract clause that grants it are each far stronger than the same argument asserted verbally during negotiation. The vendor will test every reduction, and the reductions that survive are the ones backed by evidence the buyer prepared before submitting anything.
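As an added illustration (not the playbook's own tooling), the reconciliation below applies the three reductions from the data-control section and the sub-capacity reading above to a constructed inventory of one hypothetical core-licensed product, and logs the documented basis for every host so the reductions can be evidenced rather than asserted. The hosts, the 24-core entitlement and the non-production/DR exemption clause are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Install:
    host: str
    product: str
    environment: str        # "prod", "non-prod" or "dr"
    decommissioned: bool    # host retired, but the tool still detects the binaries
    cluster_cores: int      # physical cores of the cluster the VM could run on
    vm_cores: int           # cores actually assigned to the VM
    subcap_report: bool     # dated sub-capacity measurement report on file

# Constructed sample estate for one hypothetical core-licensed product "DBX".
INVENTORY = [
    Install("db-prod-01", "DBX", "prod", False, 64, 8, True),
    Install("db-prod-02", "DBX", "prod", False, 64, 8, False),
    Install("db-dr-01", "DBX", "dr", False, 64, 8, True),
    Install("db-old-01", "DBX", "prod", True, 32, 4, True),
    Install("db-test-01", "DBX", "non-prod", False, 16, 4, True),
]
ENTITLED_CORES = {"DBX": 24}                # assumed entitlement record
EXEMPT_ENVS = {"DBX": {"non-prod", "dr"}}   # assumed contract exemption clause

def vendor_reading(inventory: List[Install]) -> Dict[str, int]:
    """Tooling default: every detected install, counted at full cluster capacity."""
    cores: Dict[str, int] = {}
    for i in inventory:
        cores[i.product] = cores.get(i.product, 0) + i.cluster_cores
    return cores

def defended_reading(inventory: List[Install], exempt_envs: Dict[str, Set[str]]
                     ) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Apply the three documented reductions and log the basis for each host."""
    cores: Dict[str, int] = {}
    basis_log: List[Tuple[str, str]] = []
    for i in inventory:
        if i.decommissioned:
            basis_log.append((i.host, "excluded: decommissioned host, tool artifact"))
            continue
        if i.environment in exempt_envs.get(i.product, set()):
            basis_log.append((i.host, f"excluded: {i.environment} exempt under contract"))
            continue
        if i.subcap_report:
            counted, basis = i.vm_cores, "sub-capacity, dated measurement report"
        else:
            counted, basis = i.cluster_cores, "no sub-capacity evidence, full cluster"
        basis_log.append((i.host, f"{counted} cores: {basis}"))
        cores[i.product] = cores.get(i.product, 0) + counted
    return cores, basis_log

def exposure(counted: Dict[str, int], entitled: Dict[str, int]) -> Dict[str, int]:
    """Cores above entitlement per product, floored at zero."""
    return {p: max(0, counted.get(p, 0) - entitled.get(p, 0)) for p in entitled}
```

Comparing `exposure(vendor_reading(INVENTORY), ENTITLED_CORES)` with the defended figure takes the constructed estate from 216 cores over entitlement to 48, while db-prod-02 stays counted at its full 64-core cluster because no measurement report exists for it, which is exactly the gap a vendor will exploit if the evidence is missing.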
Negotiating the settlement
Once the technical position is established, the audit becomes a commercial negotiation, and the buyer holds more cards than the opening number implies. The vendor wants a clean, fast resolution that books revenue and ideally advances a subscription or cloud commitment. The buyer can trade on that preference: a back-claim is often waived or sharply reduced in exchange for a forward commitment the buyer was willing to make anyway, which converts a punitive cash demand into planned future spend at a negotiated rate.
The strongest settlements separate the past from the future deliberately. Resolve the compliance gap at the lowest defensible figure, then negotiate any new purchase as its own deal on its own merits, rather than letting the vendor bundle a remediation and a sale into one number that obscures both. What the buyer should not concede is a penalty rate on the back-claim, a reset of the audit clock, or list-price treatment on the forward commitment. Timing the close to the vendor fiscal quarter end adds further room, because the same discount discipline that governs renewals governs audit settlements. The mechanics are in our audit settlement negotiation guide.
Contract and legal levers
The audit clause cuts both ways. It grants the vendor a right to inspect, but it also constrains how, how often, and how widely. Reasonable-notice provisions, business-hours limits, confidentiality of the findings, and restrictions on the use of third-party auditors are all enforceable and frequently overlooked. Where an audit overreaches its contractual scope, a measured insistence on the agreed terms, ideally through counsel, resets the exercise without escalating it.
Settlement terms deserve the same legal care as the original contract. A well-drafted settlement closes the specific period cleanly, releases the buyer from further claims on the audited products, and avoids language that resets the audit clock or commits to measurement methods that disadvantage the next review. The aim is not only a lower number but a clean line under the matter, so the same exposure cannot be reopened. Our licensing advisory team handles both the technical and the contractual side.
Vendor-by-vendor notes
The playbook is constant but the pressure points differ by vendor. The table summarizes where each major vendor concentrates its claims and the primary line of defense.
| Vendor | Primary claim driver | Primary defense |
|---|---|---|
| Oracle | Java per-employee, ULA scope, virtualization | Independent measurement, dispute the count |
| IBM | Sub-capacity without valid ILMT | Clean ILMT reports, reconcile entitlement |
| SAP | Indirect and digital access | Document definition, real usage |
| Microsoft | Named-user and SA true-ups | Active-user counts, deployment evidence |
| VMware by Broadcom | Core counts after repackaging | Validated host inventory, edition right-sizing |
Each vendor practice on this site goes deeper: Oracle audit defense, IBM audit defense, and VMware audit defense. The common thread is that the largest claims rest on a metric reading, and the metric reading is where the defense lives.
Preventing the next audit
The best audit defense is the work done before the notice arrives. An organization that measures its own deployment continuously, reconciles it to entitlement, and resolves drift as it appears removes the recovery opportunity that makes it a target. That posture also turns the audit itself into a formality, because the buyer already holds the verified numbers the vendor is trying to establish. Continuous measurement, a current entitlement record, and disciplined change control around mergers, virtualization, and support reductions are the controls that matter.
Prevention also means treating every major change as a licensing event. A virtualization program, a cloud migration, a divestiture, or a support reduction each shifts the compliance position, and each should trigger a self-assessment rather than a discovery at audit. The events that trigger audits, listed above, are the same events that should trigger a proactive review. The organizations that are never surprised by an audit are the ones that treat compliance as a continuous discipline rather than an event, holding a reconciled position they could defend on any given day, so the vendor notice changes nothing about what they already know.
The action plan
For any organization facing or anticipating a software audit in 2026, the sequence is consistent. On notice, acknowledge formally, route contact to one channel, and say nothing about scope until you have measured. Measure independently before the vendor does, separating real exposure from tooling artifact. Dispute the metric where the contract supports a narrower reading, because that is where the value sits. Negotiate the past and the future as separate deals, and close the settlement with a clean release. Then build the continuous measurement that makes the next audit a non-event.
Done in order, these steps are what turn an opening demand into a settlement 72 percent lower. Start with the stage you are in: the notice period, settlement negotiation, or vendor-specific defense for Oracle, IBM, and VMware by Broadcom. For engagement help, our vendor audit defense service runs the whole sequence for you.