What REALLY Happens During an Audit (Part 1 of 3)
This article has been contributed by Kylie Fowler. Regular columnist and Analyst at The ITAM Review.
1. I’ve had a request for an audit… what do I do now?
Most audit requests come through as a letter or an email addressed to a senior manager or Officer of the company. If it doesn’t look sufficiently formal, ask them to resend it! Most SAM managers don’t have the authority or legal power to accede to an audit request.
Sometimes the audit request is just a phishing expedition and you can and should push back, particularly if the request has come through from a local subsidiary of the vendor to an international subsidiary but you purchase centrally. If the vendor’s local subsidiary persists, then have a strongly worded discussion with your global account manager about revenue sharing, and make it clear to the Global Account Manager that they either audit the entire company or not at all. Yes, you did read that correctly… make it clear to the Global Account Manager that they either audit the entire company or not at all. i.e. If your vendor asks to audit your Italian subsidiary – state a global audit or not at all.
But isn’t that like raising a red flag to a bull? No, it isn’t. Not at all. That’s because of the way Account Managers are incentivised. A large proportion of your Account Manager’s salary will be commission based – that is, they will receive a percentage of the purchases you make with the vendor. Audits are nasty things, and they have huge potential to sour your relationship with the vendor which means you might buy less from them in future. This will have a direct affect on your Account Manager’s take-home pay.
But even worse, once a formal audit is declared, your account will be handed over to an auditor from the Vendor’s Audit department. Audit departments are deliberately kept very separate from Sales to ensure they are objective during the audit. Auditors themselves are often (but not always) recompensed based upon the size of any shortfall identified, and hence the number of licenses purchased as a result of the audit. Your Account Manager may not see a penny of commission for any product purchased through an audit.
So you can see why Account Managers HATE audits. Not only does it affect their relationship with your company, but they also often don’t get a share of the sales that result from the audit – this goes to the auditor.
Which brings me to another point that it is very important to understand: once you have received the formal audit request, the focus of the audit is to raise revenue.
Vendors audit for two reasons:
- a) the possibility of an audit is a deterrent to software cheats and incentivises genuinely honest companies to tighten up their processes to ensure they are compliant; and
- b) Audits raise revenue for the vendor.
The deterrent value of an audit comes mainly from the potential of an audit, not the audit itself! Because audits are very expensive, a vendor doesn’t undertake them lightly and if you have received a request for an audit it is no longer about the deterrent value of an audit, but because the vendor has decided that there is a strong chance that an audit of your company will bring in more money than it will cost to carry out the audit. Once you are in the audit process the vendor will do everything they can to maximise the revenue they receive from the audit. The long term relationship often becomes a secondary consideration because of cost of the audit and the way the auditors are incentivised.
Kylie Fowler
2. Determine your Audit Strategy
So the request has come in, and the audit is definitely going ahead. You will probably be asked to attend a meeting with the auditor, where they outline the audit process. A lot of vendors have very tight timelines (to minimise costs), but if you are a large or particularly complex company the timeline is almost certainly unrealistic.
Prior to the meeting, determine your preferred audit strategy. I would suggest putting together an internal team to manage the audit, with a senior IT or procurement manager as sponsor.
Your audit team need to consider the following:
- Do we acknowledge that we have license shortfalls and do we know the extent? If so, should we try and negotiate a settlement rather than go through a protracted audit? What costs are we willing to settle for? You will need to determine both your initial offer (the lowest figure you think the vendor would accept) and the highest offer you are willing to make (above which you would prefer to do a full audit)
- Do we run the audit internally or get in external consulting assistance? Do we have the expertise in-house? If not, what would be the costs of an external consultant? What are the benefits?
- Do we use our own discovery data, or will we need to rely on the vendor’s discovery tool? If so, how will this affect the estimated timeline and costs for the audit eg what time will be required for testing and getting the tool through the Change Approval Board?
- Do we have a good understanding of what entitlement we own or will we need to rely on the vendor / resellers? How will this impact estimated timeline and costs for the audit eg if you are relying on resellers, how many are there and how long will it take to get data from them? How reliable is it likely to be? How will we validate the accuracy of data received from both internal and external sources? How long will this take?
- Will we ask the vendor to do the actual reconciliation, or would we prefer to pay a third party to do it (note that this will almost always be the vendors preferred option as it reduces costs!)? If so, what will the costs be? What are the benefits? If we let the vendor do it, do we have the skills in house to ensure we can assess the reconciliation for accuracy or can we leverage the LAR relationship to help us? After all, auditors are human, and like everyone they make mistakes!
