THE SOFTWARE AUDIT THAT FOUND 600 SEATS OVER-LICENSED WITH ONE VENDOR AND 400 UNDER-LICENSED WITH ANOTHER

The Software Audit That Found 600 Seats Over-Licensed With One Vendor and 400 Under-Licensed With Another

How a Routine Renewal Request Revealed a 1,000-Seat Discrepancy

  • The renewal notice arrived from a major enterprise software vendor requesting payment for 2,200 seats. The IT asset management team’s internal records confirmed 2,200 active licenses. The team planned to renew without further review. Then a director asked for a discovery-based validation of actual installation counts.
  • Virima’s IT discovery ran across the environment and found 1,600 active installations, 600 fewer than the renewal quote covered. The gap traced to decommissioned servers. Those servers had gone offline, but no one formally retired them from the software asset record. The ITAM count still showed 2,200 because that was the last recorded purchase count.
  • The same discovery run flagged installation counts for other vendors across the environment. A second enterprise vendor appeared with 1,400 installations against 1,000 licensed seats. Four hundred installations of a business-critical application were running without valid license coverage.
  • That under-licensed position had developed through departmental purchasing. Individual business units had procured additional installations directly, bypassing the central software asset management process. The central ITAM system never received those purchase records.
  • The two findings illustrate the core failure modes that make software license audit discovery an essential recurring practice.

Five Ways License Positions Break Down in the Same Environment

Root CauseHow It DevelopsLicense Impact
Hardware decommissioned without ITAM updateServers go offline; software records remain active in ITAMOver-licensed: paying for installations that no longer run
Departmental purchasing outside central procurementSoftware installed and used; no purchase record sent to central ITAMUnder-licensed: installations running without valid license coverage
Image template pre-installationSoftware deployed in system image; no standalone purchase recordUnder-licensed: invisible to purchase-record ITAM
M&A inherited environmentsAcquired-company software added to production; ITAM records not mergedUnder-licensed: installations from acquired entity missing from entitlement count
Open-term enterprise agreement deploymentVolume-uncapped installs deployed freely; count not tracked centrallyUnder-licensed: deployment count may exceed purchased entitlement

The Discovery Decision That Changed the Renewal Outcome

Running discovery before signing the renewal was not standard practice for this organization. License renewals typically processed through a comparison of ITAM records against vendor invoices. The director who requested the validation described it as a budget check.

What it actually did was prevent an overpayment and surface a separate compliance risk. The over-licensed vendor contract renewed at 1,600 seats instead of 2,200. The cost avoidance on that single renewal paid for the discovery project.

The under-licensed vendor situation required immediate action: either procure 400 additional licenses or reduce the installation count to the licensed quantity. The audit surfaced both problems in time to address them before either produced financial exposure or compliance risk.

A software license audit using discovery compares actual installation counts found by scanning the production environment against the installation counts in purchase records, vendor invoices, and ITAM systems. When discovery finds fewer installations than records show, the organization may be over-licensed. When discovery finds more installations than records show, the organization may be under-licensed. Both findings are common in the same audit because they arise from different causes.

Over-licensed positions often build up silently over years of hardware turnover. When servers are decommissioned without updating the ITAM system, their software records stay active. After three or more years, accumulated ghost records can represent a meaningful share of the total license portfolio.

Decommissioned Hardware: The Root Cause Behind 600 Over-Licensed Seats

The 600-seat over-licensed position traced directly to hardware decommissioning without corresponding software asset record updates. When a server is decommissioned, the physical hardware goes offline. The software on that server should be removed from active license counts in the ITAM system at the same time.

In practice, that deregistration step depends on someone knowing to perform it as part of the decommissioning process. Hardware decommissioning projects often focus on the physical and network removal of the hardware. Software asset management is a separate workflow. When the two workflows are not formally connected, decommissioned hardware leaves ghost software records in the ITAM system.

The vendor’s license count continues to include those decommissioned installations. Each renewal cycle, the over-licensed position grows slightly as more hardware is decommissioned without corresponding ITAM updates. Over three years of normal hardware turnover, 600 decommissioned server installations had accumulated as active license records in this organization.

The gap stayed invisible because no one had compared production installation counts to ITAM records using discovery-sourced data. The ITAM system showed what the organization had purchased, not what was actually running.

How Departmental Purchasing Creates Invisible Under-Licensing Risk

The 400-seat under-licensed position traced to departmental purchasing activity that bypassed the central procurement process. Business units needing additional seats requested them through departmental budgets rather than central IT purchasing. The vendors fulfilled the orders. The installations went live. The central ITAM system never received the purchase records.

