SOFTWARE LICENSE AUDIT RESPONSE PLAYBOOK

Comprehensive Response Guide for Vendor and Trade Association Software Audits

Prepared for: [________________________________]
Prepared by: [________________________________]
Date: [__/__/____]
Matter/File No.: [________________________________]


TABLE OF CONTENTS

  • Part I: Overview of Software Audits
  • Part II: Audit Rights Analysis
  • Part III: Initial Response Letter Template
  • Part IV: Internal Audit Checklist
  • Part V: Common Audit Triggers and Red Flags
  • Part VI: Negotiation Strategies
  • Part VII: Privilege and Confidentiality Considerations
  • Part VIII: Response Timeline and Deadlines
  • Part IX: Settlement Agreement Framework
  • Part X: Post-Audit Compliance Program
  • Part XI: Practice Tips
  • Sources and References

PART I: OVERVIEW OF SOFTWARE AUDITS

1.1 Purpose of This Playbook

This playbook provides a structured, step-by-step framework for responding to software license audits initiated by software vendors, trade associations, or their representatives. It is designed for legal counsel representing companies that have received audit requests or demand letters, providing practical guidance on managing scope, minimizing risk, and achieving favorable outcomes.

1.2 Types of Software Audits

Audit Type | Initiator | Typical Process | Legal Basis
Vendor-initiated audit | Individual software publisher (e.g., Oracle, SAP, Microsoft, Adobe, IBM) | Formal letter citing contractual audit clause; vendor or third-party auditor conducts review | Contractual audit clause in license agreement
BSA audit | BSA, The Software Alliance (trade association representing major publishers) | Letter threatening litigation; demand for self-audit; negotiated settlement | Copyright infringement claims (17 U.S.C. § 501 et seq.)
SIIA audit | Software & Information Industry Association | Similar to BSA; letters demanding compliance review | Copyright infringement claims
Government audit | Federal or state procurement office | Compliance review for government-purchased software | Procurement regulations; FAR clauses
Internal audit | Company's own IT, legal, or compliance team | Proactive review to identify and remediate compliance gaps | Best practice; risk management

1.3 Who Initiates Audits and Why

Vendor-Initiated Audits:

  • Major publishers (Oracle, SAP, Microsoft, IBM, Adobe, Salesforce) conduct audits as a routine part of their license management and revenue recovery programs
  • Audits are often triggered by license renewal negotiations, reported tips, or automated telemetry data
  • Vendors may use audits strategically to drive upselling, cloud migration, or subscription conversion

BSA | The Software Alliance:

  • Trade association representing major publishers including Adobe, Apple, Autodesk, IBM, Microsoft, Oracle, SAP, Siemens, and Symantec (among others)
  • Operates a confidential reporting hotline encouraging employees and contractors to report unlicensed software use
  • Offers monetary rewards (up to $1 million) for information leading to successful enforcement actions
  • Typically initiates contact through a demand letter requesting a voluntary self-audit

SIIA (Software & Information Industry Association):

  • Trade association focused on software and digital content industries
  • Operates a similar reporting program and enforcement mechanism
  • Tends to focus on smaller publishers and niche software

1.4 Legal Framework for Software Audits

Legal Basis | Description | Potential Liability
Copyright infringement | Unauthorized copying, installation, or use of software beyond license scope | Statutory damages: $750–$30,000 per work (17 U.S.C. § 504(c)(1)); up to $150,000 per work for willful infringement (§ 504(c)(2))
Contractual breach | Violation of terms in the software license agreement (e.g., exceeding user count, unauthorized deployment) | Contractual damages; back-licensing fees; audit costs; termination of license
Criminal liability | Willful copyright infringement for commercial advantage | Up to 5 years imprisonment and $250,000 fine (18 U.S.C. § 2319)
Trade secret misappropriation | Use of software obtained through misappropriation | Injunctive relief; actual damages; exemplary damages

1.5 Initial Triage Assessment

Upon receipt of an audit notice or demand letter, immediately complete the following assessment:

Assessment Item | Details | Notes
Date notice received | [__/__/____] |
Sender identity | [________________________________] | Vendor, BSA, SIIA, or other
Products at issue | [________________________________] | Specific software named in notice
Contract(s) cited | [________________________________] | License agreement, order form, ELA
Audit clause invoked | [________________________________] | Specific contractual provision
Response deadline | [__/__/____] | Per notice or contract
Threat level | ☐ Litigation threatened ☐ Settlement proposed ☐ Informational |
Internal team assembled | ☐ Yes ☐ No | Legal, IT, Procurement, Finance

PART II: AUDIT RIGHTS ANALYSIS

2.1 Review the License Agreement

The first and most critical step is to review the license agreement's audit clause. Not all audit demands are contractually supported, and the scope of the vendor's audit rights depends entirely on the specific terms of the agreement.

2.2 Audit Clause Analysis Checklist

Review each of the following elements in the applicable license agreement:

A. Existence of Audit Rights

  • ☐ Does the license agreement contain an audit clause?
  • ☐ If no audit clause exists, the vendor may have no contractual right to audit (though BSA/SIIA claims are typically based on copyright infringement, not contract)
  • ☐ Is the audit clause in the master agreement, the order form, the EULA, or a separate document?

B. Scope of Audit

  • ☐ Which products/versions are covered by the audit clause?
  • ☐ Which entities are subject to audit (parent company only, or subsidiaries and affiliates)?
  • ☐ Which environments are covered (production, development, test, staging, disaster recovery, sandbox)?
  • ☐ What geographic scope applies?
  • ☐ What time period is covered (current deployment, or historical use)?

C. Notice Requirements

  • ☐ How much advance notice must the vendor provide? [____] days (commonly 30 days)
  • ☐ Must notice be in writing?
  • ☐ Must notice specify the products and scope of the audit?
  • ☐ Was the notice actually compliant with the contractual requirements?

D. Frequency Limitations

  • ☐ How often may the vendor conduct an audit? ☐ Once per year ☐ Once per [____] months ☐ No limit specified
  • ☐ When was the last audit? [__/__/____]
  • ☐ Does the frequency limitation reset after a license renewal or amendment?

E. Auditor Identity and Qualifications

  • ☐ Who may conduct the audit? ☐ Vendor's employees ☐ Independent third-party auditor ☐ Either
  • ☐ Does the agreement require the auditor to be a certified public accountant or other qualified professional?
  • ☐ Does the agreement require the auditor to sign a confidentiality/NDA?
  • ☐ Can the company reject the proposed auditor and request an alternative?

F. Data Access and Methods

  • ☐ What data is the vendor entitled to access? (Deployment reports, server logs, user counts, financial records?)
  • ☐ Is the vendor permitted to install audit tools or scripts on the company's systems?
  • ☐ Is the company permitted to provide self-reported data instead of granting direct access?
  • ☐ Are there restrictions on data collection (e.g., no access to trade secrets, customer data, or personally identifiable information)?

G. Cost Allocation

  • ☐ Who bears the cost of the audit? ☐ Vendor ☐ Company ☐ Depends on findings
  • ☐ Is there a threshold (e.g., if underpayment exceeds [____]%, the company pays audit costs)?
  • ☐ Are the company's internal costs of cooperating with the audit addressed?

H. Remedies

  • ☐ What remedies does the audit clause provide for non-compliance? (Back-licensing at list price, contract termination, liquidated damages?)
  • ☐ Is there a cure period for identified compliance gaps?
  • ☐ Are there caps or limitations on the vendor's remedies?

2.3 Common Audit Clause Red Flags

Red Flag | Risk | Recommended Action
No frequency limitation | Vendor could audit repeatedly | Negotiate for annual cap
Vendor may use its own employees as auditors | Potential for commercial intelligence gathering | Request independent third-party auditor
Broad scope covering "all records" | May expose trade secrets or customer data | Limit scope to deployment data only
Company pays audit costs regardless of findings | Financial burden even if compliant | Negotiate for vendor-pays unless material non-compliance found
"Audit" includes right to install tools/agents | Security and privacy risks | Require prior approval of tools; restrict to controlled environment
No confidentiality obligation for auditor | Audit data could be used for competitive purposes | Require NDA before any data is shared
Remedies include list price for over-deployment | List price may be significantly higher than contracted rates | Negotiate for contract pricing for true-up

PART III: INITIAL RESPONSE LETTER TEMPLATE

3.1 Initial Response Letter (Vendor-Initiated Audit)


[COMPANY LETTERHEAD]

[__/__/____]

VIA: ☐ Email ☐ Certified Mail ☐ Overnight Courier

[________________________________] (Vendor Contact Name)
[________________________________] (Vendor Company Name)
[________________________________] (Street Address)
[________________________________] (City, State, ZIP)
[________________________________] (Email)

Re: Response to Audit Request — [License Agreement Reference] — [Products]

Dear [________________________________]:

We acknowledge receipt of your letter dated [__/__/____] requesting a software license audit pursuant to [________________________________] (specific audit clause). We take our software license compliance obligations seriously and are committed to working cooperatively with you within the framework established by our agreement.

Before we proceed, we respectfully request clarification on the following matters to ensure that the audit process is efficient and conducted within the scope authorized by our agreement:

1. Scope Confirmation. Please confirm the specific products, versions, and environments that are the subject of this audit, as well as the time period and entities covered.

2. Auditor Identity. Please identify the individual(s) or firm that will conduct the audit on your behalf. Per Section [____] of our agreement, we request that the auditor execute a non-disclosure agreement before receiving any of our proprietary information.

3. Data Requirements. Please provide a detailed list of the specific data, records, and documentation you are requesting. We will evaluate these requests against the scope of the audit clause in our agreement and prepare responsive materials.

4. Methodology. Please describe the audit methodology to be used, including any tools or scripts that you propose to install or run on our systems. We reserve the right to evaluate any such tools for security and compatibility before deployment.

5. Timeline. We propose a [____]-day period to prepare our internal response and gather the requested information. Please confirm that this timeline is acceptable.

6. Costs. Per Section [____] of our agreement, [the audit shall be conducted at your expense / we request confirmation of the cost allocation for this audit].

We are assembling an internal team to manage this process. All communications regarding this audit should be directed to:

[________________________________] (Contact Name)
[________________________________] (Title)
[________________________________] (Email)
[________________________________] (Telephone)

We look forward to resolving this matter promptly and cooperatively.

Sincerely,

______________________________
[________________________________] (Name)
[________________________________] (Title)
[________________________________] (Company)


3.2 Initial Response Letter (BSA/SIIA Demand Letter)


[COMPANY LETTERHEAD / LAW FIRM LETTERHEAD]

[__/__/____]

VIA: ☐ Email ☐ Certified Mail

[________________________________] (BSA/SIIA Contact)
[________________________________] (Address)

Re: Response to Software Compliance Inquiry — Reference No. [________________________________]

Dear [________________________________]:

We represent [________________________________] ("Company") and are responding to your letter dated [__/__/____] regarding software compliance.

The Company takes its software licensing obligations seriously and maintains an active software asset management program. We are reviewing the matters raised in your letter and request the following information to facilitate our evaluation:

  1. Please identify the specific software publisher(s) on whose behalf you are acting.
  2. Please identify the specific software product(s) and version(s) that are the subject of this inquiry.
  3. Please provide a copy of any information or report that forms the basis for this inquiry (to the extent permitted by your confidential informant protections).
  4. Please confirm the legal basis for your audit request (i.e., whether this is a contractual audit demand or a pre-litigation inquiry).

The Company is conducting an internal review of its software deployments and license entitlements for the products identified in your letter. We anticipate completing this review within [____] days and will provide a substantive response at that time.

We request that you direct all further communications regarding this matter to the undersigned counsel. Please do not contact Company personnel directly.

In the meantime, we reserve all rights and defenses available to the Company under applicable law and agreements.

Sincerely,

______________________________
[________________________________] (Attorney Name)
[________________________________] (Law Firm)
[________________________________] (Bar Number)
[________________________________] (Email / Telephone)


PART IV: INTERNAL AUDIT CHECKLIST

4.1 Software Inventory

Conduct a thorough internal inventory of all software deployed within the organization:

A. Entitlement Review

  • ☐ Gather all software license agreements, order forms, enterprise license agreements (ELAs), volume license agreements, and subscription agreements
  • ☐ Compile all proof-of-purchase records (invoices, purchase orders, credit card receipts)
  • ☐ Identify all license metrics (per-user, per-device, per-core, per-processor, concurrent, named user, CAL, etc.)
  • ☐ Determine total entitlements by product, version, and metric
  • ☐ Identify any bundled or included licenses (e.g., operating system licenses included with hardware)
  • ☐ Review any prior true-up or compliance agreements

B. Deployment Discovery

  • ☐ Run software discovery tools across all environments (production, development, test, staging, disaster recovery)
  • ☐ Scan all servers (physical and virtual), desktops, laptops, and mobile devices
  • ☐ Identify all cloud instances and SaaS subscriptions
  • ☐ Capture product names, versions, installation dates, and installation paths
  • ☐ Document virtual environments (VMware, Hyper-V, cloud IaaS) and determine how virtualization affects licensing
  • ☐ Identify disaster recovery and high-availability instances
  • ☐ Check for trial, evaluation, and beta software that may have expired

C. Reconciliation

Product | Entitlements (Licensed) | Deployed (Installed) | Variance (+/-) | Notes
[________________] | [____] | [____] | [____] | [________________________________]
[________________] | [____] | [____] | [____] | [________________________________]
[________________] | [____] | [____] | [____] | [________________________________]
[________________] | [____] | [____] | [____] | [________________________________]
[________________] | [____] | [____] | [____] | [________________________________]
[________________] | [____] | [____] | [____] | [________________________________]

4.2 License Metric Verification

Different software publishers use different license metrics. Verify the correct metric for each product:

Metric | Description | Verification Method
Per-user / Named user | Licensed to specific individuals | Compare user list to entitlement count
Concurrent user | Licensed by maximum simultaneous users | Check peak concurrent usage logs
Per-device | Licensed to specific devices | Compare device inventory to entitlements
Per-processor / Per-core | Licensed by number of processors or cores | Count physical cores; check virtualization rules
Per-server | Licensed to specific servers | Compare server inventory to entitlements
Client Access License (CAL) | Permits a user or device to access server software | Verify CAL count against accessing users/devices
Subscription | Time-limited access; must be current | Verify subscription status and expiration dates
Enterprise / Site license | Covers all users or devices at an entity | Confirm entity scope matches deployment
OEM | Bundled with hardware; non-transferable | Verify hardware is still in use

4.3 Common Compliance Gaps

Gap | Description | Risk Level
Over-deployment | More installations than licenses | High
Version mismatch | Using a newer version without upgrade rights | Medium
Metric mismatch | Using per-user license on a per-device basis (or vice versa) | Medium
Virtualization issues | Failing to license virtual cores/instances correctly | High
Expired subscriptions | Continuing to use software after subscription lapse | High
Unauthorized environments | Using production licenses in non-production environments (or vice versa) | Medium
Indirect access | Third parties accessing licensed software through an intermediary system | High (especially Oracle, SAP)
Unapproved hardware migration | Moving OEM-licensed software to different hardware | Low-Medium
Employee departures | Failing to reclaim licenses from departed employees | Low
Mergers/acquisitions | Deploying software on acquired entity's systems without license transfer | High
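The reconciliation in 4.1(C), the metric rules in 4.2 and the gap categories in 4.3 can be carried out mechanically once entitlements and discovery output are in a structured form. The following is an added example written for this playbook, not tooling from any vendor or SAM product: the field names, the sample products, hosts, users and dates are all constructed for illustration, and the metric rules (named users deduplicated across hosts, every core of every instance counted, a subscription treated as lapsed after its end date) are the default assumptions a practitioner would confirm against the actual license agreement.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Metric names follow section 4.2; the field names are assumptions for this example, not any SAM product's schema.
@dataclass
class Entitlement:
    product: str
    metric: str                        # "named_user", "concurrent", "per_core" or "per_device"
    quantity: int
    expires: Optional[date] = None     # subscription end date; None means perpetual
    max_version: Optional[int] = None  # highest major version covered; None means any

@dataclass
class Deployment:
    product: str
    host: str
    major_version: int
    environment: str                   # "production", "dev", "test", "dr"
    users: frozenset = frozenset()     # named users seen on this host
    cores: int = 0                     # physical cores presented to this instance
    peak_concurrent: int = 0           # peak simultaneous sessions from usage logs

RISK = {"Over-deployment": "High", "Expired subscription": "High",
        "Version mismatch": "Medium"}  # risk levels from the section 4.3 table

@dataclass
class Finding:
    product: str
    gap: str
    entitled: int
    deployed: int

    @property
    def variance(self) -> int:         # negative means short of licenses, as in table 4.1(C)
        return self.entitled - self.deployed

    @property
    def risk(self) -> str:
        return RISK[self.gap]

def consumed(metric: str, deps: List[Deployment]) -> int:
    """Units of one metric consumed by all deployments of a product."""
    if metric == "named_user":         # a person on two hosts is still one named user
        return len(frozenset().union(*(d.users for d in deps)))
    if metric == "concurrent":
        return max((d.peak_concurrent for d in deps), default=0)
    if metric == "per_core":           # DR and test instances count unless the contract carves them out
        return sum(d.cores for d in deps)
    if metric == "per_device":
        return len({d.host for d in deps})
    raise ValueError(f"unknown metric: {metric}")

def reconcile(entitlements: List[Entitlement], deployments: List[Deployment],
              as_of: date) -> List[Finding]:
    by_product: Dict[str, List[Deployment]] = {}
    for d in deployments:
        by_product.setdefault(d.product, []).append(d)
    grouped: Dict[Tuple[str, str], List[Entitlement]] = {}
    for e in entitlements:
        grouped.setdefault((e.product, e.metric), []).append(e)
    findings: List[Finding] = []
    covered = set()
    for (product, metric), group in grouped.items():
        deps = by_product.get(product, [])
        if not deps:
            continue                   # shelfware is a cost issue, not a compliance gap
        covered.add(product)
        used = consumed(metric, deps)
        active = [e for e in group if e.expires is None or e.expires >= as_of]
        if not active:
            findings.append(Finding(product, "Expired subscription", 0, used))
            continue
        entitled = sum(e.quantity for e in active)
        if used > entitled:
            findings.append(Finding(product, "Over-deployment", entitled, used))
        newest = max(d.major_version for d in deps)
        caps = [e.max_version for e in active if e.max_version is not None]
        if caps and newest > max(caps):
            findings.append(Finding(product, "Version mismatch", max(caps), newest))
    for product, deps in by_product.items():
        if product not in covered:     # installed with no entitlement on file at all
            findings.append(Finding(product, "Over-deployment", 0, len(deps)))
    return findings

# Constructed sample data: products, hosts, users and dates are invented for this example.
AS_OF = date(2024, 6, 30)
ENTITLEMENTS = [
    Entitlement("DBServer", "per_core", 16),
    Entitlement("DesignSuite", "named_user", 40, expires=date(2024, 3, 31)),
    Entitlement("OfficeSuite", "named_user", 50, max_version=2019),
]
DEPLOYMENTS = [
    Deployment("DBServer", "db-prod-01", 12, "production", cores=16),
    Deployment("DBServer", "db-dr-01", 12, "dr", cores=8),
    Deployment("DesignSuite", "ws-07", 2024, "production", users=frozenset({"alice", "bob"})),
    Deployment("OfficeSuite", "ws-01", 2019, "production", users=frozenset({"alice", "carol"})),
    Deployment("OfficeSuite", "ws-02", 2021, "production", users=frozenset({"dave"})),
]
```

Calling `reconcile(ENTITLEMENTS, DEPLOYMENTS, AS_OF)` on the sample data returns three findings: the DR instance pushes DBServer to 24 cores against 16 licensed, the DesignSuite subscription has lapsed, and one OfficeSuite workstation runs a version beyond the entitlement's upgrade rights.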

4.4 Internal Audit Response Team

Role | Responsibility | Team Member
Legal Counsel (Lead) | Overall strategy, communications, privilege management, negotiation | [________________________________]
IT / SAM Manager | Software discovery, deployment data, technical analysis | [________________________________]
Procurement | License agreements, purchase records, entitlements | [________________________________]
Finance | Budget for remediation/settlement, cost-benefit analysis | [________________________________]
Information Security | Review vendor audit tools, data protection, access controls | [________________________________]
Business Unit Owner | Operational impact assessment, business justification | [________________________________]
Executive Sponsor | Escalation, decision authority, budget approval | [________________________________]

PART V: COMMON AUDIT TRIGGERS AND RED FLAGS

5.1 What Triggers a Software Audit

Trigger | Description | Frequency
Employee tips | Disgruntled or former employees report unlicensed use to BSA/SIIA hotlines | Very common
License renewal cycle | Vendor initiates audit in connection with renewal negotiations | Common
Acquisition/merger | Vendor audits acquired entity's compliance | Common
Usage telemetry | Software "phones home" and reports deployment data to vendor | Increasing
Business intelligence | Vendor identifies usage patterns inconsistent with license entitlements | Common
Random selection | Vendor selects accounts for routine compliance review | Less common
Industry campaign | BSA/SIIA conducts targeted enforcement in a specific industry | Periodic
Government compliance | Federal procurement office reviews compliance with volume agreements | Government customers

5.2 Red Flags That Attract Audit Attention

  • ☐ Rapid growth (headcount, offices, servers) without corresponding license purchases
  • ☐ Failure to renew support/maintenance contracts (suggests possible continued use without license)
  • ☐ Significant virtualization deployment (raises licensing complexity)
  • ☐ Cloud migration (hybrid environments create compliance gaps)
  • ☐ Mergers and acquisitions (acquired entities may have compliance issues)
  • ☐ Reduction in workforce (departed employees' licenses not reallocated)
  • ☐ Multi-vendor environment with complex licensing terms
  • ☐ Prior audit findings that were not fully remediated
  • ☐ Using trial or evaluation software beyond the trial period
  • ☐ Decentralized IT procurement with no centralized software asset management

5.3 Vendor-Specific Audit Tendencies

Vendor | Common Audit Focus | Key Risks
Oracle | Processor licensing, virtualization, indirect access, cloud usage, Java SE licensing changes | Extremely aggressive audit practices; complex licensing metrics; "soft audit" through LMS reports
SAP | Named user types (Professional, Limited, etc.), indirect/digital access, engine licensing | Indirect access claims (accessing SAP data through non-SAP interfaces); "enhanced" audit scope
Microsoft | Server CALs, SQL Server core licensing, Office/M365 licensing, Windows Server Datacenter vs. Standard | Virtualization licensing complexity; hybrid benefit entitlements; Azure consumption
Adobe | Named user vs. shared device licensing, Creative Cloud deployment, legacy perpetual licenses | Transition from perpetual to subscription model; employee departures
IBM | PVU (Processor Value Unit) licensing, sub-capacity reporting, virtualization | Complex PVU calculations; ILMT tool deployment requirement for sub-capacity licensing
Autodesk | Named user licensing, legacy perpetual licenses, subscription compliance | Transition to subscription-only model; historical perpetual license entitlements
Salesforce | User licensing tiers, API access, data storage, integration users | User type classification (Full vs. Platform vs. Integration); overage charges

PART VI: NEGOTIATION STRATEGIES

6.1 Overarching Principles

  1. Cooperate but control the narrative. Demonstrate good faith cooperation while managing scope, timing, and data disclosure.

  2. Know your rights. The audit clause is a contract — enforce it. Push back on demands that exceed the contractual scope.

  3. Never volunteer more than required. Provide accurate data as requested, but do not disclose information beyond the audit scope.

  4. Understand the vendor's incentives. Vendors use audits to generate revenue (through back-licensing, settlements, and upselling). Understanding this motivation helps frame negotiations.

  5. Aim for a global resolution. The best outcome is a settlement that resolves all past non-compliance and positions the company for future compliance at favorable commercial terms.

6.2 Scope Limitation Strategies

  • ☐ Challenge requests that exceed the contractual audit clause scope
  • ☐ Limit the audit to specific products named in the notice, not all vendor products deployed
  • ☐ Restrict the audit to the entities (legal entities, subsidiaries) covered by the license agreement
  • ☐ Exclude non-production environments if the license agreement does not cover them
  • ☐ Reject requests for "all records" — provide only deployment data relevant to the audited products
  • ☐ Resist installation of vendor audit tools on production systems; propose controlled data extracts instead
  • ☐ Insist on an NDA before sharing any data

6.3 Pricing and True-Up Strategies

  • ☐ Negotiate true-up pricing at contracted rates (not list price)
  • ☐ Request volume discounts for large true-ups
  • ☐ Bundle the true-up with a renewal or new purchase to improve overall commercial terms
  • ☐ Negotiate installment payments for large settlement amounts
  • ☐ Propose a technology upgrade or cloud migration as part of the settlement (often in vendor's interest)
  • ☐ Challenge the vendor's deployment calculations — request detailed methodology and validate assumptions
  • ☐ Dispute metric interpretations that are unreasonable (e.g., counting inactive users, dormant accounts, DR instances)
  • ☐ Request a mutual release for past non-compliance upon payment of the settlement amount

6.4 Settlement Negotiation Tactics

Tactic | Description | When to Use
Self-audit first | Conduct internal audit before sharing any data with the vendor | Always — understanding your own position before engaging with the vendor
Challenge the findings | Audit findings are not gospel; vendors routinely overcount | When vendor's calculations appear inflated
Offer alternative data | Provide self-reported data from your own SAM tools instead of vendor-controlled tools | When vendor requests invasive access
Leverage renewal | Combine the settlement with a license renewal for better commercial terms | When renewal is upcoming (within 12 months)
Propose cloud migration | Offer to migrate to vendor's cloud solution as part of the settlement | When vendor is pushing cloud adoption
Request a payment plan | Spread settlement payments over 12-24 months | When the settlement amount is large
Negotiate release language | Insist on broad mutual release language covering all past use | Always — prevent future claims for the same period
Walk-away scenario | Be prepared to decline unreasonable terms and defend in litigation | When vendor demands are excessive and litigation risk is manageable

6.5 BSA/SIIA-Specific Negotiation Considerations

  • ☐ BSA/SIIA settlements typically include: (a) purchase of replacement licenses, (b) payment of a "settlement fee" (often characterized as damages), and (c) destruction of unlicensed copies
  • ☐ BSA/SIIA settlement demands are often inflated — negotiate aggressively
  • ☐ Confirm which publishers the BSA/SIIA represents in this specific matter — they may not represent all publishers whose software is at issue
  • ☐ Consider whether the BSA/SIIA's informant is reliable (disgruntled employees may exaggerate)
  • ☐ If the company is compliant, provide evidence and demand dismissal — do not accept a nuisance settlement

PART VII: PRIVILEGE AND CONFIDENTIALITY CONSIDERATIONS

7.1 Attorney-Client Privilege

  • Engage legal counsel early. Involve legal counsel from the outset to ensure that the internal audit and response strategy are protected by attorney-client privilege.
  • Direct the internal audit through counsel. The internal software audit should be conducted at the direction of legal counsel, and the results should be reported to counsel, to maximize privilege protection.
  • Label privileged documents. All audit-related memoranda, analyses, and communications should be labeled "ATTORNEY-CLIENT PRIVILEGED AND CONFIDENTIAL — PREPARED AT THE DIRECTION OF COUNSEL."
  • Separate privileged and non-privileged information. Keep the legal analysis separate from the factual deployment data that will be shared with the vendor.

7.2 Work Product Doctrine

  • ☐ Internal audit analysis prepared in anticipation of litigation is protected by the work product doctrine.
  • ☐ If the BSA/SIIA has threatened litigation, documents prepared in response are more likely to be protected.
  • ☐ Factual data (deployment counts, license records) is generally not privileged, but the legal analysis of that data may be.

7.3 Confidentiality Protections

  • Require NDA before sharing data. Before providing any deployment data, license records, or business information to the vendor or auditor, execute a non-disclosure agreement.
  • Mark all documents as confidential. All data provided to the vendor should be marked "CONFIDENTIAL — SUBJECT TO NDA."
  • Limit data access. Provide summarized data rather than raw system access whenever possible.
  • Restrict auditor's use of data. The NDA should prohibit the auditor from using audit data for any purpose other than the audit, and should prohibit sharing with the vendor's sales team.
  • Require destruction of data. The NDA should require the auditor to return or destroy all company data upon completion of the audit.

7.4 Data Security Considerations

  • ☐ Evaluate any vendor-provided audit tools for security risks before deployment
  • ☐ Do not allow vendor audit tools to run on production systems without security review
  • ☐ Remove all PII, PHI, customer data, and trade secrets from data provided to the vendor
  • ☐ Monitor outbound data transfers during the audit process
  • ☐ Ensure audit tools do not create persistent backdoors or exfiltrate data beyond the audit scope

PART VIII: RESPONSE TIMELINE AND DEADLINES

8.1 Recommended Response Timeline

Day | Action | Responsible | Status
Day 0 | Audit notice received; logged and forwarded to legal | IT / Admin | ☐ Complete
Day 1-3 | Initial triage: identify sender, products, contract, deadline | Legal Counsel | ☐ Complete
Day 3-5 | Assemble internal audit response team | Legal Counsel | ☐ Complete
Day 5-7 | Review license agreements and audit clause | Legal Counsel | ☐ Complete
Day 7-10 | Send initial response letter (acknowledging receipt, requesting clarifications) | Legal Counsel | ☐ Complete
Day 10-30 | Conduct internal software inventory and license reconciliation | IT / SAM Manager | ☐ Complete
Day 30-45 | Complete internal analysis; identify compliance gaps and exposure | Legal + IT | ☐ Complete
Day 45-60 | Prepare and submit audit response to vendor | Legal Counsel | ☐ Complete
Day 60-90 | Negotiate scope, methodology, and findings with vendor | Legal Counsel | ☐ Complete
Day 90-120 | Negotiate settlement or true-up terms | Legal + Finance | ☐ Complete
Day 120-150 | Execute settlement agreement; implement remediation | Legal + IT + Procurement | ☐ Complete
Day 150+ | Post-audit compliance program implementation | IT / SAM Manager | ☐ Complete

8.2 Critical Deadlines

Deadline | Source | Action Required
Contractual response deadline | License agreement audit clause | [____] days from notice
BSA/SIIA response deadline | Demand letter | Typically 30-60 days (negotiable)
Extension requests | As needed | Request in writing before deadline
Vendor's audit completion deadline | License agreement or negotiated scope | [____] days from engagement
Cure period for non-compliance | License agreement | [____] days from finding
Settlement payment deadline | Settlement agreement | [____] days from execution

8.3 Extension Requests

If additional time is needed, send a written extension request:

"We are diligently working to gather the information necessary to respond to your audit request. Due to the scope of the review and the number of products and environments involved, we respectfully request an extension of [____] days, to [__/__/____], to complete our response. We remain committed to cooperating fully within the framework of our agreement."


PART IX: SETTLEMENT AGREEMENT FRAMEWORK

9.1 Key Settlement Terms

A software audit settlement agreement should address the following elements:

  • Scope of settlement — Specifically identify the products, versions, time period, and entities covered
  • True-up licenses — Number and type of additional licenses to be purchased
  • Pricing — Negotiated price for true-up licenses (ideally at contracted rates, not list price)
  • Settlement payment — Separate payment for past non-compliance (damages, penalties, audit costs)
  • Payment terms — Lump sum or installments; payment schedule
  • Mutual release — Broad release of all claims relating to past software use through the settlement date
  • Destruction of unlicensed copies — Commitment to remove unauthorized installations
  • Forward-looking compliance — Commitment to maintain compliance going forward
  • Confidentiality — Both parties agree to keep settlement terms confidential
  • No admission of liability — Settlement is not an admission of infringement or wrongdoing
  • Audit data destruction — Vendor/auditor returns or destroys all company data
  • No future audit for [____] months — Moratorium on audits for a defined period

9.2 Settlement Amount Considerations

Factor | Impact on Settlement
Number of over-deployed licenses | Primary driver of settlement amount
Duration of over-deployment | Longer periods may increase exposure
Metric at issue (users, cores, etc.) | High-cost metrics (e.g., per-core) generate larger settlements
List price vs. contracted price | Insist on contracted pricing for true-up
Willfulness | Evidence of knowing over-deployment increases exposure
Cooperation | Good-faith cooperation typically reduces settlement demands
Litigation risk tolerance | Greater willingness to litigate provides negotiating leverage
Renewal opportunity | Combining settlement with renewal improves overall deal

9.3 Settlement Agreement Template Clause

SETTLEMENT AND RELEASE. In consideration of [Company]'s payment of $[________________] and its purchase of [____] additional licenses for [Product(s)] at the pricing set forth in Exhibit [____], [Vendor/BSA/SIIA] hereby releases and forever discharges [Company] from any and all claims, demands, actions, and causes of action arising from or relating to [Company]'s deployment and use of [Product(s)] through [__/__/____] (the "Settlement Date"). This release covers all past, present, and future claims, whether known or unknown, that arise from facts or circumstances existing on or before the Settlement Date.


PART X: POST-AUDIT COMPLIANCE PROGRAM

10.1 Software Asset Management (SAM) Program

Following the audit, implement or strengthen the company's SAM program:

A. Governance

  • ☐ Designate a SAM Manager or team with responsibility for license compliance
  • ☐ Establish a SAM policy and communicate it to all employees
  • ☐ Create a software procurement policy requiring all software purchases through approved channels
  • ☐ Establish a software request and approval workflow

B. Inventory and Discovery

  • ☐ Deploy automated software discovery tools across all environments
  • ☐ Maintain a centralized software inventory database
  • ☐ Conduct periodic reconciliation (☐ quarterly ☐ semi-annually ☐ annually)
  • ☐ Track software installations, removals, and transfers

C. Entitlement Management

  • ☐ Maintain a centralized license entitlement repository
  • ☐ Store all license agreements, order forms, and proof-of-purchase records
  • ☐ Track license metrics, counts, and usage rights for each product
  • ☐ Calendar maintenance renewal dates, subscription expirations, and true-up deadlines

D. Compliance Monitoring

  • ☐ Conduct internal compliance audits at least annually
  • ☐ Reconcile deployments against entitlements after significant changes (acquisitions, restructuring, cloud migration, layoffs)
  • ☐ Implement access controls to prevent unauthorized software installation
  • ☐ Monitor for expired subscriptions and trial software

E. Vendor Relationship Management

  • ☐ Review and understand audit clauses in all license agreements
  • ☐ Negotiate favorable audit terms during contract renewals
  • ☐ Maintain organized records to facilitate any future audit
  • ☐ Build constructive relationships with vendor account teams
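As an added illustration of the reconciliation step in sections B and D above (example code written for this page, not part of the playbook), the following Python script compares constructed inventory records against constructed entitlement records under each product's licensing metric, excludes lapsed subscriptions, and reports the true-up shortfall per product. Product names, hosts, counts and dates are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str              # licensing metric the vendor counts: "core" or "user"
    quantity: int
    expires: Optional[date]  # None = perpetual license
@dataclass(frozen=True)
class Deployment:
    product: str
    host: str
    cores: int
    users: int

# Constructed sample data standing in for the SAM inventory and entitlement repository.
AS_OF = date(2026, 3, 1)
ENTITLEMENTS = [
    Entitlement("DB-Server", "core", 16, None),
    Entitlement("DB-Server", "core", 8, date(2025, 12, 31)),       # lapsed subscription
    Entitlement("Office-Suite", "user", 100, date(2026, 12, 31)),
]
DEPLOYMENTS = [
    Deployment("DB-Server", "db01", 8, 0),
    Deployment("DB-Server", "db02", 16, 0),
    Deployment("Office-Suite", "vdi-pool-a", 0, 80),
    Deployment("Office-Suite", "vdi-pool-b", 0, 45),
    Deployment("Analytics-Tool", "an01", 4, 2),                    # no entitlement on file
]

def _row(metric):
    return {"metric": metric, "entitled": 0, "deployed": 0, "shortfall": 0, "expired": 0}

def reconcile(entitlements, deployments, as_of):
    """Compare deployed usage with unexpired entitlements per product; products with no entitlement count per install."""
    report = {}
    for e in entitlements:
        row = report.setdefault(e.product, _row(e.metric))
        if e.expires is not None and e.expires < as_of:
            row["expired"] += 1      # lapsed rights do not count toward entitlement
        else:
            row["entitled"] += e.quantity
    for d in deployments:
        row = report.setdefault(d.product, _row("install"))
        row["deployed"] += {"core": d.cores, "user": d.users}.get(row["metric"], 1)
    for row in report.values():
        row["shortfall"] = max(0, row["deployed"] - row["entitled"])
    return report
```

Shortfall figures are the raw true-up counts a vendor would price; the report also surfaces lapsed entitlements and unlicensed installs so they can be remediated before an audit finds them.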

10.2 Employee Training

  • ☐ Train all employees on the software procurement and usage policy
  • ☐ Conduct annual refresher training
  • ☐ Include software compliance in new-employee onboarding
  • ☐ Establish a reporting mechanism for compliance concerns
  • ☐ Address the consequences of unauthorized software installation

10.3 Ongoing Compliance Calendar

Activity | Frequency | Responsible | Next Due
Software discovery scan | ☐ Monthly ☐ Quarterly | IT / SAM Manager | [__/__/____]
Entitlement reconciliation | ☐ Quarterly ☐ Semi-annually | SAM Manager | [__/__/____]
Internal compliance audit | ☐ Annually | Legal + IT | [__/__/____]
License renewal review | ☐ 90 days before each renewal | Procurement | [__/__/____]
Employee training | ☐ Annually | HR / Compliance | [__/__/____]
Audit clause review (new agreements) | ☐ Before execution | Legal | Ongoing

PART XI: PRACTICE TIPS

11.1 Upon Receiving an Audit Notice

  1. Do not panic, but do not ignore it. Respond promptly and professionally. Failure to respond may escalate the matter to litigation.

  2. Do not provide data without legal review. All communications with the vendor or BSA/SIIA should go through legal counsel.

  3. Preserve all records. Implement a litigation hold on all software-related records, license agreements, purchase orders, and communications.

  4. Assess whether you are contractually obligated to comply. Review the audit clause carefully — some audit demands lack a contractual basis.

  5. Determine if it is a "soft audit." Some vendors (especially Oracle) initiate "soft audits" disguised as helpful compliance reviews. Treat any information request as a formal audit.

11.2 During the Audit

  1. Control the single point of contact. Designate one person (preferably legal counsel) as the sole point of contact with the vendor. Instruct all employees not to communicate directly with vendor auditors.

  2. Do not install vendor audit tools without security review. Vendor tools may collect data beyond the audit scope and transmit it to the vendor. Evaluate security implications before any installation.

  3. Challenge unreasonable requests. If the vendor demands access to systems, records, or information beyond the audit clause scope, push back in writing.

  4. Validate the vendor's findings. Do not accept the vendor's audit report at face value. Verify deployment counts, metric calculations, and pricing independently.

  5. Document everything. Keep detailed records of all communications, data provided, meetings held, and decisions made.

11.3 During Negotiations

  1. Know your BATNA (Best Alternative to a Negotiated Agreement). Understand the litigation risk and cost before entering negotiations. A strong BATNA improves your negotiating position.

  2. Negotiate pricing aggressively. Vendors typically demand list price for over-deployed licenses. Insist on contracted pricing, volume discounts, and payment plans.

  3. Bundle the settlement with a renewal or new deal. Vendors are often willing to reduce settlement demands if the company commits to a significant new purchase or cloud migration.

  4. Demand a broad mutual release. The settlement should release all claims for past use — not just the specific products audited — through the settlement date.

  5. Include a moratorium on future audits. Negotiate a period of at least 12-24 months during which the vendor will not conduct another audit.

11.4 After the Audit

  1. Implement remediation immediately. Remove unlicensed software, purchase required licenses, and correct any compliance gaps identified during the audit.

  2. Strengthen your SAM program. The best defense against future audits is a robust, ongoing software asset management program.

  3. Calendar future compliance reviews. Set internal reminders for quarterly or semi-annual compliance reconciliation.

  4. Review audit clauses in all new agreements. Before signing any new license agreement, review and negotiate the audit clause.

  5. Consider cyber insurance. Some cyber insurance policies cover software audit-related costs and settlements.


SOURCES AND REFERENCES

Statutes

  • 17 U.S.C. § 101 et seq. — Copyright Act
  • 17 U.S.C. § 106 — Exclusive Rights in Copyrighted Works
  • 17 U.S.C. § 501 — Infringement of Copyright
  • 17 U.S.C. § 504 — Remedies for Infringement: Damages and Profits
  • 17 U.S.C. § 504(c) — Statutory Damages ($750-$150,000 per work)
  • 17 U.S.C. § 506 — Criminal Offenses
  • 18 U.S.C. § 2319 — Criminal Infringement of a Copyright

Key Cases

  • Oracle USA, Inc. v. Rimini Street, Inc., 879 F.3d 948 (9th Cir. 2018) (software copyright infringement damages)
  • SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161 (Fed. Cir. 2018) (software copyright scope)
  • Oracle Int'l Corp. v. Envisage Solutions Ltd., No. 5:17-cv-07075 (N.D. Cal. 2019) (unauthorized use of Oracle software)
  • BSA v. Compupharma LLC, No. 14-cv-4065 (C.D. Cal. 2015) (BSA enforcement action)
  • Adobe Sys. Inc. v. Christenson, 809 F.3d 1071 (9th Cir. 2015) (software licensing terms enforcement)

Industry Resources

  • BSA | The Software Alliance: https://www.bsa.org/
  • SIIA Anti-Piracy: https://www.siia.net/anti-piracy
  • ITAM Review — Software Asset Management Best Practices: https://www.itassetmanagement.net/
  • Gartner — Software Asset Management: https://www.gartner.com/en/information-technology/glossary/sam-software-asset-management
  • ISO/IEC 19770-1:2017 — IT Asset Management Systems

Vendor-Specific Licensing Resources

  • Oracle Licensing Documentation: https://www.oracle.com/assets/technology-price-list-070617.pdf
  • Microsoft Volume Licensing: https://www.microsoft.com/en-us/licensing/
  • SAP Licensing Guide: https://www.sap.com/about/agreements.html
  • Adobe Licensing: https://www.adobe.com/howtobuy/buying-programs.html
  • IBM License Information: https://www.ibm.com/software/passportadvantage/

Practice Guides

  • Scott & Scott LLP — "11 Secrets to Defending BSA Audits": https://scottandscottllp.com/
  • IAITAM — IT Asset Management Body of Knowledge

DISCLAIMER: This template is provided for informational purposes only and does not constitute legal advice. The use of this template does not create an attorney-client relationship. Laws and procedures change frequently, and the applicability of this template to specific facts may vary. You must have this template reviewed and customized by a qualified attorney licensed in your jurisdiction before use. ezel.ai is not a law firm and does not provide legal services.


Template prepared for ezel.ai — Legal Template Repository for Solo Practitioners
Last Updated: 2026-02-26
