How to use this assessment: Work through each item and mark it complete once confirmed. Items flagged High Risk represent the most common sources of material overspend. A score of 15 or more indicates a well-governed position.

Scoring Guide
Tally your confirmed items to determine your overall software licensing health.
0 – 9 Significant Exposure
10 – 14 Partial Governance
15 – 20 Well Governed

Section 1: Licence Discovery and Inventory

Enterprise software audits fail not because organisations lack licensing entitlements, but because they cannot demonstrate what software is installed, where, how it is being used, and whether they hold sufficient licences. A real-time, centralised inventory covering on-premise, cloud, and SaaS is the foundation of audit readiness and cost optimisation.

1. You maintain a real-time software asset inventory that covers all on-premise, cloud, and SaaS entitlements across every business unit.
Only 11 percent of enterprises maintain a fully integrated asset inventory spanning all deployment models. Most rely on fragmented spreadsheets or point tools covering only on-premises software. A centralised SAM system with automated discovery agents tracking on-premise, cloud infrastructure, and SaaS subscription activity achieves 40 percent better audit readiness within 12 months. Without this, audit scope negotiation defaults to sample audits covering high-risk business units, leaving you exposed to unexpected findings in other areas.
● High Risk
2. You have documented software procurement policies that define approval workflows, licence terms review, and vendor compliance assessment.
Organisations without documented procurement policies average 18 percent software overspend due to uncontrolled shadow IT and duplicate tool purchases. Best-practice procurement workflows require IT and finance sign-off before purchase, with legal review of volume licensing agreements and compliance audit rights. Implementing structured procurement governance reduces unplanned spend by 22 percent and accelerates vendor audit response. Non-compliant or missing policies leave budget owners free to purchase independently, fracturing inventory data.
● High Risk
3. You perform quarterly or bi-annual software audits that reconcile installed software against licence entitlements and identify unlicensed or under-licensed software.
Enterprises conducting regular internal audits detect 34 percent more licensing gaps than those relying on annual vendor audits alone. Quarterly reconciliation cycles between asset inventory and entitlement records surface drift caused by system migrations, M&A activity, and departing employees retaining software access. Regular audits also establish a pattern of control and diligence that materially reduces vendor audit scope and settlement risk. Absence of documented audit cycles signals poor control to auditors and insurers.
● High Risk
4. You maintain detailed records of software installation locations, deployment dates, version numbers, and named users or device associations for licence compliance verification.
Auditors require granular deployment metadata to trace licences to actual installations. Organisations lacking version control and location mapping struggle to defend licence positions during audits, often agreeing to inflated settlement demands. Enterprises with detailed deployment records reduce audit settlement costs by 31 percent on average. Asset discovery tools that auto-populate location, device, and version data from network scans provide audit-ready evidence and eliminate manual reconciliation overhead.
● Medium Risk
5. You have conducted a formal gap analysis comparing your current software asset management maturity against industry best practices, and produced a documented remediation roadmap.
Gap analysis frameworks identify process and control deficiencies that put your licensing position at risk. Organisations conducting formal gap analysis reduce audit exposure by an average of 44 percent within 24 months. A documented roadmap signals maturity to vendors and provides internal accountability for incremental SAM improvements. Without formal assessment, remediation efforts remain reactive and unfocused, addressing surface symptoms rather than systemic weaknesses.
● Medium Risk

Section 2: Compliance and Audit Readiness

Vendor audits assess not just what software you own, but whether you can prove compliance through documentation, control processes, and reporting. Audit readiness — the ability to respond fully and transparently to vendor information requests within defined SLA windows — is a critical risk mitigation and negotiation lever.

