You are registered. Your guide is ready. Read the full 2026 edition of the Vendor Audit Defence Handbook below.
Prepared by Atonement Licensing · buyer-side advisory · last reviewed June 2026. Figures are list-level or clearly labelled indicative ranges. The $12M opening claim used below is a representative benchmark scenario for illustration, not a quote.
Executive summary
A software vendor audit claim is an opening commercial position, not an invoice, and the buyers who treat it that way settle for a fraction of the first number. Across our audit defence engagements, initial claims fall by 72 percent on average, and the range achieved with structured challenge runs from 40 to 80 percent of the figure first presented. The reason is structural: audit teams at Oracle, SAP, and Microsoft build claims at list, on the vendor's most aggressive reading of the contract, using measurement methods designed to surface the largest possible finding.
On a representative finding, an opening claim that prices every flagged deployment at list, adds backdated support for the full alleged period, and reads every ambiguity in the vendor's favour models near $12M (indicative). The same finding, reconciled against an independent baseline, repriced at the buyer's contracted discount, stripped of unsupported backdated support, and resolved as a forward commitment, settles near $3.4M (indicative) — a reduction consistent with the 72 percent we see across engagements. The difference is not luck; it is structure, sequence, and the discipline to slow the process down.
This handbook explains how Oracle, SAP, Microsoft, IBM, and Salesforce build audit claims and where each one breaks: the Oracle LMS and GLAS process and its virtualisation positions, SAP indirect and digital access claims and the settlement framework that resolves them, Microsoft compliance reviews across Azure, Microsoft 365, and the VLSC record, a 90 day response protocol your team can run from the day the notice arrives, and the settlement structures that convert a backdated penalty into a forward deal a CFO can accept. The single most expensive mistake is moving too fast. Read the protocol in section five before responding to any auditor.
The software compliance audit industry: how claims are built
Vendor audits are a revenue programme, not a policing function. Oracle, SAP, IBM, and Microsoft each run dedicated organisations whose output is measured in closed findings and converted spend. The audit team that contacts you has targets, a playbook, and a settlement authority matrix. Understanding that machinery is the first move in audit defence, because every stage of the process is built to maximise the claim, and every stage can be challenged.
Claims are constructed in three moves. First, measurement: the vendor collects deployment data, preferably with its own scripts, and interprets every ambiguity in its own favour. Second, valuation: findings are priced at list, with backdated support added on top, often for the full period since the alleged deployment. Third, escalation: the claim letter lands with a short deadline and a copy to your executives, manufacturing pressure to settle quickly and badly. Each move has a counter — an independent baseline, a reprice at contracted discount, a single point of contact and a controlled timeline — and the sections that follow apply those counters vendor by vendor.
What puts you on the audit list
Audit selection is not random, and several triggers are predictable events on your own calendar: a reduction or cancellation of support or subscription spend, a move to third-party support, a declining renewal trajectory, merger and acquisition activity that changes entity names or headcount, an Oracle ULA approaching certification, a major migration to public cloud, and licensing questions your own staff raise with vendor support that signal uncertainty about entitlements. Most major vendors also run rotation cycles, so a large account can expect contact every three to four years regardless of behaviour.
| Vendor | Audit arm and tooling | Typical claim driver | Common inflation point |
|---|---|---|---|
| Oracle | LMS / GLAS, Oracle-provided scripts (OPS) | Database options, virtualisation, Java SE | Whole-cluster licensing claims, options enabled but unused |
| SAP | Global audit team, USMM and LAW measurements | Indirect and digital access, engine metrics | Document counts attributed to third-party systems |
| Microsoft | SAM engagements and formal audits via Big Four firms | Server licensing, M365 assignment gaps | Azure Hybrid Benefit miscounts, dev and test misclassification |
| IBM | Authorised auditors, ILMT records | Sub-capacity compliance | Full-capacity claims where ILMT history is incomplete |
Audit letters routinely say "licence review" or "software asset management engagement" rather than the contractual word audit. The distinction matters: a SAM engagement is usually voluntary, with no contractual obligation to participate, while a formal audit invokes the audit clause and its protections. Ask in writing which one you have received before you reply.
Action. The day a notice arrives, classify it — voluntary engagement or contractual audit — and route every vendor contact through one named owner. The first conceded data set is the one used against you.
2Oracle audit defence: LMS, GLAS, and the virtualisation claim
Oracle audits are run by License Management Services, now operating as Global Licensing and Advisory Services, GLAS. The engagement opens with a request to run Oracle-provided scripts across your estate. Those scripts collect raw configuration data, including options and management packs that are enabled whether or not they were ever used. Oracle prices findings from that raw output at list, using the Oracle Processor Core Factor Table to convert physical cores into licensable processors, typically at a 0.5 factor for Intel x86.
Where Oracle claims inflate
Three patterns generate most of the inflated value. Database options and packs such as Partitioning, Advanced Compression, and Diagnostics Pack are frequently enabled by default or by a DBA action that never reflected a purchase decision. Virtualisation claims assert that an entire VMware cluster, and in older positions an entire vCenter estate, must be licensed because soft partitioning does not limit licensing in Oracle's view. Java SE findings convert a handful of installations into an employee-metric subscription demand under the Java SE Universal Subscription, counting your whole workforce rather than your Java users.
