Audit Mechanics · Rights & Limits

What OpenText can and cannot demand during an audit.

Published 2026-05-29 · By OpenText Audit Defense · Buyer side only

An audit notice arrives wearing the authority of the contract, but the opening ask almost always reaches beyond what the contract actually grants. Knowing the difference between the vendor's contractual right and the auditor's opening request is the single most useful piece of knowledge a buyer can hold in the first weeks of an OpenText or Micro Focus audit.

The audit clause in most OpenText agreements is short. It grants a defined notice period, a right to verify compliance, and a right to copy relevant records. The licensee carries the obligation to be compliant. That is the structure. Everything an auditor asks for should be measured against it, because the gap between what the clause says and what the request demands is where you hold the line without being obstructive.

What the contract typically does grant

Three things are usually clear and not worth contesting. The vendor is entitled to seven days' notice before an audit begins. It is entitled to verify compliance with the license terms. And it is entitled to copy relevant records that bear on that compliance. Alongside these, the EULA places the burden of compliance squarely on the licensee, which means you are expected to be able to demonstrate your position rather than wait for the vendor to disprove it.

These rights are real and a credible defense respects them. The aim is never to deny the vendor what the contract gives it. The aim is to give exactly that, accurately and on a controlled schedule, and nothing more. The notice period itself is worth understanding in detail, because the clock and its pressure are managed deliberately in "how to respond to an OpenText seven day audit notice".

Where the opening ask overreaches

The request that arrives with or after the notice is typically far broader than the clause. Auditors commonly ask to install or run a measurement script across the estate, to receive complete user and configuration exports immediately, to interview administrators and architects directly, and to be given access to systems for their own inspection. None of these is automatically authorised by a right to verify and copy relevant records, and several of them shift control of the process from you to the vendor in ways the contract never required.

A right to copy relevant records is not a right to a self assessment script, an open ended export, or an interview with whoever answers the phone. The word that does the work is relevant.

The most consequential overreach is the self assessment script. Running the vendor's tool against your systems produces a measurement defined entirely by the vendor, on metrics the vendor chose, before you have built your own position. It hands the framing of the finding to the other side. The correct sequence is to understand and reconstruct your own effective license position first, which is the whole point of building an effective license position before the vendor script runs.

Relevant is a word you are allowed to contest

The contract's reference to relevant records is a boundary, not a formality. A request for every account across every environment, including non production, decommissioned, and disaster recovery systems, is not self evidently a request for relevant records. Whether dormant accounts, service accounts, read only users, or test environments are relevant to the licensed metric is exactly the question the audit is meant to answer, not a premise you are obliged to concede at the start.

This is why scoping matters before producing anything. Each request should be narrowed to what genuinely bears on the licensed metric, and ambiguous populations should be identified and held back for analysis rather than handed over and argued about later. The way those populations inflate a finding when they are not contested is a recurring theme, and indirect or non human access is its own large category, addressed in "indirect access in OpenText and Micro Focus audits".

You control how, when, and through whom

Even where the vendor has a clear right to information, the contract rarely dictates the mechanics. You generally decide how data is produced, in what form, on what schedule within the notice constraints, and through which people. That control is exercised through a single point of contact so that the organization speaks with one voice and no individual is pressured into an unmanaged answer. The discipline behind it is set out in "choosing a single controlled channel during an audit".

Direct access to staff is the clearest example. An auditor may request interviews, but the contract seldom compels your administrators to answer technical questions on a call. Routing those questions through the channel, answering in writing after consideration, and declining to provide live commentary is entirely consistent with cooperating on the audit. It simply prevents the casual statement that later becomes a line in the finding.

What the vendor cannot do at all

Some things sit outside the audit right entirely. The vendor cannot unilaterally redefine a licensed metric mid audit to capture more of your usage, although it will often present its preferred interpretation as if it were settled. It cannot treat its own measurement output as a binding finding you are obliged to accept. It cannot demand payment before the position has been reconstructed and the finding challenged. And it cannot manufacture a contractual right out of process convenience. These are negotiating positions dressed as entitlements, and recognising them as such is what keeps the audit on contractual footing. How the vendor's team is organised to apply this pressure is described in "inside the OpenText global software compliance team".

What the vendor can do, eventually, is consequential, and it is what makes the discipline above worth the effort. Where genuine noncompliance is established, the remedy is severe: licenses deemed acquired at list price, back maintenance, first year maintenance on the new licenses, and reimbursement of audit costs. That remedy is precisely why you contest the inputs so carefully, and it is explained in full in "the deemed acquisition at list price clause explained".

Cooperate on the right, decline the overreach

The posture that wins is not refusal and it is not compliance with every request. It is precise cooperation: honour the notice, verify compliance, produce the records that are genuinely relevant, and decline politely and consistently everything that exceeds the contractual right. In a recent engagement, simply mapping each auditor request against the clause and producing only what the contract required removed a large share of the opening exposure before any substantive argument about metrics had begun, because much of the inflation lived in data that never needed to leave the building. For how this fits the wider defense across every product line, see the complete OpenText audit defense playbook and our Micro Focus ALA and entitlement review. If you are unsure whether a request exceeds what the contract allows, open a case before you produce anything.

If you have received an OpenText or Micro Focus audit notice, the first seven days matter more than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, reduced the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.
