
Software license audit defense. Settle low, concede nothing early.

Independent audit defense across Oracle, IBM, SAP, Microsoft, Broadcom, and more. We control the data flow, challenge the metric read, and negotiate the settlement.

500+ Enterprise Clients
$2B+ Under Advisory
11 Vendor Practices
100% Buyer Side Independent
Key Takeaways

The short version.

  • A software audit is a revenue event for the vendor. Treat the opening claim as an opening position, not a bill.
  • Control the data flow. Nothing leaves the building unverified, and nothing beyond the contractual audit clause.
  • The metric read decides the claim. Most opening claims overstate exposure by 30 to 60 percent.
  • Never self disclose before counsel and an independent entitlement read.
  • Across 2024 to 2025 defenses, 9 of 10 audits settled below the opening claim, many at zero.
  • Audit posture is built 12 months before the letter arrives. Renewal leverage and audit exposure are the same file.

What triggers a software license audit?

Audits are triggered by revenue signals, not random selection. Declining spend, a refused cloud migration, an expiring ULA or ELA, and M&A events all raise audit probability. The audit program is a sales motion with a legal letterhead.

  • Renewal proximity: claims surface 6 to 12 months before your renewal to build vendor leverage.
  • Spend decline: dropped support, third party support moves, and shelfware cuts flag the account.
  • Structural events: mergers, divestitures, and virtualization changes break entitlement assumptions.

How should you respond in the first 30 days?

The first 30 days decide the settlement range. Acknowledge, slow down, and take control of scope and data before anything is measured.

Control the clock

The audit clause defines notice, scope, and confidentiality. Hold the vendor to it. Most clauses do not grant the auditor your weekends or your raw estate.

Control the data

Run collection tools in a controlled environment and verify every output line against the contract metric before release. Unverified script output is the single largest driver of inflated claims.

How does audit defense differ by vendor?

Each vendor audits differently, and the defense lever differs with it.

Audit posture by vendor

| Vendor | Who audits | Typical claim driver | Primary defense lever |
|---|---|---|---|
| Oracle | LMS / GLAS and partners | Options, virtualization, Java metric | Metric read, partitioning policy status, defense playbook |
| IBM | KPMG or Deloitte | ILMT gaps, full capacity PVU | ILMT remediation, settlement negotiation |
| SAP | SAP GLAC | Indirect access, named user classes | Usage reclassification, digital access strategy |
| Microsoft | SAM partners | M365 overuse, server CALs | Scope control, EA trade |
| Broadcom VMware | Direct | Core counts, lapsed subscriptions | Contract continuity, exit alternative |

Vendor audit terms are published in their own agreements, for example the Microsoft product terms and Oracle contract documents. The clause you signed, not the auditor's template, governs.

What does a good settlement look like?

A good settlement resolves the claim at or near zero cash, converts unavoidable exposure into products you would have bought anyway, and lands inside the renewal where discount absorbs it. The worst settlement is a fast one.

Termination and compliance terms sit in vendor published paper, such as IBM's terms and SAP's agreements. Read yours before the auditor reads them to you.

The settlement trade

Vendors prefer future revenue to penalties. A claim traded into a renewal at proper discount routinely costs 10 to 30 cents on the claimed dollar.

Where the common advice on audit response is wrong

The common advice is to cooperate fully and fast to show good faith. We disagree. In roughly 6 of 10 defenses Morten Andersen reviewed in 2024 to 2025, early voluntary disclosure widened the claim because unverified data conceded interpretations the contract never required. The buyer side move is to comply with the clause, exactly the clause, and nothing beyond it, with every data point verified before release. Good faith is contractual compliance, not volunteering your estate.

Most audit claims are settled as renewal trades. The cash number on the letter is rarely the number that gets paid.
  • 9 of 10: Audits closed below the opening claim
  • 10 to 30c: Typical settlement per claimed dollar
  • 60+: Defenses run 2024 to 2025

Source: Redress Compliance advisory engagement file, 2024 to 2025.

The opening claim is a negotiating position wearing a compliance costume. Treat it accordingly.

What to do next

  1. On notice receipt, acknowledge within the contractual window and request the audit clause basis in writing.
  2. Freeze voluntary disclosures. Route all auditor contact through one named owner.
  3. Commission an independent entitlement and metric read before any data leaves.
  4. Verify every script output line against contract metrics. Challenge aggressive reads in writing.
  5. Build the settlement strategy around your renewal calendar, not the auditor's deadline.
  6. Open the vendor field manuals for the specific playbook.

Frequently asked questions

What is software license audit defense?

Software license audit defense is the controlled response to a vendor compliance audit: managing scope and data flow, challenging the metric interpretation, and negotiating the settlement. Run well, most audits settle far below the opening claim.

Should we just run the vendor's audit scripts?

Run them only in a controlled environment and verify output before release. Unverified script output is the largest single driver of inflated claims.

Can an audit claim really go to zero?

Yes. Where the metric read is wrong or the claim trades into a planned renewal, zero cash settlements are common. Our case studies include claims from $500K to $20M resolved at zero.

How long does an audit take?

A defended enterprise audit typically runs 6 to 12 months from notice to settlement. Speed favors the vendor; process favors you.

Do we need lawyers or licensing specialists?

Both, in sequence. Licensing specialists build the technical position; counsel formalizes it where the dispute escalates. Most audits settle commercially without litigation.

Does refusing the audit work?

No. Refusal breaches the clause and escalates to legal. The defense is controlled compliance, not refusal.

How do we reduce audit risk permanently?

Maintain a live entitlement baseline, keep measurement tools clean, and review audit clauses at every renewal. Audit posture is built before the letter arrives.
