Reconciling ArcSight entitlements before an audit
The strongest position in an ArcSight audit is the one you build before the audit reaches a number. Reconciling ArcSight entitlements before an audit means knowing exactly what you are licensed for, what you are running, and where the two diverge, so that when a finding arrives you are correcting it rather than discovering it. The reconstruction is not a reaction to the vendor. It is the baseline the vendor has to argue against.
OpenText gives seven days notice before an audit and the right to copy relevant records, and the EULA treats compliance as the sole responsibility of the licensee. That responsibility is also leverage: the licensee who has already reconciled entitlements to deployment controls the facts. Reconciling ArcSight entitlements means assembling the contractual position, the Additional License Authorizations where Micro Focus products are in scope, and the live operating data, then comparing them on terms the contract supports rather than terms a vendor script prefers.
What an entitlement reconciliation actually assembles
A reconciliation pulls together several distinct records. The entitlement itself, expressed as an EPS rate for ESM, a daily volume for Logger, connector counts, and any user populations. The contractual definitions of each metric, including whether EPS is sustained or peak and whether a burst allowance is defined. The live operating data: ingestion statistics, the connector inventory, node configuration, and identity views. And the history of changes, including decommissioned sources and migrations that left residue. Only with all four can you state your effective position with confidence, which is the goal of preparing an ArcSight entitlement reconstruction.
An organisation that knows its sustained EPS, its active connector count, and its normalised Logger volume, each documented against the contractual definition, can meet a finding with evidence on day one. An organisation that learns those numbers from the audit report is negotiating from the vendor's framing instead of its own.
Why reconstruction must precede measurement
The order matters. If a vendor measurement script runs before you have reconstructed your position, the script's reading becomes the baseline and you spend the engagement arguing it down. If you reconstruct first, you set the baseline and the vendor argues against your evidence. This is the core of our method and the reason we respond and reconstruct before we rebut. It is the same sequencing that protects you when you are asked to complete a questionnaire, as we describe in how OpenText measures ArcSight in a self assessment.
The metric definitions to settle in advance
Reconciliation is where you settle the definitions that decide a finding. For EPS, establish whether the entitlement is sustained or peak and document your sustained rate, the foundation of ArcSight EPS burst versus sustained measurement. For volume, establish raw versus normalised and identify duplicate and non production sources. For connectors, build the active production inventory and remove decommissioned and duplicate entries. For identities, classify the user population against the named or managed user definition. Settling these in advance means the audit cannot reinterpret them upward.
How the four operations apply to a reconciliation
Reconciliation is the reconstruct operation done proactively. We respond readiness by establishing a single controlled channel and a process for any vendor contact. We reconstruct the effective position across entitlements, definitions, and live data. We prepare to rebut by documenting the evidence for each metric before any finding exists. And we position to resolve by knowing in advance where the defensible figure sits, so a settlement reflects the contract rather than the opening claim.
A representative pattern
In a recent engagement, an organisation that had reconciled its sustained EPS and active connector inventory ahead of an audit met the opening finding with documented figures rather than estimates, and the finding tracked the reconciled position closely. The contrast with reactive engagements is stark: our anonymised banking matter, case file E-03, began at $6.0M and settled at $1.8M, a 70 percent reduction, precisely because the reconciliation work that should precede an audit had to be done under pressure afterward. Doing it first is faster, cheaper, and stronger.
The checklist for an ArcSight reconciliation
- Entitlements. EPS, volume, connectors, and users, with the contractual definition of each.
- Live data. Ingestion statistics, connector inventory, node configuration, identity views.
- Exclusions. Decommissioned connectors, duplicate sources, non production and standby components.
- Channel. A single controlled channel for any vendor contact, established before notice arrives.
Reconciliation as leverage, not just compliance
It is easy to think of an entitlement reconciliation as a defensive housekeeping task, something done to avoid trouble. It is more than that. A reconciliation completed before a notice arrives is leverage, because it determines who controls the facts when the audit begins. The party that can produce a documented sustained EPS rate, a clean active connector inventory, a normalised volume figure, and a classified identity population is the party that sets the baseline. The other party is left arguing against evidence rather than presenting its own.
That leverage is valuable precisely because the remedy stacks. A deemed shortfall is priced at list, with back maintenance, a first year of forward maintenance, and audit costs added. A baseline that is too high inflates every layer of that calculation, and a baseline that is documented and defensible holds every layer down. Reconciliation done in advance is the cheapest, fastest, and strongest version of the same work that would otherwise have to be done reactively, under the seven day clock, against a number the vendor has already fixed.
Reconciliation is also the foundation of a clean conversion. The same documented position that defends a finding becomes the basis for an OpenPass agreement with the metrics defined and the active inventory agreed, so the next audit starts from a baseline both sides already accept. Work done once, before the first notice, pays forward across every engagement that follows, and it turns each subsequent audit into a confirmation of a known position rather than a fresh and expensive discovery exercise.
Want to reconcile before an audit arrives?
The reconciliation you do before a notice is the baseline the vendor has to argue against. We build the effective ArcSight position with you, through our ArcSight and Security audit defense. To start the work before the seven day clock, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security cluster go deeper on building and documenting an entitlement position. Each links back to the complete OpenText audit defense playbook for 2026.
- preparing an ArcSight entitlement reconstruction
- documenting sustained EPS for an ArcSight rebuttal
- how OpenText measures ArcSight in a self assessment
- what records OpenText copies in an ArcSight audit
- reducing an ArcSight finding with throughput evidence
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.