The Six Phases of a Software Audit
Every major software vendor audit follows a broadly consistent arc, regardless of whether the auditing vendor is Oracle, SAP, Microsoft, or IBM. Understanding the six phases — and specifically what your objectives should be at each phase — is the foundation of an effective audit response strategy.
Each phase presents both risks and opportunities. The risks are greatest in the early phases, when enterprises without specialist guidance provide more information than they are contractually obliged to and inadvertently expand the scope and severity of the eventual finding. The opportunities are greatest in the middle and later phases, when a documented counter-analysis can challenge inflated vendor findings before any commercial settlement discussion begins.
The most common mistake enterprises make in a vendor audit is treating phase 1 as routine administration. How you respond to the initial notification — what you say, what you agree to, and what you decline — shapes every subsequent phase. The audit is a negotiation from the moment the notification arrives.
Phase 1: Audit Notification
What Happens
The vendor sends a formal written notification — typically a letter or email from their audit team — stating their intent to exercise their audit rights under your licence agreement. Oracle notifications come from Oracle's Licence Management Services (LMS) team. SAP notifications come from SAP's Global Licence Audit team. Microsoft typically initiates via a SAM (Software Asset Management) engagement letter or, for more serious cases, a Genuine Advantage notification.
The notification typically identifies: the licence agreement under which audit rights are claimed, the scope of products to be reviewed, a proposed timeline, and a request for an initial scoping call or for preliminary deployment data.
Your Objectives at This Phase
Do not respond substantively until you have: (1) read the audit provisions in your licence agreement, (2) verified that the notification meets any formal requirements in your contract (notice period, authorised contacts, required format), and (3) engaged independent specialist advice. Acknowledge receipt with a brief holding response confirming you will review the matter and revert, without committing to any scope, timeline, or data provision. This buys time without triggering any contractual default.
Phase 2: Scoping and Access Agreement
After your initial acknowledgement, the vendor's audit team will request a scoping call to define: which legal entities are in scope, which products will be reviewed, the data collection methodology they propose to use, the timeline for data collection and analysis, and the confidentiality protections that will apply to your data.
This phase is critical because it defines the boundaries of the audit. Every item agreed in the scoping phase becomes the baseline for what the vendor can legitimately examine. Your objectives here are to limit scope to what your contract requires, challenge any proposed methodology that departs from your contractual definitions, and ensure confidentiality provisions are explicitly agreed in writing before data collection begins.
Vendors routinely request broader scope than the contract requires at this stage. Oracle may request data for entities not covered by the licence agreement under audit. SAP may request system data for products not in the scope of the claimed audit right. Politely but firmly limiting scope to the contractual definition at this phase is significantly easier than trying to narrow it after data collection has begun.
Phase 3: Data Collection
Data collection is the technical heart of the audit process. The vendor — or a third-party auditor on the vendor's behalf — collects technical deployment data from your infrastructure. Each major vendor uses a distinct data collection approach.
Oracle LMS runs standardised data collection scripts on your infrastructure to identify Oracle product deployments, enabled options and packs, and configuration details relevant to licence counting (particularly virtualisation configuration for Processor licensing). Oracle may also use its GLAS (Global Licence Advisory Service) platform for cloud-based data collection. You have the right to supervise the execution of these scripts and review what data is collected before it is transmitted to Oracle.
SAP requests licence measurement reports from your SAP systems — specifically the SAP Licence Administration Workbench (LAW) output, which shows named user counts and user types. SAP may also request information about non-SAP systems that interact with your SAP landscape for indirect access assessment. The indirect access data request is the most sensitive: limiting this to what is contractually required is essential.
Microsoft collects deployment data through a combination of its own internal licensing and activation records and a SAM partner's on-site or remote assessment. Microsoft has significant visibility into your environment through its cloud services and activation infrastructure — the SAM engagement typically confirms and formalises data Microsoft already holds.
IBM primarily relies on ILMT (IBM Licence Metric Tool) reports for sub-capacity licensing verification. If you have not been running ILMT, IBM will claim full-capacity pricing going back to the date your sub-capacity licence term began — an exposure that can be enormous for large virtualised IBM software deployments.
Phase 4: Analysis and Preliminary Findings
The vendor's audit team analyses the collected data against your licence entitlements using their counting methodology, producing a licence gap report that shows the claimed shortfall between your deployment and your contracted entitlement. This is the document that will form the basis of the commercial settlement discussion.
