A vendor audit does not begin when the letter arrives — it begins the day your SAM programme was last updated. Organisations with mature Software Asset Management practices resolve audits in weeks. Those without them face 6–18 months of investigation, inflated exposure claims, and settlements they cannot effectively challenge. This guide is part of our Software Audit Defense series and provides a comprehensive methodology for building audit-ready SAM capability before you need it.
Software audits are inevitable for large enterprises. Oracle, Microsoft, SAP, IBM, and Broadcom/VMware each run structured audit programmes targeting customers who have grown their deployment footprint without corresponding licence purchases. The best defence against these audits is not legal expertise — it is data quality. Organisations that can produce an accurate, independently verifiable licence position at the start of an audit control the timeline, the scope, and ultimately the settlement. Our Software Audit Defense Guide covers the full audit lifecycle; this article focuses specifically on the SAM readiness infrastructure that determines whether you enter an audit from a position of strength or vulnerability.
In a software audit, the vendor's team will spend months building an exposure analysis. They will use deployment data, usage records, and contract terms to construct a claim — often a preliminary claim that overstates exposure by 30–60% to create negotiating room. Your ability to counter that claim depends entirely on your own data quality.
Organisations that enter audits with a mature SAM programme — accurate deployment data, reconciled licence positions, clean entitlement records — can challenge vendor claims point by point. Organisations without this infrastructure are forced to accept the vendor's framing and negotiate from a position of ignorance. The difference in settlement outcomes between these two scenarios is typically measured in millions of pounds.
| SAM Maturity Level | Audit Duration | Vendor Claim Acceptance | Typical Settlement | Outcome |
|---|---|---|---|---|
| Level 1 — No SAM | 12–18 months | Unable to challenge | 80–95% of claim | Worst |
| Level 2 — Basic Inventory | 9–12 months | Limited challenge | 60–80% of claim | Poor |
| Level 3 — Reconciled SAM | 4–8 months | Point-by-point challenge | 30–50% of claim | Moderate |
| Level 4 — Mature SAM + Advisory | 2–4 months | Refute most claims | 10–25% of claim | Strong |
The investment in SAM readiness pays for itself in the first audit it helps defend. A programme costing £150,000–£300,000 annually will typically reduce audit settlements by £1M–£10M on a mid-to-large enterprise software portfolio.
Effective SAM audit readiness begins with knowing what you have deployed, where, and under what licensing model. This requires a comprehensive discovery programme across four dimensions.
You need an accurate inventory of every software installation across your estate — servers, desktops, virtual machines, containers, and cloud instances. This must capture not just the product name but the version, edition, and deployment configuration, as these often determine the applicable licence metric. For Oracle, the difference between Standard Edition 2 and Enterprise Edition is 10x in list price. For Microsoft, the difference between Windows Server Standard and Datacenter is significant when running virtual machines.
Discovery must cover development, test, and DR environments, not only production. These environments are consistently the most under-licensed areas discovered in audits. Most vendors treat them as requiring full licences unless a specific contractual carve-out exists. Confirm your contract terms before assuming development environments are excluded.
For user-based licences (Microsoft 365, Salesforce, SAP named users), you need accurate records of who has access to each system, what licence type they are assigned, and whether those licences reflect actual usage. Auditors cross-reference access data against HR records to identify employees with access who are not in your licence count.
Your licence entitlements — the rights you have purchased — must be fully documented and cross-referenced against deployment data. This includes all contracts, order forms, amendments, ELA schedules, and any verbal or informal commitments made by vendors. Missing entitlement records are a common gap that forces organisations to repurchase licences they have already paid for.
For processor-based licences (Oracle Database, Oracle Java SE, many SAP products), the physical and virtual infrastructure configuration directly determines licence requirements. You need accurate records of processor count, core count, core factor by processor type, and virtualisation topology — including the hypervisor type and configuration, which determines whether hard or soft partitioning rules apply.
Manual discovery is not sufficient for a large enterprise estate. You need automated discovery tooling that can scan your environment continuously and reconcile results against entitlement records. The market divides broadly into three categories.
| Tool Category | Examples | Strengths | Limitations | Best For |
|---|---|---|---|---|
| Enterprise SAM Platforms | Flexera One, Snow Software, Ivanti, ServiceNow SAM | Comprehensive discovery, normalisation, reconciliation, reporting | High cost, complex deployment, require ongoing management | Large enterprises (5,000+ seats) |
| Vendor-Native Tools | Microsoft MAP, Oracle LMS scripts, SAP USMM/LAW | Vendor-approved, specific to that vendor's products | Single-vendor, designed to maximise exposure findings | Audit response only (with caution) |
| Infrastructure Discovery | Ansible, Puppet, Chef, SCCM, Jamf | Deep infrastructure visibility, existing investment | Not designed for licence reconciliation, manual normalisation required | Foundation layer for SAM |
| Cloud-Native Tools | AWS Cost Explorer, Azure Cost Mgmt, CloudHealth | Cloud asset inventory, cost allocation, BYOL tracking | Cloud-only, limited traditional software visibility | Cloud-heavy environments |
Never run vendor-native discovery scripts (Oracle LMS scripts, SAP USMM) without independent legal and SAM advisory review. These tools are designed to surface exposure, not to help you. Any output generated by vendor scripts during a non-compelled review can be used against you in subsequent negotiations.
Most large enterprises will benefit from deploying a dedicated SAM platform as the system of record, augmented by infrastructure management tools for discovery depth, and cloud-native tools for cloud asset visibility. The SAM platform should own the reconciliation logic — translating raw installation data into a licence position that is defensible under each vendor's contract terms.
Discovery produces raw deployment data. Reconciliation converts that data into a licence position — a document that states, for each software product, how many licences you have deployed versus how many you are entitled to use. This is the core deliverable of a SAM programme and the foundation of audit defence.
A defensible licence position requires five steps:

1. Raw discovery data contains noise — multiple entries for the same product due to naming inconsistencies, version variations, and scanner artefacts. Normalisation maps each discovered installation to a canonical product record, resolving ambiguity around editions, versions, and configurations. This step is often more time-intensive than the discovery itself.
2. Each product must be measured against its applicable licence metric. This requires understanding whether the licence is based on installations, processors, cores, named users, concurrent users, devices, or some combination. For complex enterprise products, the applicable metric may vary by contract version, so entitlement records must be matched to deployments before applying metrics.
3. Beyond the headline metric, most enterprise software products have vendor-specific rules that affect the licence count. Oracle's core factor table, Microsoft's volume licensing rules for virtual machines, SAP's named user classification methodology — these rules can change the calculated licence requirement significantly. See the section below on vendor-specific rules for key examples.
4. With a calculated deployment figure, you can now compare against your entitlement records. This produces a position — compliant, over-licensed, or under-licensed — for each product. Under-licensed positions require remediation before an audit; over-licensed positions are opportunities for licence return or redeployment at renewal.
5. The licence position document must be version-controlled, dated, and maintained as a live record. Point-in-time snapshots are less useful for audit defence than a maintained record that shows your compliance trajectory over time.
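A worked reconciliation over constructed sample data, added here as an illustration and not code from this guide or from any SAM platform: it runs steps 1 to 4 above on three scanner rows for processor-licensed products. The alias table, the core factor values, the product names and the simplified partitioning rule (a soft-partitioned VM counts every physical core of its host) are assumptions for the example, not any vendor's published terms.

```python
import math
from collections import defaultdict, namedtuple
# Alias table: maps the noisy strings a scanner returns to one canonical product record
# (constructed examples; a real table is built from your own discovery output).
ALIASES = {
    "oracle database 19c enterprise edition": "Oracle Database EE",
    "oracle database ee 19.3.0": "Oracle Database EE",
    "oracle database standard edition 2": "Oracle Database SE2",
}
# Core factor by processor family (illustrative values, not any vendor's published table).
CORE_FACTORS = {"x86": 0.5, "sparc": 1.0}
# cores = cores assigned to the VM/host; host_cores = physical cores of the hypervisor host;
# hard_partitioned = whether the platform counts as hard partitioning under the vendor's rules.
Install = namedtuple("Install", "host raw_product cores cpu_family host_cores hard_partitioned")

def normalise(raw: str) -> str:
    # Step 1: collapse case/whitespace and map to the canonical product; unmapped strings
    # are an error, because silently dropping them understates the position.
    key = " ".join(raw.lower().split())
    if key not in ALIASES:
        raise ValueError(f"unmapped discovery string: {raw!r}")
    return ALIASES[key]

def processor_licences(i: Install) -> int:
    # Steps 2-3: processor metric with core factor. Simplified rule assumed here: soft
    # partitioning (VM on a shared hypervisor) counts every physical core of the host.
    cores = i.cores if i.hard_partitioned else i.host_cores
    return math.ceil(cores * CORE_FACTORS[i.cpu_family])

def reconcile(installs, entitlements):
    # Step 4: calculated requirement vs entitlement, one result per product.
    required, seen = defaultdict(int), set()
    for i in installs:
        product = normalise(i.raw_product)
        if (i.host, product) in seen:  # duplicate scanner rows for one host count once
            continue
        seen.add((i.host, product))
        required[product] += processor_licences(i)
    position = {}
    for product in sorted(set(required) | set(entitlements)):
        need, owned = required[product], entitlements.get(product, 0)
        status = "compliant" if owned == need else "over-licensed" if owned > need else "under-licensed"
        position[product] = {"required": need, "entitled": owned, "status": status}
    return position

# Constructed sample estate: two scanner rows for one hard-partitioned EE host, one EE VM on a shared host.
SAMPLE_INSTALLS = [
    Install("db01", "Oracle Database 19c Enterprise Edition", 16, "x86", 16, True),
    Install("db01", "oracle  database EE 19.3.0", 16, "x86", 16, True),
    Install("vm07", "Oracle Database 19c Enterprise Edition", 4, "x86", 32, False),
]
SAMPLE_ENTITLEMENTS = {"Oracle Database EE": 8, "Oracle Database SE2": 2}
```

Running `reconcile(SAMPLE_INSTALLS, SAMPLE_ENTITLEMENTS)` shows both outcomes the text describes: the EE position is under-licensed because the 4-core VM on a 32-core shared host is counted at 16 processor licences, and SE2 is over-licensed because entitlements exist with no deployment.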
The most common source of unexpected audit exposure is a misunderstanding of vendor-specific counting rules that diverge from how most buyers assume licences work. The following are the highest-risk areas by vendor. For deeper analysis, see our dedicated guides on Oracle partitioning and licensing, SAP indirect access, and Microsoft SAM review preparation.
SAM readiness is not a one-time project — it is an ongoing governance programme. Without governance, even a well-implemented SAM tool will produce stale data within 6–12 months as the environment changes. The following processes are essential.
Every infrastructure change that affects software deployments — new server builds, VM provisioning, cloud instance launches, software installations — should trigger an update to the SAM record. Integrating SAM with your change management process (ServiceNow, Jira Service Management, etc.) ensures the licence position stays current. This is the single most effective investment in SAM sustainability.
Every software purchase should be processed through a procurement system that automatically updates entitlement records. Many organisations have entitlement gaps not because they failed to buy licences but because the purchase records were not captured in the SAM system. Connect procurement, finance, and SAM.
Run a full licence reconciliation quarterly for high-risk products (Oracle, SAP, Microsoft), and annually for lower-risk products. Document the reconciliation output and remediate any gaps on a defined timeline. This creates a defensible record that your compliance programme was active and intentional.
Every communication with a vendor about your software environment creates a record. Train your team to route vendor audit requests through a defined channel, avoid volunteering information, and never run vendor-provided scripts without advisory oversight. See our guide on responding to software audit notifications for protocol detail.
Use this checklist to assess your current SAM readiness. Items marked CRITICAL represent the areas most commonly exploited in vendor audits.