A software audit is rarely a disaster and almost never an accident. It is a business process with a clear aim: the vendor wants to know whether your actual deployment matches the entitlements you have bought. This guide shows how to prepare, what to do when the letter lands, and how to negotiate a fair outcome at the end.
Why vendors audit at all
For many software companies an audit is a routine part of the business. It brings in revenue that is otherwise hard to reach: back-payments for usage that has grown over the years while nobody was counting the licences. That is not an accusation, just what happens in a growing company. New staff, an extra server, a test environment that quietly went into production. Each step looks harmless on its own. Together they open a gap.
Audits rarely land by chance. A common trigger is a merger, a visible growth spurt, a contract nearing its end, or simply the fact that you have not bought anything in a while. Once you see that, the whole thing feels less personal and you can approach it as a matter of numbers rather than blame.
Formal audit or soft review
Not every enquiry is an audit. Some arrive in a suit, others in a jumper. The aim is usually the same. What differs is the tone, the legal framing and what is ultimately at stake. Treat both with equal care, even when the second one sounds friendlier.
| Feature | Formal audit | Soft review |
|---|---|---|
| Basis | The audit clause, invoked directly | "Advice", a true-up talk, a health check |
| Tone | Formal, often with legal counsel | Collegial and helpful |
| Reviewer | Frequently an external auditor | The vendor's account team or a partner |
| Data request | Broad, with deadlines | Seemingly casual, "just a few numbers" |
| Outcome | A report with a claim to settle | An offer to buy more or upgrade |
The soft version is not harmless. The numbers you share in passing end up in the same calculation. So in both cases, share only what you have checked and can prove.
Tip
Set one firm internal rule: no inventory script, no screenshot and no usage figure leaves the building until a named person has signed it off. That protects you from off-the-cuff commitments made in a friendly phone call.
When the letter arrives
The first instinct is often the wrong one. Do not send data straight away, do not freeze in panic, and above all do not admit to anything nobody has checked yet. An audit letter is the start of a process you are allowed to shape. Take control of it.
Acknowledge receipt in a matter-of-fact way. Name a single point of contact through whom all communication runs. That stops different departments from giving conflicting answers. Get the right people around the table early: IT, procurement, legal and management. Then agree the scope. Which products, which period, which sites, which legal entities. Put it in writing before you deliver anything.
Not legal advice
This article is general guidance, not legal advice. Licence agreements, audit clauses and the applicable law differ from case to case. For a real audit, involve qualified legal and licensing advisers before you make any commitment or hand over data.
Entitlement versus deployment: your position
At the heart of every audit is a simple comparison. On one side sits your entitlement, everything you have lawfully bought and had transferred to you. On the other side sits your deployment, what is actually installed and in use. The difference is the result. Whoever draws up that sum before the auditor does holds the initiative.
Build the entitlement side from your records: purchase agreements, invoices, delivery notes, volume-agreement summaries, and for used software the transfer documentation. The deployment side comes from your inventory: installed products, editions, versions, user counts and how the software is used. If the two sides do not match, you want to know before the vendor does, not after.
| Entitlement (what you own) | Deployment (what you use) |
|---|---|
| Invoices and purchase agreements | Software installed per device |
| Volume agreement and order history | Active user accounts and assignments |
| Transfer proof for used licences | Servers, cores and virtual instances |
| Edition and version rights | The edition and version actually run |
| Maintenance and upgrade entitlements | Access by third parties or other systems |
Keeping proof and transfer records
In an audit, what you remember does not count. What you can prove does. An entitlement without paper is, in case of doubt, no entitlement at all. So it pays to put the chain of evidence in order early and keep it that way. Gather purchase records, contract copies and key lists in one place that several people can reach, not just the one colleague who happens to be on holiday.
For used software the transfer documentation is decisive. It shows that the licence reached you lawfully: the unbroken chain from the first owner, confirmation that the seller no longer uses the copy, and the related declarations. Buy cleanly and you hold that paper anyway. If you are unsure here, our guide to legally sound used software is a good place to start.
