A software audit is a revenue motion, not a neutral compliance check. This report reads how often the major vendors audit, what the settlements actually cost, what sets them off, and the buyer side defense that begins long before the letter arrives.
This report is a directional benchmark, not a price list. Every number is a defensible band drawn from real engagements and public sources. Where a single figure appears, read it as the middle of a range, not a guarantee.
The reason for bands is simple. Audit outcomes vary widely with estate size, contract terms, timing, and leverage. A precise single number would imply a certainty that no honest advisor can offer.
What sits behind the numbers in this report
| Input | What it is | How we use it |
|---|---|---|
| Advisory engagement file | Audits, renewals, and negotiations we supported across more than five hundred enterprise clients | Read as anonymized, aggregated ranges |
| Public vendor programs | The on the record audit and verification programs each vendor publishes | Cited in full through the report |
| Benchmarking panel | A rolling set of comparable enterprise contracts and settlements | Used to separate opening claims from realized cost |
Treat the bands as planning ranges for budgeting and risk, not as quotes. Your own number depends on what you own, what you deploy, and how early you prepare. The point of the report is the pattern, not the decimal.
We treat the audit as a sales motion because that is how the vendor runs it. The teams that scope, analyze, and settle an audit report into the same organization that owns the renewal. The finding is the opening move in a sale, and the report treats it that way throughout.
We keep that lens consistent across every section. When you read a frequency band, a cost band, or a trigger, ask what commercial outcome it serves the vendor. That question explains the behavior more reliably than any compliance rationale.
Most large enterprises face a formal audit or license review every 3 to 5 years from at least one major vendor. Across a full portfolio of Oracle, IBM, Microsoft, and SAP, the practical answer is almost every year somewhere in the estate.
Frequency is not random. It clusters around the vendors with the most complex metrics and the most to gain. Oracle License Management Services and the IBM License Metric Tool programs are the two most active engines we see.
Oracle and IBM lead by a clear margin in our engagement data. Microsoft and SAP follow, usually through a partner led software asset management engagement rather than a blunt legal demand. Salesforce and the hyperscalers rarely run a classic license audit.
The ranking is stable across years, not a single snapshot. The vendors with the most complex metrics audit most, because complexity is where unlicensed use hides and where a claim is easiest to build.
Industry matters too. A heavily regulated, Oracle and IBM dominated estate sees more activity than a cloud native company of the same size. Weight your readiness toward the vendors and sectors that draw the most attention.
Plan for at least one formal interaction every 3 to 5 years per major vendor. The interval shortens sharply where you run high value options, complex virtualization, or have recently acquired another business.
The right mental model is a rolling calendar, not a rare event. If you own four major vendors, you should assume one is reviewing you in any given year, and resource your readiness accordingly.
Map each major vendor to a likely review window and a named owner. Treating the cadence as predictable removes the panic premium that vendors rely on when a letter lands without warning.
Run a light annual self review on each major vendor between formal audits. The estate that checks itself rarely fears the letter, because the gaps are already known and already closing.
There is no single number, only a band set by your baseline and your posture. The cost is decided in the negotiation that follows the finding, not by the finding itself.
In our engagements, opening claims commonly ran 2 to 4 times the figure the matter eventually settled at. Defended early, buyers settled at roughly 30 to 50 percent of the opening claim.
A settled audit is rarely a single cheque. It is usually a blend of a forward purchase, a renewal commitment, and a quiet reset of terms. The headline penalty is often the smallest part.
Shortfalls are valued at list price by default, then loaded with back support. Both assumptions are negotiable. No real purchase happens at list, and back support on licenses you were not using is a weak claim.
Insist any genuine shortfall is priced at the discount you would secure on a normal purchase of the same size. The difference between list and your real rate is often the largest single reduction in the settlement.
The cash settlement is only part of the bill. Internal time, legal review, and the distraction of senior staff are real costs that a prepared baseline reduces. Panic is expensive long before any money changes hands.
A simple example shows the spread. An opening claim near twenty percent of annual license spend, defended with a clean baseline, commonly lands closer to seven. The work that closes that gap costs a fraction of the difference.
The opening claim is a position, not a measurement. It is scoped to the largest defensible reading of the contract and the broadest interpretation of deployment. Each of those readings can be contested with evidence.
Each inflated layer deflates against the right evidence. A defensible deployment measurement removes the phantom systems. The contract removes the wrong metric reading. A credible alternative removes the list price assumption.
This is why the gap is the negotiation, not an accounting fact. The buyer who can evidence each line controls how far the number falls.
Expect the first draft to read as the worst plausible case. That is its job. Treat it as the opening bid, document your counter for each line, and the headline number rarely survives contact with evidence.
Audits cluster around predictable events. A lapsed true up, a merger, a sharp change in spend, a virtualization shift, or an approaching renewal all raise the odds. Vendors audit when leverage is highest.
