When Oracle's LMS, Microsoft's VLSC audit team, SAP's LAM, or IBM's ISIG shows up with an audit letter, most enterprises panic and overpay. They don't have to.
Five chapters of expert guidance on how vendors audit your systems, and how to defend yourself.
What your contract actually says. What auditors can and cannot demand. The triggers that put you on a vendor's radar.
Six stages: from the initial letter through scoping, data collection, findings, and commercial negotiation to final settlement.
LMS tools, Java licensing traps, Named User Plus vs Processor, virtualisation policies, and ULA certification defence.
VLSC discrepancies, Effective License Position strategy, SAM engagement risks, and Azure Hybrid Benefit compliance.
LAM audits, IBM sub-capacity licensing, ISIG inspections, Salesforce user audits, and ServiceNow compliance.
Your contract defines what vendors can demand. Most enterprises don't know what's written in theirs.
Oracle's Unlimited License Agreement (ULA) includes audit rights that allow Oracle to audit you at no cost to itself. The standard clause grants them access to your systems and records during normal business hours. Microsoft's Enterprise Agreement includes similar provisions through the Volume Licensing Service Center (VLSC), though with different scope restrictions. SAP's Software License Maintenance Agreements include direct audit rights, and IBM's agreements vary by product but typically reserve audit privileges for licensed products.
Most Oracle ULAs state: "Oracle may audit your use of the software during the term of this agreement and for a period of three years thereafter." The critical phrase is "at Oracle's expense for the first audit." This means the second audit is on you.
Microsoft reserves the right to audit your use through the Volume Licensing Service Center. They can request reports directly from VLSC or from your systems. The terms allow them access to your systems for verification purposes, but only to the extent necessary to verify compliance.
SAP's contracts allow them to audit systems running SAP software. They often use the License Administration Workbench tool, which can be remotely accessed if you grant permission. This is not mandatory, but SAP's contracts reserve the right to audit if there's a dispute about usage.
Critical: Most audits go beyond their contractual rights. This is where defense starts. Know what your contract says, and push back on requests outside that scope.
Vendors are predictable about when they audit. Watch for these signals:
Six predictable stages. Each has a critical negotiation point.
You receive a formal letter from a vendor's audit team or legal department. It says something like: "Our records indicate a potential compliance gap. Please provide detailed documentation of your use of [Product] within 30 days."
What You Should Do:
This is the most critical leverage point. Before the vendor can collect data from your systems, the audit scope must be defined. What systems will they audit? What data will they collect? What timeframe?
Many enterprises skip this stage and let vendors define scope unilaterally. This is a mistake.
Negotiation Points:
There are two approaches: self-assessment (you provide data) or vendor-run audit (they access your systems).
Self-Assessment Approach: You provide your own SAM tool output (ServiceNow, Flexera, Snow License Manager). This gives you control over what data you present. It's slower but cleaner.
Vendor-Run Audit Approach: The vendor's auditor runs tools like Oracle's LMS or Microsoft's MAP Toolkit on your systems. This is faster but gives them unfettered access. They see things you may not have known about.
Key Tools Used:
The vendor issues a "Findings Letter" with their audit results. This letter typically contains inflated claims. Why? Because vendors build negotiating room into initial findings. They know you'll dispute them.
How Vendors Inflate Claims:
Example: An Oracle LMS audit claims $8M in unlicensed Oracle Database Enterprise Edition because servers have 64 cores each, but you only licensed 16 cores. Vendor counts all 64. Your defence: you partitioned the systems at the hypervisor level and only allocated 16 vCPUs to the partition running Oracle. That's documented in your VMware or Hyper-V configuration. Claim reduces to $0–$200K.
This is where the findings letter becomes a commercial discussion. The vendor will offer a "settlement" in the form of additional license purchases, true-up fees, or both.
What To Do:
A final settlement agreement defines what you owe, what licenses you'll purchase, and any ongoing compliance obligations. Some vendors include a "deemed compliant" clause, which means you're protected from future audits for a specified period.
What a Good Settlement Looks Like:
What Never To Agree To:
Oracle accounts for 35–45% of enterprise audit activity. Know the specific traps.
Oracle's LMS script is the most intrusive vendor audit tool in the market. It collects detailed data about database installations, options enabled, and processor configurations. When you allow LMS access, Oracle gets visibility into your entire Oracle footprint, and often spots usage you didn't know was there.
What LMS Collects:
Defence Strategy: Before you grant LMS access, manually audit your own systems. Create a detailed inventory of what's installed and which options are enabled. This becomes your "source of truth." When LMS runs, compare its output to your inventory. Vendors often claim options are enabled that you actually don't use. Challenge those findings specifically.
Oracle offers two licensing models: Processor (per physical processor core) and Named User Plus (NUP, per named user). Many enterprises accidentally trigger Processor licensing by installing software on systems with more cores than their NUP licenses cover.
The Trap: You license Oracle Database with 100 Named User Plus licenses. An LMS audit finds that database is installed on a server with 64 cores. Oracle claims you need Processor licenses for those 64 cores (or you need to reduce the installation to systems with fewer cores). Your 100 NUP licenses become insufficient, and Oracle forces you to buy Processor licenses.
Defence:
Oracle Java Standard Edition licensing is a $2–5B revenue line for Oracle, and it's massively mispriced in audits. The trap: Oracle claims that every desktop, laptop, and server running the Java Runtime Environment (JRE) requires a Java Standard Edition license.
In reality, the JRE is often bundled with other software or platforms that don't require a Java SE license. Examples: the Java compiler (javac) is free; OpenJDK alternatives are free; many applications bundle their own JRE.
Defence: Challenge Oracle to prove actual Java SE usage, not just JRE presence. Document which systems actually run Java SE applications and which systems only have JRE as a dependency. Expect 60–80% of Oracle's Java SE claims to disappear under scrutiny.
This is the most technically complex audit trap. Oracle distinguishes between Hard Partitioning and Soft Partitioning. The difference determines whether you can "cap" your license requirements at the number of vCPUs you allocate to a VM, or whether you need to license the entire physical machine.
Hard Partitioning (Oracle-Certified): You're allowed to license only the vCPUs assigned to a VM. Hard Partitioning requires Oracle-certified hypervisor-level partitioning (VMware vSphere with vMotion disabled, Oracle VM, some Hyper-V configurations).
Soft Partitioning (Not Allowed): Virtual machines that can be migrated, resized, or have dynamic resource allocation. Oracle doesn't permit licensing only the allocated vCPUs in this scenario β you must license the entire physical host.
Defence:
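As an added example (not code from the guide or from Oracle), the following Python script applies the counting rule described above to a constructed host inventory: a host under Oracle-recognised hard partitioning is licensed on the vCPUs allocated to the Oracle VM, while a soft-partitioned host is licensed on every physical core. The host names, the per-core price and the default core factor are placeholders, not Oracle figures; Oracle publishes its own core factor table, and the value for your hardware must be looked up there.

```python
"""Estimate Oracle processor-licence exposure under hard vs soft partitioning.

Added example, not code from the original guide. It applies the rule the
text describes: with Oracle-recognised hard partitioning only the vCPUs
allocated to the Oracle VM are counted; with soft partitioning the whole
physical host is counted. Host data, the core factor and the list price are
constructed placeholders, not real Oracle figures.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    physical_cores: int      # cores on the physical machine
    oracle_vcpus: int        # vCPUs allocated to the VMs that run Oracle
    hard_partitioned: bool   # True only if Oracle recognises the partitioning
    licensed_cores: int      # processor licences held for this host, in cores


def licensable_cores(host: Host) -> int:
    """Cores Oracle will count for this host under its partitioning policy."""
    if host.hard_partitioned:
        # Hard partitioning: the allocation caps the licence requirement.
        return min(host.oracle_vcpus, host.physical_cores)
    # Soft partitioning (migratable or resizable VMs): the entire host counts.
    return host.physical_cores


def exposure(host: Host, price_per_core: float, core_factor: float = 1.0) -> dict:
    """Licence gap for one host.

    core_factor=1.0 is a placeholder: Oracle publishes a per-processor core
    factor table, so substitute the value that applies to your hardware.
    """
    required = licensable_cores(host) * core_factor
    gap = max(0.0, required - host.licensed_cores)
    return {
        "host": host.name,
        "required_cores": required,
        "gap_cores": gap,
        "exposure_usd": gap * price_per_core,
    }


def audit_report(hosts: list, price_per_core: float) -> list:
    """Exposure rows for every host, in inventory order."""
    return [exposure(h, price_per_core) for h in hosts]


# Constructed inventory mirroring the guide's scenario: 64-core hosts where
# only 16 vCPUs are given to the Oracle VM and 16 cores are licensed. The
# only difference between the two hosts is whether the partitioning counts
# as hard in Oracle's eyes.
PRICE_PER_CORE = 47_500.0   # placeholder list price, not an Oracle figure
HOSTS = [
    Host("esx-prod-01", 64, 16, hard_partitioned=True, licensed_cores=16),
    Host("esx-prod-02", 64, 16, hard_partitioned=False, licensed_cores=16),
]

if __name__ == "__main__":
    for row in audit_report(HOSTS, PRICE_PER_CORE):
        print(row)
```

The two hosts are identical except for the partitioning flag, which is the whole point: the same 16-vCPU allocation yields a zero gap on the hard-partitioned host and a 48-core gap on the soft-partitioned one. Run it against your real inventory with the hypervisor configuration evidence the guide tells you to keep, so the `hard_partitioned` flag for each host is something you can document, not something you assert.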
Oracle ULAs include a "True-Up" period where you certify your usage. If you've exceeded the ULA usage rights, you must pay a true-up. The certification process is where vendors inflate claims.
Defence: During ULA true-up, challenge Oracle's scope. Your ULA may have included only specific products (Database, Middleware) but excluded options. If you're being charged for Options you didn't intend to license, dispute that. Document your licensing intent at the time the ULA was signed.
Oracle Database ships with many Options that carry separate licensing costs: Partitioning, Tuning Pack, Diagnostics Pack, Advanced Analytics. These Options are sometimes enabled by default during installation or automatically enabled by patches.
Audit Claim: LMS detects Diagnostics Pack is enabled on your database. You don't license it. Oracle claims $50K–$150K per database core for unpaid Diagnostics Pack usage.
Defence: Check Oracle's licensing rules. For some editions and versions, certain options cannot be "accidentally enabled." If you can prove the option was enabled by default (not intentional use), Oracle sometimes backs down. If not, negotiate a retroactive license purchase at a discount, bundled into your maintenance fees.
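The comparison recommended in both the LMS section (your own inventory as the source of truth, checked against what the vendor's tool reports) and this Options section (an option being enabled is not the same as it being used) can be scripted. The Python below is an added example, not the guide's or Oracle's code: the vendor findings, the licence inventory and the usage records are constructed CSV samples, and their column names are assumptions. It sorts each vendor finding into three buckets: already licensed, enabled but never used (challenge it), and genuinely used but unlicensed (fix it before the audit finds it).

```python
"""Reconcile vendor option findings against your own inventory and usage data.

Added example, not from the original guide. Inputs are constructed CSV text:
the vendor's findings list the options it detected as enabled per database,
your inventory lists the options you actually licensed, and your usage
evidence records whether each option was ever really used.
"""
import csv
import io

# Constructed sample of an LMS-style findings list (database, option detected
# as enabled). Column names are assumptions, not a real LMS output format.
VENDOR_FINDINGS = """database,option
PRODDB1,Diagnostics Pack
PRODDB1,Tuning Pack
PRODDB1,Partitioning
PRODDB2,Diagnostics Pack
PRODDB2,Advanced Analytics
"""

# Your own licence inventory (database, option licensed). Constructed sample.
LICENSED_OPTIONS = """database,option
PRODDB1,Partitioning
PRODDB2,Diagnostics Pack
"""

# Your own usage evidence per option. Constructed sample; an option counts as
# used if it is in use now or has any recorded historical usage.
USAGE_EVIDENCE = """database,option,currently_used,detected_usages
PRODDB1,Diagnostics Pack,FALSE,0
PRODDB1,Tuning Pack,TRUE,12
PRODDB1,Partitioning,TRUE,40
PRODDB2,Diagnostics Pack,TRUE,7
PRODDB2,Advanced Analytics,FALSE,0
"""


def load_pairs(text):
    """Set of (database, option) pairs from a two-column CSV."""
    return {(r["database"], r["option"]) for r in csv.DictReader(io.StringIO(text))}


def load_usage(text):
    """Map (database, option) -> True if the option was ever actually used."""
    return {
        (r["database"], r["option"]):
            r["currently_used"].strip().upper() == "TRUE" or int(r["detected_usages"]) > 0
        for r in csv.DictReader(io.StringIO(text))
    }


def classify(findings, licensed, usage):
    """Sort each vendor finding into licensed / challenge / gap."""
    result = {"licensed": [], "challenge": [], "gap": []}
    for key in sorted(findings):
        if key in licensed:
            result["licensed"].append(key)      # nothing to dispute
        elif not usage.get(key, False):
            # Enabled but no usage evidence on your side: the vendor has to
            # prove use, not merely presence. Dispute this finding.
            result["challenge"].append(key)
        else:
            result["gap"].append(key)           # really used and unlicensed
    return result


def reconcile():
    """Run the three constructed inputs through the classifier."""
    return classify(
        load_pairs(VENDOR_FINDINGS),
        load_pairs(LICENSED_OPTIONS),
        load_usage(USAGE_EVIDENCE),
    )


if __name__ == "__main__":
    for bucket, items in reconcile().items():
        print(bucket, items)
```

The design choice worth noting is the default in `usage.get(key, False)`: a finding with no usage evidence at all lands in the challenge bucket, because your own records give you nothing to concede and the burden of proving actual use stays with the vendor. Replace the constructed CSV strings with exports from your SAM tool and the vendor's findings letter, keeping the same three columns.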
Our team has settled 200+ Oracle audits. We know Oracle's tactics and their settlement boundaries. Let's assess your risk for free.
Microsoft audits differently than Oracle. The exposures are in your cloud and hybrid environment.
Microsoft provides two systems where you can track licenses: the Volume Licensing Service Center (VLSC) for traditional on-premises licenses, and the Microsoft 365 Admin Center for cloud subscriptions. These systems often disagree on what you've actually licensed.
The Problem: You purchase 100 Office 365 licenses through VLSC, but the Microsoft 365 Admin Center shows 120 seats consumed. Or vice versa: the numbers never match because the systems track different license types.
Defence Strategy: Reconcile VLSC and the Admin Center before a Microsoft audit. Export detailed user reports from both systems. Microsoft audits check for "true-ups", the difference between what you've licensed and what you've consumed. Discrepancies in your own records are what trip you up.
Microsoft uses Effective License Position (ELP) calculations to determine if you're over-licensed or under-licensed. ELP accounts for subscription discounts, Software Assurance benefits, and downgrade rights.
Example: You license 200 Office 2016 Professional Plus seats. Microsoft 365 includes Office desktop licenses. If you have Software Assurance, you can downgrade those seats to Office 2016 and run concurrent instances. Microsoft's ELP calculation may show you're over-licensed by 50 seats.
Defence: Calculate your own ELP before Microsoft does. Use Excel to map every license, subscription, Software Assurance benefit, and downgrade right. When Microsoft claims an under-licensed position, you'll have detailed documentation of your ELP analysis. This often eliminates claims entirely.
Microsoft often begins with a "SAM (Software Asset Management) Engagement", a consultative audit where they assess your overall license position. This is softer than a formal audit, but it's Microsoft's way of building a case for a formal audit if they find gaps.
What Happens: A Microsoft SAM specialist interviews your IT and Procurement teams, reviews VLSC, and makes recommendations. Those recommendations become audit findings if you don't implement them.
Defence: Take SAM Engagements seriously. Provide complete, accurate data. But don't assume their recommendations are obligations. Engage your own licensing advisor to review their findings. Many SAM recommendations are aggressive: they assume you'll license more, not less.
Azure Hybrid Benefit lets you use on-premises licenses in the cloud. The rules are complex, and most enterprises misuse them, creating audit exposure.
Common Mistake: You license Windows Server 2019 on-premises with Software Assurance. You move those instances to Azure and claim Hybrid Benefit. But your Software Assurance contract expired last year. Azure doesn't allow Hybrid Benefit without current Software Assurance. Audit exposure: $5K–$20K per instance per month for unlicensed Azure consumption.
Defence: Audit your Azure subscriptions for Hybrid Benefit usage. Check your Software Assurance renewal status for every product being claimed. Remove any Hybrid Benefit claims you can't support with current SA coverage. Then negotiate the gap at renewal.
Microsoft bundles licenses in confusing ways. Is Teams included in Office 365? Is Exchange included in Microsoft 365 Business? The answer depends on the SKU, the date you purchased it, and whether you're a government customer.
Audit Claim: You license Office 365 E3 (which includes Teams). You also purchase Teams standalone licenses for contractors. Microsoft audits find 50 Teams licenses and claims you owe true-up for those 50 users.
Defence: Check the date of your Office 365 purchase. If it was before Teams was included in that SKU, your Teams licenses might not be redundant. If it was after, those 50 standalone licenses were duplicative. Microsoft might accept a credit of the difference, or accept proof that those licenses were assigned to different users (contractors vs. employees, for example).
When you move Windows Server or SQL Server from on-premises to Azure, the licensing model changes. On-premises uses CAL (Client Access Licenses) + server license. Azure uses user-based or consumption-based licensing.
The Trap: You license Windows Server 2019 with 500 CALs on-premises. You move to Azure with a hybrid benefit. Microsoft counts 600 actual users in your Azure subscription. You're under-licensed by 100 CALs, and hybrid benefit doesn't cover the overage.
Defence: Map your actual user base before and after cloud migration. Sometimes the user count increases because cloud enables new use cases. Budget for that in your migration plan. Don't assume cloud licensing will be cheaper without detailed user-by-user analysis.
We've negotiated 150+ Microsoft audits. VLSC, Azure, Teams, Office 365: we know the tricks Microsoft uses and how to defend your position.
Less common than Oracle/Microsoft, but often more technically complex and more expensive when they hit.
SAP's License Administration Workbench (LAM) is an audit tool that tracks user activity in SAP systems. The most dangerous claim SAP makes is "Indirect Access": the claim that users access SAP through other systems (middleware, portals, APIs) without direct licenses.
Indirect Access Example: Your manufacturing system pulls product data from SAP through an API. The manufacturing system has 500 users. SAP claims all 500 users are indirect SAP users and must be licensed. You license 100 users directly. Exposure: 400 indirect user licenses at $5K–$15K per year per user.
Defence: Challenge SAP's definition of "access." Does your API only READ non-sensitive data? Does it filter data to a subset? Does the manufacturing system have caching so actual SAP queries are rare? These factors determine whether indirect access even applies. Many indirect access claims fail under scrutiny.
SAP often triggers an audit when you migrate from SAP ERP to S/4HANA. They claim the migration requires re-licensing of modules and options.
Defence: Your S/4HANA licenses should include migration rights. Check your purchase order and licensing agreement. If migration to S/4HANA requires additional licenses, that should be negotiated during the upgrade, not discovered during an audit. If SAP is claiming you need new licenses post-migration, push back on the basis of your original contract.
IBM's sub-capacity licensing allows you to license only the processor cores you actually use, not the entire server. This is the most technical audit in the enterprise, and it's also the most error-prone.
How Sub-Capacity Works: You run IBM software on a 64-core server but allocate only 16 cores to the IBM partition. You license those 16 cores. IBM's ILMT (License Metric Tool) tracks your usage and reports actual capacity used. If you exceed 16 cores, you're in breach.
The Problem: Sub-capacity requires precise hypervisor configuration, documented capacity allocation, and continuous monitoring. Most enterprises misconfigure this and discover it during an audit.
Defence: Before an IBM audit, audit yourself using ILMT. Run ILMT for 90 days and review the reports. If you've exceeded your sub-capacity allocation even once, you need to purchase additional capacity. Fix this before IBM finds it. During an audit, negotiate a retroactive license purchase (usually at a 20–30% discount if you're proactive about it).
IBM's ISIG is a specialized audit unit that conducts deep technical investigations. An ISIG audit is rare but expensive when it happens. They take 60–90 days and cost $50K–$150K in your employee time.
Why ISIG is Bad: ISIG audits are triggered by large discrepancies (usually detected through ILMT data). ISIG investigators are senior IBM licensing experts who think like auditors. They find things standard audits miss.
Defence: Never trigger an ISIG audit. This means running ILMT quarterly and fixing compliance gaps before IBM discovers them. If ISIG is already initiated, negotiate a fixed settlement amount before they complete their investigation, not after. Once ISIG issues findings, those findings are documented and used in future audits.
Salesforce audits focus on user counts. How many users do you have? Are they active? Are there "zombie" users consuming licenses?
Common Audit Finding: You license 500 Salesforce users. Salesforce audits and finds 550 active users (counted by login in the last 6 months). You're under-licensed by 50 users. Exposure: 50 × $165/month (typical Salesforce Professional price) = $8K/month or ~$100K/year.
Defence: Deactivate users aggressively. If a user hasn't logged in for 60 days, deactivate them. Run a quarterly user audit to identify zombies. Before a Salesforce audit, clean your user list. If Salesforce auditors still find more active users than you've licensed, negotiate the difference as a small true-up, not a full-year liability.
ServiceNow has become an enterprise standard platform, and audits are increasing. ServiceNow's licensing model has multiple seat types: Standard, Workflow Automation, and Discovery. The confusion is which users need which licenses.
Workflow Automation Users: Users who interact with ServiceNow only through automated workflows (no direct ServiceNow login) sometimes are exempt from licenses. But ServiceNow's definition is narrow. Audit exposure: if you're not tracking workflow-only users separately, you might be over-licensed or under-licensed depending on your mix.
Discovery Compliance: ServiceNow Discovery is a separate license. If you've enabled Discovery scanning, you need Discovery licenses. Most enterprises enable it and forget, creating audit exposure.
Defence: Map your ServiceNow user base by seat type (Standard, Workflow, Discovery). Document which users are workflow-only and which require direct access. Before an audit, clean this up. ServiceNow is more forgiving than Oracle/Microsoft on audit settlements, so this is lower-risk than other vendors.
Real data from 500+ audits settled over the last 3 years.
Investing in audit readiness now saves millions when vendors come calling.
A mature SAM programme is the best audit defence. It means you have documented software inventory, usage tracking, and compliance processes in place. When an audit letter arrives, you have proof of compliance ready to show.
SAM Programme Components:
You need a tool to track software assets. The three most common choices are:
ServiceNow ITAM: If you're already using ServiceNow, ITAM is a natural extension. It integrates with your IT Service Management processes. Cost: $1K–$5K/month depending on scale.
Flexera (formerly Flexera One): The most audit-friendly tool. It's built for compliance tracking and integrates directly with vendor databases (VLSC, Oracle, SAP). Cost: $5K–$20K/month.
Snow Software: Strong in endpoint management and cloud usage tracking. Good for hybrid environments. Cost: $2K–$10K/month.
Selection Criteria: Choose a tool that covers your environment (on-premises, cloud, endpoints) and integrates with your major vendors. Cheaper is not better: you need audit-grade reporting, not just inventory.
Every 90 days, pull a comprehensive licence position report from your SAM tool. Compare:
If gaps exist, fix them immediately. Either remove software that's not licensed, or purchase licenses for software you need. Never let gaps sit and compound. That's where audits find ammunition.
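One way to run that quarterly comparison in code rather than by hand, which also covers the ELP self-calculation recommended in the Microsoft chapter: the Python below is an added example, not the guide's own method and not Microsoft's ELP algorithm. It matches deployments to entitlements, lets an entitlement that carries Software Assurance or explicit downgrade rights cover older versions of the same product, and reports the uncovered and surplus quantities per product. The product names, versions and quantities are constructed sample data, shaped after the 200-seat Office example earlier on the page.

```python
"""Effective licence position: entitlements matched against deployments.

Added example, not from the original guide and not Microsoft's ELP
algorithm. It applies the two rules the guide names: an entitlement covers
deployments of the same product at the same version, and an entitlement
carrying Software Assurance or explicit downgrade rights also covers older
versions. All records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Entitlement:
    product: str
    version: int
    quantity: int
    downgrade_rights: bool   # True when SA or the contract grants downgrade rights


@dataclass
class Deployment:
    product: str
    version: int
    quantity: int


def _blank():
    return {"deployed": 0, "entitled": 0, "uncovered": 0, "surplus": 0}


def licence_position(entitlements, deployments):
    """Return {product: {deployed, entitled, uncovered, surplus}}.

    Deployments are processed newest version first, and for each one the
    exact-version entitlements are consumed before newer downgrade-capable
    ones, so downgrade rights are not spent where they are not needed.
    """
    # Working copy of the entitlements that we can draw down.
    pool = [Entitlement(e.product, e.version, e.quantity, e.downgrade_rights)
            for e in entitlements]
    report = {}
    for e in entitlements:
        report.setdefault(e.product, _blank())["entitled"] += e.quantity

    for d in sorted(deployments, key=lambda x: (x.product, -x.version)):
        entry = report.setdefault(d.product, _blank())
        entry["deployed"] += d.quantity
        need = d.quantity
        eligible = sorted(
            (e for e in pool
             if e.product == d.product and e.quantity > 0
             and (e.version == d.version
                  or (e.version > d.version and e.downgrade_rights))),
            key=lambda e: e.version,   # exact version first, then newer
        )
        for e in eligible:
            take = min(need, e.quantity)
            e.quantity -= take
            need -= take
            if need == 0:
                break
        entry["uncovered"] += need          # shortfall nothing could cover

    for e in pool:
        report[e.product]["surplus"] += e.quantity   # entitlements left over
    return report


# Constructed sample data. The Office rows mirror the guide's example: 200
# seats of Office 2016 deployed against a mix of 2016 entitlements and newer
# entitlements with Software Assurance. The Windows Server rows show the
# opposite case: a newer entitlement without downgrade rights cannot cover
# an older deployment.
ENTITLEMENTS = [
    Entitlement("Office Professional Plus", 2016, 150, downgrade_rights=False),
    Entitlement("Office Professional Plus", 2019, 100, downgrade_rights=True),
    Entitlement("Windows Server", 2019, 10, downgrade_rights=False),
]
DEPLOYMENTS = [
    Deployment("Office Professional Plus", 2016, 200),
    Deployment("Windows Server", 2016, 4),
    Deployment("Windows Server", 2019, 8),
]


def position_report():
    """Licence position for the constructed sample data."""
    return licence_position(ENTITLEMENTS, DEPLOYMENTS)


if __name__ == "__main__":
    for product, figures in position_report().items():
        print(product, figures)
```

Two things the output makes visible that a seat count alone does not: the Office line shows a 50-seat surplus only because the newer entitlements carry downgrade rights, and the Windows Server line shows 4 uncovered installs alongside a 2-licence surplus, because a surplus of a newer version without Software Assurance cannot be applied to older installs. Feed it the entitlement export from VLSC and the deployment data from your SAM tool, and keep the report with the quarter's evidence.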
At renewal time, use your audit readiness as a negotiation point. Tell your vendor: "We've invested in SAM. We audit ourselves quarterly. We're audit-ready. In exchange, we want pricing relief and an audit holiday (2–3 years without vendor audits)."
Vendors like audit readiness because it reduces their risk. They'll often trade favorable pricing or audit protections for the certainty that you're compliant.
We've defended enterprises in 500+ software audits. Average settlement reduction: 40–60% from opening claim. And you pay nothing if we don't save you money.