How the claims break
The virtualisation position rests on Oracle's partitioning policy document, which is a statement of policy, not a contract term. Your obligations are defined by the Oracle Master Agreement or OLSA, your ordering documents, and the definitions they incorporate. Where the contract is silent on clusters, the claim is negotiable. Option findings break on usage evidence: feature usage views such as DBA_FEATURE_USAGE_STATISTICS distinguish enabled from used, and findings for options never used are routinely withdrawn or settled at a fraction. Backdated support demands break on the absence of any contractual basis in most agreements.
The Java SE line deserves its own discipline. The demand is priced on your total employee count, so a 20,000 employee enterprise with a few hundred actual Java installations faces a seven-figure annual ask. The defence runs on facts Oracle does not hold: an installation inventory that separates Oracle JDK from OpenJDK, evidence of which installations predate the subscription metric under older terms such as the Binary Code License, and a migration plan to a no-fee distribution for everything that does not contractually require Oracle Java. Scope it, evidence it, and negotiate the population, never the list price.
Action. Separate enabled from used before any script output leaves the building, and challenge every virtualisation and Java line against the contract, not the policy PDF. The full Oracle sequence is in our Oracle Audit Defense Playbook.
Under Oracle audit now? Our former LMS directors will assess the claim confidentially.
Oracle Audit DefenseSAP audit defence: indirect access, digital access, and the settlement framework
SAP audits arrive annually as a contractual measurement, run through USMM on each system and consolidated in the License Administration Workbench, LAW. The routine measurement covers named users and engine metrics. The expensive claims come from elsewhere: indirect and digital access, where third-party systems such as Salesforce, ServiceNow, or a custom web front end create or consume SAP documents without a named SAP login.
The digital access claim
Under the digital access model SAP prices indirect use by counting documents across nine defined types, including sales, invoice, purchase, and material documents. A claim typically attributes every document created through an interface to licensable digital access, at list, sometimes reaching back years. It inflates when documents created by licensed named users through middleware are double counted, when technical users are misclassified, and when counts include test and migration artifacts that were never transactional use.
The buyer response
Demand the document-level evidence behind the count and reconcile it against interface logs. Classify every integration: human-driven use by licensed users through a non-SAP front end is contestable, batch system-to-system traffic is priced differently, and migration loads are not transactional use. Then evaluate SAP's own programmes — the Digital Access Adoption Program has offered substantial discounts on document licences for customers who convert proactively, and the economics are far better negotiated before a claim is tabled than after. SAP's Software Use Rights document defines the measurable metrics and is the primary source to quote in any dispute. An S/4HANA or RISE evaluation on the table changes the settlement mathematics, because contract and product conversion credits give SAP a reason to resolve findings inside the migration deal, which is usually the cheapest place to settle them. Our SAP Indirect Access Playbook covers the clause language in depth.
SAP settlement practice follows an internal framework its negotiators describe as the licence audit settlement process. It grades customers by relationship value and migration potential, which means an S/4HANA or RISE conversation in flight moves the settlement in your favour. Time the two conversations together, not apart.
Action. Map every interface to a document type and a user before SAP does, and pull any digital-access settlement into your S/4HANA migration negotiation where conversion credits are cheapest.
4Microsoft compliance reviews: Azure, M365, and the VLSC record
Microsoft runs a tiered programme. SAM engagements are framed as collaborative and are generally voluntary. Formal audits invoke the audit clause in the Enterprise Agreement or MBSA and are executed by an independent firm, usually one of the Big Four. The distinction drives your obligations, your timeline, and your disclosure posture, so establish it first, in writing.
Microsoft claims concentrate in predictable places. Azure Hybrid Benefit findings allege that Windows Server or SQL Server licences claimed in Azure lack the Software Assurance the benefit requires, or that the same licences are counted on-premises and in Azure simultaneously. Microsoft 365 findings surface E3 and E5 assignment against departed users, service accounts holding full licences, and unlicensed access to shared workloads. Server findings turn on core counting, failover rights, and dev and test environments running production workloads under Visual Studio subscriptions.
The buyer's structural advantage is the record. The Volume Licensing Service Center, with the Microsoft 365 admin center beneath it, holds the entitlement history, and reconciliation between VLSC, your purchase records, and the auditor's deployment data routinely exposes claim errors: licences bought through a different enrollment, Software Assurance that was active in the relevant period, and double-counted estates. Quoting the applicable monthly edition of the Microsoft Product Terms for the period under review is the fastest way to retire a finding built on current rules applied retroactively. Microsoft resolution practice strongly favours forward spend: findings convert into an EA renewal uplift, an Azure commitment, or an E5 step-up at far below the claimed figure. See the Microsoft Audit Defense Playbook for the full sequence.
The largest, least recoverable losses happen in the first month, when scope is conceded and raw data is shared before an independent baseline exists (indicative).
The reduction range buyers achieve when a backdated penalty is restructured as a renewal, cloud commitment, or edition step-up rather than paid as billed (indicative).
