We asked 500 enterprise clients and contacts which software vendors audited them in the last three years. 118 answered, and the result rewrites the audit league table. Broadcom now leads, Autodesk follows, and not one pure SaaS vendor makes the top twenty. This report reads the ranking and what to do about it.
A buyer side reading of the twenty most active software auditors of 2025 and 2026, from a survey of 118 enterprises, and the five moves that turn the audit wave from an emergency into a managed commercial event.
Broadcom audited 33 percent of the 118 responding organizations in the last three years, making it the most active software auditor in the market. Autodesk follows at 29 percent, then Microsoft at 27, Oracle's Java organization at 25 and SAP at 22.
The two names that defined the audit era for two decades, IBM and Oracle's core licensing teams, now sit sixth and seventh. That ordering is the headline. The audit league table is now led by vendors enforcing subscription transitions, and the audit letter is the enforcement instrument.
The twenty most active software auditors, mid 2023 to mid 2026. Share of 118 responding enterprises reporting at least one formal or soft audit. Respondents could name multiple vendors, so percentages do not sum to 100.
| Rank | Vendor | Share audited | What drives the audits |
|---|---|---|---|
| 1 | Broadcom (VMware, CA, Symantec) | 33% | Subscription bundle enforcement on perpetual VMware estates |
| 2 | Autodesk | 29% | Telemetry driven compliance on incomplete named user transitions |
| 3 | Microsoft | 27% | SAM engagements and reviews timed ahead of EA renewals |
| 4 | Oracle, Java | 25% | Employee metric monetization backed by download records |
| 5 | SAP | 22% | Annual measurement, indirect access, and the 2027 ECC deadline |
| 6 | IBM | 20% | Sub capacity and ILMT compliance at industrial scale |
| 7 | Oracle, database and middleware | 18% | Processor metrics, virtualization counting and ULA positions |
| 8 | Quest Software | 15% | Legacy estate compliance reviews |
| 9 | OpenText (Micro Focus) | 13% | Acquired portfolio enforcement |
| 10 | Adobe | 12% | Genuine software and named user compliance |
| 11 | Cloud Software Group (Citrix) | 11% | Post acquisition repricing and license verification |
| 12 | Siemens (engineering software) | 10% | Design tool estate scans and token model reviews |
| 13 | Dassault Systemes | 9% | CAD and PLM license verification |
| 14 | Red Hat (IBM) | 8% | Subscription compliance across hybrid estates |
| 15 | PTC | 8% | Engineering tool usage reviews |
| 16 | Veritas | 7% | Backup estate licensing reviews |
| 17 | MathWorks | 6% | Network license and toolbox usage compliance |
| 18 | Splunk (Cisco) | 6% | Ingest metric reviews after acquisition |
| 19 | Anaconda | 5% | Commercial use enforcement of open source distribution |
| 20 | Software AG | 4% | Legacy middleware compliance reviews |
Oracle is counted twice deliberately. The Java compliance motion operates separately from database and middleware audits, with its own teams, its own data sources and its own commercial script. Respondents experience them as two distinct enforcement machines, and increasingly the Java one writes first.
Three observations follow from the shape of the list. The top belongs to vendors running model transitions. The engineering software cluster is heavily over represented relative to its share of IT spend. And the database era names have not gone away; they have simply been overtaken.
For a buyer the list is a targeting forecast, not trivia. Every vendor in the top half runs a known enforcement script with a known resolution path, which means the response can be prepared before the letter exists. The rest of this report works through those scripts, vendor by vendor.
Between March and May 2026 we put a single question to 500 organizations across our client base and benchmark network: which software vendors have audited you in the last three years? 118 responded, predominantly enterprises between 2,000 and 50,000 employees across Europe and North America.
Respondents could name any number of vendors. We counted both formal contractual audits and soft audits, meaning compliance reviews, license verification requests and usage inquiries that arrive without invoking the audit clause.
The respondent base skews to the organizations that feel audits most. A profile of the sample:
Soft audits are included deliberately because they are now the dominant opening move. A soft audit carries no contractual obligations, which is exactly why a casual reply is so costly. Treating the friendly review as anything other than an audit is how organizations lose before the process formally begins.
