A software audit is rarely a disaster and almost never an accident. It is a business process with a clear aim: the vendor wants to know whether your actual deployment matches the entitlements you have bought. This guide shows how to prepare, what to do when the letter lands, and how to negotiate a fair outcome at the end.

Illustration of preparing for a software audit
A software audit favours the company that knows its own numbers before anyone asks.

Why vendors audit at all

For many software companies an audit is a routine part of the business. It brings in revenue that is otherwise hard to reach: back-payments for usage that has grown over the years while nobody was counting the licences. That is not an accusation, just what happens in a growing company. New staff, an extra server, a test environment that quietly went into production. Each step looks harmless on its own. Together they open a gap.

Audits rarely land by chance. A common trigger is a merger, a visible growth spurt, a contract nearing its end, or simply the fact that you have not bought anything in a while. Once you see that, the whole thing feels less personal and you can approach it as a matter of numbers rather than blame.

Formal audit or soft review

Not every enquiry is an audit. Some arrive in a suit, others in a jumper. The aim is usually the same. What differs is the tone, the legal framing and what is ultimately at stake. Treat both with equal care, even when the second one sounds friendlier.

Formal audit and soft review compared
FeatureFormal auditSoft review
BasisThe audit clause, invoked directly"Advice", a true-up talk, a health check
ToneFormal, often with legal counselCollegial and helpful
ReviewerFrequently an external auditorThe vendor's account team or a partner
Data requestBroad, with deadlinesSeemingly casual, "just a few numbers"
OutcomeA report with a claim to settleAn offer to buy more or upgrade

The soft version is not harmless. The numbers you share in passing end up in the same calculation. So in both cases, share only what you have checked and can prove.

Tip

Set one firm internal rule: no inventory script, no screenshot and no usage figure leaves the building until a named person has signed it off. That protects you from off-the-cuff commitments made in a friendly phone call.

When the letter arrives

The first instinct is often the wrong one. Do not send data straight away, do not freeze in panic, and above all do not admit to anything nobody has checked yet. An audit letter is the start of a process you are allowed to shape. Take control of it.

Acknowledge receipt in a matter-of-fact way. Name a single point of contact through whom all communication runs. That stops different departments from giving conflicting answers. Get the right people around the table early: IT, procurement, legal and management. Then agree the scope. Which products, which period, which sites, which legal entities. Put it in writing before you deliver anything.

Not legal advice

This article is general guidance, not legal advice. Licence agreements, audit clauses and the applicable law differ from case to case. For a real audit, involve qualified legal and licensing advisers before you make any commitment or hand over data.

Entitlement versus deployment: your position

At the heart of every audit is a simple comparison. On one side sits your entitlement, everything you have lawfully bought and had transferred to you. On the other side sits your deployment, what is actually installed and in use. The difference is the result. Whoever draws up that sum before the auditor does holds the initiative.

Build the entitlement side from your records: purchase agreements, invoices, delivery notes, volume-agreement summaries, and for used software the transfer documentation. The deployment side comes from your inventory: installed products, editions, versions, user counts and how the software is used. If the two sides do not match, you want to know before the vendor does, not after.

Setting the entitlement side against the deployment side
Entitlement (what you own)Deployment (what you use)
Invoices and purchase agreementsSoftware installed per device
Volume agreement and order historyActive user accounts and assignments
Transfer proof for used licencesServers, cores and virtual instances
Edition and version rightsThe edition and version actually run
Maintenance and upgrade entitlementsAccess by third parties or other systems

Keeping proof and transfer records

In an audit, what you remember does not count. What you can prove does. An entitlement without paper is, in case of doubt, no entitlement at all. So it pays to put the chain of evidence in order early and keep it that way. Gather purchase records, contract copies and key lists in one place that several people can reach, not just the one colleague who happens to be on holiday.

For used software the transfer documentation is decisive. It shows that the licence reached you lawfully: the unbroken chain from the first owner, confirmation that the seller no longer uses the copy, and the related declarations. Buy cleanly and you hold that paper anyway. If you are unsure here, our guide to legally sound used software is a good place to start.