- How will we fund any shortfalls? Will we need to give business units and IT groups a chance to review the reconciliation to ensure they recognise the validity of any shortfalls? What level of sponsorship do we need to ensure any large purchases of licenses required to remediate shortfalls is prompt and not held up because of signatory authorisation limitations.
Although license terms & conditions often specify that you must pay for an audit, the costs tend to fall where the resource is used (ie you provide data, the vendor does the reconciliation). However in some cases the vendor may agree to pay a portion of the costs, particularly if they insist a third party be engaged to support the audit, so it is always worth negotiating on this point.
Once you have an idea of how YOU would like to carry out the audit, the meeting with the auditor will be much more productive for both of you. If you decide you would like to negotiate a settlement, this is your chance to do so (if the Vendor will accept a negotiated settlement, of course!) or if it is decided a formal audit or an informal licensing review is more appropriate (the difference generally lies in the rules governing the audit and eventual settlement and the vendor will tell you which they want to do) then you can use the time to put together a high level project plan to ensure the audit is completed as quickly and efficiently as possible – which is in the interest of both parties.
Read Part two: ‘Data Gathering’ here.
Related articles:
- Tags: audit · audit process · auditing · kylie fowler · vendor audit · vendors
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.
It is worth mentioning that Account Managers do get paid commission therefore do actually encourage audits…
Quality article Kylie; I’m looking forward to the next installments.
Matt, thinking about it, I think you’re right! But the commission will be shared with the auditor, and so will be lower than the commission they would get through an equivalent sale.
My experience is Account Managers will try and avoid an audit where possible (so my advice still stands), and once an audit is launched they are pretty powerless to affect the process or outcome, even where it’s obvious the audit is actively damaging the relationship.
Hi Kylie, thank you for this interesting article!
Just one question about the reconciliation. Are you saying we have to provide the vendors with our current usage only and that they do the reconciliation, meaning they have to have the knowledge of our entitlements?
We had recently the experience with a big vendor who not only requested that we provide them with our entitlements but also all the proof of purchases and invoices for the last x years. Is it something we have to reply to?
Working within a LAR/RESELLER and being the unbiased person in the middle of the customer and the Software Vendor, I have found that often a LAR/RESELLER Account Manager normally gets upset that that their customer has been contacted as they are worried of loss of revenue recognition. But the Vendor Account Manager is often the person initiating the audit as they have not met their Sales Targets or the customer has not met their forecasted spend. However, when the LAR/RESELLER Account Manager gets in touch with the Vendor Account Manager, they quickly see that there will be significant transactional Licensing cost benefits and both Account Managers will see the benefits of the audit.
85% of audits are classed at friendly audits in which a customer may choose which Vendor SAM Partner they want to work with to have the audit performed and generally a Vendor only wants to know products the customer is using and is generally not aggressive. However, where the Vendor does not support the SAM Partners process or accreditation or where an organisation does not co-operate with the Audit is where the Vendor would then engage the organisation directly.
A lot of organisations see the benefit of working with the LAR/RESELLER as the LAR/RESELLER can assist with renegotiating the relevant licensing agreements, or negotiate the mix of Licences as this is due to the LAR/RESELLER having a close partnership with the Vendor. But interestingly enough some customers do not benefit using the LAR/RESELLER when the Account Manager wants to earn as much commission as possible, as the Account Manager will not have the customer’s best interests at heart.
Despite the SAM Manager not being fully accountable for the non-compliance, it is at this point that the SAM Manager should be engaged, to ensure that the correct products and Volume Licensing agreements are being procured as I have seen many senior stakeholders in organisations signing new volume licensing agreements for products they do not need within agreements with lengthy timescales with little room for licensing flexibility. This is where Vendors generally make their money as some senior stakeholders are blind to the business needs. So, it is extremely important that a business has a clearly defined process and policy to ensure that Supply Chain, Procurement, SAM are joined up and working together. And, I talk from being involved in supporting a number of organisations through Vendor audits and being the customer being audited 😉
Thanks for your Article Kylie it was a good read!
OK, I COMPLETELY eat my words about Vendor Account Managers hating audits! Thanks for the comments, Matt, it’s really interesting to see the LAR / Reseller perspective.
Flea – are you a member of the Virtual User Group? Why don’t you join and start a conversation about the audit request you’ve received, then you’ll be able to get the benefit of everyone else’s experience too.
It is not unusual for account managers to flag up audit targets because they have failed to sell in and believe the customer is using more than they are paying for. In that way it is nothing versus some revenue sharing with the compliance manager – why not.