Zoomed Image
06 July 2026
Paul Lambert

Assume you will be audited

Software publishers can audit their customers at any time, and this practice is not unusual. Microsoft, Oracle, SAP, IBM and Adobe all run audit programmes. For a large estate this can also be a recurring event. Some vendors including Microsoft accept an annual "true up" audit where the customer runs an integration or discovery tool against its network to show actual coverage.

What triggers an audit?

Audits are rarely random. Something inside the vendor usually flags them. Publishers pick accounts where the return looks worth the effort. The common triggers:

  • A large renewal, or the end of an enterprise agreement, where the vendor wants leverage in the negotiation.
  • A merger, acquisition or divestiture which might leave a licensing gap.
  • A drop in spending, or a decision to stop a subscription.
  • Fast growth in staff, servers, desktops, or virtual machines, that has outrun purchasing.
  • Free, developer or evaluation editions that appear to be running production workloads.
  • A long gap with no true-up, or self-declarations that do not add up.

The Anatomy of a Software Audit

It opens with a letter citing the audit clause in your agreement. The vendor, or an appointed third party, asks for deployment data. That data is often collected by the vendor's own measurement scripts, which report installations, editions, processor and core counts, user counts and feature usage.

The vendor then sets that measurement against your entitlements to produce an effective license position. What you are running against what you have the right to run. Any shortfall becomes a settlement, usually at list price rather than the discount you would get in a normal purchase, sometimes with back-maintenance added. A customer who can check the vendor's numbers against their own records is in a better position than one who cannot.

Therefore it is better to be prepared for a software audit before one is actually requested.

However, audits usually drag out over 3 to 9 months depending on the size of your IT estate. Expect a kick off in 2-6 weeks, data collection in 4-8 weeks, and analysis and negotiation around months 5 to 6 with settlement one or two months beyond that.

A software audit typically runs 3 to 9 months end to endKick-offwk 2-6Data collectionwk 4 to mo 5Analysis & negotiationmo 4-7Settlementmo 7-80123456789Months from the audit notice letter

Your rights and data protection

The vendor might insist that you implement their own discovery tools or scripts, but this could compromise your position on GDPR. For example, all discovery tools will collect the user names and primary owner of a windows device - if that data goes off to a cloud server, you're already in breach. Here you can recall the contract between the vendor and you, and insist that your own discovery and SAM tools are used to collect the data, and insist the data is only shared in a summary form that does not include personally identifiable information.

The vendor cannot reasonably expect to contravene your security policy and data protection policy.

If the vendor asks to run scripts, generally we would recommend that you do not allow this. You have the option of looking at the script source or having AI scan it, but take care that there might be "phone home" or logging logic built in which serialises personal data.

The vendor might also ask to use your SCCM data as an alternative, but this also contains personal data, so the same logic applies. If you hand over personal information to a third-party without a lawful basis, your enterprise faces the regulatory fine, not the vendor.

SQL Server and core-based licensing

Core-based products are counted by the cores available to them. SQL Server Enterprise is licensed per-core, so obviously a 32-core server needs 32 core licenses. A second named instance on the same server does not double that, because the license follows the cores, not the instance. In the xAssets engine a SQL instance inherits its core count from its parent hardware, and each instance is counted against those cores. A publisher counts it the same way.

For virtual machines, a VM with 8 vCPUs running SQL has to be licensed for all the available 8 cores. If that machine moves across a cluster of six hosts through live migration, without license mobility in your agreement, you might need to license every host it could land on. Estates that have never mapped their cluster topology might not find this out until the audit.

Developer and evaluation editions in production

A developer subscription like MSDN or Visual Studio lets you install almost anything, but the license allows for development and testing only rather than production usage. Those rights end if the workload does production work. A UAT database that live users depend on usually needs a production license. So does a reporting instance feeding a live dashboard, or a warm standby that is actually serving traffic. SQL Server Express is free but capped, and paid workloads have a way of growing onto a footprint that was meant to stay free.

