Score your organisation against each risk factor to identify high-priority remediation areas and build your audit defence strategy before a vendor notice arrives.
Tier-1 vendors audit enterprise customers on a 3–5 year cycle. Organisations approaching 5 years since their last Oracle or SAP audit face a statistically high probability of notification within the next 12 months. Review your audit history and model exposure before vendors contact you — proactive licence review is always cheaper than reactive audit response.
Regulatory projects — data residency requirements, audit logging expansions, identity management upgrades — frequently add workloads to existing licences without triggering procurement reviews. These undeclared deployments are prime findings in post-regulatory-change vendor audits. Cross-reference all major compliance projects against SAM entitlement records.
Unresolved audit findings are the highest-risk indicator in vendor relationship management. Vendors track remediation commitments across audit cycles. Repeated findings in the same category — virtualisation, deployment counts, user access — indicate a systemic gap rather than a one-off error and attract harsher settlement terms in subsequent audits.
AI governance is the fastest-growing area of software audit risk. Microsoft 365 Copilot, GitHub Copilot, Salesforce Einstein and Oracle AI Services all have specific entitlement requirements. Shadow AI deployments on personal credit cards or departmental budgets create undisclosed licence obligations that surface in audit discovery scans.
Migrating from SAP ECC to S/4HANA triggers a licence model conversion. Moving Oracle Database workloads to cloud environments changes processor metric calculations. Licence metric changes during upgrades are routinely under-assessed, creating six-figure audit exposures at go-live that could have been identified during planning.
Oracle's virtualisation policy remains one of the most contentious in enterprise software. Deploying Oracle Database on VMware without "hard partitioning" requires licensing all physical cores in the cluster. Post-Broadcom VMware pricing changes have intensified this risk as organisations renegotiate VMware contracts and consider migration paths.
Oracle, IBM and SAP all have specific policies for non-production environments. Oracle's Named User Plus metric requires individual licensing of developers accessing the database in test. IBM has specific DR environment provisions. Blanket assumptions that dev/test is free are incorrect for all three vendors and are a common source of audit findings.
Pandemic-era remote work expansions permanently increased active user counts in many organisations without corresponding licence adjustments. Vendors audit named users or peak concurrent users based on directory data, not physical presence. Reconcile your user counts against current Active Directory or identity provider state before each major vendor engagement.
Most enterprise licences cover employees of the named licensee. Third-party access — consultants, offshore developers, acquired subsidiaries — frequently falls outside the named-user grant. SAP indirect access audits have produced multi-million-pound settlements for exactly this pattern. Validate third-party access quarterly.
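The reconciliation the two points above call for (directory-based user counts and third-party accounts outside the named-user grant) can be scripted ahead of a vendor engagement. The following PowerShell is an added example, not code from the page or from Redress Compliance. It assumes the ActiveDirectory RSAT module is installed and readable by the caller; the entitlement figure, the dormancy threshold and the OU used to recognise contractor accounts are placeholders to replace with your own values.

```powershell
# Added example: reconcile enabled directory accounts against a named-user entitlement
# before a vendor engagement. Vendors count named users from directory state, so the
# starting population is every enabled account, not the people physically on site.
Import-Module ActiveDirectory

$EntitledNamedUsers = 1500                                # placeholder: figure from your licence schedule
$StaleAfterDays     = 90                                  # placeholder: your own dormancy threshold
$ThirdPartyOU       = 'OU=External,DC=example,DC=com'     # placeholder: where contractor accounts live
$ReportPath         = Join-Path $PSScriptRoot 'named-user-reconciliation.csv'

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Every enabled account, with the attributes needed to classify it.
$enabled = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, DistinguishedName)

# Accounts that still count as named users but have not logged on recently:
# candidates for disablement rather than a licence top-up.
$stale = @($enabled | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

# Accounts homed in the third-party OU: check each against the licensee definition.
$thirdParty = @($enabled | Where-Object { $_.DistinguishedName -like "*,$ThirdPartyOU" })

$summary = [PSCustomObject]@{
    EnabledAccounts    = $enabled.Count
    StaleAccounts      = $stale.Count
    ThirdPartyAccounts = $thirdParty.Count
    EntitledNamedUsers = $EntitledNamedUsers
    Overage            = [Math]::Max(0, $enabled.Count - $EntitledNamedUsers)
}
$summary | Format-List

# Per-account detail for the audit pack: who is counted and why.
$enabled |
    Select-Object SamAccountName, LastLogonDate,
        @{Name = 'Stale';      Expression = { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }},
        @{Name = 'ThirdParty'; Expression = { $_.DistinguishedName -like "*,$ThirdPartyOU" }} |
    Export-Csv -Path $ReportPath -NoTypeInformation
```

Two practical notes: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real logons by up to 14 days, so treat the stale list as a candidate set to confirm rather than a final count; and if contractors are identified by an attribute (for example employeeType) rather than an OU in your directory, swap the third-party filter accordingly.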
Running unsupported software is both a security risk and an audit trigger. Oracle's Lifetime Support policy and SAP's extended maintenance programme create financial penalties for lapsed support. Some vendors audit more aggressively post-lapse as a commercial lever to force renewals at higher rates.
M&A activity is the most common trigger for Oracle and SAP audits. Licence agreements define the named licensee; acquiring a company does not automatically extend licences to the acquired entity. Similarly, divesting a business unit that retains access to group licences creates ongoing compliance obligations that persist after deal close.
Poor deployment documentation quality is a force-multiplier for audit findings. Vendors with contractual audit rights use their own discovery tools if licensees cannot produce accurate data. Vendor-run discovery almost always overstates usage — maintaining pre-built audit packs allows you to control the data narrative.
Audit rights clauses vary significantly. Some grant vendors the right to use third-party auditors (BSA, KPMG, Deloitte) whose findings are contractually binding. Understanding what data you are obligated to provide and what remediation timeline applies shapes your audit defence strategy before a notice arrives.
Open contract interpretation disputes indicate both parties see compliance risk in the agreement. Document all disputed interpretations, obtain written vendor positions and escalate to legal review. Unresolved disputes harden into audit findings when vendor relationships deteriorate.
Vendors present initial audit findings at list price. Industry practice is to negotiate settlements down by 30–60% using volume discounts, product substitutions and future-spend commitments. Accepting vendor findings without independent benchmarking leaves significant settlement value on the table.
Interpreting Your Assessment Results
Received an audit notice — or want to get ahead of one?
Redress Compliance provides independent audit defence support and pre-audit licence reviews for Oracle, SAP, IBM and Microsoft.
Download: Software Audit Defence Kit
Audit response templates, licence metric checklists and settlement negotiation playbook for tier-1 vendor audits.