Software license audit
8 traps that cost companies money
OEM, ghost accounts, virtualization, RDS CAL: typical license traps and how to avoid them.
A license audit letter can take by surprise even a company that was sure it had its software in order. License violations usually do not stem from bad faith. They appear unnoticed at the intersection of old hardware, virtualization, cloud accounts and shadow IT. The good news is that most of them can be caught and fixed in advance. In this article we cover 8 typical licensing traps that many IT departments do not have on their radar.
8 licensing traps - overview with real examples
Inventory checklist in 3 phases (6 weeks)
Phase 1 (Weeks 1-2): Discovery - what we have and what it runs on
| Task | Owner | Tool |
|---|---|---|
| Network scan - all devices and installed software | IT | Endpoint Central (auto-scan) |
| Export licenses from Microsoft 365 Admin Center | IT / M365 admin | M365 Admin Portal |
| List of license agreements from accounting (software invoices, 3 years) | Finance | ERP / invoice PDFs |
| Register of Software Assurance contracts and active subscriptions | IT | VLSC, sales partner |
| SQL Server audit: edition, cores, features used | DBA / IT | T-SQL script |
| VM inventory on Hyper-V / VMware hosts | IT | Endpoint Central / vCenter |
Phase 2 (Weeks 3-4): Analysis - where the gaps are
- Compare installed software against the list of purchased licenses; every application must be covered by a license
- M365 ghost accounts: compare active licenses with active AD accounts, disable every unused account
- Check license terms for the top 10 applications: is the licensing model (per-user, per-device, per-core) right for your environment?
- Verify virtualization rights: Windows Server Standard = 2 VMs per host, more = Enterprise needed
- Check RDS CAL licenses: number of user CALs vs number of RDP users
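The M365 ghost-account step from Phase 2 (licensed cloud accounts with no active on-prem user), as an added example that is not part of the article. It assumes a hybrid setup in which the AD UPN equals the Microsoft 365 UPN, the Microsoft.Graph.Users and ActiveDirectory modules, a Graph connection with User.Read.All, and a 90-day stale threshold; all of these are assumptions.

```powershell
# Added example (not from the article): Microsoft 365 licenses still assigned to accounts
# that are disabled or stale in on-prem AD. Assumes a hybrid setup in which the AD UPN
# equals the cloud UPN, the Microsoft.Graph.Users and ActiveDirectory modules, and a
# Graph connection with User.Read.All (the 90-day threshold is an assumption too).
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

# 1. Every cloud account that currently consumes at least one license (a paid seat).
$licensed = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

# 2. On-prem view keyed by UPN. LastLogonDate is replicated only about every 14 days,
#    so it is approximate; good enough for a 90-day stale check.
$adUsers = @{}
Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties Enabled,LastLogonDate |
    ForEach-Object { $adUsers[$_.UserPrincipalName.ToLower()] = $_ }

# 3. Cross-reference: a paid seat without an active, recently used AD account is a ghost.
#    Cloud-only accounts (shared mailboxes, service accounts) land here too: review, never bulk-remove.
$ghosts = foreach ($u in $licensed) {
    $ad = $adUsers[$u.UserPrincipalName.ToLower()]
    $reason = if (-not $u.AccountEnabled) { 'cloud account disabled' }
              elseif (-not $ad)           { 'no matching AD account' }
              elseif (-not $ad.Enabled)   { 'AD account disabled' }
              elseif (-not $ad.LastLogonDate -or $ad.LastLogonDate -lt $cutoff) { "no AD logon in $staleDays days" }
    if ($reason) {
        [pscustomobject]@{
            User   = $u.UserPrincipalName
            Reason = $reason
            SkuIds = $u.AssignedLicenses.SkuId -join ';'   # map to SKU names with Get-MgSubscribedSku
        }
    }
}
$ghosts | Format-Table -AutoSize
$ghosts | Export-Csv .\m365-ghost-accounts.csv -NoTypeInformation

# Remediation after review, per account: release the seat, then disable the account.
# Set-MgUserLicense -UserId $ghost.User -RemoveLicenses @($skuId) -AddLicenses @()
# Disable-ADAccount -Identity <samAccountName>
```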
Phase 3 (Weeks 5-6): Remediation and prevention
- Buy the missing licenses (priority: Microsoft, Adobe, SQL Server, highest penalties)
- Remove unlicensed software that is not needed for the business
- Roll out a software approval policy: no installation without IT consent
- Configure alerts in ITAM: automatic detection of newly installed software without approval
- Documentation: license register in CMDB or AssetExplorer, who, what, on which device, until when
ITAM tooling: what to choose for an SME
Software Asset Management (SAM) without tooling is only feasible in very small companies (up to 20-30 employees). Above that scale, manual inventory is too slow and too error-prone. If you are looking for a CMDB to store the inventory results, see also the article CMDB instead of Excel - 7 signals it is time to switch.
| Tool | For whom | Key features | Indicative cost |
|---|---|---|---|
| ManageEngine Endpoint Central | Recommendation for SME | Auto-inventory, license reports, patch management, remote desktop | Annual license tied to endpoint count, quote with the vendor |
| ManageEngine AssetExplorer | Companies with a mature CMDB | ITAM + CMDB, contract management, asset lifecycle | Annual license, quote with the vendor |
| ManageEngine SDP Asset Mgmt | ServiceDesk Plus users | Integrated with ITSM, basic inventory, contributions | Part of ServiceDesk Plus |
| Manual PowerShell inventory | Microbusiness (up to 20 computers) | PS script Get-Package + Excel, one-off | No tool cost, but it takes IT time |
Rotech Group recommendation: for a 50-300 employee company, Endpoint Central is a good entry point. It gives you SAM, patch management and remote desktop in one. The tool cost often pays for itself simply by surfacing and removing a handful of M365 ghost accounts, or by avoiding a single license violation.
How to respond to a BSA/MPA audit letter
The Business Software Alliance (BSA) and the Motion Picture Association (MPA) run audits on behalf of software producers. A letter requesting an audit is not a verdict, but it requires an immediate and considered reaction. Companies subject to NIS2 should also factor in the related obligations. See the NIS2 checklist for the IT manager.
The first 48 hours after receiving the letter
- Do not respond without consulting a lawyer specializing in IP. Every word in the response can be used against you.
- Trigger an immediate internal inventory. You have to know what you have before you say anything to the auditors. Companies that reveal violations only during the audit have a weaker negotiating position.
- Do not uninstall unlicensed software before responding; this can be treated as destruction of evidence. Document the current state and plan the remediation instead.
- Check the response deadline in the letter, usually 30 days. You can request an extension in writing.
Response strategy - 3 scenarios
| Scenario | Situation | Strategy |
|---|---|---|
| No violations | Full inventory confirms compliance | Deliver the inventory report. A simple situation. |
| Minor violations | A few missing licenses of small value | Buy the missing licenses before responding. Show the purchases as evidence of good faith. Propose a settlement. |
| Material violations | Violations of significant value | Engage a lawyer without exception and negotiate settlement terms. A settlement is usually more favorable than litigation, which carries additional costs and risk. The specific terms depend on the situation and the producer. |
Questions and answers
What should I do when I receive a license audit letter from BSA or MPA?
First: do not panic, but act fast. You usually have 30 days to respond. Step 1: trigger an immediate internal inventory; before you send anything to the auditors you have to know what you have. Step 2: consult a lawyer specializing in IP and software law. Step 3: if you find violations, prepare a remediation plan and buy the missing licenses before responding. A settlement is usually cheaper than litigation, but only if you negotiate terms with a full picture of the situation.
Can a company run a license audit on its own without external tools?
Yes, but it is laborious. A manual inventory of 200 workstations can take 2-4 weeks of work. You can use PowerShell (Get-Package, Get-WmiObject Win32_Product) to collect the data, but analyzing and comparing with licenses requires Excel and a lot of time. ITAM tools like ManageEngine Endpoint Central do this automatically in hours. For a one-off audit you can use a free 30-day trial. That is enough for a first inventory.
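The manual PowerShell inventory mentioned in this answer and in the Phase 1 / Phase 2 checklist above, as an added example that is not part of the article: installed software is read from the registry Uninstall keys and compared with a constructed license register. The register rows, the host list and the CSV file names are assumptions; reading the Uninstall keys rather than Get-WmiObject Win32_Product is a deliberate substitution, since Win32_Product lists only MSI packages and triggers an MSI consistency check on every query.

```powershell
# Added example (not from the article): per-device software inventory read from the
# registry Uninstall keys, compared with a constructed license register.
# Reading these keys instead of Get-WmiObject Win32_Product avoids the MSI consistency
# check (and possible repairs) that Win32_Product triggers, and also finds non-MSI installs.
function Get-InstalledSoftware {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

# Phase 1: collect. Locally here; for the fleet run the function body remotely and merge:
# $inventory = Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-InstalledSoftware}
$inventory = Get-InstalledSoftware

# Phase 2: compare. Constructed register (in practice exported from the CMDB or invoices);
# Pattern is matched against DisplayName. Install counts are only meaningful for per-device
# models; per-user and per-core models need user assignments or core counts instead.
$register = @'
Pattern,Model,Seats
Adobe Acrobat*,per-device,5
Microsoft Visio*,per-device,2
7-Zip*,free,0
'@ | ConvertFrom-Csv

$gaps = foreach ($lic in $register) {
    if ($lic.Model -ne 'per-device') { continue }
    $installs = @($inventory | Where-Object { $_.DisplayName -like $lic.Pattern })
    [pscustomobject]@{
        Software  = $lic.Pattern
        Seats     = [int]$lic.Seats
        Installed = $installs.Count
        Gap       = [Math]::Max(0, $installs.Count - [int]$lic.Seats)   # installs without a seat
        Hosts     = ($installs.Computer | Sort-Object -Unique) -join ';'
    }
}
$gaps | Sort-Object Gap -Descending | Format-Table -AutoSize

# Everything installed that matches no register row is either shadow IT or an unrecorded license.
$unmatched = $inventory | Where-Object {
    $name = $_.DisplayName
    -not ($register | Where-Object { $name -like $_.Pattern })
}
$unmatched | Select-Object Computer, DisplayName, Publisher |
    Export-Csv .\unmatched-software.csv -NoTypeInformation
```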
What is the most common license violation in SME companies?
In license audit practice the most recurring items are: (1) outdated OEM keys moved to other machines, (2) M365/O365 accounts paid for but unused by former employees, (3) missing CAL licenses for Remote Desktop Services. In manufacturing companies SQL Server underlicensing is common: Standard edition used where the environment requires Enterprise because of core count or features in use.
How often should a license audit be run?
Full audit: once a year, ideally in Q1 before license renewals. Ongoing monitoring through ITAM: continuous; every new device and every installation should be recorded automatically. Key triggers for an immediate audit: merger or acquisition (new assets equal new licensing risk), change of work model (for example a move to Remote Desktop), large group redundancies (M365 ghost accounts).
Check your company's license compliance
In 2 hours we will run a first scan of your environment and tell you where the risks are. You get a report with recommendations, no commitments, no sales pressure.
Book a free license scan