ARTICLE: Taking Control of a Software Vendor Audit
Following on from my article last week exploring the different results achieved by an organisation faced with a vendor audit, this article attempts to explain how best to deal with an impending audit.
This is an abridged version of an article published by ManageSoft, who are hosting a webinar with IAITAM on the 28th May. Further details can be found here.
1. Review the contract to understand audit terms and conditions
- • TERMS AND CONDITIONS: Read the terms and conditions to establish whether the software publisher indeed has the right to audit the business in the first place. Understand the terms and conditions of non-compliance
• FINANCIAL PENALTY EXPOSURE: Determine whether there are potential financial penalties. Some vendors impose penalties and/or charge the cost of the audit to the customer if non-compliance exceeds a certain percentage of the total license cost. Non-compliance is very seldom by design, but still represents a potential liability. Knowing the consequences can empower an enterprise to take immediate remedial action.
• DESIRED OUTCOME: Create a clear checklist of the key deliverables of the audit. If the audit goal is to establish an “effective license position”, then information on software installations must be compared to license entitlement data for all applications in question. The data to be collected may include hardware and software inventory, users, purchase order and contract information.
• RESOURCES REQUIRED: Prior to any audit, it is worth asking the publisher exactly how the audit will be performed and what level of assistance will be required by the auditors. Enterprise software audits can consume many staff-months of time during which the IT department collects the requested data.
2. Make sure the software and hardware inventory is up to date
- • IT ASSET VISIBILITY: Software publishers audit businesses to make sure that the software is being used within its license terms and is appropriately paid for. This means that IT departments must have a comprehensive view of their entire IT estate, including hardware, to ascertain how the software asset is being used and whether they are in compliance.
• IT ASSET ACCURACY: To make sure that software inventory is accurate and up to date, the fingerprint of every application installation, which includes file evidence, add/remove programmes and WMI (installer) data, must be analysed and a list of proper software titles generated for each machine.
3. Prepare Proof of Purchase and Licensing Agreements ready for inspection
- • ENTITLEMENT: Prior to an audit, IT departments should ensure that all their paperwork is in order, recorded and easily accessible including paid invoices, receipts of purchases, licensing agreements and certificates – especially soft records of purchases from resellers and publishers. This proof of license entitlement is critical to the reconciliation process.
4. Demonstrate that licensing rules are understood and applied
- • RECOGNISING LICENSE MODELS: A vendor license position requires much more than simply comparing purchases and installations. IT departments need to be able to demonstrate that license types, e.g. device based, named user, processor based or concurrent user, are understood in conjunction with the computing environment such as virtual machines, multi-processor machines, user communities, and physical locations. For example, Oracle database administrators must be able to show that they understand and meet the per processor minimum for Named User plus (NUP) licenses.
• UNDERSTANDING USAGE RIGHTS: Demonstrating that both rights of usage as well as limitations of usage are understood and applied across the IT estate will instil auditor’s confidence in the company. For example, the IT department must be able to show that upgrade rights and rights of second usage are applied correctly. Similarly, the IT department should demonstrate that license usage restrictions – for instance, limits on the number of virtual instances per physical host server – are respected.
5. Explain what SAM policies and procedures are in place
- • SAM SYSTEMS: Enterprises should show documented corporate policies and procedures for software asset and license management. These could include frequent hardware and software inventories, centralized procurement, periodic license reconciliations (monthly, quarterly, etc.), software download and installation processes, employee education programs, and internal audits.
• END USER EDUCATION: Lack of IT policy communication to employees and end user monitoring and control are common oversights on the part of IT departments. On the other hand, by educating employees on what they “may” and “may not” install, central IT can prevent rogue installations, which often jeopardize enterprises’ compliance status.
• SAM FIRE DRILL: A good way to overcome inadvertent license breaches is to conduct scheduled internal IT audits. This not only ensures that the enterprise is always ‘audit-ready’, but also reinforces the importance of adhering to IT policy to employees.
6. Don’t remove software from computers; don’t start a shopping spree
- • REMOVING EVIDENCE: Often, when IT departments find that they are out of compliance, a knee-jerk reaction is to instantly remove installed software from computers, just prior to an audit. However, removed software is easily traced by auditing companies, making them suspicious, which leads to further scrutiny. Instead, pre-empting such a situation is the better option.
• COVER UP Alternatively, in their efforts to be compliant just before an audit, IT departments often make purchases of software they need. However, it should be noted that only purchases made before the date of audit notification are considered by the auditors. Therefore, hasty purchase decisions are best avoided.
7. Automate software asset management
- • PREVENTION RATHER THAN CURE: Software license compliance is complex, and this complexity will only increase as more complicated IT infrastructures such as virtualization and cloud computing take hold. Manually managing software asset management and compliance is a time consuming and onerous task, ridden with costs and risks. In general, by the time a manual assessment of an enterprise’s license position can be obtained, it is already out of date. IT departments should look to adopt tools that automate these processes to ensure on-going license compliance.
If you would like to add any other tips for preparing for a software vendor audit then please use the comments field below or contact me privately at alerts (at) itassetmanagement.net.
Photo Credit
Related articles:
80% of software policies overlook mobility
Invested in SAM but still failing? – How to forecast and manage future asset demand
Call for speakers: Wisdom Australia 2019 & USA 2020
GitHub Open Source licensing tool
Discovery, software recognition and optimisation in a SaaS world
Microsoft 2019 servers – on-premises lives on!
