Vendor Audit Maturity Model
The table below summarises the different results achieved by an organisation faced with a vendor audit depending on their maturity. Success with vendor audits is not only about having sound ITAM processes and procedures in place but also the correct attitude towards the situation, swift action, and strong negotiation.
I welcome your feedback or comments on this model or your experiences with vendor audits, either in the comments section below or by emailing me directly at alerts (at) itassetmanagement.net.
Stage | Characteristics | Vendor Behaviour | Likely Outcome |
Denial | Customer does not recognise the issue until it is too late or worse still ignores the issue hoping it will resolve itself. | Heavy handed compliance tactics, back penalties, possible press exposure. | Crippling penalties. For example |
Surprise Audit | No inventory of assets or purchase history compiled. | Vendor likely to take advantage of lack of information for revenue generation. | Taken to the cleaners. Repeat in 18 months' time. |
Expected Audit | Anticipating an audit for some time. Have limited or incomplete audit and purchase history. | Vendor uses shortfalls / missing information to negotiate upgrades or multi-year tie-in deals. | Vendor-led negotiation. |
Prepared | End user tells vendor what they have, what they need and what they want. For example | Vendors typically walk away and find more lucrative audit opportunities. | Customer-led negotiation. |
About Martin Thompson
Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.
The stages you mention are recognizable, but I do have my doubts about how you describe the characteristics and the vendor behavior. Especially the vendor behavior. I agree that end users have the possibility to control the behavior of the vendor. However, this overview creates the impression that vendors have some sort of guerilla tactics to stimulate unknown use. As if vendors benefit from under-licensing in order to give them control of the negotiation.
Although compliance can lead to revenue opportunities and individual sales reps and even sales managers at vendors would see the benefits, I do not know of any vendor that sees it as beneficial to their business to have under-licensing or illegal usage of their products.
It might be a ‘chicken and egg’ problem, but the reason vendors started to do compliance activities in the nineties was because end-users did not manage deployment & usage and paid accordingly. It did not start with vendors building in traps to stimulate unknown usage or deployment. The actions vendors take are often in response to the (lack of) actions end-users have taken. Having said that, I know that some vendors have taken it to an extreme and I fear with the current economic climate this could become even worse.
Any action to stimulate end-users to take control has my support. Just because it makes good business sense, not just to get removed from an audit list at a vendor. It is to the benefit of both to have a conversation; being well prepared on both sides is recommended. A nice benefit is that vendor auditors will lose interest and most likely act more appropriately. IT is not unique; eventually companies will follow their customers. Customers just need to be prepared to tell them what they have and what they need.
Thanks Mark, I agree with your comment that vendors are not deliberately setting traps for end users, but I also think selling an end user an all-you-can-eat site license to cover their shortfalls is not helping to resolve the underlying issue.
Hmm.
The all you can eat licence proposal after non-compliance has been proved in “test” areas is one tactic I have heard of. Anecdotal evidence of course.
I also think that the practice of making freely available software that customers have not actually licensed (by providing it on media, through the internet etc) could be considered by some to be a form of entrapment. It proves to me the need for good licence and software management.
Mark is right about both sides needing to be properly prepared, and the best position for customers to find themselves is in part 4 of Martin's grid. Unfortunately, most IT depts find themselves in Stage 1.
Off topic – how are you Mark?
This is an interesting article and comments thread. My own experience is that software suppliers have in the past ensured that their contracts contained “gotchas” that enabled them to revisit customer software installations with certainty that the customer would be non-compliant. For example, a group-wide licensing arrangement might include all subsidiaries “at the date of the agreement” (therefore, if the group re-organised later, the subsidiaries list might differ), a “subsidiary” might be defined as “any entity in which the holding company has a greater than 50% shareholding” (this would exclude any subsidiaries with a 50% exactly shareholding) etc. The best way to ensure that vendor audits do not pose surprises is by negotiating appropriate contract terms at the outset (if the intent is for an “all you can eat” licence, list the products and ensure that changes to the group structure that do not result in significantly more users (factor in a percentage growth, say 15%) will not result in non-compliance), ensure that displacement of products by “functional equivalents” is accommodated at no extra charge etc. and manage the software usage via good SAM practices.