White Paper · Multi-Vendor

Vendor Audit Defence Handbook 2026

By Atonement Licensing Advisory · Last reviewed: June 2026

You are registered. Your guide is ready. Read the full 2026 edition below: how Oracle, SAP, and Microsoft build audit claims, and how buyers take them apart.

You are registered. Your guide is ready. Read the full 2026 edition of the Vendor Audit Defence Handbook below.

Prepared by Atonement Licensing · buyer-side advisory · last reviewed June 2026. Figures are list-level or clearly labelled indicative ranges. The $12M opening claim used below is a representative benchmark scenario for illustration, not a quote.

Executive summary

A software vendor audit claim is an opening commercial position, not an invoice, and the buyers who treat it that way settle for a fraction of the first number. Across our audit defence engagements, initial claims fall by 72 percent on average, and the range achieved with structured challenge runs from 40 to 80 percent of the figure first presented. The reason is structural: audit teams at Oracle, SAP, and Microsoft build claims at list, on the vendor's most aggressive reading of the contract, using measurement methods designed to surface the largest possible finding.

On a representative finding, an opening claim that prices every flagged deployment at list, adds backdated support for the full alleged period, and reads every ambiguity in the vendor's favour models near $12M (indicative). The same finding, reconciled against an independent baseline, repriced at the buyer's contracted discount, stripped of unsupported backdated support, and resolved as a forward commitment, settles near $3.4M (indicative) — a reduction consistent with the 72 percent we see across engagements. The difference is not luck; it is structure, sequence, and the discipline to slow the process down.

This handbook explains how Oracle, SAP, Microsoft, IBM, and Salesforce build audit claims and where each one breaks: the Oracle LMS and GLAS process and its virtualisation positions, SAP indirect and digital access claims and the settlement framework that resolves them, Microsoft compliance reviews across Azure, Microsoft 365, and the VLSC record, a 90 day response protocol your team can run from the day the notice arrives, and the settlement structures that convert a backdated penalty into a forward deal a CFO can accept. The single most expensive mistake is moving too fast. Read the protocol in section five before responding to any auditor.

72%Average audit claim reduction across Atonement engagements
$8.6MGap between opening claim and forward settlement on the benchmark finding (indicative)
$2.4B+Contract value negotiated for buyers
500+Enterprise engagements
1

The software compliance audit industry: how claims are built

Vendor audits are a revenue programme, not a policing function. Oracle, SAP, IBM, and Microsoft each run dedicated organisations whose output is measured in closed findings and converted spend. The audit team that contacts you has targets, a playbook, and a settlement authority matrix. Understanding that machinery is the first move in audit defence, because every stage of the process is built to maximise the claim, and every stage can be challenged.

Claims are constructed in three moves. First, measurement: the vendor collects deployment data, preferably with its own scripts, and interprets every ambiguity in its own favour. Second, valuation: findings are priced at list, with backdated support added on top, often for the full period since the alleged deployment. Third, escalation: the claim letter lands with a short deadline and a copy to your executives, manufacturing pressure to settle quickly and badly. Each move has a counter — an independent baseline, a reprice at contracted discount, a single point of contact and a controlled timeline — and the sections that follow apply those counters vendor by vendor.

What puts you on the audit list

Audit selection is not random, and several triggers are predictable events on your own calendar: a reduction or cancellation of support or subscription spend, a move to third-party support, a declining renewal trajectory, merger and acquisition activity that changes entity names or headcount, an Oracle ULA approaching certification, a major migration to public cloud, and licensing questions your own staff raise with vendor support that signal uncertainty about entitlements. Most major vendors also run rotation cycles, so a large account can expect contact every three to four years regardless of behaviour.

Table 1, How the major vendors construct and value audit claims
VendorAudit arm and toolingTypical claim driverCommon inflation point
OracleLMS / GLAS, Oracle-provided scripts (OPS)Database options, virtualisation, Java SEWhole-cluster licensing claims, options enabled but unused
SAPGlobal audit team, USMM and LAW measurementsIndirect and digital access, engine metricsDocument counts attributed to third-party systems
MicrosoftSAM engagements and formal audits via Big Four firmsServer licensing, M365 assignment gapsAzure Hybrid Benefit miscounts, dev and test misclassification
IBMAuthorised auditors, ILMT recordsSub-capacity complianceFull-capacity claims where ILMT history is incomplete
Insider note

Audit letters routinely say "licence review" or "software asset management engagement" rather than the contractual word audit. The distinction matters: a SAM engagement is usually voluntary, with no contractual obligation to participate, while a formal audit invokes the audit clause and its protections. Ask in writing which one you have received before you reply.