In our cost of audit defense research, the matters that settled worst were almost always the ones where substantive information left the building before anyone classified the contact as an audit. The classification decides the behavior, and the behavior decides the outcome.
Pure SaaS vendors such as Salesforce, ServiceNow and Workday were named by almost no respondents and do not appear in the ranking. This is not because they leave money on the table. Their enforcement instrument is the renewal, not the audit clause, and we return to that below.
Each of the top five runs a recognizable commercial script. Knowing the script before the letter arrives is most of the defense, because each script has a known resolution path the vendor is steering toward.
Broadcom ended VMware perpetual license sales and through 2025 escalated from cease and desist letters to formal audit notices against perpetual holders who declined its subscription bundles. In some cases the notice arrived within days of a support contract lapsing, in others with no warning letter at all.
The audits run to a clear script: establish that patches or support were consumed beyond entitlement, then resolve the exposure through a bundle subscription. CA and Symantec estates follow the same pattern. This is not compliance housekeeping. It is the collection mechanism for the VMware repricing, and our Broadcom VMware audit defense guide covers the counter positions in detail.
Autodesk runs one of the most automated compliance operations in the industry. Its products report installation and usage telemetry home, which means Autodesk frequently knows about non genuine, over installed or lapsed deployments before it writes to you.
The letters arrive from its license compliance organization with specific machine level findings. Estates that never fully completed the move to named user subscriptions are the prime target. Design and manufacturing companies in our survey reported Autodesk contact at a higher rate than any vendor except Broadcom. Our Autodesk audit defense guide walks through the response sequence.
Microsoft rarely opens with the audit clause. It opens with a SAM engagement, a cloud usage validation or a licensing review delivered through a partner, framed as helpful and frequently timed ahead of an Enterprise Agreement renewal.
The findings then surface in the commercial conversation, where SQL Server, Windows Server and unmanaged hybrid estates do most of the damage. The resolution on offer is rarely a penalty. It is Azure commitment, M365 uplift or Copilot. The audit is soft, the leverage is not. The remediation sequence is covered in our Microsoft audit defense playbook.
Since moving Java to the employee count metric, Oracle has run what is effectively the broadest soft audit campaign in software history: friendly emails about your Java usage, backed by download and update server records Oracle has retained for years.
The employee metric turns any confirmed usage into an enterprise wide bill. Gartner predicts one in five Java users will face an Oracle audit by 2026, and our data supports it. We rank Java separately at 25 percent because organizations experience the Java and database machines as distinct. Our Oracle Java audit guide sets out the response protocol.
SAP's annual system measurement gives it a standing audit instrument most vendors lack. The enhanced audits layered on top concentrate on indirect access, engine metrics and estates approaching the 2027 ECC maintenance deadline.
The pattern in our engagements is consistent: compliance findings surface in proximity to S/4HANA and RISE proposals, where they function as pricing pressure rather than standalone claims. The audit and the migration quote are one conversation, whichever order they arrive in.
The middle of the table carries two stories: the database era veterans still auditing at industrial scale, and an engineering software cluster that audits far above its weight.
IBM at 20 percent and Oracle's core licensing organization at 18 percent remain two of the most consequential auditors in enterprise software. Sub capacity reporting, ILMT gaps, virtualization counting and ULA certification positions still produce some of the largest single claims we see. They have been overtaken in frequency, not in severity.
Treat the middle of the table as a forecast of your next three years. Acquisition announcements are the leading indicator: when a portfolio changes hands, the audit posture of the acquired products changes with it, usually within 18 months and usually toward enforcement.
Autodesk, Siemens, Dassault Systemes, PTC and MathWorks together hold five of the twenty positions. That concentration is far above the engineering share of enterprise IT spend, and it is not an accident.
The rest of the middle belongs to acquisition driven enforcement. Quest, OpenText with the Micro Focus portfolio, Cloud Software Group with Citrix, Splunk under Cisco and Veritas all audit mature estates with old entitlement records. Anaconda is the newest entrant, enforcing commercial terms on a distribution most users assumed was free.
