How much of a focus should software audits be for an ITAM manager in 2020 and beyond? Part 2.
Here’s part 2 of what our Wisdom USA sponsors had to say in answer to our question “How much of a focus should software audits be for an ITAM manager in 2020 and beyond?”.
Audits are inevitable. It’s not a question of IF you’ll be audited, but rather WHEN. Once an audit begins, it should be the ITAM manager’s number one priority as a negative outcome can cost their organisation large penalties.
The ITAM manager’s role is to maintain compliance while minimizing costs. They must always be prepared for audits but that is the bare minimum for building out a robust ITAM organization and strategy. By creating an effective IT Asset Management strategy, they can minimize the risk of large gaps in their IT compliance. It’s key that this strategy be built proactively instead of being a reactive response to a negative audit experience.
Relegating an ITAM manager to a solely reactive audit defense role doesn’t serve the organization well. The silver lining of an audit can be that it becomes the catalyst for organizations to invest in and build out a stable ITAM function, enabling this oft-overlooked area to get the executive sponsorship and investment needed to build a program. A successful ITAM manager is proactive, partnered with both IT and the business and has visibility/sponsorship of leadership to support growth and not just reduce costs.
Instead of the audit, focus on your audit risk profile.
I’d love to say software audits won’t be a worry for ITAM managers in 2020 but, while it might be a new decade, vendors are still auditing their customers. SaaS-focused companies might not perform audits – they can see exactly what their customers use in the cloud – but other software vendors use them as a useful tactical lever to get customers into unnecessary cloud spending.
So, you can still expect to get audited every few years.
If you focus on reducing penalties during an audit, then you’re taking an expensive approach to audits. A better mindset is: “I know exactly how much risk or exposure the organization is willing to accept, and I will implement operational measures to identify, monitor, reduce, and control the risk.”
You might have a known exposure of $200,000, but remedying this, short of buying more licenses, would consume a lot of internal resources. So, you roll the dice and hope for the best. Yup, it happens, more often than you’d expect. These are tactical decisions made at executive levels – not to ‘ignore’ the risk but disregard it.
Risk starts with your contracts. Go beyond basic license management and check your contracts’ ambiguity. Ask yourself, “If I read this clause multiple times, to multiple people, do they all understand it the same way?” If not, you have ambiguity that may or may not be to your benefit (likely not your benefit). Why has “SAP indirect access” littered your Google Alerts for the past 3 years? Ambiguity.
Once you’ve found the ambiguous clauses that open the door to risk during an audit, you must choose an interpretation. Google is your friend here. Have others found success (or not) with your chosen interpretation? Ask your legal/contracts team how your organization should interpret that clause. What are the costs/impacts to licensing with each interpretation from your online search? You could take a conservative, risk-averse approach (usually more expensive) or an aggressive approach. I call this determining your Risk Profile. When it’s determined, you will always know your level of risk, even if your organization decides to ‘disregard’ it.
Your Risk Profile exists primarily because of your contracts’ ambiguity, so take action to remove it. I’ve seen major contracts negotiated to modify or include clauses that eliminate ambiguity in vendor wording. You must be a big player, at least large enough to be taken seriously. Such tactics also risk triggering… yup, an audit. So, get your house in enough order that you can play hardball with your vendor, without exposing the risk you’re trying to protect yourself from.
Audits remain a focus for ITAM managers in 2020, regardless of how much of your software is SaaS. You need a compliance management approach that does more than just ‘find’ potential problems, you need one that assigns a cost and risk profile against each problem.
The various cloud delivery models disrupting the marketplace today come with a whole new set of software licensing challenges and complexities. Auditing cloud-based subscriptions is largely uncharted territory and therefore poses its own set of challenges, namely the nuances around IaaS, PaaS and SaaS and where responsibility for compliance sits. Liability will always remain with the customer, but actions by the service provider could have major impacts on compliance.
Publishers will no longer be asking whether you have enough licenses, but rather whether you are using them correctly. For example, acceptable use policies may prevent organizations in the gambling industry from using cloud services with phrasing such as “Customer may not use services for – Illegal Activities. Any illegal activities, including advertising, transmitting, or otherwise making available gambling sites or services.”
“There is little to no precedent set as of yet. As organizations look to the courts to settle all these gray areas, ITAM managers can expect a rise in audits and likely an increase in litigation costs.”
Questions that will likely arise in 2020 and beyond include:
- When you move on-premises licenses to the cloud, liability typically resides with the end user, while responsibility sits with the cloud provider. So, who foots the bill? The cloud provider or the customer?
- Do you use the same metrics for public clouds as for private clouds?
- With IaaS, the customer has shared control over what is run in the cloud environment, but may have control over operating systems and deployed applications. So what rules govern this scenario?
- What about existing “pre-cloud” software-license contracts? Do customers have pre-existing rights to use their software in the cloud?
The devil is very much in the details. The cloud comes with more documents than just the license agreement. All of these need to be properly interpreted and appropriate controls need to be implemented to ensure compliance with new terms and conditions contained in them.
It’s clear to see there is a theme. Audits will continue to be part of an ITAM manager’s life, but they shouldn’t be the primary focus.
The landscape is changing – SaaS, IaaS, PaaS, Containers, Serverless, Low-code/no-code, Open Source (and more) are all impacting the way that organisations see, consume, and manage IT and assets. It is these technologies that IT asset managers must seek to understand and start to implement processes and guardrails to control costs and ensure compliance.
Two things to consider:
- While the large vendors may be moving away from audits, this isn’t necessarily the case for what you might call the “Tier 2” vendors such as Quest, Micro Focus, Veritas. Some of these vendors continue to see audits as a way to increase revenue, particularly where they’ve been acquired by a private equity fund for example, but the knowledge and skills for these product sets is perhaps harder to come by for end user organisations. While you may see fewer audits over the next decade (although that’s debatable), it could well be that they will take more time, money, and effort to defend.
- Cloud brings with it new audit potential. On the SaaS side, we can see that Microsoft are preparing ways to identify and target organisations who are non-compliant with Office/Microsoft 365 – and it stands to reason that other software vendors are looking at the same thing too. Also, as already mentioned, using on-premises software in the cloud means new, different rules come into effect – expanding the audit scope and giving the vendor more targets within your estate.
So software audits will continue, but cloud will potentially make them more difficult AND will require plenty of your time and focus. I think it’s fair to say that, whatever happens, ITAM is going to increase in importance for organisations looking to reduce costs, protect data, and ensure compliance.
About Rich Gibbons
A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!