Software Audit Defense Tactics

Laura Kenny – ITAM Consultant for Certero

Laura’s experience spans many different business disciplines, including service asset and configuration management, hardware and software asset management, project coordination, process improvement and automation.


Responding to software vendor audits can cause serious disruption to your year, not to mention the inevitable bill to atone for any licensing shortfalls. Whilst it’s true that software audits are a strategically-timed, revenue-generating activity for software vendors, there are a number of tactics you can use to limit the impact or even prevent the audit altogether.

In this blog, Certero’s software audit defense experts break down the top 10 frequently asked questions around what you can do to reduce the risks of a software vendor audit.

1. Does the software vendor have the right to audit?

As described in our What is the Software Audit Process blog you should assemble a Software Audit Task Force in response to a vendor’s request to audit your business. This task force should include stakeholders from across the business, including Legal, who can be extremely helpful in querying the validity of the vendor audit request – it may be possible to deny the request and avoid the audit.

Your legal team should help to qualify:

  • Does your vendor agreement contain the audit clause?
  • Does your contract include any bespoke clauses that prohibit the request to audit?
  • Is the request to audit against the most recent contract?
  • Is there a potential conflict of interest with the 3rd-party auditor? (i.e. have they audited you recently for another software vendor?)

2. Can you delay a software vendor audit?

Whilst software vendor audits are usually ultimately mandatory, the vendor should respect the fact that an audit presents unplanned additional workload. It is common for the vendor to give you 45 days to issue a receipt acknowledging the request, but they will usually push to arrange an initial kick-off meeting much earlier. There are however, reasons why this could be reasonably delayed, such as:

  • Workload – you could be in the middle of a major new system launch or roll-out, which would impact the business to delay.
  • Personnel – are all the required stakeholders actually available? Temporary delays would usually be accepted, however long-term absences should already be covered.
  • Legal / due diligence – The validation of the audit request could reasonably take some time to qualify through legal, as would a request to sign an None Disclosure Agreement (NDA).
  • Other audits – One software audit tends to follow another as vendors recognize the lack of control. If you’ve recently been through the process with another vendor, it is reasonable to delay the request.

Whilst delaying an audit is reasonable, it is not okay to use this time to correct any licensing problems and this impression should certainly not be given to the software vendor.

3. Can you limit the scope of a software audit?

Once engaged with the vendor, it is essential to define and agree the precise scope of the audit. Understanding scope prevents rival interpretations and any risk of the vendor from claiming later on to have ‘discovered’ any software on systems that you believed were out-of-scope. If unsure, seek external, independent expertise to clarify this.

This is the point that you can potentially negotiate the scope of the audit, either by the vendor’s products, or your business structure if there are specific legal entities, or potentially specific locations and geographic regions.

Also consider that if the vendor refuses to negotiate scope, they usually will negotiate an NDA. Therefore ensure that boundaries that define how information is shared and that it is only data directly applicable to the questions the vendor is allowed to ask.

4. Can you dictate what tools are used in a software audit?

It is general practice to use existing inventory tools you have installed to gather data, however there are some exceptions where this can become problematic.

Having good quality data is critical to audit defense, as the more you can prove, the more you can argue your position successfully.

There are risks where the software vendor stipulates that they will only accept inventory data from their own tools or scripts or from formally-verified 3rd-party solutions, as this can mean you have no knowledge of the information being submitted.

Notable vendors include:

  • Oracle – Oracle License Management Services (LMS) will typically deploy their own scripts in an audit, limiting your visibility of information being submitted. Alternatively, they have a select list of formally verified 3rd party tool vendors, that ‘have been verified to provide information that Oracle will accept whenever accurate measurement data is needed’. Using one of these approved 3rd party toolsets for ‘Oracle Database and Database Options’, ‘Oracle Fusion Middleware’ or ‘Java SE’ gives you visibility of your Oracle deployments and the data submitted to the vendor in an audit (Certero for Oracle is verified for all 3 categories).
  • IBM – Contracts typically stipulate that IBM customers with sub-capacity (virtualized) environments need to have the IBM License Metric Tool (ILMT) installed, or risk becoming out of compliance and losing sub-capacity licensing rights. As ILMT can be a challenge to run and configure, solutions like Certero for IBM can be used to help to validate ILMT deployments and automate complex license reconciliation processes.
  • Microsoft – Microsoft does not have formally verified 3rd party toolsets, common popular misconceptions when certain tools are regularly used by appointed auditors. Tool selections by 3rd party auditors are typically dictated by commercial agreements with the tool vendors, not the software vendor.

