An effective licence position is your most important pre-audit asset. It tells you exactly where you stand before the vendor does — and it gives your legal team the foundation to challenge any inflated claim. This is the step-by-step methodology used by experienced audit defense practitioners.
A licence position (also called an effective licence position or ELP) is a formal document that reconciles your software entitlements against your actual deployments to determine whether you are over-licensed, under-licensed, or in compliance for a specific product and period. It is the enterprise equivalent of a personal tax return — a self-assessment of your position before any external body makes a claim.
Preparing a licence position before responding to a software vendor audit is not optional — it is the foundation of any credible defense. If the vendor receives your data before you know your own position, you are going into the audit blind. The software audit defense guide explains the broader strategic context; this article focuses specifically on the mechanics of licence position preparation.
A licence position prepared under the direction of legal counsel may qualify as attorney-client privileged work product, meaning the vendor cannot compel you to disclose it through the audit process. This is a significant advantage: you can understand your actual exposure internally without it becoming a roadmap for the vendor's claim. Engage your legal team before starting the licence position work.
Experienced audit defense practitioners use a consistent methodology for licence position preparation regardless of vendor. The specific data sources and metrics vary by product, but the six-step framework is universal.
1. Gather every licence agreement, order form, invoice, maintenance renewal, and proof of entitlement for the audited product. This includes purchase orders from all channels — direct vendor, resellers, distributors — and any entitlements acquired through M&A transactions. Many organisations discover "lost" entitlements during this step that reduce their net exposure. Your legal team should be involved to ensure privileged treatment of this collation process.
2. Convert all entitlements to the licence metric being audited — whether that is processor cores, named users, concurrent users, nodes, or another unit. This sounds straightforward but is often complex: older agreements may use different metrics, bundle licences may need to be disaggregated, and M&A-transferred licences may have different terms. For Oracle, this step involves applying processor core factor tables. For SAP, it involves classifying user types. For VMware, it involves the processor-to-core transition rules.
3. Identify and document every deployment of the audited software in your environment. This includes production, development, test, disaster recovery, and cloud environments. Use automated discovery tools where possible — SCCM, Flexera, ServiceNow ITAM, or vendor-provided tools — but validate automated output against manual checks in complex environments. Document the discovery methodology, as the vendor may challenge your findings and you will need to demonstrate a rigorous process.
4. Not every deployment necessarily creates a licence requirement. Apply the contractual licence rules to determine which deployments actually consume entitlements. This is where licence complexity matters most: Oracle's virtualisation rules, SAP's indirect access rules, Microsoft's server/CAL rules, and VMware's core-based rules all have exceptions, grace periods, and special provisions that affect the net licence position. Misapplying these rules — in either direction — is the most common source of discrepancy between your position and the vendor's claim.
5. Subtract your deployment requirements from your entitlements to determine the net position. A positive number means you are over-licensed. A negative number means you have a potential exposure. Document the gap with a clear explanation for each line item. If there is an exposure, quantify it using your contractual rates (not vendor list price) for the appropriate period. This internal calculation gives your team a ceiling on realistic exposure, which is essential for evaluating the vendor's claim against reality.
6. Have the licence position reviewed by a second person — ideally a specialist with vendor-specific expertise — before any communication with the auditor. Document the data sources, methodology, and assumptions behind each calculation. This documentation should be reviewed by your legal team. If there are areas of genuine uncertainty, document those explicitly with the range of possible interpretations rather than defaulting to the most conservative (most expensive) reading.
The degree of complexity in a licence position varies substantially by vendor. Here is a reference summary of the most common complexity areas by major vendor:
| Vendor | Key Complexity Areas | Common Traps |
|---|---|---|
| Oracle | Processor core factor tables, virtualisation rules, Java SE entitlements, ULA certification | Soft partitioning on VMware, unauthorised Java deployments, BYOL cloud violations |
| Microsoft | SA benefits, SPLA vs perpetual, true-up reconciliation, Azure Hybrid Benefit | Passive HA licensing, SQL Server editions on VMs, Remote Desktop CAL requirements |
| SAP | Named user classification, indirect access (Digital Access), RISE transition entitlements | Incorrect user type assignment, third-party system integration via RFC/BAPI |
| VMware / Broadcom | Per-core transition, VCF bundle scope, Tanzu entitlements, DR licensing | Unlicensed TKG clusters, vSAN on non-VCF deployments, NSX under-provisioning |
| Salesforce | Active user vs provisioned user, profile-based access, API usage | Platform licence vs full licence entitlement mismatches, Communities access |
| IBM | PVU calculations, full capacity vs sub-capacity, ILMT tool compliance | Sub-capacity eligibility, ILMT tool version, virtualisation platform recognition |
Use this checklist to verify your licence position is complete before engaging the auditor:
The following errors consistently weaken licence position quality and increase the risk of an inflated settlement:
Every day you delay completing your licence position before responding to an audit is a day the vendor has more information than you do. Negotiate an appropriate response timeline with the auditor — 30 to 60 days is reasonable for complex environments — and use that time to complete your internal assessment. Do not submit data piecemeal under pressure.
Preparing a licence position for complex enterprise software environments is a specialist skill. Internal IT and procurement teams often lack the vendor-specific licensing expertise needed to correctly apply virtualisation rules, user classification methodologies, or core factor calculations. If your internal team has not previously managed a licence position for the product being audited, engaging an external specialist is strongly advisable. The top-ranked negotiation consulting firms in our evaluation have deep, vendor-specific licensing expertise and access to benchmarking data that will strengthen your position against any vendor audit claim.