Crowd sourced audit defence strategies – Survey results part 3/3
Thank you to everyone who contributed to our community survey back in July 2020.
The results were compiled over the summer of 2020 and shared during our online conferences for EMEA, North America and APAC last year. I’m now pleased to share the results in full.
This is part three of a three part series:
- In part one I explained the basics of audit defence (what is audit defence?)
- In part two we explored the survey results (Which software publishers are currently auditing?)
- In this final part I will share audit defence strategies from the ITAM Review community
Survey Introduction – Audit Defence Strategies from the community
The objective of the survey was to understand how the threat landscape had changed as a result of COVID-19. Audits are a tried and tested method of revenue generation for software publishers, so we wanted to assess how things had changed as a result of the pandemic. We looked at audit volumes, the frequency of software audits and the impact they are having on your business.
ITAM best practice suggests that IT Asset Managers should regularly assess their software portfolio for potential risks. The risk of a software audit, with the time-consuming process of working through it and potentially paying a settlement at the end, is a very real and present one for many ITAM Review readers. I would urge readers to look at the publishers currently auditing mentioned in this survey, especially the aggressive ones, compare that list to their own portfolio, and prepare accordingly.
Crowd Sourced Audit Defence Strategies
In this final article of this series I will share audit defence strategies from the ITAM Review community. Whether you are new to audit defence or an old-hand, I hope you will find the results useful.
We asked ITAM Review readers:
“…Please share any audit defence strategies or change in tactics that you have used to successfully reduce the impact of audits”
I have collated the results into four main areas. If you have any additional ideas please share them in the comments below or start a discussion here.
1. Audit Defence Fundamentals
Fundamental building blocks of audit defence strategy
- Stay compliant! – The first piece of advice is perhaps painfully obvious, but the objective is to stay compliant in the first place. Due to the nature of software compliance audits, your interpretation of “compliant” might not match that of your software publisher, so compliance alone won’t make you immune from risk, but it will give you a strong foundation. We obviously recommend that you build a robust IT Asset Management practice and treat your investment in IT like an asset in order to manage the risk of software audits.
- Three-way NDA – A non-disclosure agreement between your organisation, the software publisher and their auditor (if they are using one) is signed before any data changes hands, to ensure that your organisation’s data is treated confidentially. Not only is this good practice, it is also a good way of smoking out inauthentic audit requests: a genuine request will be backed by an audit clause in a contract you hold and a publisher contact you can verify independently, rather than through the details supplied in the request itself.
2. Be Prepared
What steps can we take to prevent audits happening in the first place?
- Internal Education – One of the resounding themes of your survey responses was the importance of internal education to build up your defences. Many of you are reporting that audits are coming through “the back door” rather than through formal audit letters. An example is a software publisher phoning a service desk and persuading an operator to help them with some analysis or run a script; before you know it the publisher has jumped to 2+2=5 and slapped a speculative audit settlement on you. This is social engineering, and “leakages” of this nature are prevented by educating staff about the risks of audits and directing every publisher enquiry to a central team or single point of contact, so that nobody outside that team runs scripts or hands over inventory data on a publisher’s request.
- Audit-grade License Statements – The community survey recommends building audit-grade license statement balances (also known as Effective License Positions or ELPs). This is a summary of your entitlement and consumption that would stand up to scrutiny by an auditor. This means you don’t just click a button on a SAM tool, but actually scrutinise the output as an auditor would. If you don’t have confidence doing this yourself, hire ex-auditors, consultants or partners that can help. Someone who has had their fingers burnt through a few audits is well qualified to give you pointers.
- Risk assess your software publisher portfolio – As I have mentioned in the previous parts of this series, best practice is to risk assess your software publisher portfolio. In particular:
A. Licensing complexity is a risk. If the licensing model is difficult to understand it represents a risk, because complexity leads to greyness and ambiguity, which can be used against you in the face of an audit.
B. Measurement complexity is a risk. How difficult is the license model to measure? If it is difficult to measure and quantify consumption, it’s a risk.
C. Unscrupulous market behaviour is a risk. If you are witnessing unscrupulous or aggressive behaviour in the market from a publisher you manage, it’s a risk to be assessed.
3. Have a plan
Audit Policy – The most important advice when it comes to audit defence is to have a plan. Have a playbook for how you will respond to and manage audit requests. Build a policy, sign it off at the highest level, follow it diligently and refine it after each audit. The goal is that all emotion is stripped out of the process and your organisation follows a playbook to de-risk the whole thing. To quote a survey respondent: “[You must] grab the steering wheel and you drive the audit. You don’t let the vendor drive the audit.”
Whether it is the publisher directly or a third-party auditor, software audits follow a script. Their objective is to follow this process as closely as possible to minimise their costs and reach their goals. However, you need to follow YOUR playbook, not theirs. Cool, calm and calculated, rather than running around like headless chickens panicking about a new audit request.
Your job is not to get mangled by their process, but to acknowledge the audit request and then follow your own well-thought-out internal process. This is the strongest recommendation from all the survey results. That internal process will cover things like setting the scope (so that the initial audit request doesn’t bleed out into other product lines and territories), the communications process, timings and so on.
4. Negotiate
- Push back – Don’t be afraid to push back. This, I’m afraid, only comes with experience of audits. For example, once you’ve done ten audits with Micro Focus you would typically know their routines, the art of the possible, what’s acceptable and when to push back. If you don’t have the experience to do this, go and find it. It will be worth the investment versus any potential eye-watering settlement figures. You need to review and challenge any findings. Just because the audit representative is wearing a shiny suit and comes from a big company, it doesn’t mean their results are perfect. They might be acting on imperfect information. Review it, challenge it, look at all the underlying data and make sure that it is accurate and represents your organisation.
- Settlement versus Turnaround – There is often a trade-off between the size of a settlement and the speed of the turnaround. A publisher is much more likely to accept a small settlement if it means the audit does not drag on for eons. Whether this is a valuable tactic depends on how strong you judge your position to be. It’s a bit like a legal dispute in the courts: do we reach a quick out-of-court settlement for a low amount to make it go away, or do we fight it all the way to the Supreme Court and risk an eye-watering fine at the end of it? It’s a matter of balancing that trade-off.
- Ooh, Shiny – Think about the strategic products of the vendor. Often, if you can imply that you’re interested in some of their strategic cloud products, or whatever the shiny thing is that they’re selling this month, there’s a possibility to remove or drastically reduce a settlement if you buy that product. Sadly this is the game of modern software audits: Audit, Bargain, Close. Find a discrepancy and put you on the back foot over it (bad cop), then suggest that all of this will go away if you were to upgrade or otherwise buy something of strategic importance to them (good cop). It’s a mucky way of doing business, but it’s the norm. All the while you are not looking at competitive solutions or assessing your real demand, because you are tangled up in the audit process.
Thank you again to everyone who contributed towards the survey. If you have any additional ideas please share them in the comments below or start a discussion here.
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.