We use cookies on our website to analyze website usage and to help secure the website against misuse. Advertising and functional cookies are not used in our site or our web application products.
By clicking “Accept Essential Cookies Only”, you consent to us placing these cookies.
Software publishers can audit their customers at any time, and this practice is not unusual. Microsoft, Oracle, SAP, IBM and Adobe all run audit programmes. For a large estate this can also be a recurring event. Some vendors including Microsoft accept an annual "true up" audit where the customer runs an integration or discovery tool against its network to show actual coverage.
Audits are rarely random. Something inside the vendor usually flags them. Publishers pick accounts where the return looks worth the effort. The common triggers:
It opens with a letter citing the audit clause in your agreement. The vendor, or an appointed third party, asks for deployment data. That data is often collected by the vendor's own measurement scripts, which report installations, editions, processor and core counts, user counts and feature usage.
The vendor then sets that measurement against your entitlements to produce an effective license position. What you are running against what you have the right to run. Any shortfall becomes a settlement, usually at list price rather than the discount you would get in a normal purchase, sometimes with back-maintenance added. A customer who can check the vendor's numbers against their own records is in a better position than one who cannot.
Therefore it is better to be prepared for a software audit before one is actually requested.
However, audits usually drag out over 3 to 9 months depending on the size of your IT estate. Expect a kick off in 2-6 weeks, data collection in 4-8 weeks, and analysis and negotiation around months 5 to 6 with settlement one or two months beyond that.
The vendor might insist that you implement their own discovery tools or scripts, but this could compromise your position on GDPR. For example, all discovery tools will collect the user names and primary owner of a windows device - if that data goes off to a cloud server, you're already in breach. Here you can recall the contract between the vendor and you, and insist that your own discovery and SAM tools are used to collect the data, and insist the data is only shared in a summary form that does not include personally identifiable information.
The vendor cannot reasonably expect to contravene your security policy and data protection policy.
If the vendor asks to run scripts, generally we would recommend that you do not allow this. You have the option of looking at the script source or having AI scan it, but take care that there might be "phone home" or logging logic built in which serialises personal data.
The vendor might also ask to use your SCCM data as an alternative, but this also contains personal data, so the same logic applies. If you hand over personal information to a third-party without a lawful basis, your enterprise faces the regulatory fine, not the vendor.
Core-based products are counted by the cores available to them. SQL Server Enterprise is licensed per-core, so obviously a 32-core server needs 32 core licenses. A second named instance on the same server does not double that, because the license follows the cores, not the instance. In the xAssets engine a SQL instance inherits its core count from its parent hardware, and each instance is counted against those cores. A publisher counts it the same way.
For virtual machines, a VM with 8 vCPUs running SQL has to be licensed for all the available 8 cores. If that machine moves across a cluster of six hosts through live migration, without license mobility in your agreement, you might need to license every host it could land on. Estates that have never mapped their cluster topology might not find this out until the audit.
A developer subscription like MSDN or Visual Studio lets you install almost anything, but the license allows for development and testing only rather than production usage. Those rights end if the workload does production work. A UAT database that live users depend on usually needs a production license. So does a reporting instance feeding a live dashboard, or a warm standby that is actually serving traffic. SQL Server Express is free but capped, and paid workloads have a way of growing onto a footprint that was meant to stay free.
Oracle audits turn on two details. Oracle does not accept VMware as a way to partition its licensing, so capping a database to 4 vCPUs on a large host does not cap what you owe. And database options and management packs are billable once used, so an administrator running a diagnostics pack query for a few minutes can create a liability. Java SE moved to a per-employee subscription, so an organisation of 5,000 staff licenses 5,000 employees even if 50 people use Java.
SAP charges for indirect, or digital, access. A third-party application that reads or writes SAP data can need licensing even though nobody logged in, and the count is based on the documents created rather than the users.
Named-user cloud licensing catches organisations both ways. Microsoft 365 E5 costs more than E3, and seats given to people who only use email waste the difference. The other way, a shared login or a leaver who kept access is a gap. The metric attaches to a person, so it is only as accurate as your current headcount.
Organisations that come through an audit well already know their position when the letter arrives. Getting there splits into two jobs. If the letter has already come, the window is short and the work is tactical. If it has not, you have time to build the standing capability that makes the next audit routine.
Phase 1, tactical: the immediate defence. What to do in the weeks after the notice.
Phase 2, strategic: the continuous model. Set this up once and a future audit needs no special preparation.
The last point pays for itself. Staying ready means you can produce your position on demand, and it saves money, because you see which licenses can be retired or repurposed.
Software compliance is a position that changes as assets move, people join and leave, software is installed and uninstalled, and licenses are bought and retired. A yearly snapshot cannot tell you what your position was in March, or how it changed since.
The xAssets SAM engine records each consumption, license and grant as a transaction on the date it happens. The effective license position can be reported at any point in time. You can show an auditor what you owned on a given date, and how you got there, from the ledger. Once the estate is compliant, staying compliant is routine, and an audit needs no special preparation. The system also includes a report on vendor audit probability, so you can assess risk exposure per-vendor and prioritise the vendors that are most likely to request an audit.
Free instances are free forever and can show demo data or your data.