Shadow procurement is one of the most common sources of under-licensed positions in enterprise software audits. Departments facing long procurement cycles, or holding budget authority to buy within set thresholds, often purchase software directly. That shortcut keeps the software off the central ITAM record. The compliance risk stays invisible until a discovery-based audit compares running installations to licensed counts.

The ITIL SAM process framework defines software asset management as a formal IT discipline specifically designed to prevent this gap. Organizations without a formal SAM program rely on purchase records that departmental bypass renders incomplete.

According to the BSA Software Alliance, vendor-initiated audits frequently uncover under-licensed positions that originated in exactly this kind of departmental bypass.

Over-licensed positions arise when software is decommissioned from production hardware without removing the installation record from ITAM and vendor license counts. Under-licensed positions arise when software is installed through departmental purchasing without registering the purchase in the central ITAM system. Both conditions coexist in the same environment because they arise from different operational workflows. A discovery-based ITAM license audit surfaces both by comparing running installations to license records directly, rather than using purchase records as a proxy.

Discovery source Endpoint Scan

SaaS Sprawl: The Hidden Compliance Layer Purchase Records Miss

The desktop and server software audit covered one dimension of the license position problem. SaaS subscriptions represented a second dimension that the same discovery cycle surfaced simultaneously.

SaaS subscription sprawl develops when individual users and departments subscribe to cloud-based tools using corporate credit cards. The subscriptions are active and the tools are in use. IT often has no central visibility into how many SaaS tools run across the environment.

The same environment that had 600 over-licensed seats with a traditional on-premises vendor also ran 23 distinct SaaS tools that employees used actively. IT had not formally evaluated, procured, or added any of them to the software asset register. Some were productivity tools with minimal data handling. Others processed business-critical data under terms the organization had never reviewed.

The software license audit discovery process surfaced both categories in the same cycle.

IT discovery identifies SaaS subscription sprawl through two primary signals: network traffic to known SaaS domains from managed endpoints, and corporate SSO authentication logs from connected identity providers. These signals surface SaaS tools that individual users or departments subscribed to on corporate payment methods, including tools processing business-critical data under terms the organization has never reviewed.

Why Purchase-Record ITAM Often Leaves Your License Position Incomplete

Software IT asset management systems that populate from purchase records reflect the software the organization formally bought. SAM is the process discipline focused specifically on license compliance. ITAM encompasses SAM within a broader scope of hardware and asset lifecycle management.

Both share a critical gap when they rely on purchase records as the primary data source. They miss software that never generated a central purchase record. That includes pre-installed applications from image templates, open-term enterprise agreement deployments, M&A-inherited environments, and departmental purchases made outside IT procurement.

Each of these categories introduces a gap between what the ITAM system shows and what runs in production.

What Industry Research Says About the License Exposure Risk

The EMA ServiceOps 2025 report notes that organizations relying on purchase-record-based software asset management often discover their true license position only when facing a vendor audit. At that point, the under-licensed position creates immediate financial exposure.

Flexera’s annual State of IT Asset Management research identifies vendor-initiated audits as a leading cost exposure trigger for organizations using purchase-record-based license tracking.

NIST asset management guidance recommends recurring discovery-based inventorying as the baseline for defensible software asset records.

ITAM systems based on purchase records often have gaps because software reaches production environments through channels that do not generate purchase records: image templates with pre-installed software, departmental purchasing outside central procurement, M&A inherited environments, and enterprise agreement deployments with open terms. Discovery-driven ITAM finds all installed software regardless of how it reached the endpoint. The result is a license position built from what runs in production rather than what appears in procurement records.

Discovery-driven ITAM scans endpoints for actual installed software rather than reading purchase records. It records the installed version, installation path, and last-used timestamp. That data feeds into the ITAM system as a discovery-sourced record. Comparing those counts to license entitlements produces the true license position.

What Discovery-Driven ITAM Surfaces That Purchase Records Cannot

  • Discovery-driven ITAM does not rely on purchase records to determine what software is installed. It scans endpoints, reads running processes, and queries installed application registries. It identifies software by the evidence of its presence in the production environment, not by its purchase record in a procurement database.
  • When Virima’s IT discovery runs for software asset purposes, it identifies every installed software instance on every managed endpoint. It records the installed version, installation path, and last-used timestamp. That data feeds into the ITAM system as a discovery-sourced record rather than a purchase-sourced record.
  • Comparing the two counts produces the true license position. Where installation counts exceed license counts: under-licensed. Where license counts exceed installation counts: over-licensed, meaning the organization pays for coverage the environment no longer uses.
  • The ITAM license audit that found 600 over-licensed seats and 400 under-licensed seats in one cycle delivered enough cost avoidance and risk reduction to justify the discovery investment many times over.

