The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Audit Defence Checklist – Nice to have, negotiable or non-negotiable terms

This audit defence / software contract negotiation checklist has kindly been shared by Chris Moffett for The ITAM Review community. Thanks Chris!

This list contains items that are nice to have, negotiable or non-negotiable for inclusion in your next audit defence or contract negotiation.

If you have any other items to add to this list or have an alternative point of view please contact us.

To learn how to defend against software audits alongside your peers, join our free audit defence workshop on 12th April in Amsterdam.

Nice to have

  • Finalization of the audit includes a non-audit clause that will extend for a minimum of 4 years.
  • Purchase of licenses for agreed non-compliance will be processed via a defined reseller.
  • No non-compliance penalties other than license purchases for non-compliant areas will be assessed.
  • All communication regarding the ongoing audit must go through the dedicated audit response team; the publisher/auditor must not attempt to discuss the environment, installation counts or any other audit-related data with other employees.
  • Establish a cost for lost work effort that must be paid by the publisher/auditor if, upon completion of the audit, no areas of non-compliance are identified (assuming your company offered to self-report and they declined).
  • Provide the publisher/auditor with a specific AD extract that your company is comfortable using for the completeness review.
  • Identify a percentage of non-compliance (e.g. 5% or less) that would not constitute a need for license purchases or penalty payments.
  • A method for extracting/defining devices that are used for DR/BCP/Dev.
  • Identification of software installations that are trial versions and not a licensable product.

Negotiable

  • Scope of the audit should be based on a specific group (e.g. a specific business unit or division).
  • Scope of the audit should include a specific list of domain(s).
  • Scope of the audit should include specific geographic locations.
  • Scope of the audit should include specific device types (e.g. desktops, laptops, servers, etc.).
  • Scope of the audit should include a specific list of operating systems (e.g. Windows desktop OS only, etc.).
  • Determination of the start date and a grace period for installs that might be found after the last pull of purchase data occurred.
  • Auditor to identify which values within the AD extract identify a machine as “in scope” or “out of scope”.
  • All sensitive data (e.g. computer name) is redacted with a dummy value.
  • A third-party auditor must perform the audit.
  • If there is no third-party auditor, your company has the right to disagree with the findings.
  • A dispute resolution/mediation process must be defined prior to audit commencement. This includes identifying which terms still hold (e.g. no audit for [x] years) should no agreement be reached.
  • Define how to determine that a product is a full installation (e.g. if a .dll is installed but no executable, etc.).
  • Your company may choose to complete a “self audit” and provide the report to the supplier or third-party auditor.
  • If instances of non-compliance are identified, your company shall true-up any coverage at the then-current discounted cost; no other penalties and/or fees shall apply.

Non-negotiable

  • Entitlements must be agreed and confirmed prior to starting any other action.
  • Auditors must be onsite when reviewing deployment data, and all data must remain on a company-provided laptop that has no network connectivity.
  • The company-provided laptop used for the audit exercise must be returned to the audit response team employee assisting in the audit at the end of each day.
  • Only summary-level data can be taken off site upon completion of the ELP (effective license position).
  • Only company (x)’s discovery tool can be used when gathering deployment data.
  • Finalization of the audit includes a non-audit clause that will extend for a minimum of 2 years.
  • Definition of which products are in scope and how those products are licensed (e.g. per user, per install, etc.).
  • The publisher/auditor must provide a list of product keywords, executable or process names, and install paths for the products that will be pulled back by the inventory tool.
  • Upon completion of the audit, the supplier shall verify that company (x) is fully compliant.
  • The supplier and third-party auditor must have a current NDA in place with your company.
  • The supplier and third-party auditor must agree to your company’s current NDA terms.
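Several of the items above only hold up if the audit response team can actually produce them on demand: which AD values mark a machine in or out of scope, a dummy value in place of every computer name, DR/BCP/Dev devices carved out, and a defensible rule for what counts as a full installation versus a stray .dll or a trial build, driven by the executable names and install paths the publisher supplies. The script below is an added example of doing that with a script rather than by hand; it is not code from the article, from Chris, or from any discovery tool. The AD rows, the inventory file lists, the "Acme Designer" product signature, the OU names, the dates and the 90-day grace period are all constructed or assumed stand-ins for whatever the audit SOW actually defines.

```python
"""Produce an in-scope, redacted AD extract plus a summary-level position.

Added example for the audit defence checklist; not the article's code.
Every input here is constructed sample data and every rule value is an
assumption standing in for what the audit SOW would define.
"""
import csv
import hashlib
import hmac
import io
from datetime import datetime, timedelta

# Constructed AD extract, roughly what Get-ADComputer | Export-Csv produces.
AD_EXTRACT = """name,distinguishedName,operatingSystem,lastLogonDate
WS-FIN-001,"CN=WS-FIN-001,OU=Workstations,OU=Finance,DC=corp,DC=example",Windows 10 Enterprise,2023-03-01
WS-FIN-002,"CN=WS-FIN-002,OU=Workstations,OU=Finance,DC=corp,DC=example",Windows 11 Enterprise,2023-02-20
WS-FIN-004,"CN=WS-FIN-004,OU=Workstations,OU=Finance,DC=corp,DC=example",Windows 10 Enterprise,2023-03-05
WS-FIN-005,"CN=WS-FIN-005,OU=Workstations,OU=Finance,DC=corp,DC=example",Windows 10 Enterprise,2022-09-14
SRV-FIN-DR1,"CN=SRV-FIN-DR1,OU=DR,OU=Finance,DC=corp,DC=example",Windows Server 2019 Standard,2023-03-02
WS-HR-010,"CN=WS-HR-010,OU=Workstations,OU=HR,DC=corp,DC=example",Windows 10 Enterprise,2023-03-03
MAC-FIN-003,"CN=MAC-FIN-003,OU=Workstations,OU=Finance,DC=corp,DC=example",Mac OS X,2023-03-01
"""

# Scope rules as the SOW would state them (assumed values).
SCOPE = {
    "domain_suffix": "DC=corp,DC=example",          # agreed domain list
    "business_unit_ou": "OU=Finance",               # agreed business unit
    "os_prefixes": ("Windows 10", "Windows 11"),    # desktop OS only
    "excluded_ous": ("OU=DR", "OU=BCP", "OU=Dev"),  # DR/BCP/Dev carve-out
    "stale_after_days": 90,                         # grace period (assumed)
}
AS_OF = datetime(2023, 3, 10)  # date of the extract (constructed)


def in_scope(row, scope=SCOPE, as_of=AS_OF):
    """Return (bool, reason) so every exclusion can be explained to the auditor."""
    dn = row["distinguishedName"]
    parts = dn.split(",")
    if not dn.endswith(scope["domain_suffix"]):
        return False, "other domain"
    if scope["business_unit_ou"] not in parts:
        return False, "other business unit"
    if any(ou in parts for ou in scope["excluded_ous"]):
        return False, "DR/BCP/Dev device"
    if not row["operatingSystem"].startswith(scope["os_prefixes"]):
        return False, "OS out of scope"
    last = datetime.strptime(row["lastLogonDate"], "%Y-%m-%d")
    if as_of - last > timedelta(days=scope["stale_after_days"]):
        return False, "stale account"
    return True, "in scope"


def pseudonym(name, key):
    """Keyed, deterministic dummy value for a computer name.

    The same machine maps to the same token in the AD extract and in the
    inventory export, so the auditor can reconcile the two, but the real
    name never leaves. The key stays with the audit response team.
    """
    digest = hmac.new(key, name.upper().encode(), hashlib.sha256).hexdigest()
    return "HOST-" + digest[:10].upper()


# Publisher-supplied signature (assumed format): the files that make a
# product a licensable installation, versus a shared library or a trial.
SIGNATURES = {
    "Acme Designer": {
        "exe": {"acmedesigner.exe"},
        "install_paths": {r"C:\Program Files\Acme\Designer"},
        "trial_markers": {"trial.lic"},
    }
}

# Constructed discovery-tool output: files seen per (real) host name.
INVENTORY = {
    "WS-FIN-001": [r"C:\Program Files\Acme\Designer\acmedesigner.exe",
                   r"C:\Program Files\Acme\Designer\core.dll"],
    "WS-FIN-002": [r"C:\Program Files\Acme\Designer\acmedesigner.exe",
                   r"C:\Program Files\Acme\Designer\trial.lic"],
    "WS-FIN-004": [r"C:\Windows\System32\acmecore.dll"],   # dll, no executable
    "WS-FIN-005": [r"C:\Program Files\Acme\Designer\acmedesigner.exe"],
}


def classify(files, sig):
    """Full install only if the agreed executable sits under an agreed path."""
    names = {f.rsplit("\\", 1)[-1].lower() for f in files}
    in_path = any(f.lower().startswith(p.lower())
                  for f in files for p in sig["install_paths"])
    if names & sig["trial_markers"]:
        return "trial"
    if names & sig["exe"] and in_path:
        return "full install"
    return "not an install"


def audit_summary(ad_csv, inventory, key, product="Acme Designer"):
    """Counts per status (the summary-level data) plus redacted per-device rows."""
    sig = SIGNATURES[product]
    summary = {"in_scope": 0, "full install": 0, "trial": 0,
               "not an install": 0, "excluded": {}}
    redacted = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        ok, reason = in_scope(row)
        if not ok:
            summary["excluded"][reason] = summary["excluded"].get(reason, 0) + 1
            continue
        summary["in_scope"] += 1
        status = classify(inventory.get(row["name"], []), sig)
        summary[status] += 1
        redacted.append({"host": pseudonym(row["name"], key),
                         "os": row["operatingSystem"], product: status})
    return summary, redacted


if __name__ == "__main__":
    key = b"constructed-key-held-by-audit-response-team"
    summary, rows = audit_summary(AD_EXTRACT, INVENTORY, key)
    print(summary)
    for r in rows:
        print(r)
```

Two caveats a practitioner would want on the record. The HMAC pseudonyms are deliberately linkable (the same machine yields the same token everywhere) so the auditor can reconcile extract and inventory; that is exactly why the key must never be handed over, since anyone holding it can regenerate a token from a guessed name. And each exclusion carries a reason string so the completeness review can be argued device by device, which is what the "in scope / out of scope" and grace-period terms above are really asking for.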


About Martin Thompson

Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.

Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.

He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.

Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).

When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.

Connect with Martin on LinkedIn.


  1. Rory Canavan says:

    A great list, good job Chris. I’m just wondering whether there is a term or condition that could be applied to a 3rd party auditor not coming back within a certain period of time? I don’t think it’s any coincidence that the very same companies that audit for one vendor can appear to be on a revolving door back into your premises for another all too soon.

  2. Janet says:

    Hi Martin

    Wonder if this can be formatted to a version one can export…?

  3. Janet – Excel sheet or PDF?

  4. Peter Kozisek says:

    Rory, the auditor usually has little impact on the selection process, but it is not a coincidence. Vendors are selecting targets based on similar analysis and, as an example, if a company has had a significant merger/acquisition it is a good target for each vendor.

  5. Jacobo Senior says:

    From your experience, are top vendors usually willing to accept the non-negotiable terms listed? Which ones are more flexible in this sense?

  6. Fredrik Filipsson says:

    re: oracle,

    Oracle doesn’t negotiate its audit clause except in rare cases; it requires the highest approval level. I wouldn’t spend too much energy trying to negotiate the audit clause with Oracle.

  7. Great job Chris! I’ve got two more (non-negotiable):
    – (if in place) Supplier and third party auditor must comply with the company’s audit protocol
    – (in non-English speaking countries) all communication will be done in the local language

  8. PetrS. says:

    Excel would be more flexible. 🙂 Thank you in advance…

  9. Abdul says:

    Well done. Good way to expose the auditor!

    It’s a very helpful checklist!

  10. Jacobo – I’ve posted your question on our forum for anonymous comments.

    Cheers, Martin

  11. Paul DeGroot says:

    – auditor will supply the customer with the resumes of staff assigned to the audit
    – auditor will have Microsoft competencies in Volume Licensing and Software Asset Management

    We have seen some atrocious boners from untrained auditors in some engagements. It’s clear they know little about licensing or SAM. These competencies won’t fix it, but it may reduce the number of beginners who are assigned to audits. And how can Microsoft insist that auditors can use untrained or unqualified personnel?

  12. Great comment Paul. That is true – many auditors may know how to use a given tool but lack the required knowledge about licensing and product use rights.

  13. Kamal says:

    Paul DeGroot – Good one.

    This checklist is indeed helpful, Martin.

  14. Hitesh Akul says:

    This is really cool. I work with Chris and am really proud to see this article. Any auditee can just refer to this list when getting into audit kick-off calls to set the SOW.

  15. Brettz says:

    Does anyone know of a published or sample Audit Defense Policy?
