SOFTWARE LICENSE AUDIT RESPONSE PLAYBOOK

PURPOSE

  • Provide a structured response process when a vendor initiates or threatens a license audit to manage scope, risk, and outcomes.

TRIGGERS

  • Audit notice received; informal “true-up” request; compliance questionnaire; requests for deployment data beyond contract requirements.

INTAKE AND TRIAGE

  • Log date/time of notice and contract cited.
  • Identify products, versions, environments, geos involved.
  • Confirm vendor’s audit rights: notice period, scope, frequency, auditors, data access limits, remedies.
  • Assemble response team: Legal, IT, SAM, Security, Procurement, Finance, Business Owner.

SCOPE CONTROL

  • Insist on scope consistent with contract: products/versions, environments, timeframe, and permitted tools.
  • Reject invasive tools not required by contract; propose controlled data extracts instead.
  • Require NDA covering audit data and outputs; mark materials confidential.

EVIDENCE GATHERING

  • Inventory entitlements (licenses/subscriptions), purchase records, and prior true-ups.
  • Current deployment counts by product/version/instance; virtualization/DR instances flagged; indirect use tracked.
  • Usage data aligned to metric (users/CALs/cores/transactions); reconcile with entitlements.
  • Identify non-prod/dev/test/sandbox and disaster recovery instances; apply carve-outs if allowed.

ANALYSIS

  • Identify over-deployment and under-deployment; check metric definitions.
  • Validate vendor’s calculation methodology; challenge assumptions (e.g., named vs. concurrent users, peak vs. average).
  • Consider contractual cure periods and pricing (avoid list price if contract sets discount/benchmarks).

RESPONSE STRATEGY

  • Provide summarized results, not raw environment access, unless contractually required.
  • Negotiate scope, methodology, and remediation before sharing detailed outputs.
  • For overuse: propose true-up using contract pricing/discounts; seek release for past use upon payment.
  • For disputes: document disagreements; consider independent auditor if contract allows.

SECURITY AND PRIVACY

  • Sanitize data: remove PII/PHI/customer data unless necessary; apply the principle of least data.
  • Ensure audit tools meet security requirements; run in contained environments; monitor for outbound data.

TIMELINES AND COMMUNICATIONS

  • Track deadlines; request extensions if needed.
  • Keep communications in writing; single point of contact; meeting notes and decisions logged.

REMEDIATION AND PREVENTION

  • Implement access controls to prevent recurrence; adjust deployment tooling; update SAM records.
  • Consider license optimization (downgrades, consolidations); review rights (BYOL, cloud carve-outs).
  • Schedule periodic internal true-ups to avoid future findings.

CLOSURE

  • Obtain written settlement/true-up agreement resolving past use; mutual release where possible.
  • Confirm destruction/return of audit data by vendor/auditor.
  • Update internal records and lessons learned.