Action. The day a notice arrives, classify it — voluntary engagement or contractual audit — and route every vendor contact through one named owner. The first conceded data set is the one used against you.

2

Oracle audit defence: LMS, GLAS, and the virtualisation claim

Oracle audits are run by License Management Services, now operating as Global Licensing and Advisory Services, GLAS. The engagement opens with a request to run Oracle-provided scripts across your estate. Those scripts collect raw configuration data, including options and management packs that are enabled whether or not they were ever used. Oracle prices findings from that raw output at list, using the Oracle Processor Core Factor Table to convert physical cores into licensable processors, typically at a 0.5 factor for Intel x86.

Where Oracle claims inflate

Three patterns generate most of the inflated value. Database options and packs such as Partitioning, Advanced Compression, and Diagnostics Pack are frequently enabled by default or by a DBA action that never reflected a purchase decision. Virtualisation claims assert that an entire VMware cluster, and in older positions an entire vCenter estate, must be licensed because soft partitioning does not limit licensing in Oracle's view. Java SE findings convert a handful of installations into an employee-metric subscription demand under the Java SE Universal Subscription, counting your whole workforce rather than your Java users.

How the claims break

The virtualisation position rests on Oracle's partitioning policy document, which is a statement of policy, not a contract term. Your obligations are defined by the Oracle Master Agreement or OLSA, your ordering documents, and the definitions they incorporate. Where the contract is silent on clusters, the claim is negotiable. Option findings break on usage evidence: feature usage views such as DBA_FEATURE_USAGE_STATISTICS distinguish enabled from used, and findings for options never used are routinely withdrawn or settled at a fraction. Backdated support demands break on the absence of any contractual basis in most agreements.

Insider note. Oracle's standard audit clause requires 45 days written notice, limits audits to no more than once per year, and obliges Oracle to keep findings confidential. It does not oblige you to run OPS scripts on any specific timeline, and it does not entitle Oracle to data from environments outside the agreement's scope. Hold those lines from the first response letter.

The Java SE line deserves its own discipline. The demand is priced on your total employee count, so a 20,000 employee enterprise with a few hundred actual Java installations faces a seven-figure annual ask. The defence runs on facts Oracle does not hold: an installation inventory that separates Oracle JDK from OpenJDK, evidence of which installations predate the subscription metric under older terms such as the Binary Code License, and a migration plan to a no-fee distribution for everything that does not contractually require Oracle Java. Scope it, evidence it, and negotiate the population, never the list price.

Action. Separate enabled from used before any script output leaves the building, and challenge every virtualisation and Java line against the contract, not the policy PDF. The full Oracle sequence is in our Oracle Audit Defense Playbook.

Under Oracle audit now? Our former LMS directors will assess the claim confidentially.

Oracle Audit Defense
3

SAP audit defence: indirect access, digital access, and the settlement framework

SAP audits arrive annually as a contractual measurement, run through USMM on each system and consolidated in the License Administration Workbench, LAW. The routine measurement covers named users and engine metrics. The expensive claims come from elsewhere: indirect and digital access, where third-party systems such as Salesforce, ServiceNow, or a custom web front end create or consume SAP documents without a named SAP login.

The digital access claim

Under the digital access model SAP prices indirect use by counting documents across nine defined types, including sales, invoice, purchase, and material documents. A claim typically attributes every document created through an interface to licensable digital access, at list, sometimes reaching back years. It inflates when documents created by licensed named users through middleware are double counted, when technical users are misclassified, and when counts include test and migration artifacts that were never transactional use.

