Why Internal Software Audit Methodology Matters More Than the Audit Itself

Every major software vendor (Oracle, IBM, SAP, Microsoft, Broadcom) has a specialist team whose sole function is to find licensing shortfalls in your environment and convert them into unplanned revenue. Oracle's License Management Services (LMS, since renamed Global Licensing and Advisory Services) team closes hundreds of audit findings per year globally, typically recovering £2–5M per enterprise engagement. IBM's audit programme focuses specifically on virtualised environments where sub-capacity reporting through ILMT (IBM License Metric Tool) is poorly managed, because without ILMT data IBM licenses the full physical capacity of every host. An internal software audit, done properly, gives you 90 days to discover what they will find before they arrive.

The methodology matters as much as the intent. Too many organisations approach internal audits as a box-ticking exercise: run one discovery scan, export a report, file it. That approach misses the nuances that vendors exploit: installation counting versus usage counting, deployment footprint across virtual machines and the physical hosts beneath them, contractual definitions of "authorised user," and the question of which version and edition of which product is actually licensed. A proper internal software audit methodology has four parts: structured discovery, entitlement reconciliation, gap analysis, and a documented remediation plan.

Crucially, the findings from an internal audit can do more than identify risk. A well-executed audit reveals shelfware (unused licences costing 15–30% of your software budget) and creates the factual foundation for negotiating reductions at renewal. As we detail in our guide to building a Software Licence Position document, what you document before renewal directly determines how much leverage you have at the table.

Phase 1: Scoping the Internal Software Audit

Start by defining the scope explicitly. An enterprise-wide audit covering every vendor simultaneously is rarely practical. Prioritise based on spend concentration and audit risk: typically Oracle, IBM, SAP, Microsoft, and Broadcom account for 80% of enterprise licence spend. Rank them by current annual cost, proximity to renewal, and any signals of vendor audit activity. A routine "partnership health check" call from your Oracle account manager, or a request to run a vendor-supplied measurement script, is often a precursor to formal audit engagement.

Define the technical boundaries of the scope: which data centres, which cloud environments (AWS, Azure, GCP), which subsidiaries, and whether contractor-provisioned systems are in or out. Vendors audit the entire legal entity unless your contract explicitly limits scope. Document your decision before starting, because the scope you establish internally will be your first line of defence if a vendor's scope creep extends beyond what your contract permits.

Assign ownership. Internal software audits fail most often not due to technical complexity but because no one owns the process end-to-end. One person must be accountable for the audit from data collection through to sign-off, typically a SAM Manager or IT Procurement Director with authority to compel data from infrastructure, application, and business teams.

Phase 2: Discovery and Data Collection

Discovery is the technical foundation of any internal software audit methodology. Enterprise environments typically have three categories of software installation that require different collection approaches: managed endpoints, complex server estates, and SaaS. Managed endpoints covered by Microsoft Configuration Manager (SCCM, now MECM) can be inventoried automatically, but these tools typically miss 20–35% of total software deployment because they do not reach unmanaged servers, remote sites, shadow IT installations, or contractor-provisioned systems.

For complex server environments, particularly those running Oracle Database, IBM Db2, SAP HANA, or WebSphere, manual data collection is non-negotiable. You need physical processor and core counts, processor model (the core factor and PVU rating depend on it), virtualisation configuration (VMware, Hyper-V, KVM), cluster membership, and the specific edition and version of each product. Oracle, for example, treats VMware, Hyper-V and KVM as soft partitioning: it counts every physical processor on the host, and in a VMware cluster frequently every host the VM could migrate to, regardless of how many vCPUs the database VM has actually been given. Counting only the VM's vCPUs is the single most common source of a compliance gap.

For SaaS environments (Salesforce, ServiceNow, Workday), discovery is simpler because the vendor controls provisioning. However, you still need to reconcile provisioned users against active users and against contractual commitments. Organisations routinely pay for 20–40% more SaaS seats than they use, but without a structured audit they have no leverage to negotiate reductions. Our software shelfware audit guide covers usage threshold analysis in detail.

Cloud licensing adds another layer. AWS, Azure, and GCP instances running Oracle Database or SQL Server are subject to vendor BYOL (Bring Your Own Licence) rules that are frequently misapplied. Oracle's authorised cloud policy for AWS and Azure counts two vCPUs as one Processor licence where hyper-threading is enabled (one vCPU per Processor where it is not), and the on-premise core factor does not apply, so the same workload can need a different number of licences in the cloud than on a physical host. Collecting cloud deployment data without understanding the contractual metric is a common audit failure mode.

Phase 3: Entitlement Reconciliation

Once you have a deployment picture, you must reconcile it against your entitlements, meaning the licences you have actually purchased. This requires a complete, structured entitlement register: every order document, licence agreement amendment, ULA certification report, and subscription confirmation, organised by vendor, product, version, and metric. Most enterprises lack this. Our guide on building a Software Licence Position document provides a framework for creating and maintaining one.

The reconciliation process compares deployment data to entitlement data at the metric level, not at the product level. An Oracle Database Enterprise Edition licence purchased per Named User Plus is a different entitlement from one purchased per Processor. IBM software licensed in PVU units cannot be reconciled against deployment data without knowing the PVU value for each processor type, which requires IBM's Processor Value Unit tables. SAP licences must be reconciled against the specific user classification system in your contract, which may use different categories from what your SAP system reports by default.

The output of reconciliation is a gap analysis: for each product, the difference between what you are entitled to use and what you are actually deploying, expressed in the correct contractual metric. A positive gap (more entitlement than deployment) represents shelfware opportunity. A negative gap (more deployment than entitlement) represents exposure. Both findings have commercial value: one for cost reduction, one for remediation before vendor discovery.
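The cloud vCPU rule, the soft-partitioning rule and the metric-level reconciliation described above can be made concrete in a few dozen lines. The following script is an added example written for this article, not Redress Compliance tooling or any vendor's official calculator: it normalises raw host facts into each contractual metric (Oracle Processor with core factor, Oracle Named User Plus with its 25-per-Processor minimum, IBM PVU with and without ILMT coverage) and then computes the gap per (product, metric) pair. The host records, entitlement quantities and the PVU-per-core figure are constructed assumptions; the Oracle core factor for x86 (0.5) and the 2-vCPU-per-Processor cloud rule are Oracle's published policy.

```python
"""Metric-level licence gap analysis: an added, illustrative example, not the
page's own tooling. Deployment facts are normalised into each contractual
metric before being compared with entitlements, which is what "reconcile at
the metric level, not the product level" means in practice. Rules encoded:
  * Oracle on-prem under soft partitioning (VMware, Hyper-V, KVM): every
    physical core on the host counts, times the Oracle core factor (0.5 on
    x86). The vCPUs given to the VM are irrelevant.
  * Oracle in an authorised cloud (AWS, Azure): 2 vCPUs = 1 Processor when
    hyper-threading is on, 1 vCPU = 1 Processor otherwise; no core factor.
  * Oracle Named User Plus (Enterprise Edition): at least 25 NUP per Processor.
  * IBM PVU: cores x PVU per core; virtual (sub-capacity) cores count only when
    ILMT covers the host, otherwise the full physical capacity is licensable.
The PVU-per-core figure and the host data below are constructed assumptions.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

ORACLE_CORE_FACTOR = {"x86": 0.5}   # assumption: x86 only; Oracle's table has more entries
PVU_PER_CORE = {"xeon_gold": 70}    # ASSUMED value; use IBM's published PVU table in practice
NUP_MIN_PER_PROCESSOR = 25
AUTHORISED_CLOUDS = {"aws", "azure"}


@dataclass
class Host:
    name: str
    product: str          # e.g. "Oracle Database EE", "IBM Db2"
    metric: str           # contractual metric this deployment is licensed under
    physical_cores: int   # cores on the physical host (for cloud: the instance's vCPUs)
    cpu_type: str = "x86"
    hypervisor: str = ""  # "" = bare metal; "vmware", "hyperv", "kvm" = soft partitioning
    vcpus: int = 0        # vCPUs assigned to the VM or cloud instance
    cloud: str = ""       # "" = on-prem; "aws" / "azure"
    hyperthreading: bool = True
    ilmt_covered: bool = False
    named_users: int = 0


def oracle_processors(h: Host) -> int:
    """Oracle Processor licences required for one host."""
    if h.cloud in AUTHORISED_CLOUDS:
        vcpus_per_processor = 2 if h.hyperthreading else 1
        return math.ceil(h.vcpus / vcpus_per_processor)
    # On-prem: soft partitioning does not limit licensing, so count the whole host
    return math.ceil(h.physical_cores * ORACLE_CORE_FACTOR[h.cpu_type])


def oracle_nup(h: Host) -> int:
    """Named User Plus: actual users, floored at the per-Processor minimum."""
    return max(h.named_users, NUP_MIN_PER_PROCESSOR * oracle_processors(h))


def ibm_pvu(h: Host) -> int:
    """PVUs required; sub-capacity only when the host is under ILMT reporting."""
    if h.hypervisor and h.ilmt_covered:
        cores = min(h.vcpus, h.physical_cores)   # virtual cores, capped at physical
    else:
        cores = h.physical_cores                  # full capacity
    return cores * PVU_PER_CORE[h.cpu_type]


METRIC_RULES = {"Processor": oracle_processors, "Named User Plus": oracle_nup, "PVU": ibm_pvu}


def reconcile(hosts, entitlements):
    """Return {(product, metric): (entitled, deployed, gap)}.

    gap > 0 is shelfware; gap < 0 is exposure. Keys come from both sides so an
    entitlement with no deployment (pure shelfware) is still reported.
    """
    deployed = defaultdict(int)
    for h in hosts:
        deployed[(h.product, h.metric)] += METRIC_RULES[h.metric](h)
    keys = set(deployed) | set(entitlements)
    return {k: (entitlements.get(k, 0), deployed[k], entitlements.get(k, 0) - deployed[k])
            for k in sorted(keys)}


# Constructed sample estate (not real data)
HOSTS = [
    # 4 vCPU VM on a 32-core VMware host: Oracle counts all 32 cores x 0.5 = 16
    Host("db-prod-01", "Oracle Database EE", "Processor", 32, hypervisor="vmware", vcpus=4),
    # 8 vCPU AWS instance with hyper-threading: 8 / 2 = 4
    Host("db-aws-01", "Oracle Database EE", "Processor", 8, cloud="aws", vcpus=8),
    # 8-core bare-metal dev box under NUP: 4 Processors x 25 = 100 minimum, above the 40 real users
    Host("db-dev-01", "Oracle Database EE", "Named User Plus", 8, named_users=40),
    # Db2 VM with ILMT in place: 4 virtual cores x 70 = 280
    Host("db2-01", "IBM Db2", "PVU", 16, cpu_type="xeon_gold", hypervisor="vmware", vcpus=4, ilmt_covered=True),
    # Same shape of VM but no ILMT: full 16 cores x 70 = 1120
    Host("db2-02", "IBM Db2", "PVU", 16, cpu_type="xeon_gold", hypervisor="vmware", vcpus=4),
]
ENTITLEMENTS = {
    ("Oracle Database EE", "Processor"): 12,
    ("Oracle Database EE", "Named User Plus"): 150,
    ("IBM Db2", "PVU"): 1000,
}

if __name__ == "__main__":
    for (product, metric), (ent, dep, gap) in reconcile(HOSTS, ENTITLEMENTS).items():
        status = "EXPOSURE" if gap < 0 else "shelfware" if gap > 0 else "balanced"
        print(f"{product:20} {metric:16} entitled={ent:5} deployed={dep:5} gap={gap:+5} {status}")
```

Run as-is it reports an 8-Processor Oracle exposure (the VMware host alone consumes 16 Processor licences for a 4-vCPU VM), 50 surplus Named User Plus licences, and a 400-PVU Db2 shortfall driven entirely by the host without ILMT coverage. The important design choice is that the metric rule is a function of the host facts, not a number someone typed into a spreadsheet: when a vendor disputes a count, you can point at the rule and the inputs.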

Phase 4: What to Do With the Results

A compliance shortfall found internally is an asset, not a liability, provided you act on it before the vendor does. If you discover you are out of compliance with Oracle Database licences by 40 Processor licences, you have three options: purchase additional licences at list price, negotiate an Unlimited Licence Agreement (ULA) or Perpetual ULA (PULA) to resolve the gap commercially, or reduce deployments to match entitlement before your next audit interaction with Oracle. All three options cost less than a vendor-initiated audit settlement, which historically adds 20–40% on top of the list-price shortfall as a "true-up premium," often with back-dated support fees on top. If you want to understand how to push back once a vendor does issue findings, our guide to disputing vendor audit findings explains the process for Oracle, IBM, SAP, and Microsoft.

Shelfware findings should feed directly into your renewal strategy. If your internal audit reveals that 35% of your Microsoft 365 E5 licences are assigned to users who have never used the E5-only capabilities (Defender, Purview, Power BI Pro, Teams Phone), that data is the basis for a negotiated downgrade to E3 at renewal, saving the E5-to-E3 price difference on every downgraded seat; across 3,500 seats in a 10,000-seat estate that is a material six-figure annual saving. Vendors will not volunteer this information; you must present it from a documented internal audit to make the case credibly. Our white papers library includes playbooks for using internal audit results in specific vendor renewal negotiations. For a confidential review of your current audit position, book a call with our team.

Your Vendor's Audit Team Is Already Preparing. Are You?

Oracle's, IBM's, and SAP's audit teams actively analyse licensing and support data before they formally notify you of an audit. Redress gives you the same preparation window to build your defence, and your negotiation position.