If using existing toolsets, you need to be aware of whether your data-gathering solutions are up to the task. The auditor will outline the data that they require, typically:

  • Device names
  • Users
  • Device types (physical or virtual)
  • Environments
  • Hardware details (make, model, cpu, cores, etc.)
  • Operating systems
  • Application details (including version & edition…)

This should also be submitted in approved forms, such as:

  • Exported reports from ITAM / SAM tools
  • License files
  • Log files

The challenge here is to ensure that the data you submit is accurate, as this can introduce risk into the processes.

For example, here are some common pitfalls:

  • ITAM tools – beware that a software inventory provided by an ITAM tool may lack the intelligent Software Recognition to accurately identify what discovered software really is, in terms of licensable versions and editions. If information submitted to a vendor is vague, the vendor would typically err on the side of caution in their own favor. So, if software is discovered and it is unclear whether it is a standard or professional version for example, the vendor would typically assume it is the most expensive option, as you have not provided evidence to the contrary.
  • Microsoft System Centre Configuration Manager (SCCM) – be mindful of potential gaps in coverage, such as with servers or any none-windows environments.

5. Can you challenge the results of a Software Audit?

Not only can you challenge the results, you absolutely should validate the finding against your own Effective License Position (ELP). SAM is difficult to get right and it’s very common for software vendors and their audit partners to make expensive mistakes, as this Certero Case Study demonstrates.

Always be prepared to challenge anything that doesn’t look correct and bear in mind that there is always a degree of assumption when interpreting data. Therefore, the better armed with accurate information you are, and the stronger your licensing knowledge, the better positioned you are to interpret results in your favor; reducing exposures and cost.

If the software vendor is using a 3rd party to audit you, then you may be able to access the audit results before it’s submitted to the vendor.

6. Can you get help with a software vendor audit?

Yes – you can get help before, or even during an audit and it will have two major benefits:

  1. The entire process is FAR less time consuming and disruptive. For example – Certero’s Audit Defense Service provides everything you need in one complete package:

Technology – to accurately discover and identify all the software in scope.

People – a team of licensing experts including dedicated specialists for the most challenging               licensing vendors, like Microsoft, Oracle, IBM and SAP.

Process – Certero guide you through the dialogue with the vendor and ensure you’re           informed and in control.

  1. You can reduce costs. Software audits are revenue generating activities for vendors, and whilst it’s only fair that you rightly pay for the software you’ve had the ability to use, expert audit defense makes sure you’re not paying for any mistakes in the ELP process itself, any unfair interpretations of your contractual rights or anything that should not be in-scope.

As long as you can provide evidence for your license position, you can use the rules in your favor. Therefore, highly experienced SAM experts using the best technology available to get clarity of your software, are in the best possible position to achieve cost-savings and reduce risks.

7. Can you negotiate a software audit settlement?

Yes – you can always negotiate. The best result of an audit for a software vendor is to maneuver you to sign up for another lengthy and profitable contract. So, following an audit, if there is a significant settlement figure to pay, then the vendor will usually leverage this against the cost of signing up to a new agreement and further investing in their products.

Don’t forget that audits are sales activity and salespeople will usually be incentivized to sell new volume licensing agreements, so it’s in their interest to negotiate. Ultimately, there’s no escaping the fact that you owe money and certain vendors are much more likely to demand payment than others, but you can use this to make the most out of the situation and limit the wasted expenditure as much as possible and potentially add-in clauses that reduce the likelihood of another unforeseen audit – typically a no-audit assurance of 2-3years would be accepted.

 8. Can you delete software that is out of compliance?

No – you can not simply delete software that you’ve used but not correctly licensed. Aside from the fact that you’ve deployed the software and therefore entered into the End User License Agreement (EULA) and trying not to pay for it later is essentially theft, you must also bear in mind that if the audit processes ends up in court, any semblance of dishonesty could end up being very costly. Being publicly exposed as dishonest in a court room would also bring your organisation into disrepute.

9. Can you control the data submitted to the software auditor?

Yes – you can and should control any data submitted to the auditor as you will want to make sure it’s accurate and has been rightly approved by your audit task force. This does not mean however, that you should try to manipulate of falsify the data in any way. Again, and suggestion of wrong doing and the issue will go to court.

You need to control the data being submitted so that you understand the landscape and don’t give away anything unnecessary. It is after all; private and confidential company information and all communications should be marked as such.

10. How do you avoid software audits?

Of course, the best way to avoid all of the unnecessary cost and disruption around software audits is to proactively manage software and optimize your licensing. This can be done with either the right tools and expertise developed in-house, or simply and effectively through a SAM Managed Service.

