The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Vendor Audit Maturity Model

The table below summarises the different results achieved by an organisation faced with a vendor audit depending on their maturity. Success with vendor audits is not only about having sound ITAM processes and procedures in place but also the correct attitude towards the situation, swift action, and strong negotiation.

I welcome your feedback or comments on this model or your experiences with vendor audits, either in the comments section below or by emailing me directly at alerts (at)

| Stage | Characteristics | Vendor Behaviour | Likely Outcome |
|---|---|---|---|
| Denial | Customer does not recognise the issue until it is too late or worse still ignores the issue hoping it will resolve itself. | Heavy-handed compliance tactics, back penalties, possible press exposure. | Crippling penalties. For example |
| Surprise Audit | No inventory of assets or purchase history compiled. | Vendor likely to take advantage of lack of information for revenue generation. | Taken to the cleaners. Repeat in 18 months' time. |
| Expected Audit | Anticipating an audit for some time. Have limited or incomplete audit and purchase history. | Vendor uses shortfalls / missing information to negotiate upgrades or multi-year tie-in deals. | Vendor-led negotiation. |
| Prepared | End user tells vendor what they have, what they need and what they want. For example | Vendors typically walk away and find more lucrative audit opportunities. | Customer-led negotiation. |

About Martin Thompson

Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.

Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.

He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.

Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).

When not working, Martin likes to ski, hike, motorbike and spend time with his young family.



  1. The stages you mention are recognizable, but I do have my doubts with how you describe the characteristics and the vendor behavior. Especially the vendor behavior. I agree that end-users have the possibility to control the behavior of the vendor. However this overview creates the impression that vendors have some sort of guerilla tactics to stimulate unknown use. As if vendors benefit from under-licensing in order to give them control of the negotiation.

    compliance can lead to revenue opportunities and individual sales reps and even sales managers at vendors would see the benefits, I do not know of any vendor that sees it as beneficial to their business to have under-licensing or illegal usage of their products.

    might be a ‘chicken and egg’ problem, but the reason vendors started to do compliance activities in the 90s was because end-users did not manage deployment & usage and paid accordingly. It did not start with vendors building in traps to stimulate unknown usage or deployment. The actions vendors take are often in response to the (lack of) actions end-users have taken. Having said that I know that some vendors have taken it to an extreme and I fear with the current economic climate this could become even worse.

    Any action to stimulate end-users to take control has my support. Just because it makes good business sense, not just to get removed from an audit list at a vendor. It is to the benefit of both to have a conversation, being well prepared on both sides is recommended. A nice benefit is that vendor auditors will lose interest and most likely act more appropriately. IT is not unique, eventually companies will follow their customers. Customers just need to be prepared to tell them what they have and what they need.

  2. Thanks Mark, I agree with your comment that vendors are not deliberately setting traps for end users, but I also think selling an end user an all-you-can-eat site license to cover their shortfalls is not helping to resolve the underlying issue.

  3. Derek Alexander says:

    The all you can eat licence proposal after non-compliance has been proved in “test” areas is one tactic I have heard of. Anecdotal evidence of course.

    I also think that the practice of making freely available software that customers have not actually licensed (by providing it on media, through the internet etc) could be considered by some to be a form of entrapment. It proves to me the need for good licence and software management.

    Mark is right about both sides needing to be properly prepared, and the best position for customers to find themselves is in part 4 of Martin's grid. Unfortunately, most IT depts find themselves in Stage 1.

    Off topic – how are you Mark?

  4. Ray Murphy says:

    This is an interesting article and comments thread. My own experience is that software suppliers have in the past ensured that their contracts contained “gotchas” that enabled them to revisit customer software installations with certainty that the customer would be non-compliant. For example, a group-wide licensing arrangement might include all subsidiaries “at the date of the agreement” (therefore, if the group re-organised later, the subsidiaries list might differ), a “subsidiary” might be defined as “any entity in which the holding company has a greater than 50% shareholding” (this would exclude any subsidiaries with a 50% exactly shareholding) etc. The best way to ensure that vendor audits do not pose surprises is by negotiating appropriate contract terms at the outset (if the intent is for an “all you can eat” licence, list the products and ensure that changes to the group structure that do not result in significantly more users (factor in a percentage growth, say 15%) will not result in non-compliance), ensure that displacement of products by “functional equivalents” is accommodated at no extra charge etc. and manage the software usage via good SAM practices.