6. You maintain audit evidence repositories organised by software vendor and accessible to audit teams within defined SLA windows.
Poor audit document organisation results in delayed or incomplete vendor responses, triggering penalty clauses and extended audit timelines. Enterprises maintaining indexed, searchable audit evidence repositories reduce response time by 56 percent and cut audit costs by $150K or more per event. Evidence should include signed agreements, change orders, proof of entitlement transfers from M&A or employee moves, and discovery output. Vendors evaluate an organisation's maturity based on response speed and completeness; slow responses invite broader audit scope.
● High Risk
7. You have vendor audit clauses contractually limited in scope, covering sampling methodology, sites audited, frequency caps, and settlement dispute processes, negotiated at purchase time.
Audit scope negotiation during an active audit puts you at a 68 percent disadvantage. Best-practice licensing agreements define upfront caps on audit frequency such as once every two years, exclude low-risk sites, restrict scope to named licensees, and include binding dispute resolution. Organisations with contractually limited audit rights reduce compliance exposure and control costs. Vendors retain broad audit rights in standard terms; negotiating limits at purchase time is critical leverage that is far easier to obtain than after signature.
● High Risk
8. You maintain a documented audit response process including defined roles, communication protocols, evidence preservation, and escalation procedures for managing active vendor audits.
Unstructured audit responses amplify exposure through inconsistent evidence provision, unauthorised admissions, and failure to invoke contractual protections. Documented audit response frameworks reduce time-to-resolution by 41 percent and settlement costs by 27 percent. Response processes should designate a single audit coordinator, define evidence chain-of-custody, require legal review of written responses, and preserve all communications. Absence of process leads to ad-hoc responses that waive contractual defences and establish unfavourable precedents for future audits.
● High Risk
9. You conduct annual licence compliance training for IT operations, procurement, and system administrators covering prohibited uses, reconciliation procedures, and audit obligations.
Employee training drives 33 percent improvement in voluntary compliance and reduces unintentional licence violations. Training should cover the organisation's SAM policy, vendor terms including concurrent user restrictions, data centre deployment rules, and cloud migration policies, plus consequences of non-compliance. Documented training attendance proves due diligence to auditors and insurers. Untrained staff inadvertently expose the organisation to violations through shadow IT, unauthorised deployment, and user account sprawl.
● Medium Risk
10. You maintain active relationships with software vendors and asset management partners, including executive sponsorship, regular business reviews, and proactive compliance communications.
Vendors view organisations with poor relationship management as high-risk audit targets. Proactive vendor engagement — annual business reviews, usage reporting, renewal forecasting — builds trust and often results in audit scope reductions or cost-effective renewal offers. Enterprises conducting regular vendor meetings report 38 percent lower audit intensity and faster dispute resolution. Vendors are more inclined to engage constructively with customers they know and who manage their software professionally.
● Medium Risk

Section 3: Cost Optimisation and Rightsizing

Most enterprises overspend on software by 20 to 40 percent through duplicate tools, underutilised licences, and misaligned purchasing models. Systematic rightsizing and optimisation programmes recapture millions in annual spend while improving user experience and reducing audit exposure.

11. You conduct annual or bi-annual software usage analysis identifying duplicate tools, underutilised applications, and opportunities to consolidate or retire redundant software.
Organisations performing regular usage analysis typically identify 18 to 25 percent of licensed software as underutilised or redundant. Decommissioning unused applications reduces spend, simplifies compliance tracking, and eliminates audit exposure. Usage data collected via user surveys, licence activity monitoring, or vendor-provided telemetry reveals adoption patterns that financial records miss. Without usage discipline, budget owners continue renewing unused licences and procurement teams purchase overlapping tools rather than optimising existing solutions.
● High Risk
12. You have formally evaluated licensing models including perpetual versus subscription, concurrent versus named-user, and on-premise versus SaaS, and selected the most cost-effective structure for each software category.
Licensing model mismatch drives average spend overages of 31 percent per software category. Named-user perpetual licences are optimal for stable, full-time workforces; concurrent licences suit dynamic environments with rotating users; subscriptions reduce upfront capital and shift risk to vendors. Enterprises conducting model evaluations typically identify 12 to 19 percent annual savings through reoptimisation. Model selection should align with deployment location, user tenure, and vendor financial stability.
● High Risk
13. You track software renewal dates, pricing escalation terms, and discount thresholds, and initiate renewal negotiations at least 120 days before expiry to maximise negotiating leverage.
Organisations initiating renewal talks in the final 60 days before expiry forfeit 34 percent of available discounts and lose negotiating position. Early renewal engagement of 120 or more days out enables competitive benchmarking, volume-based discounting, and multi-year agreement negotiations that drive 15 to 22 percent savings. Renewal tracking systems integrate with procurement calendars and trigger alerts 6 to 9 months before expiry. Vendors expect late-stage renewals and exploit time pressure; proactive engagement shifts leverage to the buyer.
● High Risk
14. You benchmark software pricing and terms against industry standards and peer organisations, and use competitive data to inform renewal and procurement negotiations.
Organisations lacking pricing benchmarks accept vendor quotes at face value, overpaying by 17 to 28 percent relative to market rates. Peer benchmarking groups, industry analyst reports, and managed software services providers supply normative pricing for major software categories. Benchmarking data is a credible negotiation lever; vendors recognise that informed buyers reduce scope for margin expansion. Competitive intelligence should cover list pricing, volume discounts, software assurance terms, and support add-ons to model total cost of ownership accurately.
● Medium Risk
15. You have established a chargeback or cost-allocation model attributing software spend to business units, creating accountability and enabling rightsizing by cost centre.
Organisations without chargeback systems fail to surface true cost drivers and lack budget accountability for software spend. Chargeback models allocate licence costs to consuming business units based on user count, headcount, or transaction volume, making cost visibility transparent and incentivising optimisation. Enterprises implementing chargeback typically achieve 16 percent spend reduction within 18 months as budget owners become cost-conscious. Chargeback is also a governance lever: business units challenged with their allocated costs often identify opportunities to consolidate or retire software.
● Medium Risk