Certero SAM for example, is about maintain a state of constant compliance and control over software strategy and costs, so when a vendor comes knocking, the information you require is already available and most importantly – proves you’re neither at risk of under-licensing or routinely over-spending on software you don’t need…

If you’d like help with a software vendor audit or any aspect of your IT Asset Management, speak to experts at Certero today.


Follow us on Linkedin for more SAM


Read more like this from

Need help understanding your software use rights?

Certero’s [software-as-a-service] Solution

Certero help organizations transform their outdated operations and technologies in days and weeks not years. All of Certero’s solutions can be delivered as SaaS with no loss of functionality. 

Certero Unified Platform
Learn more about Certero’s truly unique ‘unified’ platform.

Digital Transformation Edition
Transform in days and weeks, not months and years, start your journey now.

Verified Oracle LMS/GLAS Solution
Verified LMS (License Management Services), now GLAS (Global Licensing & Advisory Services) solution.

Cloud Management
Manage Visibility, Cost and Governance of your Cloud Resources 

Enterprise Standard Edition – ITAM / SAM for Wintel
Default solution to manage ITAM/SAM for a Wintel environment. 

Enterprise Premium Edition – ITAM / SAM for Wintel
All you need in one place to manage your ITAM/SAM for a Wintel & Citrix environment. 

Stand-a-lone or holistic solutions for IBM, SAP and Oracle.

Software License Compliance
One Stop Shop, products and services for any solution – all in one

Business Intelligence Solution
See how to turn DATA into INFORMATION then transform into KNOWLEDGE, all in a few clicks. 

IT Asset Visibility
Find out: What do I own? Where is it located? Who is using it?

ITSM & CMDB Integration 
Populating the CMDB with ‘Quality’ asset information is more critical than ever

SaaS Subscription Management
Discover, manage and optimize your SaaS investments.

Everything in One place, True Unification

IT Hardware, Software, SaaS and Cloud Asset Management products that can run ‘stand-a-lone’ or ‘holistically’ and optimally together as a single solution, no dependencies. True unification across all asset and platforms and all delivered as SaaS. All of Certero’s products have the best TTV (Time to Value) by some distance.

Certero for Enterprise ITAM
Networks, printers, routers, Wintel, Mac, Linux, zLinux, Unix, all virtualizations and much more….

Certero for Enterprise SAM
Focused on Wintel software vendors, including automated solutions for Microsoft, Adobe and much more…

Certero App Centre 
Enterprise ‘Application Portal’ for Self-Service application provisioning.

Certero for Mobile
Go beyond standard MDM and deliver full management and security for your mobile workforce.

Certero SRDB (Software Recognition)
Transform raw software inventory data into actionable intelligence about application usage and licensing.

Certero for Oracle 
Optimize your Oracle Database, Middleware and E-Business Suite applications.

Certero for IBM
Discover and manage all IBM software & entitlements across the network. Dual Inventory, ILMT and Certero.

Certero for SAP Applications
Managing and automating the analysis of complex SAP named user and engine licenses across your estate. 

An intuitive self-service password reset solution that can reduce service desk calls by 30%. 

PC Power Management solution. Save money and reduce your carbon footprint. 

Certero Channel Partner Program

Our Partner Program opens up Certero solutions to a global network of partners – enabling customers to work with the trusted solution and service providers that know them best.

Join the Partner Program
Information on tiers and ease of doing business.

Deal Registrations 
Submit your deal-registrations.

Launching the Program
Highest-rated major SAM vendor on Gartner Peer Insights, launch global Partner Program.

Gartner Peer Insights Customers’ Choice

Rated #1 for SAM Customer Satisfaction year after year, after year

For the latest in ITAM, SAM, Cloud and SaaS Asset Management

White Papers and eBooks 
Download the latest white papers and eBooks for key insights and guides.

Read the latest news from Certero and the industry.

Events and Webinars
Keep up to date with Certero’s latest webinars and events.


View our range of product videos, webinars and customer case studies. 

Data Sheets
Download our datasheets which highlight the key benefits and features of our world class products and services. 

Case Studies 
See how organization around the globe change they way they [Do IT].

We think [and do] IT Differently

We don’t believe in claiming to be something we’re not. We will not do mediocre, average, indifferent, or outdated. We are different and will do it differently.

About Us
Get to know us more

Our Story
See how our approach is different

Our Journey
A timeline of events

Our Vision, Mission and Purpose
Mission, Purpose and Values

Browse our current roles

Find our nearest location