Not one pure SaaS vendor appears in the top twenty, and the absence is the most instructive line in the data. Salesforce, ServiceNow and Workday barely registered with respondents.
A SaaS vendor does not need an audit clause. It meters your usage on its own infrastructure and enforces at renewal, where overage, repackaging and price uplift do the work an audit used to do. The audit, as an instrument, belongs to vendors with software running in your estate, and that is exactly where the activity is concentrated.
The practical consequence: audit defense and renewal negotiation are converging into one discipline. The on premises vendor brings a compliance claim to the renewal. The SaaS vendor brings a usage report. Both are pricing conversations, and both reward the same preparation: an independent baseline and a controlled data flow.
The renewal as audit also explains why SaaS heavy organizations report fewer audits but not lower enforcement cost. The pressure simply arrives as a usage report attached to an uplift proposal. Treating the renewal package with audit grade scrutiny (an independent usage baseline and a challenge to the repackaging) is the equivalent defense.
Audit exposure is not evenly distributed. The survey and our engagement file point to the same conclusion: exposure follows estate composition and transition state, not company size or industry alone. Four profiles carry most of the risk.
Most respondents sat between 2,000 and 50,000 employees, large enough to carry every one of these profiles at once. The practical reading: score your own estate against the four profiles, then sequence baselines by where the transition exposure is largest, not by where spend is largest.
Smaller organizations are not exempt. Telemetry driven programs like Autodesk's and mass campaigns like Oracle Java's scale down efficiently, because the targeting cost per letter is close to zero. The smaller estate gets the automated letter. The larger estate gets the account team with the audit behind it.
Four threads run through the whole list, and together they describe how software audits now work as a system rather than as isolated events.
Two years ago the league table still read like the 2010s: Oracle, IBM, Microsoft and SAP at the top, engineering vendors in the tail. The 2025 to 2026 data shows three structural breaks.
First, Broadcom went from barely registering to first place in under two years, proving an acquired install base can be audited into a new commercial model at speed. Second, Oracle's Java motion now writes more letters than its database organization, a reversal unthinkable in 2020.
Third, soft audits displaced formal ones as the default opening, which moved the decisive moment from the data room to the first reply.
None of these breaks reverse on their own. Subscription transitions end, but each one hands the next acquirer a proven enforcement template, and the targeting data only accumulates.
The standard advice says keep clean SAM records, cooperate fully and the audit will close quickly. We disagree. In roughly 220 audits we defended or supported in 2024 and 2025, speed of cooperation had almost no correlation with outcome, and full early data disclosure reliably anchored the claim at the vendor's number. The settlements that landed 30 to 60 percent below the opening claim were the ones where the buyer baselined first, scoped the data flow deliberately and moved the finding into a renewal negotiation. The buyer side move is to slow the process down at the start, not speed it up. Cooperation is a posture. Control is a strategy.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
The audit is no longer a compliance event. It is a sales motion, and it should be managed like one.
Five moves separate the organizations that absorb the audit wave from the ones that fund it. None of them require new tooling. All of them require the audit to be owned as a commercial process, not an IT incident.
The five moves below mirror the briefing we give clients inside engagements, condensed. Each one removes a specific failure mode we see repeatedly: the casual first reply, the missing baseline, the standalone settlement, the blind script run, and the unbudgeted scramble.
The friendly Java email, the SAM engagement offer, the license review request: route them all to one accountable owner, respond deliberately, and volunteer nothing. Most audit losses happen in the first informal reply, before anyone realizes the process has started. Our first 48 hours checklist covers the immediate sequence.
If you run VMware on lapsed support, incomplete Autodesk subscriptions, unmanaged SQL Server, Oracle Java anywhere, or SAP with indirect access, you are on a targeting list already. An internal baseline under your control turns a vendor's number into a negotiation instead of a verdict.
Every finding has more value inside a commercial negotiation than as a standalone settlement, and vendors know it, which is why audits arrive before renewals. Fold the resolution into the larger deal and take a written release of all historic claims as part of it.