How the Team Renegotiated One Contract and Remediated Another

The over-licensed vendor renewal renegotiation recovered 600 seats of license cost, reducing the renewal by roughly 27 percent compared to the original invoice.

The under-licensed vendor situation required procuring 400 additional seats. The net cost of that remediation was substantially lower than the cost recovered from the over-license position. As a result, the organization came out with a positive net financial impact from a single software license audit discovery cycle.

The 23 unauthorized SaaS tools required a separate remediation workflow. The team reviewed each tool’s data handling against security and compliance policies. They formally procured tools that met policy requirements and removed access to those that did not. That workflow took three months. The discovery that made it possible took one cycle.

See how Virima’s IT discovery compares actual installation counts to your license entitlements. Explore IT Discovery

Discovery-driven ITAM surfaces the true software license position by scanning endpoints for actual installed software rather than relying on purchase records. It finds over-licensed positions from decommissioned installations that remain in license counts, under-licensed positions from departmental purchasing that bypassed central procurement, and SaaS sprawl from tools deployed without IT review. The license position it produces reflects what runs in production, not what was formally acquired.

Both the 600-seat over-licensed position and the 400-seat under-licensed position developed over years of normal IT operations. Neither was visible in purchase records or vendor invoices. Both became clear in a single software license audit discovery cycle. The correct response is recurring discovery-driven ITAM as the standard operating model, not a one-time fix.

Building a Discovery-Driven License Compliance Foundation

  • Both positions developed over years of normal IT operations. Neither would have been visible to a license management process that checked purchase records against vendor invoices. Both were visible the moment discovery compared running installations to licensed counts.
  • Adopting discovery-sourced software asset tracking as the standard operating model is the right response when a software license audit finds significant gaps. Returning to purchase-record-based management after updating the records leaves the same failure modes in place.
  • When discovery runs on a recurring scheduled basis and updates the ITAM system with current installation data, the license position stays current. Renewals proceed from accurate counts. Under-licensed positions surface before vendor audits find them. Over-licensed positions clear before the next renewal cycle locks in unnecessary spend.
  • Connecting Virima’s IT discovery to your CMDB and ITAM workflows creates a license position your procurement team can trust and a vendor audit cannot contradict.
Schedule a demo to see how Virima’s IT discovery validates license positions before renewals, recovers over-license costs, and surfaces under-licensed installations before audit exposure.

Frequently Asked Questions

How does Virima’s IT discovery integrate with ITAM and CMDB workflows to maintain a current license position?

Virima’s IT discovery feeds installation data directly into the ITAM module, which compares discovered counts against license entitlement records from purchase data and vendor agreements. The CMDB stores CI relationships that connect software records to the hardware they run on. When a hardware CI is decommissioned, that connection triggers automatic deregistration. This keeps the license position current without manual ITAM record maintenance. Integrations include: ServiceNow, Ivanti, Halo, Jira Service Management, Xurrent.

What causes software over-licensing?

Software over-licensing most commonly occurs when hardware is decommissioned without removing the corresponding software installation records from the ITAM system and vendor license counts. Each decommissioning event without a corresponding software deregistration adds to the over-licensed count. Over several years of normal hardware turnover, the accumulated count can represent a substantial portion of the total license portfolio.

What causes software under-licensing?

Software under-licensing occurs when software is installed through channels that do not generate records in the central ITAM system. Common causes include departmental purchasing outside central procurement, software deployed from image templates with pre-installed applications, software inherited from acquired company environments, and SaaS subscriptions taken out by individual users or departments on corporate payment methods.

How does IT discovery identify software installations that purchase records miss?

IT discovery scans managed endpoints and reads installed application registries, running processes, and software metadata directly from the endpoints, not from procurement records. It identifies software by the evidence of its presence on the device regardless of how the software arrived. This means discovery finds software from departmental purchasing, image template pre-installation, and M&A inherited environments that never generated central purchase records.

How does Virima’s ITAM module support software license audit discovery?

Virima’s ITAM module receives installation data from IT discovery scans. It compares discovered installation counts against license entitlement records from purchase data and vendor agreements. This comparison produces the true license position: over-licensed where installation counts fall below license counts, under-licensed where they exceed them. Discovery-driven ITAM updates this position on a recurring scheduled basis, giving IT teams a current view of their compliance exposure at all times.

Similar Posts