How Software License Audits Work and How to Prepare 

Software audits are disruptive. They consume time, tie up internal resources, and, if you are unprepared, can result in significant unbudgeted spend. But with the right approach, audits are manageable and need not result in panic or unnecessary cost. 

This article outlines how vendor audits typically work, what to expect, and the practical steps your organization should take now to prepare. 

What Is a Software Audit?

A software audit is a formal request by a vendor (or their appointed auditor) to review your software deployments, usage, and entitlements to ensure you are complying with licensing terms. 

They can be triggered by events like mergers and acquisitions, rapid growth, expired contracts, or just having the “wrong” product mix. Sometimes, vendors just decide it’s your turn.  

Most enterprise license agreements include audit clauses, so ignoring a notification or delaying a response is rarely a viable option. 

It is also important to understand who conducts the audit. The appointed auditor is often one of the Big Four accounting firms (Deloitte, EY or KPMG, for example). While they are presented as independent third parties, they are engaged and paid by the software publisher, and their findings should be read with that in mind: these auditors are not fully neutral, and their work ultimately supports the interests of the vendor. 

In some cases, audits are not just a compliance tool but a core part of a vendor’s business strategy. For example, publishers like Micro Focus and Broadcom have acquired software companies with widely deployed products, then aggressively audited existing customers. This approach is often used to quickly recoup the cost of acquisition and drive additional revenue beyond traditional licensing and support fees. Organizations working with such vendors should be especially prepared for audit activity. 

How the Audit Process Works 

Although every audit is slightly different, most follow a similar structure: 

1. Notification

The audit begins with a formal letter, usually from the vendor directly or from a third-party auditor acting on their behalf. You will need to acknowledge the notice, understand the scope, and confirm the legality of the request against your contract. Be aware that audit notifications can be sent to anyone in the organization who has accepted a EULA, including former employees. This can result in delays or missed communications if the recipient is no longer with the company or if the agreement was not centrally recorded. This reinforces the need for a proactive Software Asset Management (SAM) program, one that ensures agreements are centrally tracked and employees are educated to escalate any vendor communications promptly. 

It is also important to confirm and agree on the operative contract or license agreement the audit is being conducted under. While most enterprise agreements include audit rights, there have been cases where audits were initiated based on outdated, informal, or inapplicable agreements that did not grant such rights. In some instances, auditors have contacted organizations with no contractual authority to do so. Verifying the legal basis for the audit should be one of the first steps. 

Finally, be aware that changes to your IT environment after receiving an audit notice, such as quickly uninstalling software or decommissioning servers, can be detected using historical data or system timestamps and may be flagged during the data collection phase. Any modifications should be carefully considered, documented, and justifiable on their own merits, independent of the audit. 

2. Kick-off

An initial meeting is held with the auditor to define timelines, data sources, scope, and deliverables. It is essential to get clarity at this stage to avoid scope creep. 

Before this meeting, establish a core audit response team made up of representatives from IT, procurement, software asset management, and legal. The team should agree on a single point of contact for the auditor, and all communications should be reviewed by the team before they are sent.  

This team should meet in advance to align the overall audit strategy, especially if there are known compliance risks or plans to significantly increase or decrease usage of the vendor’s products. 

If there are any mitigating circumstances that could delay the audit or affect the quality of the data, they should be raised at this stage. Examples include limited availability of key personnel (as was common during the COVID pandemic), ongoing migrations that may distort inventory and usage data, or the need to put a non-disclosure agreement (NDA) in place before sensitive information can be shared. Highlighting these issues early helps set realistic expectations and may allow for adjustments to the audit timeline or scope. 

Finally, ensure the single point of contact is briefed to manage all communication with the auditor. This centralizes messaging, avoids conflicting information, and helps maintain control throughout the process. 

3. Data Collection

You will be asked to provide inventory reports and usage details for the products in scope. Vendors may also require you to run specific discovery tools or scripts to collect this data. Treat these like any other third-party code: review what they collect and where they send it, run them with the least privilege they need, and keep a copy of the exact script and its raw output, since the auditor's figures will be derived from it. 

It is important to clearly understand which products are officially in scope and what specific data is required to support the audit. Some requests may go beyond the agreed scope or appear to be fishing for evidence that could inflate deployment figures. This could include dormant installations, legacy environments, or remnants of uninstalled software. Scrutinize these requests and ensure that only relevant and appropriate data is shared. 

Additionally, be aware that some audit data, such as usernames or device names, may be considered sensitive from a security or compliance perspective. In such cases, consider masking or pseudonymizing this information where appropriate (consistently, so that per-device and per-user counts in the report are preserved), and seek agreement with the auditor on acceptable data handling practices. 
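As an added example (not code from the original article or from Certero), the following Python script tokenizes the identifying columns of a CSV inventory export with a keyed HMAC before the export is shared with an auditor. The column names, sample rows and product name are constructed for the illustration; the key stays with the audit response team, which also keeps the token-to-original mapping so that findings can still be traced back internally.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Columns that identify people or systems and can be tokenized; product,
# version and date columns are left verbatim because the auditor needs them.
# These column names are assumptions for the example, not a vendor format.
IDENTIFYING_COLUMNS = ("hostname", "username")


def make_pseudonymizer(key: bytes):
    """Return a function mapping a raw identifier to a stable token.

    HMAC-SHA256 under a key the organization keeps internally: the same
    hostname always yields the same token, so installation counts and
    per-device groupings in the report are preserved, but the auditor
    cannot reverse a token without the key.
    """
    def pseudonymize(value: str) -> str:
        normalized = value.strip().lower().encode("utf-8")  # "DB-PROD-01" == "db-prod-01"
        digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
        return "id-" + digest[:16]
    return pseudonymize


def mask_inventory(csv_text: str, key: bytes) -> tuple[str, dict[str, str]]:
    """Tokenize the identifying columns of a CSV inventory export.

    Returns the masked CSV and the token->original mapping. The mapping stays
    with the audit response team and is never sent to the auditor.
    """
    pseudonymize = make_pseudonymizer(key)
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    mapping: dict[str, str] = {}
    for row in reader:
        for col in IDENTIFYING_COLUMNS:
            if row.get(col):
                token = pseudonymize(row[col])
                mapping[token] = row[col]
                row[col] = token
        writer.writerow(row)
    return out.getvalue(), mapping


# Constructed sample export, not real audit data.
SAMPLE_INVENTORY = """hostname,username,product,version,install_date
db-prod-01,alice.smith,ExampleDB Enterprise,12.1,2023-04-02
db-prod-01,svc-backup,ExampleDB Enterprise,12.1,2023-04-02
db-prod-02,alice.smith,ExampleDB Enterprise,12.1,2023-05-17
"""

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store internally alongside the mapping; never share it
    masked, mapping = mask_inventory(SAMPLE_INVENTORY, key)
    print(masked)
    print(f"{len(mapping)} distinct identifiers tokenized")
```

Because the tokens are deterministic under the key, the auditor still sees that two installations sit on the same host and that one user appears on two hosts, which is what the licensing metrics depend on; what they do not see is which host or which person.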

4. Initial Findings

Once the auditor reviews your data, they’ll share a draft summary of potential risks or shortfalls.

5. Review and Response

You will have an opportunity to review the auditor’s findings, provide clarification, and contest any incorrect assumptions. The quality, accuracy, and completeness of your internal data will significantly impact your ability to challenge the report and negotiate from a position of strength. 

Auditors will often try to rush you into signing off on the report quickly. Do not agree to anything under pressure. Take the time to fully understand what is being presented, carefully review each line item, and gather your responses and objections in a clear, coordinated manner. 

Audit reports are often delivered in complex, difficult-to-interpret formats with little or no pricing information. This is intentional. Seemingly minor or unclear figures can represent substantial costs once the vendor applies commercial terms. Always scrutinize the data and question any unexplained metrics or assumptions before accepting the report. 

In addition, reports may include entitlement data provided by the publisher. While you might expect this to be accurate, it should not be accepted at face value. This data is often pulled using simple keyword searches in the vendor’s internal systems and can be incomplete, sometimes missing entire business units, historical purchases, or bundled entitlements. Always compare their entitlement view with your own records to ensure nothing has been overlooked. 
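To make that comparison concrete, here is an added Python example (not from the original article or from Certero's platform) that reconciles a vendor-supplied entitlement list against internal purchase records and computes the net license position each view produces. The product name, purchase references, quantities and deployment count are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    quantity: int
    reference: str  # PO number, contract ID or bundle name the purchase is recorded under


def reconcile(vendor_view: list[Entitlement], internal_records: list[Entitlement]) -> dict:
    """Compare the publisher's entitlement view with the organization's own records.

    Keyed on (product, reference) so the specific purchase missing from one
    side is named, rather than only a net quantity difference.
    """
    vendor = {(e.product, e.reference): e for e in vendor_view}
    internal = {(e.product, e.reference): e for e in internal_records}
    shared = vendor.keys() & internal.keys()
    return {
        "missing_from_vendor": sorted(k for k in internal if k not in vendor),
        "missing_from_internal": sorted(k for k in vendor if k not in internal),
        "quantity_mismatch": sorted(k for k in shared if vendor[k].quantity != internal[k].quantity),
    }


def license_position(entitlements: list[Entitlement], deployments: dict[str, int]) -> dict[str, int]:
    """Net position per product: entitled quantity minus deployed quantity.

    Negative means a shortfall the vendor will want to monetize; positive
    means headroom (or shelfware).
    """
    entitled: dict[str, int] = {}
    for e in entitlements:
        entitled[e.product] = entitled.get(e.product, 0) + e.quantity
    products = entitled.keys() | deployments.keys()
    return {p: entitled.get(p, 0) - deployments.get(p, 0) for p in products}


# Constructed sample data. The vendor's keyword search found only the original
# purchase; the internal records also hold a purchase made by an acquired
# business unit and an entitlement that arrived as part of a bundle.
PRODUCT = "ExampleDB Enterprise"
VENDOR_VIEW = [Entitlement(PRODUCT, 20, "PO-1001")]
INTERNAL_RECORDS = [
    Entitlement(PRODUCT, 20, "PO-1001"),
    Entitlement(PRODUCT, 10, "PO-1042"),    # acquired business unit
    Entitlement(PRODUCT, 5, "Suite-2019"),  # bundled entitlement
]
DEPLOYMENTS = {PRODUCT: 32}  # from the inventory supplied during data collection

if __name__ == "__main__":
    for key, value in reconcile(VENDOR_VIEW, INTERNAL_RECORDS).items():
        print(f"{key}: {value}")
    print("position per vendor view:     ", license_position(VENDOR_VIEW, DEPLOYMENTS))
    print("position per internal records:", license_position(INTERNAL_RECORDS, DEPLOYMENTS))
```

Run against the vendor's view alone, the constructed data shows a 12-license shortfall; once the two purchases the vendor's search missed are included, the organization is actually three licenses ahead. Each entry in `missing_from_vendor` is a specific purchase record you can put in front of the auditor, which is a far stronger position than disputing a net number.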

6. Resolution

If noncompliance is confirmed, the vendor will expect a commercial resolution, typically in the form of a license purchase, contractual amendment, or backdated support agreement. 

At this stage, any contentions that were not resolved during the Review and Response process will now need to be negotiated directly with the vendor, but with commercial terms added to the discussion. This can make it more difficult to challenge technical findings, so it is important to remain firm, organized, and backed by clear documentation. 

Future requirements, such as planned product adoption, upcoming renewals, or broader vendor relationships can often be used as leverage. Vendors may show more flexibility if they see future commercial opportunities, especially around their quarter-end or fiscal year-end, when they are under pressure to close deals and book revenue. Timing your negotiation with this in mind can help secure more favorable terms. 

Once the audit is formally closed, it is good practice to hold a ‘lessons learned’ session with the audit response team. This review should cover what went well, what could be improved, and identify any gaps in processes, tooling, or data quality that need to be addressed to reduce risk and improve audit readiness in the future. 

TL;DR

  • Conduct regular internal license reviews (such as Effective License Position assessments) to identify and address potential compliance gaps before an audit 
  • Centralize entitlement management so that license records are complete, accurate, and readily available when needed 
  • Maintain a reliable audit trail of software deployments, removals, and usage activity, especially for high-risk or high-value applications 
  • Educate employees not only to escalate vendor communications and EULA acceptances, but also to understand why software controls exist: not to limit productivity, but to protect the organization from financial, legal, and security risks 
  • Establish a cross-functional audit response team in advance, bringing together IT, procurement, SAM, and legal to coordinate a consistent and informed response 

Now that you know what to expect and how to prepare for a software audit, the next step is to ensure you have the right SAM solution in place. Certero’s ITAM and SAM platform gives you complete visibility and control over your software environment. With powerful discovery, licensing intelligence, and advanced reporting, Certero helps you stay compliant and optimize costs, supported by deep licensing expertise to interpret complex vendor terms and reduce audit risk. 

Consultant at Certero with deep expertise in Software Asset Management (SAM) and IT asset governance. Joe advises clients on navigating high-stakes licensing environments, offering detailed insights into deployment reporting formats, processor capacity definitions, and compliance contracts. His guidance helps organizations align governance strategies with modern SaaS and cloud complexities, transforming compliance risk into strategic advantage.