Telemetry, update pings and download activity are doing the targeting. Govern what your estate reports home, keep installation sources clean, and make sure measurement tools and scripts are only ever run on your terms, reviewed, and never blind.
With the top vendor auditing a third of large estates over three years, audit response is an operating capability, not an emergency. Fund the baseline, the contract intelligence and the response playbook before the letter arrives, because afterwards everything costs more.
The economics are set out in our cost of audit defense report, and the vendor specific audit defense kits carry the response templates.
Redress Compliance is a 100 percent buyer side advisory firm with no vendor affiliations, with audit defense experience against every vendor in this report's top five. We run the baseline, the response and the negotiation as one engagement, quietly and entirely on your side of the table.
We are glad to tie a meaningful part of the fee to delivered value. If a letter or a friendly review request has already arrived, work the audit defense readiness checklist and contact us in parallel. The first reply matters more than any step after it.
A practical sequence for the next 90 days, in priority order.
Broadcom is the most active software auditor of 2025 and 2026, named by 33 percent of the 118 enterprises in our survey. Autodesk follows at 29 percent, Microsoft at 27, Oracle's Java organization at 25 and SAP at 22. The database era leaders, IBM and Oracle's core licensing teams, now sit behind the vendors enforcing subscription transitions.
Very common. Each of the top five vendors audited at least 22 percent of responding enterprises within a three year window, and most respondents named multiple auditors. With the most active vendor reaching a third of large estates, audit response is now a recurring operating event, not an exception, and should be budgeted as one.
Broadcom audits VMware perpetual license holders because the audit is the collection mechanism for its subscription repricing. After ending perpetual sales, Broadcom escalated from cease and desist letters to formal audit notices against estates that declined its bundles, in some cases within days of a support lapse. Findings are then resolved through a bundle subscription.
Counted as one company, Oracle rivals Broadcom for the top spot. We deliberately rank Oracle as two entries because its Java compliance motion at 25 percent operates separately from its database and middleware audits at 18 percent, and respondents experience them as distinct events. Increasingly, the Java machine writes first.
A soft audit is a compliance review, license verification request or usage inquiry that arrives without invoking the contractual audit clause, and it should be treated exactly like a formal audit. Soft contact is now the dominant opening move, and the casual first reply is where most organizations concede the information that decides the outcome.
Pure SaaS vendors do not need an audit clause, so they barely register in audit surveys. A SaaS vendor meters your usage on its own infrastructure and enforces at renewal, where overage, repackaging and price uplift do the work an audit used to do. The audit instrument belongs to vendors with software running inside your estate.
Design tool estates are easy to scan, hard to govern and historically under licensed, which makes them efficient audit targets. Autodesk, Siemens, Dassault Systemes, PTC and MathWorks all appear in the top twenty, a concentration far above the engineering share of IT spend. Telemetry gives these vendors machine level findings before they ever write.
Data selects the targets. Download records, product telemetry, expired support dates and incomplete model transitions identify recipients before any human is involved. The strongest triggers are running VMware on lapsed support, incomplete Autodesk named user transitions, unmanaged SQL Server, confirmed Oracle Java usage and SAP estates approaching migration decisions.
Treat it as the audit it is. Route every soft contact to one accountable owner, respond deliberately and volunteer nothing beyond what the contract requires. Most audit losses happen in the first informal reply, before anyone realizes the process has started. An internal baseline run under your control should precede any substantive answer.
Yes. Never settle an audit as a standalone audit. Every finding has more value inside a commercial negotiation than as an isolated settlement, which is exactly why vendors time audits ahead of renewals. Fold the resolution into the larger deal and take a written release of all historic claims as part of it.
The complete survey briefing with the top twenty ranking, the vendor by vendor enforcement scripts for Broadcom, Autodesk, Microsoft, Oracle Java and SAP, and the exposure baseline checklist our advisors run before any vendor letter arrives.
Used across more than five hundred enterprise engagements. Independent. Buyer side. Built for procurement, finance, and software asset management leaders preparing for, or responding to, vendor audit contact.
If your estate touches the top five, the question is not whether contact comes, but what arrives first, the audit or the renewal it is built to influence.