IT Asset Management · 03

Audit defence services.

When a software vendor sends an audit notice, the clock starts. We've defended thousands of audits — and reduced exposure by tens of millions per engagement. AI-forensic analysis. Specialist negotiation. Every time.

72-hr Response · AI Forensic Analysis · Methodology Challenge
$40M+
Largest single audit defence saving — IBM ECM, US investment bank.
$1.25M+
Saved in less than two weeks during an IBM audit for a UK IP management firm.
8 weeks
Typical timeline from engagement to negotiated audit settlement.
AUDIT TRIGGERS: IBM Software Audit · Oracle License Review · Microsoft True-Up Dispute · SAP Indirect Access Claim · VMware Compliance Notice · Broadcom ELA Audit · SaaS Over-Deployment · Post-M&A Licence Audit
The problem we solve

An audit notice is a negotiation, not an inspection.

Most audits begin with a vendor — or their appointed third-party auditor — claiming significant non-compliance. The numbers cited in the initial position paper are rarely the numbers you end up paying. Everything between is negotiation.

That negotiation hinges on three things: how thoroughly you understand your contracts, how accurately you can measure your deployment, and how confidently you can challenge the auditor's methodology. That's where most internal teams get into trouble — not because they're incapable, but because each of those three skills is its own discipline.

We've been on both sides of the table. We know how vendor licensing teams build their cases. Our AI forensic engine analyses contracts and deployment data in parallel — surfacing methodology divergences and challenge points before the auditor's position paper even lands. We know how to negotiate a settlement that protects your bottom line and your operating relationship with the vendor.

AI contract forensics · Automated methodology audit · Independent measurement engine
Vendor specialisations

We know their playbook.

Every major software vendor audits differently. Their methodologies, their appointed auditors, and the specific pressure points they exploit are known quantities to us — because we've defended against every one of them.

IBM Software

IBM audits — particularly around ILMT/BigFix sub-capacity reporting, ECM, and Passport Advantage contractual terms — generate some of the largest exposure claims in enterprise software. IBM's appointed auditors routinely apply sub-capacity rules incorrectly and conflate PVU counts across virtualised environments.

  • ILMT deployment gaps and sub-capacity reconciliation
  • ECM product version and metric misclassification
  • Passport Advantage contract schedule interpretation
  • Authorised User vs. PVU metric disputes
Oracle

Oracle licence reviews are systematically aggressive, leveraging the complexity of virtualisation licensing rules, ULA certification, and processor metric definitions to maximise initial exposure claims. The gap between the opening position and a settled figure is frequently 60–80%.

  • VMware / cloud virtualisation — Oracle's hard partition rules
  • Java SE licensing — per-employee metric challenges
  • ULA certification scope and product inclusion disputes
  • Indirect access and integration point claims
Microsoft

Microsoft true-ups, SAM engagement follow-ons, and post-EA True-Up disputes most often turn on device vs. user assignment rules, hybrid benefit eligibility, and M365 licensing tier conflicts — areas where the complexity of Microsoft's licensing framework creates genuine ambiguity that can be challenged.

  • M365 / EMS licence tier over-assignment challenges
  • Azure Hybrid Benefit and BYOL eligibility
  • SQL Server virtualisation and core factor table disputes
  • True-Up vs. MPSA reconciliation methodology
SAP

SAP indirect access claims — where third-party systems connecting to SAP are deemed to require named user licences — represent some of the most commercially dangerous audit territory in enterprise software. SAP's licence metric complexity across S/4HANA, BTP, and legacy modules creates extensive challenge opportunity.

  • Indirect / digital access claim methodology challenges
  • Named user reclassification and role consolidation
  • S/4HANA transition — legacy metric mapping disputes
  • BTP and cloud extension licensing scope
The defence command model

Four stages. One objective: close the audit clean.

From the moment the notice arrives to post-settlement hardening — every action is sequenced, time-boxed, and AI-assisted. The exposure gauge tracks our progress in real time.

Exposure level: NOTICE → MEASURED → CHALLENGED → SETTLED (↓ reducing)
Stage 01 · 72 hours · Triage
Scope assessment, contractual basis review, auditor identity verified, and exposure modelled — before any data leaves your environment.

Stage 02 · Weeks 1–3 · Independent Measurement
Forensic-grade parallel measurement using AI-assisted deployment analysis. Our baseline is ready before the auditor's numbers land.

Stage 03 · Weeks 3–7 · Challenge & Negotiate
AI methodology analysis identifies every divergence from contract language. We challenge in writing, line by line, and negotiate directly with the vendor's audit team.

Stage 04 · Week 8+ · Settle & Harden
Audit closed. Automated controls designed to prevent recurrence. Your next audit cycle finds far less to complain about.

AI Forensic Engine

Machine learning cross-references contract language against auditor methodology claims — surfacing divergences that human review would take weeks to find.

Independent Measurement

Automated deployment measurement runs in parallel with the vendor's own audit process — giving us a forensic baseline to challenge their numbers before they're even shared.