Oracle, Java and soft partitioning

Oracle audits turn on two details. Oracle does not accept VMware as a way to partition its licensing, so capping a database to 4 vCPUs on a large host does not cap what you owe. And database options and management packs are billable once used, so an administrator running a diagnostics pack query for a few minutes can create a liability. Java SE moved to a per-employee subscription, so an organisation of 5,000 staff licenses 5,000 employees even if 50 people use Java.

SAP indirect access and named-user cloud licensing

SAP charges for indirect, or digital, access. A third-party application that reads or writes SAP data can need licensing even though nobody logged in, and the count is based on the documents created rather than the users.

Named-user cloud licensing catches organisations both ways. Microsoft 365 E5 costs more than E3, and seats given to people who only use email waste the difference. The other way, a shared login or a leaver who kept access is a gap. The metric attaches to a person, so it is only as accurate as your current headcount.

How to prepare, in two phases

Organisations that come through an audit well already know their position when the letter arrives. Getting there splits into two jobs. If the letter has already come, the window is short and the work is tactical. If it has not, you have time to build the standing capability that makes the next audit routine.

Phase 1, tactical: the immediate defence. What to do in the weeks after the notice.

  • Form a small internal team to own the response, and give the vendor a single point of contact.
  • Read the contract first. The audit clause sets out your rights, and each agreement only allows certain use. Know both before you share anything.
  • Run your own discovery and SAM tool and produce your own position before you hand any data over. If you can state your Effective License Position (ELP), you can contest the vendor's numbers instead of accepting them.
  • Separate development and test from production, so MSDN and dev/test workloads are not counted as production use.

Phase 2, strategic: the continuous model. Set this up once and a future audit needs no special preparation.

  • Run a discovery tool that scans hardware and software for a complete, current inventory.
  • Adopt a SAM tool, ideally from the same toolset as discovery, that matches entitlements to deployed software continuously and states your ELP on demand.
  • Record the metric next to each product. Per-core, per user, per device and concurrent all count differently, and downgrade rights change the answer again.
  • Reclaim on a monthly cycle. Run the metrics, find unused installations and idle subscriptions, and uninstall or cancel the renewal.

The last point pays for itself. Staying ready means you can produce your position on demand, and it saves money, because you see which licenses can be retired or repurposed.

Continuous compliance beats the annual snapshot

Software compliance is a position that changes as assets move, people join and leave, software is installed and uninstalled, and licenses are bought and retired. A yearly snapshot cannot tell you what your position was in March, or how it changed since.

The xAssets SAM engine records each consumption, license and grant as a transaction on the date it happens. The effective license position can be reported at any point in time. You can show an auditor what you owned on a given date, and how you got there, from the ledger. Once the estate is compliant, staying compliant is routine, and an audit needs no special preparation. The system also includes a report on vendor audit probability, so you can assess risk exposure per-vendor and prioritise the vendors that are most likely to request an audit.

Get a Demo

What’s Included?

  • Demo shaped to your needs
  • Free instance

    Free Instances Explained

    Free instances are free forever and can show demo data or your data.

    IT asset management free instances

    • Single user, 100 endpoints, 1,000 total assets
    • Includes network discovery (optional)
    • SNMP based devices are included free
    • Single Sign On (SSO)
    • Does not support Intune, SCCM, procurement, contracts, barcoding, configuration, or workflow

    Fixed asset management free instances

    • Single user, 1,000 fixed assets
    • Includes all fixed asset register features
    • Single Sign On (SSO)
    • Does not support depreciation, CIP, procurement, barcoding, planned maintenance, configuration, or workflow

    During Evaluation

    • No licensing, integration, or module restrictions
  • Strategic advice
  • All the expert help you need
  • Written proposal and quote
Bmw logo Fujitsu logo Lloyds logo Porsche logo Tdbank logo Volvo logo Panasonic top logo logo Scotamb logo Sjc logo Unc logo Prh logo Mass logo Wpc logo Andersen logo Bma logo Edt-engie logo Essilor logo Floridacrystals logo Fremantle logo Fullcompass logo Globecast logo Healthcareimprscot logo Insight logo Ktc logo Milwaukee logo Morrison-hershfield logo Mtprint logo Newmont logo Samaritanspurse logo Talisys logo Wiley logo Wsp logo