The buyer response

Demand the document-level evidence behind the count and reconcile it against interface logs. Classify every integration: human-driven use by licensed users through a non-SAP front end is contestable, batch system-to-system traffic is priced differently, and migration loads are not transactional use. Then evaluate SAP's own programmes — the Digital Access Adoption Program has offered substantial discounts on document licences for customers who convert proactively, and the economics are far better negotiated before a claim is tabled than after. SAP's Software Use Rights document defines the measurable metrics and is the primary source to quote in any dispute. An S/4HANA or RISE evaluation on the table changes the settlement mathematics, because contract and product conversion credits give SAP a reason to resolve findings inside the migration deal, which is usually the cheapest place to settle them. Our SAP Indirect Access Playbook covers the clause language in depth.

Insider note

SAP settlement practice follows an internal framework its negotiators describe as the licence audit settlement process. It grades customers by relationship value and migration potential, which means an S/4HANA or RISE conversation in flight moves the settlement in your favour. Time the two conversations together, not apart.

Action. Map every interface to a document type and a user before SAP does, and pull any digital-access settlement into your S/4HANA migration negotiation where conversion credits are cheapest.

4

Microsoft compliance reviews: Azure, M365, and the VLSC record

Microsoft runs a tiered programme. SAM engagements are framed as collaborative and are generally voluntary. Formal audits invoke the audit clause in the Enterprise Agreement or MBSA and are executed by an independent firm, usually one of the Big Four. The distinction drives your obligations, your timeline, and your disclosure posture, so establish it first, in writing.

Microsoft claims concentrate in predictable places. Azure Hybrid Benefit findings allege that Windows Server or SQL Server licences claimed in Azure lack the Software Assurance the benefit requires, or that the same licences are counted on-premises and in Azure simultaneously. Microsoft 365 findings surface E3 and E5 assignment against departed users, service accounts holding full licences, and unlicensed access to shared workloads. Server findings turn on core counting, failover rights, and dev and test environments running production workloads under Visual Studio subscriptions.

The buyer's structural advantage is the record. The Volume Licensing Service Center, with the Microsoft 365 admin center beneath it, holds the entitlement history, and reconciliation between VLSC, your purchase records, and the auditor's deployment data routinely exposes claim errors: licences bought through a different enrollment, Software Assurance that was active in the relevant period, and double-counted estates. Quoting the applicable monthly edition of the Microsoft Product Terms for the period under review is the fastest way to retire a finding built on current rules applied retroactively. Microsoft resolution practice strongly favours forward spend: findings convert into an EA renewal uplift, an Azure commitment, or an E5 step-up at far below the claimed figure. See the Microsoft Audit Defense Playbook for the full sequence.

First-30-day exposureMost of it

The largest, least recoverable losses happen in the first month, when scope is conceded and raw data is shared before an independent baseline exists (indicative).

Forward-deal settlement40 to 80%

The reduction range buyers achieve when a backdated penalty is restructured as a renewal, cloud commitment, or edition step-up rather than paid as billed (indicative).

Action. Reconcile the auditor's deployment data against VLSC and your purchase history line by line, and price every Microsoft finding as a forward commitment, never as the backdated invoice it arrives as.

The claim letter is the vendor's opening offer. The only number that matters is the one you reach after their measurement has been tested against your own.
5

The 90 day audit response protocol

The defence is won or lost in the first month, before any finding exists. The protocol below organises the response from the day the notice arrives. It assumes a formal audit; for a voluntary SAM engagement, the first decision is whether to participate at all, and the answer is often no.

Days 1 to 15 · Control

Take command of the process

Acknowledge in writing, confirm the audit clause and its limits, appoint a single point of contact, brief executives, and freeze ad hoc vendor conversations across the estate.

Days 15 to 60 · Baseline

Build your own number first

Run internal discovery, assemble contracts and ordering documents, and produce an independent deployment and entitlement baseline before any vendor script runs or data is shared.

Days 60 to 90 · Challenge and settle

Reconcile, contest, resolve

Test every finding against the baseline line by line, contest measurement, interpretation, and valuation, then negotiate a forward settlement closed with written release language.