Automated Hardening

Post-settlement, we deploy automated licence controls and continuous monitoring — so compliance gaps are detected and resolved before the next audit cycle begins.

What's included

Six work-streams. One outcome.

Every licence audit defence engagement covers these areas — adapted in scale and depth to your environment, contracts, and timeline.

Work-stream 01 · Day 0–3

Notice review & strategy.

The day the audit notice arrives, we review the scope, the contractual basis the vendor is invoking, and the appointed auditor's methodology. We agree a defence strategy with you before any data leaves your environment.

  • Scope verification — what products and entities are in scope, and whether the audit right is validly invoked
  • Auditor identity review — who is conducting the audit, and what methodology they typically apply
  • AI-assisted contract analysis — licence metrics, schedule terms, and contractual limitations on audit scope
  • Initial risk model — exposure range estimated before any data is shared with the auditor
AI scope analysis
Work-stream 02 · Weeks 1–3

Independent measurement.

We run our own deployment measurement in parallel with the vendor's — using AI-assisted forensic tools to process infrastructure data at scale. When the auditor's numbers land, we have an independent baseline ready to compare against — and to challenge from.

  • Automated infrastructure discovery across on-premise, cloud, and virtualised environments
  • Licence metric application — we apply the same rules the auditor will, using your actual contract definition
  • Forensic-grade output — a defensible baseline our consultants can present directly to the auditor
  • Gap analysis — where our numbers diverge from the auditor's, we identify the specific cause
Automated forensic measurement
Work-stream 03 · Weeks 2–5

Methodology challenge.

Vendors routinely apply licensing metrics that diverge from the actual contract language. Our AI engine forensically compares the auditor's methodology against your contracts and surfaces every point of divergence — which our consultants then challenge in writing, line by line.

  • AI contract-vs-methodology cross-reference — every clause compared against auditor claims
  • Metric version disputes — auditors frequently apply newer, more aggressive metrics than the contract specifies
  • Virtualisation and sub-capacity rule challenges — the most common source of inflated IBM and Oracle claims
  • Written challenge documentation — formal, evidence-backed position delivered to the auditor
AI methodology comparison
Work-stream 04 · Weeks 3–6

Position-paper response.

We draft your formal response to the auditor's findings. Each non-compliance claim is analysed individually — accepted where the evidence is clear, partially contested where the methodology is arguable, or rejected where the contract doesn't support the claim.

  • Finding-by-finding analysis — each auditor claim categorised and evidence-weighted
  • AI-generated counter-position data — automated calculation of the corrected exposure under our methodology
  • Contractual reasoning — every rejection or partial challenge backed by specific clause references
  • Settlement anchor — our response sets the opening position for negotiation at the lowest defensible figure
AI-assisted drafting
Work-stream 05 · Weeks 5–8

Direct vendor negotiation.

Where useful, we engage directly with the vendor's audit team — separating the contractual dispute from your wider commercial relationship. We know how these teams operate and what they're authorised to settle for. The goal is a clean close at the lowest defensible figure.

  • Direct engagement with the vendor's audit leads — bypassing the third-party auditor where advantageous
  • Commercial relationship protection — the audit dispute is kept separate from renewal and ELA discussions
  • Settlement authority intelligence — we know what settlement ranges vendor teams are authorised to accept
  • Structured close — settlement terms documented and signed off before the engagement concludes
Negotiation intelligence
Work-stream 06 · Post-settlement

Post-audit hardening.

Once the audit settles, we fix the upstream process gaps that allowed exposure to build in the first place. Automated controls, continuous AI-powered monitoring, and licence alerting prevent the same issues recurring — so the next audit cycle starts from a defensible baseline.

  • Root cause analysis — the compliance gaps the audit revealed, mapped to specific process failures
  • Automated licence controls — deployment guardrails that prevent exposure drifting above entitlements
  • Continuous AI monitoring — real-time alerting when licence positions move outside defined thresholds
  • Audit-ready baseline — a defensible licence position maintained year-round, not rebuilt under pressure
Automated control deployment
Proof

A recent engagement.

"Within 8 weeks, we negotiated over $40 million in immediate cost savings for a US investment bank facing IBM ECM non-compliance findings — after their internal team's 5-month effort had stalled."
Viswam Dhaveji
Founding & Managing Partner
Audit exposure neutralised
$40M+
A leading US multinational investment bank brought us in after five months of failed audit defence. We engaged directly with IBM's auditors and negotiated a settlement using AI-assisted contract forensics and independent measurement.
Adjacent services

Often deployed alongside.

Audit defence rarely stands alone. The strongest defence is built before the audit notice arrives — and the cleanest settlement is sustained by what comes after.

Audit notice on your desk?

Don't go in without specialists.

If you've received an audit notice — or you're hearing rumblings that one is coming — the first 72 hours matter. Book a call now. We'll review the notice, talk through the vendor's likely position, and tell you whether you need our help or your internal team can handle it.

What you'll get

  • 30-minute call with a senior audit defence consultant.
  • Honest read on the vendor's likely position and exposure range.
  • Recommended response strategy for the next 30 days.
  • Clear view of whether external help is needed at all.