The Dreaded Audit Request
This article has been contributed by Sandi Conrad of Conrad & Associates.
Sandi is the author of the “SAM Starter Kit” published by The ITAM Review.
So, you’ve just received a call from your software publisher that went something like this:
“Hi. I’m the software asset management rep from Microsoft, and I’d just like to chat with you for a few moments about your software asset management processes. I’m looking at a report of your purchases from the past few years and would like to know how many desktops your company has right now.”
Immediately, your stomach does a flip, you check your calendar to see if you can clear your schedule over the next month and you wonder at what point of non-compliance they send CIOs to prison.
Will you be lucky enough to be in with the rock stars and CFOs or will you be in with the general population?
First: in the words of the great and wonderful Douglas Adams “Don’t Panic.”
Secondly: in almost all cases, they do actually want to work with you, not against you. Of course, it will help their bottom line if you need to fill a gap in your license inventory, but in reality they are looking at ways to solidify the relationship, ensure that you are comfortable with the information you have on how to license the products and keep you from being so far out of compliance that you can’t find budget to fix it. They want their customers to be happy and continue to use their product, but use it according to the end user agreements too. After all, they’ve spent a ton on research and development to make your employees more productive.
I’ve worked with clients who have had internal audit requests from vendors and who have called me in a panic, and we’ve been able to resolve most of the issues very quickly, without need for legal representation. Here’s some advice to help you should this call happen to you.
- Be friendly and co-operative. If they think you are trying to hide something they will be more likely to pursue the information aggressively. No one wants to be the bad guy and they are not necessarily targeting you for any particular reason. It may just be that they have finally hit your company name on their alphabetical list of clients. If you don’t know the answers, ask them for a few days to check into the finer details and call them back.
- Ask your software publisher and vendor for help. You should be able to get reports from both that you can compare to each other and that you can compare to your inventory. This is especially important if you are looking at a combination of purchasing options such as license, subscription, retail boxes and OEM. The publisher most likely will only have license or subscription on file.
- Review your internal processes and see where there is room for improvement. Do you have a corporate anti-piracy policy? Do you have employee communication and sign off? Do you have a controlled software distribution process? Do you have appropriate SAM tools in place? (How quickly can you get these in place?)
- If your software really is out of control, contact a SAM partner to assist. They know what to look for and the fastest way to find it. They will know the questions to ask about how you are using the software to decide if you are licensed appropriately. They will also be focused on your issues without other “regular, day-to-day, work” getting in the way, like what your IT staff might be facing. Plus they can act as liaison between you and your publisher on the sketchier issues.
- Communicate fully with the software publisher. If they know that you have put strong policies in place and that you are getting assistance from someone in the field, or have someone dedicated for XX amount of time, they will most likely back off and give you some space to determine your compliance situation. They will be less likely to impose unrealistic deadlines, fines and retroactive charges if they know you are taking the license issues seriously.
Sandi has been in the software business since 1991 and was one of the first Software Contract Administrators in Canada.
She has been providing consulting services since 1996, helping hundreds of clients to understand their obligations and rights under a myriad of contracts, and comparing licensing programs to find the most advantageous options for her clients.
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
From what I hear, the large software companies are setting up teams to actively target accounts to raise
Mike, it’s a given that in a down economy as we’re in, that software companies will ramp up their customer compliance audits to capture that “low hanging fruit” for revenue generation. They’ve been doing it since the mid- to late-90’s and once the program is in place, it becomes addicting for them to continue the practice on a full-time basis.
I posted a similar article to Sandi’s back in March 2008, but more from the perspective of what the publishers’ compliance/sales teams are being trained to look for in their targeting. It can be found at:
The key to ease the pressure of a request is to always have an accurate picture of what you have and what is being used. For many, this is a lot easier to say than achieve! Many organisations invest in a manual process to get a snapshot of this but it is so painful and time consuming that they are not keen to repeat the exercise. Therefore it quickly gets out of date and is prone to errors.
A rapid and repeatable process powered by an automated discovery tool can help you get an initial accurate picture and keep it up to date with no disruption to your day to day operation.
If you have the facts you can take action as it is needed, not when it is forced on you. Automated Accuracy = No Fear Audits
Well, yes and no, Andy (congrats on getting certified by LMS by the way).
An automated tool is important, but its main purpose is to give you some certainty that the data discovery element is correct, and that human error in this has been eliminated. Which is, of course, hugely important. It also saves a lot of time.
Having all the data can still be like staring into a ditch if you don’t know what you are looking for. As a licensing consultant, my work only really starts when the data is returned. Also, good data doesn’t interpret your contractual obligations (which can work both for and against you).
You can only be audited on the contract you signed, not on today’s Ts&Cs. A vendor’s approach to usage (what actually constitutes an installation for example?) can often be hidden in their own internal documentation.
Having the skills to interpret the data (particularly when dealing with usage within data centres) – that is still a key element to ensuring both compliance and protection from over eager audit functions and sales people.