In this blog post, we share several practical tips based on dozens of Audit Defense engagements we have conducted.

Start Early

Audit preparation should not begin when the audit letter is received. It is far more effective to start well in advance. Below are several key areas you can already begin addressing today (this is not an exhaustive list).

Scope: What Is Actually In Scope?

Auditors often assume that the entire IT environment falls within the scope of the audit. In practice, this is not always the case.
Carefully review your contracts and determine:

  • Which entities, environments, and systems are in scope
  • Which data and infrastructure the software vendor is entitled to audit

A clearly defined scope helps prevent unnecessary data from being shared—along with the associated risks.

Development and Test Environments

Do you make use of development and test environments? If so, it is important to verify that you are using the correct (often lower-cost) licenses.
Conversely, are you certain that development deployments, such as Microsoft SQL Server Developer, are not being used in production? During audits, such a deployment is typically treated as a full Enterprise edition deployment, resulting in substantial costs. We have seen cases where such “mistakes” exceeded €100,000.

Microsoft SQL Server: Proof Is Essential

Focusing on Microsoft SQL Server, we often see a recurring pattern: if there is no verifiable proof of the installed edition, auditors will default to the most expensive option—the Enterprise edition.
This also applies to:

  • Passive environments
  • Disaster recovery setups

Even though these scenarios may not always require licensing, the rule is simple: no proof means pay. As a customer, you are responsible for maintaining accurate records and supporting evidence.

Virtual Servers: Flexibility Requires Discipline

Virtual environments provide flexibility but also introduce risks. Licenses can typically only be assigned to a physical device once within a defined period (for Microsoft, usually every 90 days).
In addition, virtual machines may dynamically move across the infrastructure due to features such as high availability and load balancing.
If you do not document:

  • Which virtual machines run on which hosts
  • Whether movement is permitted under your licensing terms

then an auditor may assume a worst-case scenario: “everything runs everywhere.” This can result in significant and often unnecessary licensing costs.

Subscription Ended? Remove the Software

A common challenge in modern workplaces involves online subscriptions such as Microsoft Visio Plan 2. Users may install the associated software on their devices.
However, what happens when the subscription expires or is terminated?
In that case, the software must be removed. That may sound obvious—but is it consistently enforced within your organization?
During an audit, the rule is clear: if software is installed, a valid license must be in place, regardless of whether the software is actively used.

What Can You Do?

Proper preparation is critical. Start by organizing internal processes and responsibilities early. Involve different roles within your organization, such as:

  • Procurement (agreements and proof of purchase)
  • Contract management (license assignment and interpretation)
  • IT (discovery and measurement)

If this is difficult to achieve due to limited time, resources, or expertise, Quexcel can support you. Explore our Software Asset Management services for more information.

Measurement Is Key

You cannot improve what you do not measure. Gaining insight into your software usage and licensing position is the foundation for compliance and control.
With the right preparation, you can approach an audit with confidence and clarity.
If panic still arises when the audit letter arrives, Quexcel offers a dedicated Audit Defense service. In addition, our sister company Didactive regularly hosts Audit Defense webinars, providing practical guidance to help you successfully navigate software audits.