- Tags: Vendor Audits
About Martin Thompson
Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.
When conducting software inventory be careful with tools that generate
false positive results and also those tools that rely on the add/remove programs area and the registry. The data generated from both the
registry and add/remove areas is often incomplete and inaccurate so you need to ensure that you create accurate inventories of what is
actually installed on a system.
I can appreciate the value of this article, but I disagree with several points.
A
licensor not only has the right but an obligation to protect its proprietary interests in and to the intellectual property it licenses.
It is equally important to note that licensees should have control over:
➢ the auditor’s adherence to corporate
policies and procedures
➢ expulsion of a non-compliant auditor
➢ the duration of the audit
➢ the timing of the audit
(e.g. never at quarter/year end)
➢ the qualifications and relationship (to the vendor) of the auditor
➢ what the
auditor is permitted to access
➢ how that access is granted (e.g. accompanied at all times by licensee management or a
staff member; NEVER remotely)
➢ who pays for the audit (good or bad outcomes)
➢ what percentage of overuse would be
subject to penalties
➢ the grace period before penalties are assessed
➢ dispute resolution resulting from a “bad”
outcome
I could go into an explanation of each bullet point above, but that would take up too much space for a commentary and
would be advisory in nature. Each licensee has unique conditions and limitations (e.g. some smaller firms may not have a corporate
policies and procedures manual that would have to be provided to the licensor’s auditor prior to an audit).
I believe that any
organization undergoing or about to undergo a vendor audit should bear in mind, that unless certain terms have been agreed to up front,
there is a good chance that penalties and even the cost to conduct the audit may be borne by them.
With that said, it should be
clear to your readers that it’s never too late to amend existing contracts to include audit terms and conditions that clearly state the
rights of BOTH parties. I strongly urge them to do so as both the demand and supply sides of the marketplace are feeling the pressures
of our current economic times. Forget about setting a flag or causing suspicion by amending the license agreement. Your readers should
assume that their vendors are always suspicious of overuse. That’s why they have incomprehensible license agreements. My advice is to
use a third party expert in this field – preferably a third party that has no vested interest in the sale of more products as that would
create a conflict of interest. A neutral party that is recognized by industry players as an expert would take the pressure off of the
licensee and emphasize the licensee’s commitment to license compliance and the written agreement with their vendor/licensor. This
process is a proactive move in the right direction, intended to mitigate risks and reduce spending.
Also, one of your readers made
a very valid and important comment regarding the tools used to conduct an audit. Although the caution pertained to an internal audit,
the tools used by the vendor/licensor should also be reviewed and researched for any known flaws as the outcome could result in
overpayment by the licensee.
Good luck to you all!
They are great additional observations.
The key clarification I
would add is that vendor audits can fall into two categories;
Category A; hostile audit in response to an internal tipoff from a
disgruntled employee
Category B; a “fishing expedition” based on “it’s your turn to be audited” based on their random audit
schedule
Depending on which type of audit that occurs will determine whether and how any of the strategies outlined across the
article (and the feedback so far) can be implemented and deployed to be effective.
Leaving it to the time of an impending audit
(which isn’t the suggestion made by the article) is too late, but this stating the bleeding obvious!
Having said that, many do
leave it too late, and then try and run around to implement some of the strategies outlined, and fail dismally!
Many of the fines
and settlements made are arbitrary assessments (weighted in favour of the vendor) rather than factual full counts and in some cases we
have seen instances where organizations have been penalised by poor housekeeping. They have “paid up” to get them out of the premises due
to the duration and inconvenience caused!
Rule of thumb based on what we have seen having been in this industry (anti-piracy
advice) since 1991 puts the cost of a full audit/fine/settlement and license true-up, plus the cost of staff, legal fees, reconciliation
etc to be around 3 to 4 times (in some cases higher) the value of the under-licensed software.
If the vendor is auditing you
under “Category A” they can do this with their own legal counsel and/or use a legal instrument as the means to gain entry to premises (an
Anton Pillar order) and you have a maximum of one hour to have your lawyer attend.
Under this type of legal instrument (Anton
Pillar order) they can seize assets and remove them from your premises, which can render a lot of your defence useless. This means that
in this case many of the steps outlined in the article are not capable of being deployed at the time or just before the time of the
audit. In this instance the licensee CANNOT control the situation or teh timing of teh audit ie; go away it’s end of year / end of
quarter.
Best advice we can give is to be well prepared, well in advance with good housekeeping and good SAM management so as to
minimize the risk of the audit situation. A good SAM program and regimen will help identify if you have over-licensed applications (paid
for more than you actually need) in which case you can trade-off the costs of running an effective SAM program vs the cost of license
saved.
We don’t sell SAM solutions (but we do recommend them for our clients) – we offer independent audit tools for auditors.
Leaving aside the legalities of the audit/review…
I’d
probably add to the “Don’t buy to cover up” scenario by saying that what you learn about what you don’t have (ie. what you may be
underlicensed) can also be used in negotiations that MAY take place at the end of the audit. Use your new found information to assist you
in any way you can. Incorporate what you need to buy to become compliant into future licensing discussions.
Above all, I would
suggest that the best approach is to be ethical and honest. Playing avoidance games or trying to delay things without good reason really
doesn’t do anyone any favours – you or the vendor (or the third party trying to help in the middle). The more co-operative you are, the
more relaxed and willing to assist the vendor is also likely to be. Communication is the key!
Heather
Conductor of hundreds of
vendor based license reviews – now happily working for the other side! 🙂