Key takeaways
- An audit compares your entitlement with your actual deployment. Draw up that sum yourself before the auditor does.
- Respond calmly: acknowledge receipt, name a contact, agree the scope, and only then deliver data.
- Proof beats memory. Keep invoices, contracts and transfer records in order all the time, not just when trouble arrives.
- The first claim is negotiable. Errors, offsets and used licences all bring the number down.
Common findings
Most audits surface the same patterns. Knowing them lets you steer against them long before any review is on the horizon.
Over-deployment. You use more than you bought. The classic, usually grown over years. Unclear entitlements. You may own the licences but cannot prove it cleanly, because records are missing or edition rights were never documented. Indirect use and multiplexing. One system reaches the software through a middle layer, such as a portal or an interface, and every user behind it still counts. This finding surprises many people, because the usage is not visible.
| Finding | Cause | Preventive measure |
|---|---|---|
| Over-deployment | Growth without buying more | Regular entitlement-versus-deployment check |
| Unclear entitlements | Missing or scattered records | A central, ordered chain of evidence |
| Indirect use | Access via portals and interfaces | Document data flows and access paths |
| Wrong edition | A higher edition installed than licensed | Check installations against your rights |
| Unused licences | Departed users, old projects | Reclaim assignments and offset them |
Reducing exposure with ongoing SAM
An audit catches nobody off guard who already knows their licences. That is exactly what software asset management delivers. It is not a one-off project but a quiet routine that keeps entitlement and deployment aligned over time. When you can say at any moment what you own and what is running, the audit loses its sting.
Getting started need not be a big effort. A clean inventory, an orderly place for records, and a fixed date on which the two sides are reconciled already go a long way. Our guide to software asset management shows how to set that up without tool overkill. As a welcome side effect, costs usually fall too, because unused licences become visible.
Responding and negotiating
If a report with a claim does arrive at the end, that is the start of a conversation, not a verdict. Check the findings line by line. Auditors work from assumptions, and assumptions contain errors. Double-counted installations, stale data, misattributed editions: every point you disprove brings the number down.
Then negotiate the rest. Offset unused entitlements against the gap. Negotiate penalties and back-dating, not just the bare licence price. And work out how to close a real gap most cheaply. Sometimes an upgrade makes sense, but often a legally transferred used licence covers the same need at a far lower price. If you want to keep the cost side in check, our guide to reducing software costs has more levers.
Audit readiness checklist
These points can be ticked off in quiet times. That is precisely when they are most valuable.
- Every audit clause in your contracts read and understood
- A current inventory of all installed software and users
- Invoices, purchase agreements and key lists stored centrally
- Transfer proof held for every used licence
- Edition and version rights documented per product
- Indirect access paths and interfaces recorded
- A named point of contact and an internal response plan
- Unused licences known and noted for offsetting
- A fixed date for the regular entitlement-versus-deployment check
| Phase | Aim | Key steps |
|---|---|---|
| Before | Be ready | Keep the inventory, order the records, know your position |
| During | Control the process | Agree the scope, deliver checked data, coordinate the team |
| After | Settle fairly | Check the findings, offset, negotiate the settlement |
Frequently asked questions
Can a vendor simply audit my company?
Usually yes. Almost every licence agreement contains an audit clause that gives the vendor the right to verify compliance. Most clauses require reasonable notice and say the audit should not disrupt your operations. What is actually allowed is written in your contract. Read the clause before you reply.
What is the difference between a formal audit and a soft review?
A formal audit invokes the audit clause directly, often with an external auditor and a fixed process. A soft review arrives more gently, framed as licence advice or a true-up conversation. The goal is much the same: to find out whether you use more than you own. Treat both with the same care.
How quickly must I respond to an audit letter?
Promptly, but not in a rush. Acknowledge receipt, name a single point of contact and agree the scope. Do not hand over any data before the scope is confirmed in writing and you have checked internally what is actually deployed.
Can I negotiate an audit settlement?
Yes. The first number is rarely the last. Check the findings for errors, offset unused entitlements and negotiate penalties, back-dating and future terms. Legally transferred used licences can often close a gap for far less than short-notice new purchases.