The decisions you make in the first 30 days after receiving a software audit notification determine the trajectory of the entire audit. Most organisations respond too quickly, share too much, and concede process control they can never recover. This guide is part of our Software Audit Defense series and provides a step-by-step first-response protocol that protects your position, establishes process control, and prevents the most costly early mistakes.
An audit notification is not an emergency. It is the beginning of a process that, if managed correctly, you can largely control. Vendors know that the first 30 days are where they establish precedent — what data you will share, how quickly you will respond, whether you will accept their framing of what the audit covers. Buyers who respond defensively and professionally in the first month consistently achieve better outcomes than those who react with urgency or compliance. Our Software Audit Defense Guide covers the full audit lifecycle; this article focuses on the critical first-response window.
Software audit notifications arrive in multiple forms, each with different implications for how you should respond. Understanding what type of notification you have received is the first step.
| Notification Type | Vendor Examples | Contractual Basis | Response Urgency | Your Leverage |
|---|---|---|---|---|
| Formal Audit Notice | Oracle LMS, SAP Global Licence Audit | Explicit contract right | Moderate — typically 30 days to respond | Limited but procedural challenge available |
| SAM/Licence Review Request | Microsoft "VLSC Compliance Review", SAP "LAR" | Often voluntary, framed as beneficial | Low — no contractual obligation | High — can decline or negotiate terms |
| Informal Account Team Request | Any vendor via account executive | None | None — entirely voluntary | Highest — treat as commercial discussion |
| Third-Party Audit Firm Letter | KPMG for Oracle, Deloitte for SAP | Via vendor contract assignment | Moderate — verify assignment validity | Challenge assignment before engaging |
Many "SAM reviews" and "licence health checks" are positioned as friendly, voluntary exercises but result in identical commercial outcomes to formal audits. The vendor's audit team will use any data you provide voluntarily exactly as they would use data from a compelled formal audit. Never treat a voluntary review as lower-stakes than a formal audit.
The first 48 hours after receiving an audit notification should focus entirely on establishing your internal process — not on engaging with the vendor.
Before you respond to the vendor at all, you need to understand your contractual position. The following checks define the parameters of your response.
Most enterprise software contracts require advance notice before an audit begins — typically 30, 45, or 60 days. Verify that the vendor has provided the required notice period. If they have not, you have a procedural challenge that can delay the audit, require the vendor to restart the process, and establish a precedent of careful process compliance that benefits you throughout.
Many contracts restrict audits to once every 12 or 24 months. If the vendor has audited you within the restricted period, the current audit notice may be invalid. Review when the most recent audit or SAM review concluded and calculate whether the new audit complies with frequency limitations.
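The notice-period and frequency checks above are date arithmetic, and it is worth doing them mechanically so the objection you raise in your first response cites exact dates. The following is an added example, not code from the original article: a small checker that takes the contract's notice period and audit-frequency limit together with the dates on the notice and returns the procedural objections they support. The contract terms and dates are constructed sample values, and it assumes the frequency limit is measured from the conclusion of the previous audit; some contracts measure from the previous notice or start date instead, so adjust the reference point to your own clause.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import calendar


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole calendar months, clamping the day to month end."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year = d.year + years
    month = month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class ContractTerms:
    notice_days: int          # advance notice the contract requires (e.g. 30, 45, 60)
    frequency_months: int     # minimum gap between audits (e.g. 12 or 24)


@dataclass
class AuditNotice:
    received: date                                # date the notice actually reached you
    proposed_start: date                          # start date the vendor proposes
    last_audit_concluded: Optional[date] = None   # end of the previous audit or SAM review


def procedural_objections(notice: AuditNotice, terms: ContractTerms) -> List[str]:
    """Return the procedural objections the notice supports; empty if it is in order."""
    objections: List[str] = []

    # Notice-period check: the audit may not start before notice_days after receipt.
    earliest_by_notice = notice.received + timedelta(days=terms.notice_days)
    if notice.proposed_start < earliest_by_notice:
        objections.append(
            f"notice period: proposed start {notice.proposed_start} is earlier than "
            f"{earliest_by_notice}, the first date {terms.notice_days} days after receipt"
        )

    # Frequency check (assumption: measured from the end of the previous audit).
    if notice.last_audit_concluded is not None:
        earliest_by_frequency = add_months(notice.last_audit_concluded, terms.frequency_months)
        if notice.proposed_start < earliest_by_frequency:
            objections.append(
                f"frequency limit: previous audit concluded {notice.last_audit_concluded}, "
                f"so no audit may start before {earliest_by_frequency} "
                f"({terms.frequency_months} months later)"
            )

    return objections


# Constructed sample values, not taken from any real contract or notice.
SAMPLE_TERMS = ContractTerms(notice_days=30, frequency_months=12)
SAMPLE_NOTICE = AuditNotice(
    received=date(2024, 3, 1),
    proposed_start=date(2024, 3, 20),
    last_audit_concluded=date(2023, 6, 15),
)

if __name__ == "__main__":
    for line in procedural_objections(SAMPLE_NOTICE, SAMPLE_TERMS):
        print("OBJECTION -", line)
```

With the sample values the checker reports both a short notice period (the proposed start is 19 days after receipt against a 30-day requirement) and a breach of the 12-month frequency limit. Record the actual date of receipt, not the date printed on the letter, since that is the date the notice period runs from.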
Audit rights are rarely unlimited. They typically cover specific products, specific contract periods, and may be limited to specific legal entities. The vendor may not have the right to audit all products they have listed in the notification, or all entities in your organisation. Identify the scope limitations before the audit begins and notify the vendor of any out-of-scope elements in your first response. See our audit rights clause guide for detailed analysis of scope limitation language.
Some contracts restrict who can conduct the audit — prohibiting third-party audit firms, or specifying that audits must be conducted by the vendor's own employees. If a third-party audit firm has sent the notification, verify whether your contract permits this delegation. If it does not, you can object to the third-party's involvement.
Your contract may require the vendor to execute a confidentiality agreement before accessing your deployment data. If so, require this agreement before providing any information — and ensure the agreement covers the audit firm if a third party is involved.
The most damaging mistakes in audit responses involve sharing information that you were not contractually required to provide. The following categories of information should never be shared voluntarily.
Do not share any internal analysis of your licence position with the vendor — not even to demonstrate that you believe you are compliant. Any document that acknowledges gaps, flags risks, or describes your compliance process can be used as evidence against you if the vendor disagrees with your methodology.
Only provide discovery data for products, time periods, and entities within the contractual scope of the audit. Vendors routinely request broader data "to make the process more efficient." Providing out-of-scope data allows the vendor to identify issues in areas they had no right to audit.
Information about planned deployments, growth plans, or upcoming projects has no relevance to a historical audit but gives the vendor commercial intelligence they can use in renewal negotiations.
Do not provide access to internal email archives, ticketing systems, or internal communications as part of audit discovery unless specifically required by your contract and agreed in the audit scope document.
If the vendor provides scripts for you to run on your environment (Oracle LMS scripts, SAP measurement tools, Microsoft MAP), do not run them without independent SAM advisory review unless your contract expressly requires them. These scripts collect more data than the audit strictly needs, and the output is often interpreted in the way most favourable to the vendor. Run your own discovery first, using your own tooling, keep the raw output for your own records, and share only the in-scope results rather than running vendor scripts.
Oracle audits are typically conducted by Oracle's Licence Management Services (LMS) team, rebranded in 2019 as Global Licensing and Advisory Services (GLAS), sometimes with third-party support from firms such as KPMG. Oracle's standard approach is aggressive: they will request access to your systems, ask you to run LMS scripts, and attempt to establish their preferred scope quickly. Your first response should explicitly note that you will conduct your own discovery using your own tooling and share the results, and should request Oracle's audit rights provision and scope confirmation in writing before any other steps. See our Oracle audit process timeline for detailed phase guidance.
SAP audits often arrive via the SAP Global Audit team or a partner firm. SAP's primary area of concern is indirect access, now licensed under its Digital Access model: third-party systems that create or read SAP data without a named SAP user. In your first response, limit the scope to direct SAP system users and explicitly exclude any indirect access discussion until the scope has been formally agreed. SAP's indirect access exposure calculations are highly contestable; see our SAP indirect access defense guide.
Microsoft audits are typically initiated as "SAM engagements" or "True-Up reviews" rather than formal audits. They are often conducted by Microsoft's SAM partner ecosystem or by Microsoft's own Licence Compliance team. Microsoft's approach is more collaborative than Oracle's, but the commercial risk is equivalent. For Microsoft, the key first-response priority is understanding whether the request is compelled by contract or voluntary — and, if voluntary, whether you wish to engage at all. See our Microsoft SAM review preparation guide.
IBM audits focus heavily on ILMT (IBM License Metric Tool) data, because IBM's sub-capacity licensing terms require ILMT (or an IBM-approved equivalent) to be deployed and reporting correctly. Where it is not, IBM assesses the affected products at the full capacity of the physical servers they run on rather than the virtual cores actually assigned. The key first-response question in an IBM audit is whether reliable ILMT data exists: if it does, your exposure is likely manageable; if it does not, you need to establish your position before IBM does.
Your first written response to the vendor should accomplish five objectives: acknowledge receipt, establish the notification date on record, request contractual basis confirmation, note any procedural concerns, and establish your preferred process. It should not contain admissions, data, or commitments.
Key elements to include: (1) acknowledgement of a notification dated [date]; (2) a request for written confirmation of the specific contractual provision relied upon; (3) a statement that your organisation will review that provision before agreeing to any audit process or scope; (4) nomination of a single point of contact for all audit communications; (5) a request that all future communications be in writing. Do not confirm that the notice was received "as requested", do not confirm that you are engaged in the process, do not share any data, and do not agree to any timeline or scope yet.
The first response to an audit notification sets the tone for everything that follows. Don't engage the vendor before you've engaged your advisors.