The invoice arrives in early June. Three years of maintenance and support for a product the team migrated away from eighteen months ago. Auto-renewal. Nobody caught it. The contract committed the organisation to another 36 months before anyone thought to check. Elsewhere in the same week, a software vendor’s audit notice lands in the inbox of a legal team that cannot locate the original licence records, let alone the usage data that would establish whether the organisation is compliant. Both situations are, in their own way, the same problem: nobody actually knows what software the organisation has, what it is contractually obligated to, or whether all of it is properly licensed.
This is not an unusual story. It is, by most measures, the default state of software licence management in Australian enterprise environments. EOFY is the moment when that default state becomes expensive.
The Licence Estate Is Both a Financial and a Security Problem
The most visible cost of a poorly managed software licence estate is straightforward overpayment: licences purchased for headcounts that no longer exist, tools acquired during the 2020–21 expansion sprint that are still auto-renewing, subscriptions that were consolidated into a platform deal but never cancelled individually. These are real costs, and they add up quickly in an environment where organisations routinely hold dozens of concurrent vendor relationships.
But the less visible risk is the one that tends to matter most when it surfaces. End-of-life and unlicensed software running in production environments is not receiving security patches. It is not covered by vendor support agreements. And in many cases, the security team has no visibility over it, because the asset management process that should have flagged it as a risk never captured it in the first place. Software that falls outside the known estate is software that falls outside the patched estate.
The Australian Signals Directorate’s Essential Eight framework explicitly addresses this through its patch applications and patch operating systems strategies. The ASD’s position is clear: applications and operating systems that are no longer supported by their vendor — and therefore no longer receiving security updates — represent unacceptable exposure and should not be running in production. For organisations working toward Essential Eight compliance, unmanaged or unlicensed software is not a procurement problem with a secondary security dimension. It is a security problem with a secondary procurement dimension.
Auto-Renewal Is the Structural Enemy of Licence Hygiene
Enterprise software contracts are written to renew. That is not a criticism of software vendors — it is simply how their business models work. The default in most commercial software agreements is automatic renewal at the existing price and scope, often with a notice window of 30 to 90 days to terminate or renegotiate. In a well-governed environment, those windows are tracked and actioned. In most environments, they are not.
The result is a quiet, compounding commitment problem. Year on year, the licence estate drifts further from the organisation’s actual technology footprint. Tools that were indispensable in 2022 and largely abandoned by 2024 are renewed without question, because the renewal is automatic and the invoice goes to a cost centre that no longer talks to the team that actually used the product. Platform consolidation decisions that eliminated the need for half a dozen point tools get executed in the engineering environment but not in the contract management system. Mergers and acquisitions introduce new licence portfolios that are never reconciled against existing entitlements.
EOFY accelerates this problem. When procurement teams are under pressure to commit before June 30, they are less likely to pause on auto-renewing licences and more likely to approve renewal without interrogating usage. The financial pressure of the final quarter is real — but moving quickly without visibility does not save money. It locks in another twelve or thirty-six months of spend on a baseline the organisation has not validated.
The Audit Risk Is Growing, and It Is Not Evenly Distributed
Software vendor audits have become a material revenue recovery mechanism for major publishers. This is not a niche phenomenon. According to Flexera’s 2024 State of ITAM Report (n=503 enterprise-level organisations), 50 per cent of respondents had been audited by Microsoft in the preceding three years. IBM audited 42 per cent. Oracle, SAP, and Salesforce each appeared in the audit experience of 25 to 31 per cent of respondents. These are not random events. Vendors audit when they have reason to believe an organisation may be underreporting — and in complex, hybrid environments, the conditions for underreporting are almost always present.
The organisations most exposed are not necessarily the largest or the most careless. They are the ones that have grown through acquisition and carry inherited licence portfolios they have never fully mapped. They are the ones that moved workloads to cloud environments without fully understanding how on-premises licences translate to cloud deployment rights. They are the ones that consolidated platforms and retired tools without updating the entitlement records to reflect what was actually surrendered. In all of these cases, the gap between what the organisation believes it holds and what an audit would reveal can be substantial — and the financial exposure is the back-payment of licence fees for the gap period, plus interest, plus the disruption cost of the audit process itself.

The IBM Cost of a Data Breach Report 2024 (n=604 organisations, 16 countries) puts the average global cost of a data breach at USD 4.88 million — the largest year-on-year increase since the pandemic. For organisations that reach that point because unpatched, untracked software provided the entry point, the licence management failure and the security failure are the same failure.
Evidence Snapshot
53 per cent of IT teams globally report challenges gaining or maintaining complete visibility of their technology investments — a persistent and widespread failure of software licence and asset management discipline. (2024, Flexera 2024 State of ITAM Report, n=503)
Nearly a quarter (22 per cent) of global IT leaders paid more than $5 million in software vendor audit costs over the preceding three years — up from 15 per cent the year prior. (2024, Flexera 2024 State of ITAM Report, n=503)
In ASD’s analysis of 60 CVEs tracked between July 2020 and February 2023, one in five vulnerabilities was exploited within 48 hours of a patch or mitigation being released — and in one instance, ASD observed actors exploit an unpatched vulnerability that was seven years old. Unpatched software is not a slow-burn risk; it is active attack surface. (2023, ASD Cyber Threat Report 2022–23)
A Pre-EOFY SAM Audit Is One of the Highest-ROI Actions an IT Team Can Take
Unlike many pre-EOFY efficiency measures, a software asset management audit produces direct, quantifiable return. Licences cancelled before their renewal commitment date are licences not paid for. Contracts renegotiated with accurate usage data are contracts with lower scope, correct SKUs, and better pricing. Audit exposure identified and remediated before a vendor comes looking is exposure resolved on the organisation’s terms rather than the vendor’s.
A SAM audit conducted properly before EOFY involves four things. First, a complete discovery of what software is actually installed and running across the environment — including shadow IT, cloud-deployed tools, and anything inherited through acquisition or organisational change. Second, a reconciliation of installed software against current licence entitlements, identifying both overpayment (licences held but not used) and potential compliance exposure (software running without adequate entitlement). Third, a mapping of upcoming renewal dates and notice windows, so that the organisation is positioned to act rather than to simply receive invoices. Fourth, a review of end-of-life and unsupported software that represents both compliance exposure and unpatched attack surface.
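The four steps above translate directly into a reconciliation that can be scripted once discovery and entitlement data are in hand. The example below is added here for illustration and is not code from the article or from Orro: it takes a discovered inventory (product to hosts), the entitlement register (seats, renewal date, notice window, annual cost) and vendor end-of-life dates, and produces a prioritised list of findings covering unlicensed and under-licensed software (compliance exposure), overpaid and unused entitlements (recoverable spend), approaching or already-missed notice deadlines, and end-of-life software still running. Every product name, host, date and price is constructed, and the review date is an assumption.

```python
# Added example (not from the article or Orro): reconciling discovered software
# against entitlements, renewal notice windows and vendor end-of-life dates.
# All products, hosts, dates and prices are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2026, 5, 15)     # assumed review date for this example
RENEWAL_HORIZON_DAYS = 90     # flag notice deadlines falling within this window


@dataclass
class Entitlement:
    product: str
    seats: int            # licensed installs or users
    renewal_date: date    # date the contract auto-renews
    notice_days: int      # termination notice must be given this many days before
    annual_cost: float


@dataclass
class Finding:
    product: str
    category: str
    detail: str
    annual_impact: float = 0.0   # recoverable spend, or exposure estimate for gaps


# Constructed discovery output: product -> hosts on which it was found running.
INVENTORY = {
    "ReportWriter": {"host-01", "host-02", "host-03"},
    "LegacyDB 9": {"db-01"},
    "DesignSuite": {"ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"},
    "ShadowChat": {"ws-07"},      # found running, no entitlement on record
}

# Constructed entitlement records from the contract register.
ENTITLEMENTS = {
    "ReportWriter": Entitlement("ReportWriter", 10, date(2026, 7, 1), 60, 12000.0),
    "LegacyDB 9": Entitlement("LegacyDB 9", 1, date(2026, 9, 30), 90, 30000.0),
    "DesignSuite": Entitlement("DesignSuite", 5, date(2027, 1, 15), 30, 25000.0),
    "OldMonitor": Entitlement("OldMonitor", 20, date(2026, 6, 30), 30, 9000.0),
}

# Constructed vendor end-of-support dates.
EOL_DATES = {"LegacyDB 9": date(2025, 3, 31), "DesignSuite": date(2028, 1, 1)}

# Security and compliance exposure sorts ahead of pure cost findings.
PRIORITY = {"end-of-life": 0, "unlicensed": 1, "under-licensed": 2,
            "notice-missed": 3, "renewal-window": 4, "overpaid": 5, "unused": 6}


def reconcile(inventory, entitlements, eol_dates, today=TODAY):
    findings = []

    # Step 2: installed software versus entitlements.
    for product, hosts in inventory.items():
        ent = entitlements.get(product)
        installs = len(hosts)
        if ent is None:
            findings.append(Finding(product, "unlicensed",
                                    f"{installs} install(s), no entitlement on record"))
            continue
        per_seat = ent.annual_cost / ent.seats
        if installs > ent.seats:
            gap = installs - ent.seats
            findings.append(Finding(product, "under-licensed",
                                    f"{installs} installs against {ent.seats} seats",
                                    gap * per_seat))
        elif installs < ent.seats:
            unused = ent.seats - installs
            findings.append(Finding(product, "overpaid",
                                    f"{unused} of {ent.seats} seats unused",
                                    unused * per_seat))

    # Step 3: renewal dates and notice windows, plus entitlements with no installs.
    for product, ent in entitlements.items():
        if product not in inventory:
            findings.append(Finding(product, "unused",
                                    "licensed but not found anywhere", ent.annual_cost))
        deadline = ent.renewal_date - timedelta(days=ent.notice_days)
        if today <= deadline <= today + timedelta(days=RENEWAL_HORIZON_DAYS):
            findings.append(Finding(product, "renewal-window",
                                    f"notice deadline {deadline.isoformat()}, "
                                    f"renews {ent.renewal_date.isoformat()}"))
        elif deadline < today < ent.renewal_date:
            findings.append(Finding(product, "notice-missed",
                                    f"notice deadline {deadline.isoformat()} has passed; "
                                    f"auto-renews {ent.renewal_date.isoformat()}"))

    # Step 4: end-of-life software still running in the environment.
    for product, eol in eol_dates.items():
        if product in inventory and eol <= today:
            findings.append(Finding(product, "end-of-life",
                                    f"vendor support ended {eol.isoformat()}; "
                                    f"running on {len(inventory[product])} host(s)"))

    return sorted(findings, key=lambda f: PRIORITY[f.category])


def recoverable_spend(findings):
    """Annual spend released by cancelling overpaid or wholly unused entitlements."""
    return sum(f.annual_impact for f in findings
               if f.category in ("overpaid", "unused"))


if __name__ == "__main__":
    results = reconcile(INVENTORY, ENTITLEMENTS, EOL_DATES)
    for f in results:
        print(f"{f.category:15} {f.product:14} {f.detail}")
    print(f"recoverable annual spend: {recoverable_spend(results):,.0f}")
```

On the constructed data the end-of-life database and the unlicensed chat tool sort to the top, ReportWriter is flagged both as overpaid and as having already missed its notice deadline (so it will auto-renew unless the vendor is contacted), and the recoverable spend from the two cost findings is reported separately from the compliance exposure. In a real review the inventory would come from the discovery tooling and the entitlements from the contract register; the notice-window check is the piece most teams lack, and it is the one that determines whether a finding can still be acted on before June 30.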
This is not an indefinite programme. A focused SAM review, properly scoped, can be completed in a matter of weeks. The output is a clear picture of the licence estate, a prioritised list of actions before June 30, and the contractual intelligence needed to negotiate from a position of knowledge rather than assumption.
The savings identified through a well-executed SAM audit also carry forward. Licences cancelled now are licences that do not auto-renew next year. Entitlement records corrected now are the foundation of a more governable estate in FY27. The discipline, once established, compounds.
The gap between what an organisation thinks it holds and what a proper licence review actually reveals can be confronting. I have seen environments where the divergence runs into six figures of annual overpayment — and others where the security team was unaware that a category of software in production had reached end-of-life and stopped receiving patches more than a year earlier. Neither situation is unusual, and neither is the result of negligence. It is the result of complexity accumulating faster than governance catches up. The honest conversation going into EOFY is not “do we have a SAM problem?” Most organisations do. The question is whether they find it before their vendor does.
If the licence estate described in this article feels familiar, the most practical next step is a structured self-assessment before your next renewal cycle closes. The EOFY Technology Audit Checklist: 40 Questions to Ask Before You Sign Anything includes a dedicated software licensing domain — it is a useful starting point for any team that wants to identify gaps before they commit. For organisations that want independent licence review before EOFY renewals commit, Orro’s ValidPro® service provides procurement and licence validation independent of the vendor relationship. The CFO’s Technology ROI Guide: Making Smarter Decisions in the Final Quarter covers the broader framework for intelligent EOFY investment decisions, including software asset governance as one of five core disciplines.
Orro helps Australian organisations get control of their software licence estates — from independent licence validation and renewal review through to procurement, managed services, and security. To have an upcoming renewal or hardware quote independently validated, visit ValidPro® at orro.group/validpro. To speak with our team about your broader FY26 close-out or FY27 planning, visit orro.group/contact or reach out to your Orro account manager directly.
Further Reading
- Are You Overpaying for Your Microsoft Licensing? — A deeper look at the most common source of licence overspend in Australian enterprise environments, with practical guidance on reviewing your Microsoft entitlements.
- ValidPro® — Independent Procurement and Licence Validation — Orro’s independent service for validating renewal quotes, hardware pricing, and software licence positions before you commit.
- How to Reduce Your Business’ Telco Costs — The same contract-review discipline applied to telecommunications — relevant to any organisation conducting a broader pre-EOFY spend audit.
- BSA | The Software Alliance — Reports — Primary source data on global and regional software licence compliance rates; registration may be required for full report access.