Common audit triggers by vendor
| Vendor | Common trigger | What it signals to the vendor |
|---|---|---|
| Oracle | Virtualization change, Java use, dropped support | Likely unlicensed cores or new Java subscription exposure |
| Microsoft | Cloud migration, headcount growth, lapsed true up | Gap between deployed and reported user counts |
| SAP | Indirect access, S/4HANA conversion, named user drift | Digital access exposure and misclassified user types |
| IBM | Sub capacity reporting gaps, missing metric tool data | Full capacity charging risk on the affected servers |
Some triggers are inside your control and some are not. A merger or a public earnings miss is visible to every account team. A lapsed true up or a stale entitlement record is avoidable with discipline.
You cannot stop a vendor from auditing, but you can remove the easy reasons. Keep license records current, file every required report on time, and resolve known gaps on your own terms before a letter forces the question.
One quiet trigger is worth naming: a happy renewal. Vendors often open a review just as a large renewal approaches, because a live compliance question is the most reliable way to raise the renewal number.
Mergers deserve their own watch. When two estates combine, entitlements rarely transfer cleanly, and the gap between the merged deployment and the surviving contracts is a classic, well understood audit opening.
An audit follows a familiar arc. It opens with a friendly notice, moves to data collection, produces a draft finding, and ends in a commercial negotiation. The friendly tone is part of the method.
The goal is rarely the penalty. It is a larger forward commitment, a cloud migration, or a subscription conversion booked under time pressure. The finding is the lever that moves the renewal.
This is why the audit and the renewal should never be negotiated as separate events. The vendor treats them as one motion, and so should the buyer.
A soft review is framed as help. A formal audit is framed as a right. The data they collect and the leverage they create are often the same, which is exactly why the soft version is so effective.
A soft review arrives as a free assessment, a health check, or an optimization workshop. It feels cooperative, carries no legal language, and asks for data outside any contractual scope. The findings still feed the renewal.
A formal audit cites the contract, sets a notice period, and follows the clause. It is more adversarial in tone but more bounded in scope. The formal version is often easier to control because the limits are written down.
Many audits are run by a third party on the vendor's behalf, not by the vendor directly. The auditor is paid to find exposure, so the incentive points toward the largest defensible finding.
A third party auditor is independent in name, but the engagement is funded by the vendor and scoped to its metrics. Treat the analysis as a vendor position to be tested, not as a neutral fact.
Your reseller is not your advocate in an audit. The reseller earns on the resale that resolves the finding, so its interest aligns with the vendor at the moment you most need an independent view.
The practical test is simple. If a vendor offers free help that requires data the contract does not cover, treat it as an audit in friendly clothing and respond with the same discipline.
The first response sets the tone for the whole process. Slow down, acknowledge the letter, and do not send any data until the scope and the clause are clear. Speed favors the vendor.
Above all, resist the urge to look helpful by moving fast. The vendor reads speed as either panic or inexperience, and prices accordingly. A measured, contractual reply signals a buyer who will be expensive to push.
A disciplined response gives the vendor exactly what the contract requires, validated against your own baseline first, and nothing more. Every figure you submit should be one you can defend.
Vendor data requests are routinely broader than the audit clause allows. Map each request to a contractual basis. Where there is none, ask the vendor to cite the clause that requires it.
The widest data requests ask for things the contract never mentions. Recognize the traps and answer only what the clause requires.
Whoever controls the data controls the finding. Raw, unvalidated exports let the vendor scope the largest possible claim. A measured, evidenced response anchors the number to reality from the first exchange.
Document what you send and when. A clean record of every exchange protects you if the vendor later widens the scope or revisits a settled point. The audit file you keep is part of the defense.
A defense baseline is your own independent measurement of what you own and what you deploy. It exists before any vendor claim, so you negotiate against evidence rather than against the vendor numbers alone.
Start with the two or three vendors most likely to audit and work outward. Reconcile entitlements to deployment, document the gaps you find, and decide your position on each one while there is no clock running.
The vendor's own licensing terms are the reference point, not the account team email. A baseline built on the contract holds up; a baseline built on goodwill does not.
Good tooling helps, but it is not the baseline. Discovery and asset management tools measure deployment; only your contracts define entitlement. The baseline is the reconciliation of the two, owned by a person, not a dashboard.
A first baseline for one major vendor typically takes a few weeks, not months, once the contracts and discovery data are in hand. The second is faster, because the method and the templates already exist.
You negotiate down by contesting each layer of the claim with evidence and by linking the settlement to a renewal you would have signed anyway. The two together reset the number.
Most audit settlements take one of a few shapes. Knowing them helps you steer toward the one that serves you.
Stay cooperative and factual, never combative. The aim is a defensible commercial outcome, not a fight. A calm buyer with evidence is far harder to move than an angry one without it.
