Oracle, SAP and Microsoft audit divisions employ hundreds of specialists trained to identify and maximise compliance gaps. The average initial audit claim overstates genuine exposure by 3-4x. The gap is yours to recover — if you know how.
Vendor audits are initiated through complex commercial and operational triggers that are often misunderstood by procurement teams. Quarter-end revenue pressure is the primary driver: Oracle, SAP and Microsoft all manage audit pipelines to meet quarterly revenue targets. An audit notification that arrives in January is rarely coincidental — it reflects Q4 planning. Contract renewal leverage is the second trigger: organisations approaching renewal dates frequently receive audit notifications 60-90 days before the renewal negotiation is scheduled to begin. This timing creates pressure to settle audit claims before renewal discussions, which typically results in larger settlements than organisations would accept if the two negotiations were separated. Strategic account recovery is the third driver: vendors use audit notifications to re-engage lapsed or underutilised customers and signal that the relationship has compliance exposure. Automated licence monitoring through beacons and compliance telemetry has created a fourth, continuous trigger — systems that flag potential gaps and convert those signals into audit workflows without human intervention.
Oracle License Management Services (LMS) operates with a highly structured audit methodology that is deliberately aggressive on a number of key metrics. LMS is a revenue-generating division within Oracle, employing over 300 auditors who manage thousands of customer audits simultaneously. The LMS scoring process assigns risk scores to customer populations based on deployment patterns, and those scores determine which customers are selected for formal audits. Once an audit is initiated, LMS uses a standardised process: initial questionnaire (requesting self-reported licence position), Oracle-provided data collection scripts (which often capture more information than strictly necessary for compliance measurement), assessment against Oracle's interpretation of the licence terms, and remediation modelling (which typically assumes the customer will accept Oracle's proposed solution). The metrics that receive disproportionate focus include processor-count methodologies (where Oracle's interpretation of "processor" is consistently broader than customers' assumptions), virtualisation entitlements (where customers frequently misunderstand the interaction between physical and virtual processor licensing), and named user vs. concurrent user definitions (which vendors use to recharacterise deployments as non-compliant).
SAP's audit approach differs significantly from Oracle's, primarily around the distinction between Named User and Indirect/Digital Access. SAP moved to a usage-based licensing model in 2020, which created significant compliance complexity. Named User licensing requires a licence for every individual who can access the system, regardless of usage frequency. Indirect Access (later rebranded Digital Access) applies when non-SAP systems access SAP data. The two categories are frequently misunderstood, and the boundary between them is subject to interpretation. SAP publishes the DSAG (Deutsches SAP-Anwendergruppe) audit handbook, which describes SAP's official audit methodology, but the handbook itself is subject to interpretation — particularly on edge cases around analytics access, integration patterns, and third-party data movement. The move to S/4HANA has created additional audit exposure: organisations running legacy ECC systems with coexisting S/4HANA deployments frequently have dual-licensing obligations that create hidden compliance gaps. We have seen organisations discover, through audit, that they were subject to licensing obligations on systems they believed were decommissioned.
Microsoft's Software Asset Management (SAM) approach is less punitive than Oracle's but operates on a similar principle: initial true-up data (typically provided during Enterprise Agreement renewal) becomes the baseline for compliance assessment. Microsoft uses this data to identify consumption patterns and then develops commercial proposals that convert compliance "gaps" into contract expansion opportunities. A SAM review is typically less adversarial than an Oracle LMS audit — Microsoft's goal is usually contract expansion rather than penalty assessments — but the commercial outcome is similar: the buyer is pressured to accept expanded licensing at premium rates. The distinction between a Microsoft-initiated SAM review and an EA true-up is important: true-ups occur as contractual obligations during renewal; SAM reviews can be initiated at any point and are typically more extensive in scope.
The single most impactful early action in any audit defence is limiting the scope of data collection. Audit clauses give vendors the right to verify licence compliance — not unrestricted access to your IT estate. We have reduced audit scope in 90% of engagements, typically removing 40-60% of the assets vendors want to review.
Oracle and SAP use specific measurement methodologies for processor licensing, virtualisation, and user counting that are frequently unfavourable to customers. These methodologies are often subject to interpretation. We challenge the methodology before accepting the premise of the claim.
We build parallel licence position analysis using the same tools vendors use — but with buyer-favourable methodology choices where legitimate. In over 70% of engagements, our counter-analysis identifies a compliance position materially different from the vendor's initial claim.
Audit claims are commercial negotiations. Vendors want cash or contract expansion — not litigation. We know the settlement parameters for each major vendor and negotiate resolutions that turn compliance gaps into commercial opportunities rather than penalty payments.
The best audit defence happens before the audit arrives. We help organisations establish SAM programmes that identify exposure in advance, enabling remediation at standard pricing rather than audit premium rates.
Many audits end with contract amendments. We ensure these amendments resolve the compliance gap on favourable terms — without creating new exposure, locking in unfavourable metrics, or generating future audit risk through poorly drafted clean-up agreements.
We review the audit notification, establish response protocols, brief your legal team, and begin scope negotiations with the vendor. Do not provide data before this phase is complete. The data collection scope you agree at the start determines your entire exposure. In this critical first 30 days, we assess the vendor's legal standing to demand specific information, identify contractual protections that limit scope, and develop negotiating positions on auditor identity and data classification.
We map your actual licence entitlements against deployed software, using methodology choices favourable to buyers where legitimate. In most engagements, we identify both genuine gaps and significant over-claims by the vendor. This phase involves detailed technical analysis of your deployment architecture, licensing metrics, and contractual interpretations. We build a comprehensive position that can withstand vendor challenge.
We prepare and submit a formal counter-analysis to the vendor's audit team. This is rarely a buyer's opening position — it is typically our final position, built on defensible methodology. The counter-analysis includes detailed methodology documentation, supporting evidence, and contractual interpretations that support the buyer's position. Vendor teams are often surprised by the quality and depth of professional counter-analysis — it immediately signals that the buyer is not negotiating from weakness.
We negotiate the settlement: payment structure, timing, and any associated contract changes. We prevent vendors from converting audit resolutions into unfavourable long-term contracts. Most audit settlements include contract modifications — we ensure those modifications protect you. Settlement negotiations typically involve multiple rounds of discussion, and we maintain position discipline throughout — rejecting vendor pressure tactics and declining settlement offers that embed future risk.
We establish ongoing compliance disciplines to prevent recurrence and ensure you are audit-ready at all times. Organisations that exit an audit without an ongoing compliance programme face higher-risk re-audit within 3 years in 65% of cases. The compliance programme includes regular licensing reviews, deployment documentation, SAM discipline, and escalation protocols that prevent future exposure from accumulating undetected.
Audit notification received? Respond within 30 days — but only after we've reviewed your position.
We provide audit defence and compliance advisory services across all major enterprise software vendors. Our team includes former audit division executives and licensing specialists with deep expertise in each vendor's methodology and negotiating patterns.
41 pages covering Oracle LMS, SAP LAC, and Microsoft SAM audit methodologies — written by former audit division employees. Includes scope limitation templates, counter-analysis frameworks, and settlement benchmarks across 200+ audit engagements.
"Oracle presented us with a $47M audit claim with a 30-day response deadline. We had no internal expertise to challenge it. The team came in, limited the data collection scope, challenged Oracle's processor methodology, and settled at $8.2M — with a contract structure that protected us against future audit risk. I cannot overstate the value of having former LMS people on our side."
Chief Technology Officer, Global Insurance Group (NYSE-listed)
Vendor audits have tight timelines and significant financial stakes. Early engagement is essential. Contact us within 48 hours of receiving an audit notification.