What Not to Do First

The single most common mistake organisations make when receiving a software audit notification is treating it as an administrative process rather than a commercial negotiation. The notification — whether from Oracle LMS, SAP Global Audit, IBM Asset & License Compliance, or Microsoft VLSC — is the opening move in a structured commercial process that the vendor's audit team has considerable experience managing. Responding in an uncoordinated, reactive manner immediately puts you at a disadvantage.

Do not acknowledge the notification in a way that implicitly accepts the vendor's proposed scope, timeline, or auditor selection. Do not begin collecting and compiling deployment data before understanding what your contract requires you to provide and what it does not. Do not escalate internally in a way that creates panic — software audits are manageable when handled systematically. The complete strategic framework is covered in the Software Audit Defense Playbook. This article addresses specifically the response strategy for the initial notification phase.

Do not accept the proposed timeline or scope in your first response. Vendor audit teams routinely propose aggressive timelines and broad data requests designed to maximise findings before the auditee has time to prepare. Your first response should acknowledge receipt, confirm you are reviewing the notification with appropriate advisors, and request a reasonable extension before formal proceedings begin.


Step One: Review Your Contract Rights Before Responding

Before drafting any response, your legal and procurement team must review the licence agreement to understand exactly what audit rights the vendor holds. Audit clauses vary significantly between vendors and between contract generations. Key provisions to review include: the frequency with which audits can be conducted, the notice period required before an audit can commence, whether the vendor may use their own auditors or must use an independent third party, data confidentiality obligations on audit findings, and cost allocation provisions (some agreements require the vendor to pay audit costs if findings fall below a threshold).

Many organisations discover that their contracts contain provisions that substantially limit the vendor's audit rights — but these provisions are only useful if you know about them and exercise them. The audit team at IT Negotiations consistently finds unexploited contractual protections in client agreements, particularly in older enterprise licence agreements where audit scope and frequency limits were negotiated by experienced procurement teams and then forgotten as staff changed over time.

A Structured Response Process

The following sequence reflects best practice for responding to an enterprise software audit notification from any major vendor.

01

Acknowledge Receipt and Request an Extension

Within 5 business days, send a brief acknowledgement confirming receipt. State that you are reviewing the notification with appropriate advisors and request a 30-day extension before formal proceedings commence. This is standard and almost always granted. Do not accept any scope, timeline, or conditions in this communication.


02

Assemble an Internal Response Team

Designate a single point of contact for all vendor communications and build the team around that person with legal, IT, procurement, and finance representatives. Establish that every communication with the vendor's audit team goes through the designated contact. Direct, informal contact between the vendor and your technical staff creates risk: engineers answering what appear to be routine technical questions can volunteer deployment details, confirm a scope that has not been agreed, or make commitments that fall outside the negotiated audit conditions.

03

Engage External Audit Defense Advisors

For any audit involving Oracle, SAP, IBM, or Microsoft at enterprise scale, engaging specialist audit defense advisors before responding formally is strongly recommended. Advisors who conduct audit defense as a primary practice understand the vendor's process, the common findings in each environment, and the negotiation levers available at each stage.

04

Conduct an Internal Licence Position Assessment

Before the vendor begins their data collection, conduct your own internal licence position review to understand where you stand. Knowing your probable exposure allows you to assess settlement options early, challenge vendor findings from a position of knowledge, and avoid inadvertently providing data that creates exposure you did not anticipate.

05

Negotiate Audit Scope and Conditions

Use the extension period to negotiate scope limitations, data confidentiality agreements, auditor credentials, and the historical period under review. These negotiations happen before the formal audit commences and are significantly easier to conduct at this stage than during active data collection.

Negotiating Audit Scope

Audit scope is one of the most important variables in determining potential exposure. Vendors typically propose the broadest possible scope — all products, all geographies, all historical periods permitted under the contract. Experienced audit defense advisors routinely narrow this scope substantially, limiting the audit to specific product families, specific data centres or geographies, or specific time periods where the client's compliance position is strong.

Scope negotiation is not about obstructing a legitimate process — it is about ensuring the audit is proportionate to the contractual audit rights the vendor actually holds. Contracts that limit audit frequency to once per two years, or that restrict scope to products explicitly named in the order form, provide genuine grounds for scope limitation that should be exercised as a matter of standard practice.

Data confidentiality is equally important. Audit findings — even those ultimately not pursued commercially — can become leverage in subsequent commercial negotiations. Requiring that all audit data and findings be treated as strictly confidential, shared only with named individuals, and destroyed or returned at audit conclusion protects your commercial interests beyond the immediate audit.

Managing Data Requests

Vendor audit teams typically issue formal data requests listing the information they require to conduct the audit — deployment scans, licence entitlement records, order histories, installation scripts, and similar materials. These requests often appear exhaustive and mandatory, but they are negotiating positions, not unconditional legal requirements.

Review each data request item against your contractual obligations. Provide what is contractually required; negotiate or decline what is not. Where you do provide data, ensure it is accompanied by contextual information that presents the most favourable accurate picture of your compliance position — raw deployment data without context routinely produces inflated findings that do not reflect actual licence obligations.
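The internal licence position review in step 04, and the point above that raw deployment data without context inflates findings, can be made concrete with a small reconciliation script. The following is an added example, not code from the original page or from IT Negotiations. Everything in it is an assumption for illustration: the single licensing metric (processor cores), the product names, the host inventory and the exclusion reasons are constructed, and whether a decommissioned or powered-off host actually consumes a licence is a question for your contract, not for this code.

```python
from dataclasses import dataclass
from collections import defaultdict

# Simplified model: every product is licensed purely by processor core count.
# Real vendor metrics (core factors, named users, PVUs, etc.) differ; this is
# an assumption made for illustration only.


@dataclass(frozen=True)
class Entitlement:
    product: str
    cores: int          # cores you are contractually entitled to run


@dataclass(frozen=True)
class Deployment:
    host: str
    product: str
    cores: int
    in_scope: bool = True   # False when documented context removes the host from the population
    note: str = ""          # the contextual justification you would attach to the data


def consumed_cores(deployments, apply_context):
    """Sum deployed cores per product. With apply_context=True, hosts flagged
    out of scope are excluded, giving the contextualised view rather than the
    raw-scan view."""
    totals = defaultdict(int)
    for d in deployments:
        if apply_context and not d.in_scope:
            continue
        totals[d.product] += d.cores
    return dict(totals)


def licence_position(entitlements, deployments, apply_context=True):
    """Return {product: {"entitled", "consumed", "shortfall"}} for every product
    that appears in either list. A product deployed with no entitlement at all
    shows its full footprint as shortfall."""
    entitled = defaultdict(int)
    for e in entitlements:
        entitled[e.product] += e.cores
    consumed = consumed_cores(deployments, apply_context)
    position = {}
    for product in sorted(set(entitled) | set(consumed)):
        ent = entitled.get(product, 0)
        con = consumed.get(product, 0)
        position[product] = {"entitled": ent, "consumed": con, "shortfall": max(0, con - ent)}
    return position


def exclusion_log(deployments):
    """The context you hand over alongside the data: which hosts were excluded
    from the count and why."""
    return [(d.host, d.product, d.note) for d in deployments if not d.in_scope]


# Constructed sample data (not from any real environment or contract).
ENTITLEMENTS = [Entitlement("DatabaseProduct", 32), Entitlement("AppServerProduct", 16)]
DEPLOYMENTS = [
    Deployment("db-prod-01", "DatabaseProduct", 16),
    Deployment("db-prod-02", "DatabaseProduct", 16),
    Deployment("db-old-01", "DatabaseProduct", 8, in_scope=False,
               note="host decommissioned before the review period; binaries never removed"),
    Deployment("app-01", "AppServerProduct", 8),
    Deployment("app-02", "AppServerProduct", 8),
    Deployment("app-standby", "AppServerProduct", 8, in_scope=False,
               note="powered-off standby; assumed not to consume a licence under the constructed contract terms"),
    Deployment("bi-01", "AnalyticsAddon", 4),   # deployed with no entitlement at all
]

if __name__ == "__main__":
    for label, ctx in (("raw scan", False), ("contextualised", True)):
        print(label)
        for product, p in licence_position(ENTITLEMENTS, DEPLOYMENTS, ctx).items():
            print(f"  {product}: entitled {p['entitled']}, consumed {p['consumed']}, shortfall {p['shortfall']}")
    for host, product, note in exclusion_log(DEPLOYMENTS):
        print(f"excluded {host} ({product}): {note}")
```

Running the same reconciliation twice, once over the raw scan and once over the reviewed inventory, gives you the two numbers you need before the vendor's data collection starts: the worst case a raw scan will produce, and the position you can actually defend with documentation. The unentitled product shows up identically in both views, which is the kind of exposure you want to discover yourself rather than in the vendor's findings. The exclusion log is the contextual record to provide alongside any data you are contractually required to hand over.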

For detailed guidance on the full audit lifecycle beyond the initial notification phase, see the Software Audit Defense Playbook and the article on audit settlement negotiation strategy. IT Negotiations' audit defense services cover the complete process from initial notification through final settlement.