Action. Reconcile the auditor's deployment data against VLSC and your purchase history line by line, and price every Microsoft finding as a forward commitment, never as the backdated invoice it arrives as.
The claim letter is the vendor's opening offer. The only number that matters is the one you reach after their measurement has been tested against your own.5
The 90 day audit response protocol
The defence is won or lost in the first month, before any finding exists. The protocol below organises the response from the day the notice arrives. It assumes a formal audit; for a voluntary SAM engagement, the first decision is whether to participate at all, and the answer is often no.
Take command of the process
Acknowledge in writing, confirm the audit clause and its limits, appoint a single point of contact, brief executives, and freeze ad hoc vendor conversations across the estate.
Build your own number first
Run internal discovery, assemble contracts and ordering documents, and produce an independent deployment and entitlement baseline before any vendor script runs or data is shared.
Reconcile, contest, resolve
Test every finding against the baseline line by line, contest measurement, interpretation, and valuation, then negotiate a forward settlement closed with written release language.
| Phase | Days | Actions | Owner |
|---|---|---|---|
| Control | 1 to 15 | Acknowledge in writing, confirm the audit clause and its limits, appoint a single point of contact, brief executives, freeze ad hoc vendor conversations | CIO with legal counsel |
| Baseline | 15 to 45 | Build the independent deployment and entitlement baseline, gather contracts and ordering documents, run internal discovery before any vendor scripts | SAM lead with external advisor |
| Scope and share | 45 to 60 | Agree scope, format, and confidentiality in writing, share only agreed data sets, review every output before release | Single point of contact |
| Challenge | 60 to 75 | Reconcile vendor findings against the baseline, contest measurement, interpretation, and valuation line by line | Advisor with legal counsel |
| Settle | 75 to 90 | Negotiate the commercial resolution, prefer forward structures, close with written release language | CIO, CFO, procurement |
| Protection | Typical contract language | What to enforce in practice |
|---|---|---|
| Notice period | Written notice, often 45 days | The clock starts at proper written notice, not a phone call |
| Frequency | No more than once in any 12 month period | Reject overlapping or repeat engagements within the window |
| Scope | Programs licensed under this agreement | Exclude entities, environments, and products outside the agreement |
| Business disruption | Conducted during normal business hours, minimal interference | Schedule collection windows on your operational calendar |
| Confidentiality | Findings treated as confidential information | No copying of results to executives outside the agreed channel |
Action. Run the control phase in the first 15 days without exception. Every day of delay is a day the vendor sets the scope, the method, and the clock.
6Settlement structures: from backdated penalty to forward deal
Almost no audit settles at the claimed figure, and almost none settles as a simple cheque for past use. The resolution every major vendor actually prefers is forward spend, because a backdated penalty closes one quarter while a forward commitment grows the account for years. That preference is the buyer's settlement currency. A claim restructured as a renewal uplift, a cloud or subscription commitment, an edition step-up, or a migration credit routinely lands far below the number first presented, and it buys protections the cash settlement never would.
The bars above show where reduction comes from on a typical multi-vendor claim, expressed as indicative shares of the opening number; the levers stack, which is how a 72 percent average is reached. The discipline is to negotiate each one explicitly rather than accept a single bundled discount that hides which concessions you actually won.
| Vendor | Preferred resolution | What to secure in the release |
|---|---|---|
| Oracle | Cloud (OCI) commitment or subscription migration | Full release of past claims, fixed metrics, Java population capped |
| SAP | Digital Access conversion inside S/4HANA or RISE | Document baseline frozen, conversion credits, future indirect use defined |
| Microsoft | EA renewal uplift, Azure commitment, or E5 step-up | Written release, corrected entitlement record, no retroactive rules |
| IBM / Salesforce | Sub-capacity true-up or edition expansion at renewal | Release of historic exposure, corrected ILMT or edition record |
Action. Insist on written release language that closes the historic claim in full, corrects the entitlement record, and bars retroactive application of current rules. A settlement that leaves the record uncorrected invites the same finding next cycle.
7Building a standing audit-ready capability
The buyers who lose least are not the ones who respond best to a notice; they are the ones who never meet an auditor with a weak record. The discipline in this handbook extends across the portfolio — IBM, where Passport Advantage sub-capacity rights collapse to full-capacity claims the moment ILMT history is incomplete, and Salesforce, where reviews focus on API consumption, community and portal access patterns, and feature use that belongs to a higher edition such as Unlimited rather than Enterprise. The contractual anchor differs by vendor, but the defence pattern is identical: verify the measurement, anchor on the contract document, and settle forward.
Treat audit readiness as a standing capability, not an emergency response. Maintain an independent deployment-and-entitlement baseline, refreshed quarterly and owned in software asset management; keep contracts, amendments, and ordering documents in one place; and sequence every planned commercial event — a support reduction, a ULA exit, a cloud migration — so the defensible baseline exists before the event, not after it. Buyers who sequence it the other way meet the auditor with their weakest possible record.
Action. Stand up a quarterly entitlement review across your top five vendors now, while no audit is open. The che