Use silence and time as tools. A vendor under quarter end pressure will improve an offer to close, while a buyer who must settle today has given away the strongest lever before the talks begin.
Evidence wins when it is contemporaneous, contractual, and reconciled. A vendor claim built on assumptions falls fast against records that show what you bought, what you deployed, and what the contract actually says.
Vendor findings often rest on default assumptions: list pricing, full capacity, and the widest metric reading. Each assumption is a place where your records, not theirs, decide the number. Name the assumption and the burden shifts.
Keep the burden where it belongs. The vendor asserts the shortfall, so the vendor should evidence it. A buyer who quietly accepts that duty ends up proving a negative, which is slow, expensive, and unnecessary.
The standard advice is to cooperate fully and quickly with an audit to show good faith. We disagree as a default. In the audits we have defended, full early cooperation hands the vendor the raw data to scope the largest possible finding, while a measured response anchored to the buyer's own baseline settles far lower. Good faith does not require surrendering scope, methodology, or pace. The buyer side move is to cooperate within the contract, control the data, validate every claim against an independent baseline, and treat the audit as the sales motion it is, not as a neutral compliance check.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
An audit is not the moment the bill is decided. It is the moment the vendor discovers how ready you were to decide it yourself.
Each major vendor audits around a different soft spot. Knowing the soft spot tells you where to harden your baseline first.
Oracle risk concentrates in database options, virtualization counting, and Java. Partitioning rules and the Java subscription model turn ordinary infrastructure decisions into license exposure if the deployment is not measured carefully.
Java is the newer pressure point. The shift to an employee based subscription means an unmanaged install base can produce a claim sized to total headcount, not to actual use. Measure and contain Java first.
IBM risk lives in sub capacity reporting. Missing or late metric tool data can flip a server from sub capacity to full capacity charging, which is the single most expensive IBM finding we see.
The fix is unglamorous: keep the metric tool current and the reports filed. Most expensive IBM findings trace back to a reporting gap, not to genuine over deployment.
Microsoft risk is usually a counting gap between deployed and reported users, surfaced through an asset management review. Cloud migration and headcount change are the usual triggers behind it.
SAP risk centers on indirect or digital access and on named user classification. Both are high value and both are contestable with a clear, evidenced position on how systems actually connect.
Broadcom risk centers on the subscription transition. Entitlement disputes over the new bundles, and reviews tied to the move off perpetual licenses, are the pattern we see most since the acquisition reset the model.
Cloud and subscription models do not remove audit risk; they reshape it. The exposure moves from unlicensed installs to overage, minimum commitments, and entitlement disputes.
Hyperscaler agreements rarely trigger a formal license audit, but commitment shortfall reviews and marketplace pass through disputes do the same commercial work. Read the commitment as carefully as you would read an audit clause.
For a large enterprise, audits do not arrive one at a time. A typical year sees one formal audit, one soft review, and several consumption checks running in parallel across different vendors.
The risk in a busy year is that each event is handled separately, with no shared baseline and no shared owner. The same data gets rebuilt three times, and each vendor sees a different, weaker version of your position.
Handled together, a busy audit year becomes a source of leverage rather than a series of fire drills. A vendor that knows you are disciplined across the estate scopes its claim more carefully from the start.
There is a quiet benefit too. A reputation for disciplined, evidence led responses travels between vendor account teams, and the next review tends to open with a more realistic number.
The expensive mistakes are almost always procedural, not technical. They happen in the first weeks, before anyone has looked at the numbers.
Every one of these errors gives away control of either the data or the timeline. The fix is the same in each case: one owner, a baseline, and a measured pace anchored to the contract.
None of these mistakes requires bad luck. They require only a fast, well meaning, uncoordinated response, which is the default in an organization that has not rehearsed. Rehearsal is the cheapest insurance available.
Budget for audit risk the way you budget for any recurring contingency: as a planned reserve sized to your exposure, not as a surprise charge each time a letter arrives.
Anchor the reserve to your highest risk vendors and your license complexity, not to a flat percentage. A heavy Oracle and IBM estate warrants a larger reserve than a cloud native one.
Money spent on a baseline returns more than money held in a reserve. The reserve pays a claim once; the baseline reduces every claim and removes the panic premium that inflates settlements.
Frame the reserve to the board as risk management, not as an admission of exposure. A funded, well governed reserve signals control. An unfunded surprise signals the opposite, and surprises are what vendors price against.
Track realized settlements against the reserve each year. Over time the data tells you whether your readiness spend is working, and gives finance a defensible basis for the size of the line.
Audit readiness belongs to a named owner in IT asset management or procurement, supported by legal and finance, not to a scattered set of spreadsheets and goodwill.
