Defending against software vendor audits: Microsoft, Oracle, Adobe
When the audit letter arrives, you have 30–60 days to assemble the deliverables. Done well, the audit closes neutral or favours you. Done badly, you sign a six-figure true-up. Here's the defensible playbook for each major vendor.
Microsoft, Oracle, IBM, Adobe, SAP, and Autodesk all run formal license audit programs. The right of audit is in your master agreement; refusing isn't really an option. What is optional is whether you arrive prepared or scramble.
The audit shape is consistent across vendors: discovery scan, license entitlement review, gap calculation, true-up offer. The trick is knowing what each vendor looks for and where the negotiable lines are.
The general defense playbook (any vendor)
- Acknowledge in writing, but don't commit to a timeline yet. Standard language: "We acknowledge receipt and will respond within 10 business days with a proposed schedule."
- Loop in legal and procurement. Audits are governed by the master agreement; most have notice, scope, and reasonableness clauses. Read them.
- Form a small audit team: one IT lead, one finance lead, one legal lead. Single point of contact with the vendor.
- Run your own discovery first. Before letting the vendor scan, know what they'll find. Reconcile against entitlements. Identify gaps and prepare the explanation.
- Limit scope. The audit clause is rarely as broad as the vendor's first request. Negotiate sample sizes, time periods, and which entities are in scope.
- Provide what's required, not more. Don't volunteer data. Don't grant access beyond contractual scope.
- Challenge findings. Raw discovery output is not the final number. Apply contractual entitlements, fair-use clauses, version downgrades, and evidence of decommissioning.
- Negotiate the true-up. Even a confirmed shortfall is rarely paid at list price. Discounts of 30–60% off the audit-stated true-up are normal if you have leverage.
Microsoft (SAM engagement / SPLA / EA audits)
Microsoft runs two flavours: SAM engagements, pitched as voluntary and usually delivered by a partner, and formal audits that invoke the audit clause in your EA or SPLA agreement, typically through a third-party firm such as Deloitte, KPMG or EY. Both start from the same discovery data and focus on:
- Server licensing — Windows Server, SQL Server, especially core-based licensing miscounts.
- Office 365 / Microsoft 365 user licensing — assigned vs. consumed seats.
- VDI / RDS scenarios where users access desktop software remotely; RDS CALs, Windows VDA rights and per-user Office licences all come into play.
- SQL Server Enterprise vs Standard misuse (Enterprise features used on Standard licenses).
Where the gaps usually are
- Virtualisation and hyperthreading: per-core licensing counts physical cores on a host (hyperthreads don't count) or the virtual cores assigned to each VM, with per-processor and per-VM minimums set in the Product Terms. Counting VMs or sockets instead of cores is the classic miscount and drives ~40% of Microsoft findings.
- SQL Server features: Enterprise-only features such as Always On availability groups (Standard only gets single-database Basic availability groups), online index operations and Resource Governor running on Standard licences are the second-most-common finding. The Enterprise-only list moves between versions: since 2016 SP1, In-Memory OLTP, partitioning and columnstore are available in Standard, so check against the Product Terms for your version. Check yourself before the auditor does: SELECT feature_name FROM sys.dm_db_persisted_sku_features, run in each database, lists the Enterprise-only features that database is actually using.
- O365 / M365 over-assignment: deactivated or departed users still holding licences, which count as consumed seats.
The defense lever
Microsoft's flexibility sits in Software Assurance: it brings licence reassignment rights, License Mobility (moving workloads to shared third-party infrastructure) and downgrade rights (running an older version, or Standard, under an Enterprise licence). A finding that you are running Enterprise features rarely has to be settled by buying new licences. First check whether unused Enterprise licences elsewhere in the estate can be reassigned to the offending instances, and whether the feature can simply be switched off, which is the cheapest fix when nothing depends on it. Always check for unused Enterprise licences before agreeing to buy new ones.
Oracle (LMS engagement)
Oracle's License Management Services (LMS) audits are the most aggressive in the industry. They focus on:
- Database — Standard Edition vs Enterprise Edition feature usage.
- Java SE — yes, Java is licensed now; assume scrutiny.
- WebLogic, Middleware — feature-based packs.
- Virtualisation, VMware in particular. Oracle treats VMware as "soft partitioning", so its stance is that every host in the vSphere cluster (and, for newer vSphere versions, every host the VM could be moved to under the same vCenter) must be fully licensed unless it is hard-partitioned. That position comes from Oracle's partitioning policy document, which is not part of your contract; it is contested but expensive to fight.
Where the gaps usually are
- Enterprise Edition features and separately licensed options used without entitlement: Partitioning, Advanced Security, Real Application Clusters (RAC), and the Diagnostics and Tuning packs. Oracle's audit scripts read DBA_FEATURE_USAGE_STATISTICS, so query it yourself first; a single DBA opening an AWR report records Diagnostics Pack usage there.
- Java SE: Oracle JDK 8 updates after 8u202 (January 2019) and Oracle JDK 11 onwards ship under licence terms that require a subscription for commercial use. Since January 2023 that subscription is priced per employee across the whole company, so a single Oracle JDK install can be priced on total headcount.
- VMware host counts: the dispute is whether any host that could run an Oracle VM needs to be licensed.
The defense lever
Oracle's findings frequently include disputed positions (especially on virtualisation). Document hard partitioning, clusters with vMotion disabled or restricted by host affinity rules, and any contractual carve-outs you negotiated. If you don't have ULA (Unlimited License Agreement) coverage, the time to negotiate one might be during the audit; Oracle will trade audit findings for a multi-year ULA in many cases. Remember that a ULA ends in a certification count, so the same discovery discipline applies at exit.
The Java trap
Oracle Java SE moved to a paid subscription for commercial use in 2019, and many companies kept using Oracle JDK without realising. If your dev fleet or servers run Oracle JDK rather than an OpenJDK build such as Eclipse Temurin (Adoptium), you have real exposure. Telling them apart is quick: the first line of java -version reads "java version" on Oracle JDK and "openjdk version" on every OpenJDK build, and the second line reads "Java(TM) SE Runtime Environment" only on Oracle JDK. Switch to OpenJDK before the audit, not during, and keep the change records; a migration done after the letter arrives still leaves the historical usage to argue about.
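A fleet-wide version of that check, as an added example that is not the page's, Oracle's or any vendor's code: it classifies the three-line banner that java -version prints (to stderr) and flags Oracle JDK builds shipped under the post-2019 terms (8u211 and later, 11 and later). Host names and banners are constructed; the flag is a prompt to review the licence position, not a legal determination, and Oracle's own GPL OpenJDK builds from jdk.java.net correctly come out unflagged because they print "OpenJDK Runtime Environment".

```python
"""Find Oracle JDK installs (Java SE subscription exposure) among a set of JDKs.

Added example, not the page's code. It classifies the banner printed by
`java -version`. Oracle JDK identifies itself with "Java(TM) SE Runtime
Environment"; every OpenJDK build, including the GPL builds Oracle publishes
on jdk.java.net, prints "OpenJDK Runtime Environment". Hosts and banners
below are constructed for the example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample `java -version` output, keyed by a made-up host name.
SAMPLES: Dict[str, str] = {
    "build-01": ('java version "1.8.0_351"\n'
                 'Java(TM) SE Runtime Environment (build 1.8.0_351-b10)\n'
                 'Java HotSpot(TM) 64-Bit Server VM (build 25.351-b10, mixed mode)'),
    "build-02": ('java version "1.8.0_202"\n'
                 'Java(TM) SE Runtime Environment (build 1.8.0_202-b08)\n'
                 'Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)'),
    "app-07": ('java version "17.0.2" 2022-01-18 LTS\n'
               'Java(TM) SE Runtime Environment (build 17.0.2+8-LTS-86)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 17.0.2+8-LTS-86, mixed mode, sharing)'),
    "ci-03": ('openjdk version "17.0.2" 2022-01-18\n'
              'OpenJDK Runtime Environment Temurin-17.0.2+8 (build 17.0.2+8)\n'
              'OpenJDK 64-Bit Server VM Temurin-17.0.2+8 (build 17.0.2+8, mixed mode, sharing)'),
    "web-12": ('openjdk version "11.0.19" 2023-04-18\n'
               'OpenJDK Runtime Environment (build 11.0.19+7-post-Ubuntu-0ubuntu122.04.1)\n'
               'OpenJDK 64-Bit Server VM (build 11.0.19+7-post-Ubuntu-0ubuntu122.04.1, mixed mode, sharing)'),
}

# Substrings of the runtime line that identify common OpenJDK distributions.
DISTRIBUTION_MARKERS = [
    ("Temurin", "Eclipse Temurin"), ("Zulu", "Azul Zulu"), ("Corretto", "Amazon Corretto"),
    ("Ubuntu", "Ubuntu package"), ("Red_Hat", "Red Hat build"), ("Microsoft", "Microsoft build"),
]
# 8u211 (April 2019) was the first Oracle JDK 8 update under the OTN licence;
# 8u202 was the last under the old BCL licence.
FIRST_OTN_UPDATE_8 = 211


def parse_version(text: str) -> Tuple[int, int]:
    """'1.8.0_351' -> (8, 351); '17.0.2' -> (17, 2); '21' -> (21, 0)."""
    m = re.match(r"1\.(\d+)\.\d+_(\d+)", text)      # legacy 1.x.y_update scheme
    if m:
        return int(m.group(1)), int(m.group(2))
    parts = text.split(".")
    major = int(re.match(r"\d+", parts[0]).group(0))
    update = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
    return major, update


@dataclass
class JdkInstall:
    host: str
    version: str
    major: int
    update: int
    oracle_jdk: bool      # True for Oracle's commercial JDK build
    distribution: str
    flagged: bool         # True when a subscription is likely required: review it
    reason: str


def classify(host: str, banner: str) -> JdkInstall:
    lines = [ln.strip() for ln in banner.strip().splitlines()]
    m = re.match(r'(java|openjdk) version "([^"]+)"', lines[0])
    if not m:
        raise ValueError(f"{host}: unrecognised java -version output")
    version = m.group(2)
    major, update = parse_version(version)
    runtime = lines[1] if len(lines) > 1 else ""
    oracle = runtime.startswith("Java(TM) SE Runtime Environment")
    if oracle:
        distribution = "Oracle JDK"
    else:
        distribution = next((name for marker, name in DISTRIBUTION_MARKERS if marker in runtime),
                            "OpenJDK (unidentified build)")
    if not oracle:
        flagged, reason = False, "OpenJDK build, no Oracle subscription needed"
    elif major >= 11 or (major == 8 and update >= FIRST_OTN_UPDATE_8):
        # OTN terms for 8u211+/11+; 17+ ship under NFTC, whose free updates lapse after the next LTS.
        flagged, reason = True, "Oracle JDK under post-2019 terms: subscription likely required, review"
    else:
        flagged, reason = False, "Oracle JDK pre-OTN build: no subscription, but no security updates either"
    return JdkInstall(host, version, major, update, oracle, distribution, flagged, reason)


def report(samples: Dict[str, str]) -> List[JdkInstall]:
    return [classify(host, banner) for host, banner in samples.items()]


def scan_local(java: str = "java") -> Optional[JdkInstall]:
    """Classify the JDK on this machine; `java -version` writes its banner to stderr."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return classify("localhost", proc.stderr or proc.stdout)


if __name__ == "__main__":
    for r in report(SAMPLES):
        print(f"{r.host:10} {r.distribution:28} {r.version:10} {'FLAG' if r.flagged else 'ok  '} {r.reason}")
```

Run it over banners collected by your endpoint agent or a simple SSH loop; the two flagged hosts in the sample (build-01 on 8u351, app-07 on 17.0.2) are the ones to migrate before the letter arrives, and build-02 on 8u202 is a reminder that "unflagged" is not "safe": it is an unpatched runtime.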
Adobe
Adobe's audits target Creative Cloud and Acrobat. They focus on:
- User assignment vs. installation: Adobe sells named-user licences, each allowing activation on a limited number of devices, so installs that outnumber assigned users are the first thing counted.
- Concurrent users on shared workstations.
- Educational vs. commercial licensing for organisations that bought edu but use commercially.
The defense lever
Adobe is highly responsive to a "we'll re-up at higher tier" trade. Audit findings frequently get rolled into a renewal at favourable terms.
IBM, SAP, Autodesk — quick notes
| Vendor | What they look at |
|---|---|
| IBM | PVU (Processor Value Unit) licensing on middleware. Sub-capacity licensing on virtualised hosts requires ILMT (IBM License Metric Tool) to be installed and reporting within 90 days of deployment, with quarterly reports retained for two years; without it IBM counts the full capacity of the physical host. |
| SAP | Indirect / digital access: third-party systems calling SAP. SAP's roughly £54M claim against Diageo (SAP UK v Diageo, 2017) stemmed from Salesforce users reaching SAP through middleware. Document API and integration access carefully. |
| Autodesk | Concurrent vs. named-user. Autodesk moved to named-user licensing in 2020, so legacy multi-user (network) licences still in use are the common finding. Compliance investigations are sometimes triggered by reseller tip-offs. |
Pre-audit hygiene that prevents 80% of findings
- License entitlement record per vendor: contracts uploaded, entitlement counts extracted, dates valid through.
- Discovery data refreshed monthly: who has what installed, where, since when.
- Reconciliation report: entitlement vs. consumption, gaps highlighted with explanations.
- Decommissioning evidence: when you remove a deployment, document it. Vendors will count anything they can prove was deployed.
- Contract clauses extracted: notice periods, audit-frequency caps, scope limits.
If you can produce all of the above on demand, an audit becomes paperwork. Without them, it becomes a negotiation starting from the vendor's worst-case math.
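The reconciliation report from that checklist, as an added example that is not the page's or InventorIA's code: it takes entitlement records and discovery records, ignores expired entitlements, excludes a deployment only when its decommissioning is dated and backed by evidence, and reports gap and headroom per product with the explanations an auditor will ask for. Contract references, hosts, dates and quantities are constructed; quantities are used as recorded, and vendor-specific minimums (per-VM core floors, for instance) are deliberately not modelled.

```python
"""Entitlement-vs-consumption reconciliation with decommissioning evidence.

Added example, not the page's or InventorIA's code. Rules: only in-date
entitlements count; a deployment is excluded only when its decommissioning is
dated and backed by evidence; everything else is counted, as the vendor would
count it. Quantities are used as recorded (cores or users); vendor-specific
minimums such as per-VM core floors are deliberately not applied. Every record
below is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str         # "core" or "user"
    quantity: int
    contract: str       # agreement the count was extracted from
    valid_to: date


@dataclass(frozen=True)
class Deployment:
    host: str
    product: str
    metric: str
    quantity: int       # cores on the VM or host, or assigned users
    first_seen: date
    decommissioned: Optional[date] = None
    evidence: str = ""  # change ticket, removal log, etc.


@dataclass
class Line:
    product: str
    metric: str
    entitled: int = 0
    consumed: int = 0
    excluded: List[str] = field(default_factory=list)   # hosts dropped with evidence
    notes: List[str] = field(default_factory=list)      # explanations for the auditor

    @property
    def gap(self) -> int:
        return max(0, self.consumed - self.entitled)


def reconcile(entitlements: Iterable[Entitlement], deployments: Iterable[Deployment],
              as_of: date) -> Dict[str, Line]:
    lines: Dict[str, Line] = {}

    def line_for(product: str, metric: str) -> Line:
        return lines.setdefault(product, Line(product, metric))

    for e in entitlements:
        line = line_for(e.product, e.metric)
        if e.valid_to < as_of:  # expired paper buys nothing
            line.notes.append(f"{e.contract}: {e.quantity} {e.metric}s expired {e.valid_to}, not counted")
            continue
        line.entitled += e.quantity

    for d in deployments:
        line = line_for(d.product, d.metric)
        if d.metric != line.metric:
            line.notes.append(f"{d.host}: recorded in {d.metric}s, entitlement metric is {line.metric}s")
        if d.decommissioned and d.decommissioned <= as_of and d.evidence:
            line.excluded.append(d.host)  # provably gone before the as-of date
            continue
        if d.decommissioned and not d.evidence:
            line.notes.append(f"{d.host}: decommissioned {d.decommissioned} without evidence, still counted")
        line.consumed += d.quantity
    return lines


def render(lines: Dict[str, Line]) -> str:
    out = []
    for ln in lines.values():
        status = f"GAP {ln.gap}" if ln.gap else f"ok, headroom {ln.entitled - ln.consumed}"
        out.append(f"{ln.product}: entitled {ln.entitled}, consumed {ln.consumed} {ln.metric}s: {status}")
        out += [f"  excluded (decommissioned with evidence): {h}" for h in ln.excluded]
        out += [f"  note: {n}" for n in ln.notes]
    return "\n".join(out)


# Constructed sample data: contract references, hosts and dates are made up.
AS_OF = date(2025, 3, 1)
ENTITLEMENTS = [
    Entitlement("SQL Server 2019 Enterprise", "core", 32, "EA-2021-0457", date(2026, 6, 30)),
    Entitlement("SQL Server 2019 Standard", "core", 24, "EA-2021-0457", date(2026, 6, 30)),
    Entitlement("Acrobat Pro", "user", 40, "VIP-2023-1188", date(2024, 1, 31)),
]
DEPLOYMENTS = [
    Deployment("db-01", "SQL Server 2019 Enterprise", "core", 16, date(2022, 3, 10)),
    Deployment("db-02", "SQL Server 2019 Enterprise", "core", 16, date(2022, 3, 10)),
    Deployment("db-03", "SQL Server 2019 Enterprise", "core", 8, date(2021, 9, 1), date(2024, 11, 15), "CHG0042119"),
    Deployment("db-04", "SQL Server 2019 Enterprise", "core", 8, date(2021, 9, 1), date(2024, 12, 1)),
    Deployment("db-05", "SQL Server 2019 Standard", "core", 16, date(2023, 1, 20)),
    Deployment("db-06", "SQL Server 2019 Standard", "core", 4, date(2023, 1, 20)),
    Deployment("acrobat-assigned", "Acrobat Pro", "user", 45, date(2023, 2, 1)),
]

if __name__ == "__main__":
    print(render(reconcile(ENTITLEMENTS, DEPLOYMENTS, AS_OF)))
```

Two details carry the argument with the auditor. The db-04 line is counted even though someone marked it decommissioned, because there is no ticket to show; that is exactly how the vendor will treat it, so the report surfaces it as a note to chase before the scan rather than a surprise after. And the Acrobat line shows a 45-seat gap against zero entitlement because the agreement lapsed: the renewal date in the entitlement record is as important as the count.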
How InventorIA helps
InventorIA tracks license entitlements vs. real usage continuously, not just at audit time. Microsoft 365 / Adobe / Oracle / Salesforce integrations feed seat consumption automatically; contract parsing pulls entitlement counts from PDFs. The result: when the audit letter arrives, the reconciliation is already done — you respond from data, not from panic.
Be audit-ready before the letter arrives
Continuous entitlement-vs-consumption tracking. Free tier covers 10 users.
Start free →