Oracle's preliminary findings typically arrive 4-8 weeks after data collection. SAP's findings may take longer, particularly for complex landscapes. The preliminary finding is not the final position — vendors routinely present a preliminary finding that they expect customers to challenge, with the expectation of settling at a lower number.
Before you receive the preliminary finding, ensure your internal review is complete. You should have your own licence position calculation ready, documented with the same rigour as the vendor's analysis, so you can respond to the preliminary finding with a substantive counter-position rather than a general objection.
Phase 5: Challenging the Findings
This is the most commercially valuable phase for well-prepared enterprises. Your counter-analysis — documenting where the vendor's findings overstate your actual licence obligation — is presented to the vendor's audit team. Common challenge grounds include: incorrect application of virtualisation rules (particularly for Oracle in VMware environments), products claimed as in-scope that are not covered by the relevant licence agreement, deployment counts that exceed actual usage, and historical licence entitlements that the vendor has failed to credit against the deployment total.
Successful challenges at this phase reduce the vendor's claimed shortfall before any commercial settlement discussion begins. Our practice consistently achieves reductions of 40-72% from the preliminary finding through documented technical challenges before any commercial negotiation.
All challenges should be submitted in writing, with supporting evidence, through the agreed audit process. Do not make oral concessions or express agreement with any finding in scoping calls or meetings without first consulting your specialist advisors.
Phase 6: Commercial Settlement
Once technical challenges have been assessed and the vendor's final licence position is established (or a reasonable approximation is reached), the commercial settlement discussion begins. The vendor's account team — not the audit team — typically leads this phase, presenting a true-up proposal that includes: the quantity of additional licences required, the price for those licences, the annual support commitment, and any conditions around future audit rights.
The true-up price is negotiable. Oracle, SAP, and Microsoft all build flexibility into their settlement pricing, and vendors consistently offer better terms to customers who demonstrate they have a credible alternative (or who time their negotiation to a vendor's quarter-end or year-end). See our Audit Negotiation guide for detailed settlement tactics.
The settlement must be documented in a formal executed amendment that confirms the licence quantities being purchased, releases historical audit claims, defines the scope of the release, and includes appropriate confidentiality provisions. A verbal settlement or informal email exchange provides no binding protection.
How the Process Differs by Vendor
While the six-phase framework applies broadly, each major vendor's audit programme has structural differences that require distinct response strategies.
Oracle LMS Audits
Oracle runs the most commercial sophisticated audit programme, with the strongest separation between technical (LMS) and commercial (account team) functions. The LMS team operates with significant autonomy from the account team during data collection and analysis, which means the technical phase can run relatively independently of the commercial relationship. Oracle's preliminary findings are typically the most inflated of any major vendor, with VMware virtualisation exposure frequently accounting for 60-80% of the total claimed shortfall. See our dedicated Oracle Audit Tactics guide for Oracle-specific strategy.
SAP Audit Process
SAP audits have become increasingly focused on digital access and indirect access — areas where SAP's licence definitions remain genuinely contested and where SAP has claimed exposure in court proceedings without consistent success. SAP's audit process is also more closely integrated with its commercial sales motion than Oracle's, meaning that SAP audit discussions and RISE migration proposals frequently occur in parallel. Understanding this integration — and how to separate the audit resolution from the commercial upsell — is essential to effective SAP audit defence. The SAP audit rights guide covers SAP-specific contract analysis in detail.
Microsoft SAM Engagements
Microsoft's Software Asset Management programme is structurally different from Oracle and SAP's audit approaches. Microsoft frames SAM as a voluntary partnership, not an adversarial audit, and uses accredited SAM partners rather than an internal audit team for most assessments. However, the commercial outcome of a SAM engagement — a licence true-up proposal — is structurally identical to an audit finding. Microsoft's focus areas include Microsoft 365 under-licensing (particularly E3 vs E5 tier differences), Azure consumption versus Microsoft Azure Consumption Commitment (MACC) levels, and Windows Server licensing in hybrid cloud environments. Full details in our Microsoft SAM guide.
IBM ILMT and Licence Compliance
IBM's audit programme is distinctive because IBM has access to granular, real-time deployment data through its ILMT and Passport Advantage systems. IBM audits are typically initiated when IBM's data shows sub-capacity licence deployment without ILMT compliance, or when a Passport Advantage renewal discussion flags a significant gap between deployed and contracted quantities. The IBM ILMT compliance guide covers sub-capacity licensing requirements in detail.
For a comprehensive framework covering all phases of audit defence, see the Vendor Audit Defence Handbook. For real-world outcomes, see SAP Audit Defence Case Study and Oracle ULA Restructuring Case Study.