Refresh the baseline on a fixed calendar and rehearse the first response once a year. Readiness that lives in a routine survives staff turnover; readiness that lives in one person's memory does not.
Report audit readiness alongside other enterprise risks, not as an IT footnote. When the board sees vendor compliance as a managed risk with an owner and a reserve, the organization stops treating each letter as a crisis.
Regulated industries face more audits and tighter scrutiny, but they also tend to settle better. The documentation discipline that regulators demand doubles as audit defense.
Financial services, healthcare, and public sector buyers run large, complex estates and cannot easily switch core systems. That mix of scale and stickiness is exactly what draws vendor attention.
The same buyers keep rigorous records because their regulators require it. A clean entitlement trail built for compliance is precisely the evidence that deflates an audit claim. The discipline pays twice.
The lesson generalizes. You do not need a regulator to benefit from regulator grade records. Any enterprise that documents entitlement as if an audit were certain will settle as well as the most scrutinized bank.
This report measures patterns, not your specific exposure. It deliberately avoids precise per vendor settlement figures, because publishing them would imply a certainty the data does not support.
Use the report to rank your risk and to shape your readiness, then test the bands against your own contracts and deployment. The value is in the direction it points, not in any single number.
We expect formal license audits to hold steady while consumption and commitment reviews keep rising, driven by the shift to cloud and subscription. The motion stays the same; the metric changes.
Extend the baseline discipline to your cloud commitments now. The buyers most exposed in 2027 are those treating subscriptions as audit free, when the commercial review has simply moved to a new line on the bill.
Expect vendors to lean harder on automated usage data, where the meter is theirs and the dispute is harder. The buyer side answer is the same baseline discipline applied to consumption, so your record can stand beside theirs.
Audit readiness is a habit, not a project. The estates that settle smallest are the ones that close gaps continuously, so a letter finds little to discover.
Tie license checks to the events that create exposure: migrations, mergers, and renewals. When the check is part of the change, not a separate chore, readiness survives without heroics.
Most large enterprises face a formal audit or license review every 3 to 5 years from at least one major vendor. Across a full portfolio of Oracle, IBM, Microsoft, and SAP, the practical answer is almost every year somewhere in the estate. The hyperscalers rarely run a classic license audit.
Oracle and IBM are the most active formal auditors in our engagement data, followed by Microsoft and SAP. These four drove the large majority of audits we defended in 2024 and 2025. Salesforce and the hyperscalers lean on usage reporting and renewal reviews rather than formal audits.
There is no single number, only a band set by your baseline and posture. Opening claims in our engagements commonly ran 2 to 4 times the eventual settlement. Defended early, buyers settled at roughly 30 to 50 percent of the opening claim. The discovered gap is a starting position, not the cost.
Audits cluster around predictable events. A lapsed true up, a merger, a sharp change in spend, a virtualization shift, or the end of a discount term all raise the odds. Vendors also audit on a calendar when a renewal is approaching and leverage matters most.
Cooperate in good faith, but do not hand over raw data without scoping and validation first. Full early cooperation lets the vendor scope the largest possible finding. A measured response, anchored to your own baseline and contractual rights, consistently settles lower. Control the data and the pace.
Build the baseline before the letter arrives. Keep current entitlement records, deployment data, and a clear position on the contested metrics for each major vendor. Know your contractual audit clause, your true up history, and your usage. Preparation done early is worth far more than any argument made late.
An audit defense baseline is your own independent measurement of what you own and what you deploy, built before any vendor claim. It lets you validate every line of a vendor finding against your own evidence. Without it, you negotiate against the vendor numbers alone.
Engage independent audit defense before you respond to the audit letter, not after the first finding lands. The early position shapes the entire process: data scope, methodology, and which contractual rights you assert. Bringing help in after cooperation has begun forfeits the most valuable moves.
Most enterprise agreements contain an audit or verification clause, so the right usually exists. What varies is the scope, the notice period, and who bears the cost. Read the clause before you respond, because it defines the limits of what the vendor can demand and how often.
Cloud and subscription models do not remove audit risk; they change its shape. They replace classic audits with usage reporting, consumption true ups, and commitment shortfall reviews. The exposure moves from unlicensed installs to overage, minimums, and entitlement disputes. The discipline of an independent baseline still applies.
The evidence that wins is contemporaneous, contractual, and reconciled. Bring your contracts and orders, dated deployment records, and the architecture facts behind any indirect access claim. Vendor findings rest on default assumptions like list pricing and full capacity, and your records are what overturn them.
Regulated industries do face more audits, but they often settle better. Financial services, healthcare, and public sector buyers run large, sticky estates that draw vendor attention. The documentation their regulators require doubles as audit defense, so a clean entitlement trail built for compliance is exactly the evidence that deflates a claim.
Treat the audit as the sales motion it is. The buyer who prepares the baseline first decides the number, not the vendor.