Section 4: Governance and Renewal Management

Sustainable licensing compliance requires embedded governance: defined roles, escalation procedures, cross-functional accountability, and regular reporting to senior management. Governance frameworks that tie licensing outcomes to business strategy reduce exposure and enable strategic vendor management.

16. You have established a cross-functional Software Asset Management committee with representatives from IT, finance, procurement, and business units, meeting at least quarterly.
Organisations with formal SAM governance reduce licensing exposure by 41 percent and improve renewal outcomes by 29 percent. SAM committees provide cross-functional visibility on spend trends, highlight emerging compliance risks, and track remediation progress. Quarterly cadence ensures issues escalate before they become audit liabilities. Committee outcomes including spending trends, audit findings, and optimisation initiatives should be reported to CFO and board risk committees to tie software licensing to financial control and risk governance.
● High Risk
17. You maintain executive-level reporting on software licensing metrics including spend, audit status, compliance maturity, and cost-per-user trends, tied to IT leadership scorecards.
Executive visibility drives accountability and signals board-level commitment to SAM maturity. KPI reporting should cover annual spend trends, audit pipeline and costs, compliance metrics such as inventory accuracy and policy adherence, and savings delivered through optimisation. Organisations reporting licensing KPIs to executive leadership achieve 36 percent faster remediation of compliance gaps and 28 percent better control of spending growth. Scorecards tie SAM outcomes to IT budget performance, creating incentives for proactive management rather than reactive audit response.
● High Risk
18. You have defined clear accountability across functions: IT operations owns inventory accuracy, finance owns cost visibility, legal owns audit response, and procurement owns vendor terms negotiation.
Organisations without clear ownership experience accountability gaps: inventory deteriorates, costs escalate unchecked, vendor disputes delay resolution, and terms remain unfavourable. RACI matrices defining roles for each SAM process — discovery, procurement, renewal, and audit response — ensure accountability and prevent finger-pointing. Success requires senior sponsorship from the CIO, CFO, and legal counsel. Accountability gaps allow problems to compound and lead to poor prioritisation and slow remediation.
● High Risk
19. You conduct annual board or audit committee reporting on software licensing risks, audit status, and compliance maturity, tying SAM outcomes to enterprise risk and financial control frameworks.
Board-level reporting elevates software licensing from a tactical IT issue to an enterprise risk and governance matter. Audit committees increasingly scrutinise software licence exposure as a component of financial control and compliance risk. Annual reporting should cover audit history and pipeline, material findings, remediation progress, and SAM maturity trajectory. Organisations achieving board visibility on SAM typically secure additional investment in tools and process, accelerating maturity improvements by 34 to 47 percent.
● Medium Risk
20. You have established a continuous improvement cycle for SAM maturity that includes annual process reviews, vendor and audit findings analysis, and documented updates to SAM policies and procedures.
One-time SAM implementations stall without continuous improvement discipline. Annual reviews of audit findings, vendor feedback, and emerging regulatory requirements enable incremental maturity gains. Organisations updating SAM frameworks annually improve audit outcomes by 22 to 31 percent over three-year cycles. Improvement planning should capture lessons from prior audits, incorporate vendor feedback, and refresh policies to address regulatory changes. Governance without continuous improvement signals stagnation and complacency to audit teams and insurers.
● Medium Risk

Next Steps

Score your confirmed items against the bands in the Scoring Guide above. If you are in the Significant Exposure or Partial Governance bands, prioritise the items flagged High Risk; these represent the most common sources of material overspend and are addressable within a single procurement or FinOps cycle.

Redress Compliance works exclusively on the buyer side, with no vendor affiliations. Our GenAI advisory practice has benchmarked AI costs, negotiated enterprise AI contracts, and built governance frameworks across 500+ enterprise engagements. Contact us for a confidential review of your AI cost and contract position.