Surviving a Software Audit: What to Do When the Vendor Comes Knocking

An audit letter has landed and the instinct is to start counting installs and bracing for a bill. Slow down. A software audit is rarely the neutral compliance exercise it is dressed up as. It is a commercial event, and how you handle the first few weeks usually decides what it costs you. Here is what an audit looks like from the inside, and how to come out of one without panic buying your way to a settlement.

The first thing to understand is that you are not the only one with a script. The vendor runs audits constantly, has a playbook for exactly this conversation, and knows how most customers react. You will go through this once every few years, if that. That asymmetry is the whole game, and it is the same asymmetry that sits underneath every vendor quote. If you have not read it, the companion piece on how vendors actually build a quote explains the wider mechanics. An audit is that same machine, pointed at your installed base.

First, do not engage on instinct

The most expensive mistakes happen in the first fortnight, before anyone has thought clearly. A nervous administrator runs the vendor's discovery script across the estate, hands back a spreadsheet, and in doing so gives the auditor a far richer picture than the contract ever entitled them to. Now the negotiation starts from the worst possible position, with the vendor holding numbers you helped them assemble.

So the opening move is not to count and confess. It is to acknowledge the letter politely, route it to one owner rather than letting it bounce around the IT team, and buy yourself the time to understand your own position before you share anything. Cooperative and measured is the posture. Eager and exhaustive is not.

What an audit actually is, behind the compliance coat

Vendors describe audits as a routine check that customers are licensed for what they use. That is the framing, not the function. In practice an audit is one of the most reliable ways a vendor has to generate unplanned revenue from an account that is not buying enough on its own. The compliance language is real, but it is wrapped around a commercial objective, and the people who run the process are measured on the revenue it recovers.

This matters because it tells you what the audit is for and therefore how to respond. You are not in a neutral reconciliation. You are at the opening of a negotiation that has been framed to look like an obligation. Treat it as the negotiation it is, and most of the right instincts follow.

The tell

Watch the timing. Audits have a habit of arriving twelve to eighteen months before a renewal, or just after a merger, or in a year when your spend has gone flat. None of that is coincidence. A finding gives the vendor a number to fold into the renewal conversation, which is a far stronger place to negotiate from than an empty quote.

What actually triggers an audit

Audits are rarely random, whatever the letter implies. From the vendor side, accounts get selected for reasons, and recognising the reason tells you what they are expecting to find. The common triggers are:

  • Telemetry that suggests drift. Modern software phones home. If usage signals point to deployment running ahead of entitlement, that account moves up the list.
  • A lapsed or skipped true up. If you have grown but not trued up your licences, the vendor knows the gap is probably there to be found.
  • A merger or acquisition. Corporate change almost always breaks licensing assumptions, and vendors know it. M&A activity is one of the strongest audit signals there is.
  • A flat or shrinking account. If your spend has stopped growing, an audit is a way to re-monetise an account that has gone quiet, without waiting for you to choose to buy.
  • Renewal timing. An audit that lands ahead of a renewal is not separate from the renewal. It is the renewal, opened early and from a position of pressure.

What the vendor is really looking for

An auditor is not hunting for tidy compliance. They are hunting for the findings that convert into a sale. The areas that produce the biggest numbers are predictable: production use of software that was only ever licensed for test or development, environments spun up and forgotten, indirect or digital access where a system talks to the licensed software through middleware, virtualisation and core counting where the metric is defined in the vendor's favour, and users or devices that have quietly multiplied past the entitlement.

Each of those is a place where the rules are complex enough that reasonable people get them wrong, and where the vendor's reading of the rule is rarely the most generous one. The findings then become a pipeline. What started as a compliance report turns into a remediation quote, and the remediation quote turns into a renewal with the gap baked in.

How a true up is calculated, and why it lands at list

When the findings are in, the shortfall gets priced. Here is the part customers are not told plainly: a true up is almost always quoted at full list price, as of today, often with back maintenance stacked on top, and sometimes with penalties the contract may or may not actually support. That list figure is not the settlement. It is the opening position, set high on purpose, so that the discount the vendor then offers feels like generosity and relief rather than the negotiation it is.

If you accept the first remediation number, you are paying the list price for your own mistake, at the worst possible moment, with no competitive tension anywhere in the room. The number is almost always negotiable, because the vendor would far rather close a discounted settlement and a renewal than litigate a contract clause. They are selling, not suing.

Your rights, and your real exposure

Before you concede anything, read the actual audit clause in your agreement. People assume an audit means the vendor can demand whatever they ask for. It usually does not. The contract defines the scope of the audit right, the notice required, who bears the cost, and crucially what you are and are not obliged to provide. Plenty of audit requests reach well beyond what the clause entitles them to, and a calm reference back to the wording closes a surprising amount of it down.

Your exposure is similarly worth establishing on your own terms rather than theirs. Run your own internal position first, privately, so you know where you genuinely stand before any number is shared. There is a large difference between a real shortfall you should resolve and an aggressive interpretation of an ambiguous metric that you can push back on hard. You cannot tell which you are facing until you have done your own homework, which is exactly why handing over their discovery script on day one is such a costly reflex.

The principle

Give only what the contract requires, in a controlled way, on a timeline you set within reason. Validate the auditor's tooling and their numbers before you accept any of them. An audit finding is a claim, not a fact, until you have checked it yourself.

How to respond, without panic buying

The aim is to convert a compliance ambush back into an ordinary commercial negotiation, where you have leverage again. In practice that means a disciplined sequence rather than a scramble.

  • Centralise it. One owner, one channel to the vendor. Stop the estate answering questions piecemeal.
  • Read the clause. Establish what the audit right actually permits before you agree to any process.
  • Run your own numbers first. Understand your true position privately, including the defensible grey areas, before sharing anything.
  • Control scope and pace. Provide what is required, not everything that is asked, and do not let an artificial deadline rush you into a settlement.
  • Validate their findings. Test the tooling and the assumptions. Reject double counting and overreaching metric interpretations.
  • Negotiate the remediation as a deal. Fold any genuine gap into a forward looking commercial conversation, where future commitment, timing and competitive options give you back the leverage the audit was designed to remove.

Done this way, even a real shortfall usually settles for a fraction of the headline number, and often as part of a renewal you would have been negotiating anyway, on better terms than the audit letter implied.

How C4C helps

We have sat on the vendor side, so we know how audits are selected, run and priced, and where the findings are softer than they look. When an audit lands, we help you establish your real exposure privately, hold the process to what the contract actually permits, validate the vendor's numbers, and turn a compliance claim back into a commercial negotiation you can win. We can lead that conversation for you under a Letter of Authority, taking the difficult role so your ongoing relationship with the vendor stays intact, or work alongside your team if you would rather front it yourselves. Our independence is the point. We are not paid by the vendor and we have no incentive to settle quickly, only to settle well.

Facing an audit? Send us the notice.

Forward the audit letter and a short note on the situation, and we will give you a straight, independent read: how exposed you really are, what the vendor is likely after, and the sensible next move. No panic, no vendor on the other side of the table. We have run these from the inside.

Prefer email? Reach us directly at hello@c4cgroup.co.uk.

Frequently asked questions

Can I refuse a software audit?

Usually not entirely, because most enterprise agreements grant the vendor an audit right. But you control the scope, the pace and the method far more than the letter suggests. You can decline to provide data the contract does not require, insist the process follows the clause as written, and set a reasonable timeline rather than accepting an artificial one.

What triggers a software audit?

Rarely chance. The common triggers are telemetry suggesting usage above entitlement, a lapsed true up, a merger or acquisition, a flat or shrinking account the vendor wants to re-monetise, and timing twelve to eighteen months before a renewal when the leverage is highest. The trigger usually tells you what they expect to find.

How is a true up priced?

Almost always at full list price as of today, often with back maintenance added, unless you negotiate. The list figure is the opening position, set high so the discount that follows feels like relief. A compliance finding is a sales opportunity, and the remediation number is nearly always movable.

Should I send the vendor everything straight away?

No. Be cooperative and professional, but measured. Run your own numbers privately first, validate the auditor's tooling and findings before accepting them, and provide only what the contract requires, in a controlled way. Handing over a full discovery export on day one gives away your position before the negotiation has started.

Do I need outside help for an audit?

For a small, clear case, often not. For a large exposure, an aggressive auditor, or a finding that lands near a renewal, an independent partner who knows how audits are selected, run and priced can change the outcome materially, and keep your vendor relationship intact while doing the harder talking for you.

How do I stop this happening again?

Keep entitlement and deployment reconciled continuously rather than once a crisis hits, watch the metrics that actually drive exposure such as core counts, indirect access and non-production use, and close any genuine true up on your own terms before it becomes someone else's audit.
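The "run your own numbers first" step in the response sequence above, and the continuous reconciliation this answer recommends, come down to the same exercise: put your entitlements beside what discovery actually found, strip out double counting, and separate a genuine shortfall from use the licence simply does not cover. The script below is an added illustration of that exercise, not code from the article or from C4C. Every product name, metric, inventory record and list price in it is constructed sample data, and the headline pricing function is an assumption about how a vendor might stack back maintenance onto a list-price true up, not any vendor's actual formula.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str               # "core" or "user": what the licence counts
    quantity: int             # how many of that metric you are entitled to
    environments: frozenset   # environments the licence covers, e.g. {"dev", "test"}


@dataclass(frozen=True)
class Deployment:
    host: str
    product: str
    environment: str          # "prod", "test" or "dev"
    cores: int
    users: int
    source: str               # which discovery tool reported this record


def dedupe_hosts(deployments):
    """Collapse the same host/product pair reported by several discovery tools.

    Two tools scanning one VM is a classic source of double counting in an
    auditor's spreadsheet; keep one record per (host, product)."""
    seen = {}
    for d in deployments:
        seen.setdefault((d.host.lower(), d.product), d)
    return list(seen.values())


def reconcile(entitlements, deployments):
    """Compare deployed usage with entitlement, per product.

    Usage in an environment the licence does not cover (for example production
    use of a dev/test licence) is reported as out_of_scope rather than folded
    into the shortfall, because the two are argued differently with the vendor.
    For a "user" metric the count is summed per host; a real estate would
    de-duplicate named users by identity as well."""
    by_product = {e.product: e for e in entitlements}
    usage = defaultdict(lambda: defaultdict(int))   # product -> environment -> count
    for d in dedupe_hosts(deployments):
        ent = by_product.get(d.product)
        metric = ent.metric if ent else "core"      # unlicensed product: assume core metric
        usage[d.product][d.environment] += d.cores if metric == "core" else d.users

    report = {}
    for product, envs in usage.items():
        ent = by_product.get(product)
        covered = ent.environments if ent else frozenset()
        entitled = ent.quantity if ent else 0
        in_scope = sum(n for env, n in envs.items() if env in covered)
        report[product] = {
            "metric": ent.metric if ent else "core",
            "entitled": entitled,
            "in_scope": in_scope,
            "shortfall": max(0, in_scope - entitled),
            "out_of_scope": {env: n for env, n in envs.items() if env not in covered},
        }
    return report


def headline_true_up(report, list_prices, back_years, maintenance_rate):
    """Assumed opening position: every gap at today's list price, with
    back maintenance for back_years stacked on top. This is the number to
    expect in the remediation quote, not the number to settle at."""
    total = 0.0
    for product, r in report.items():
        gap = r["shortfall"] + sum(r["out_of_scope"].values())
        total += gap * list_prices[product] * (1 + maintenance_rate * back_years)
    return round(total, 2)


# Constructed sample data: one production licence and one dev/test-only licence.
SAMPLE_ENTITLEMENTS = [
    Entitlement("dbserver", "core", 32, frozenset({"prod"})),
    Entitlement("analytics", "core", 16, frozenset({"dev", "test"})),
]
SAMPLE_DEPLOYMENTS = [
    Deployment("db01", "dbserver", "prod", 16, 0, "agent"),
    Deployment("db02", "dbserver", "prod", 16, 0, "agent"),
    Deployment("db03", "dbserver", "prod", 8, 0, "agent"),
    Deployment("DB03", "dbserver", "prod", 8, 0, "vcenter"),   # same host, second tool
    Deployment("an01", "analytics", "test", 8, 0, "agent"),
    Deployment("an02", "analytics", "prod", 8, 0, "agent"),    # prod use of a dev/test licence
    Deployment("an03", "analytics", "dev", 4, 0, "agent"),
]
SAMPLE_LIST_PRICES = {"dbserver": 1000, "analytics": 500}    # per core, constructed


def sample_report():
    return reconcile(SAMPLE_ENTITLEMENTS, SAMPLE_DEPLOYMENTS)


if __name__ == "__main__":
    rep = sample_report()
    for product, r in rep.items():
        print(product, r)
    print("headline at list + 2 years back maintenance:",
          headline_true_up(rep, SAMPLE_LIST_PRICES, back_years=2, maintenance_rate=0.2))
```

On the sample data the de-duplication alone moves the dbserver position from a 16-core gap to an 8-core gap, and the analytics finding is not a shortfall at all but an environment question, which is the kind of distinction that is worth having established privately before the vendor's spreadsheet arrives.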