Table 2, The 90 day audit response protocol
PhaseDaysActionsOwner
Control1 to 15Acknowledge in writing, confirm the audit clause and its limits, appoint a single point of contact, brief executives, freeze ad hoc vendor conversationsCIO with legal counsel
Baseline15 to 45Build the independent deployment and entitlement baseline, gather contracts and ordering documents, run internal discovery before any vendor scriptsSAM lead with external advisor
Scope and share45 to 60Agree scope, format, and confidentiality in writing, share only agreed data sets, review every output before releaseSingle point of contact
Challenge60 to 75Reconcile vendor findings against the baseline, contest measurement, interpretation, and valuation line by lineAdvisor with legal counsel
Settle75 to 90Negotiate the commercial resolution, prefer forward structures, close with written release languageCIO, CFO, procurement
Table 3, Audit clause protections to confirm and enforce
ProtectionTypical contract languageWhat to enforce in practice
Notice periodWritten notice, often 45 daysThe clock starts at proper written notice, not a phone call
FrequencyNo more than once in any 12 month periodReject overlapping or repeat engagements within the window
ScopePrograms licensed under this agreementExclude entities, environments, and products outside the agreement
Business disruptionConducted during normal business hours, minimal interferenceSchedule collection windows on your operational calendar
ConfidentialityFindings treated as confidential informationNo copying of results to executives outside the agreed channel

Action. Run the control phase in the first 15 days without exception. Every day of delay is a day the vendor sets the scope, the method, and the clock.

6

Settlement structures: from backdated penalty to forward deal

Almost no audit settles at the claimed figure, and almost none settles as a simple cheque for past use. The resolution every major vendor actually prefers is forward spend, because a backdated penalty closes one quarter while a forward commitment grows the account for years. That preference is the buyer's settlement currency. A claim restructured as a renewal uplift, a cloud or subscription commitment, an edition step-up, or a migration credit routinely lands far below the number first presented, and it buys protections the cash settlement never would.

Reprice findings at contracted discount
15 to 30%
Strip unsupported backdated support
10 to 25%
Convert to forward cloud or subscription deal
20 to 40%
Withdraw never-used option findings
Varies

The bars above show where reduction comes from on a typical multi-vendor claim, expressed as indicative shares of the opening number; the levers stack, which is how a 72 percent average is reached. The discipline is to negotiate each one explicitly rather than accept a single bundled discount that hides which concessions you actually won.

Table 4, Forward settlement structures by vendor (indicative)
VendorPreferred resolutionWhat to secure in the release
OracleCloud (OCI) commitment or subscription migrationFull release of past claims, fixed metrics, Java population capped
SAPDigital Access conversion inside S/4HANA or RISEDocument baseline frozen, conversion credits, future indirect use defined
MicrosoftEA renewal uplift, Azure commitment, or E5 step-upWritten release, corrected entitlement record, no retroactive rules
IBM / SalesforceSub-capacity true-up or edition expansion at renewalRelease of historic exposure, corrected ILMT or edition record

Action. Insist on written release language that closes the historic claim in full, corrects the entitlement record, and bars retroactive application of current rules. A settlement that leaves the record uncorrected invites the same finding next cycle.

7

Building a standing audit-ready capability

The buyers who lose least are not the ones who respond best to a notice; they are the ones who never meet an auditor with a weak record. The discipline in this handbook extends across the portfolio — IBM, where Passport Advantage sub-capacity rights collapse to full-capacity claims the moment ILMT history is incomplete, and Salesforce, where reviews focus on API consumption, community and portal access patterns, and feature use that belongs to a higher edition such as Unlimited rather than Enterprise. The contractual anchor differs by vendor, but the defence pattern is identical: verify the measurement, anchor on the contract document, and settle forward.

Treat audit readiness as a standing capability, not an emergency response. Maintain an independent deployment-and-entitlement baseline, refreshed quarterly and owned in software asset management; keep contracts, amendments, and ordering documents in one place; and sequence every planned commercial event — a support reduction, a ULA exit, a cloud migration — so the defensible baseline exists before the event, not after it. Buyers who sequence it the other way meet the auditor with their weakest possible record.

Action. Stand up a quarterly entitlement review across your top five vendors now, while no audit is open. The che

Ready to defend your next audit?

Independent buyer-side advisors. Confidential assessment within one business day.

Book a 30 Minute Call