An OpenText audit rarely opens with a negotiation. It opens with a notice, a short clock, and a request for records. The contract gives the vendor seven days notice before an audit and the right to copy relevant records, and the way you spend that first week shapes every number that follows.
The seven day notice is not a courtesy. It is the start of a controlled process the vendor has run many times and you have likely never run at all. The asymmetry is the point. By the time the notice reaches your inbox, OpenText has already formed a view of where your estate is likely exposed and what the opening finding could be worth. Your task in the first week is not to prove compliance. It is to slow the process to a pace you can manage and to make sure nothing leaves your organization unmanaged.
Read the notice for what it actually says
Most notices cite the audit clause in the agreement, name a window, and ask for an initial set of records or a self assessment. Before anyone replies, separate what the contract entitles the vendor to from what the notice merely requests. The agreement typically grants seven days notice and the right to copy relevant records. It does not usually grant the right to install measurement tooling on your network on demand, to interview staff without scope, or to receive raw exports of every system the moment they ask. The gap between the contractual right and the opening request is where many findings are quietly inflated, because data handed over early is data that cannot be unhanded.
This is also the moment to confirm who at OpenText is driving the process. A compliance review is normally run by a Compliance Manager who prepares the entitlement and support position and then runs a true up negotiation. Knowing that the person on the other side has a defined commercial objective changes how you read every request.
Freeze the channel
The single most valuable thing you can do in week one is to close every informal line of communication. Administrators answer technical questions in good faith. Procurement forwards a spreadsheet to be helpful. A well meaning architect joins a call and confirms a deployment detail. Each of these is a data point the vendor can build on, and none of it is coordinated. Route everything through one named contact and one controlled channel so that every response is reviewed before it leaves. We set out why this matters in choosing a single controlled channel during an audit.
Nothing reaches the vendor unreviewed. One channel, one voice, one record of what was asked and what was sent. Every exception to that rule becomes a line in the finding.
Bring experience into the room on day one
The asymmetry of an audit is not only about data. It is about repetition. The vendor's compliance function has run this process hundreds of times and refined every step, while most buyers face it once in the life of an agreement. That imbalance is felt most acutely in the first week, when the requests look reasonable, the deadlines feel binding, and there is no internal precedent to measure them against. The remedy is to put someone in the room who has seen the process from the other side and knows which requests are contractual, which are merely customary, and which are reaching past the agreement entirely.
This is also the week to assemble your own small, disciplined team rather than a wide one. Counsel to read the clause, an asset manager to pull entitlements, and one or two technical leads who can describe the estate without speaking to the vendor directly are usually enough. A large, uncoordinated group multiplies the surface area for stray admissions without improving the analysis. Keep the circle tight, keep the channel single, and keep every outbound message under review.
Decide what you are obliged to provide
Compliance is treated in the EULA as the sole responsibility of the licensee, which means the burden of demonstrating the license position can fall on you. That cuts both ways. It obliges you to engage, but it does not oblige you to accept the vendor's framing of the metric or its method of measurement. Distinguish records you must produce under the audit clause from analysis the vendor would like you to run on its behalf. A vendor self assessment script counts what is present in a system. An effective license position counts what is actually entitled and used. Those are different numbers, and the difference is usually the finding. Running the vendor's script first concedes the framing before the argument has started. The disciplined sequence is described in building an effective license position before the vendor script runs.
Map the exposure before you answer
Use the notice period to build your own picture rather than the vendor's. Identify which products are named, pull the governing agreements and any Additional License Authorizations, and reconcile deployed instances against entitlement. Strip out the populations that rarely belong in a defensible count, including service and system accounts, dormant users, non production environments, disaster recovery standbys, and decommissioned systems. You will not finish this in seven days, and you do not need to. You need enough of a map to answer the opening requests narrowly and accurately, and to recognise when a request reaches past the contract.
What you can and cannot be compelled to share is worth understanding precisely, because overbroad requests are common and rarely challenged. We cover the boundaries in what OpenText can and cannot demand during an audit.
Set the tempo for the weeks that follow
The seven day clock controls when the audit begins, not how fast it must resolve. A reconstruction of the license position commonly takes three to eight weeks, and a rebuttal of the finding four to twelve. Acknowledge the notice promptly, agree a realistic schedule, and resist the pressure to compress months of analysis into the notice window. A finding built on a rushed self assessment is far harder to unwind later than one challenged carefully from the start.
The first 48 hours deserve their own checklist, since the early reflexes are where most control is lost. We set those out in what to do in the first 48 hours after an audit notice, and the question of who ultimately carries the cost of the exercise in who pays for an OpenText audit and how cost recovery works.
How the response connects to the finding
Everything in week one feeds the number at the end. A controlled channel keeps stray admissions out of the count. A narrow reading of the audit clause keeps premature data out of the vendor's model. A reconstructed license position gives you a credible alternative to the vendor's self assessment. Each ECM, Fortify, ArcSight or COBOL product line is then defended on its own metric, but the discipline that makes that possible is set in the first seven days. For the full sequence across every track, see the complete OpenText audit defense playbook and our OpenText ECM and Documentum audit defense track. If a notice has already landed, you can open a case and we will take over first contact within the notice window.
If you have received an OpenText or Micro Focus audit notice, the first seven days matter more than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, reduced the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.