Key takeaways

  • An audit compares your entitlement with your actual deployment. Draw up that sum yourself before the auditor does.
  • Respond calmly: acknowledge receipt, name a contact, agree the scope, and only then deliver data.
  • Proof beats memory. Keep invoices, contracts and transfer records in order all the time, not just when trouble arrives.
  • The first claim is negotiable. Errors, offsets and used licences all bring the number down.

Common findings

Most audits surface the same patterns. Knowing them lets you steer against them long before any review is on the horizon.

Over-deployment. You use more than you bought. The classic, usually grown over years. Unclear entitlements. You may own the licences but cannot prove it cleanly, because records are missing or edition rights were never documented. Indirect use and multiplexing. One system reaches the software through a middle layer, such as a portal or an interface, and every user behind it still counts. This finding surprises many people, because the usage is not visible.

Common findings and how to prevent them
FindingCausePreventive measure
Over-deploymentGrowth without buying moreRegular entitlement-versus-deployment check
Unclear entitlementsMissing or scattered recordsA central, ordered chain of evidence
Indirect useAccess via portals and interfacesDocument data flows and access paths
Wrong editionA higher edition installed than licensedCheck installations against your rights
Unused licencesDeparted users, old projectsReclaim assignments and offset them

Reducing exposure with ongoing SAM

An audit catches nobody off guard who already knows their licences. That is exactly what software asset management delivers. It is not a one-off project but a quiet routine that keeps entitlement and deployment aligned over time. When you can say at any moment what you own and what is running, the audit loses its sting.

Getting started need not be a big effort. A clean inventory, an orderly place for records, and a fixed date on which the two sides are reconciled already go a long way. Our guide to software asset management shows how to set that up without tool overkill. As a welcome side effect, costs usually fall too, because unused licences become visible.

Responding and negotiating

If a report with a claim does arrive at the end, that is the start of a conversation, not a verdict. Check the findings line by line. Auditors work from assumptions, and assumptions contain errors. Double-counted installations, stale data, misattributed editions: every point you disprove brings the number down.

Then negotiate the rest. Offset unused entitlements against the gap. Negotiate penalties and back-dating, not just the bare licence price. And work out how to close a real gap most cheaply. Sometimes an upgrade makes sense, but often a legally transferred used licence covers the same need at a far lower price. If you want to keep the cost side in check, our guide to reducing software costs has more levers.

Audit readiness checklist

These points can be ticked off in quiet times. That is precisely when they are most valuable.

  • Every audit clause in your contracts read and understood
  • A current inventory of all installed software and users
  • Invoices, purchase agreements and key lists stored centrally
  • Transfer proof held for every used licence
  • Edition and version rights documented per product
  • Indirect access paths and interfaces recorded
  • A named point of contact and an internal response plan
  • Unused licences known and noted for offsetting
  • A fixed date for the regular entitlement-versus-deployment check
Before, during and after the audit
PhaseAimKey steps
BeforeBe readyKeep the inventory, order the records, know your position
DuringControl the processAgree the scope, deliver checked data, coordinate the team
AfterSettle fairlyCheck the findings, offset, negotiate the settlement

Frequently asked questions

Can a vendor simply audit my company?

Usually yes. Almost every licence agreement contains an audit clause that gives the vendor the right to verify compliance. Most clauses require reasonable notice and say the audit should not disrupt your operations. What is actually allowed is written in your contract. Read the clause before you reply.

What is the difference between a formal audit and a soft review?

A formal audit invokes the audit clause directly, often with an external auditor and a fixed process. A soft review arrives more gently, framed as licence advice or a true-up conversation. The goal is much the same: to find out whether you use more than you own. Treat both with the same care.

How quickly must I respond to an audit letter?

Promptly, but not in a rush. Acknowledge receipt, name a single point of contact and agree the scope. Do not hand over any data before the scope is confirmed in writing and you have checked internally what is actually deployed.

Can I negotiate an audit settlement?

Yes. The first number is rarely the last. Check the findings for errors, offset unused entitlements and negotiate penalties, back-dating and future terms. Legally transferred used licences can often close a gap for far less than short-notice new purchases.

Monogram of Carola Muschke, Director

Software-Kontor Cyprus Ltd
We trade in software licences and help companies stay calm in an audit: with clean proof, ordered entitlements and legally transferred used licences. Vendor-neutral, from Cyprus.