Tips for compliance, software audits & more!

06 March 2014
19 minute read
ITAM News & Analysis

Wayne Jackson

Ahead of the Compliance Manager Summit, 10-11 March in Santa Clara, we interviewed Wayne Jackson, speaker and Director at Accordo Group, about his thoughts on non-compliant licenses, customer satisfaction, software audits and the future of the ITAM industry.

Q. Companies must be able to learn from your ability to assess clients’ environments so quickly to reach a compliance position – what tips can you share for building a fast, accurate compliance position?

Achieving an accurate compliance position can be a very challenging and time-consuming exercise, depending on the size and structure of the organization under review.  In most engagements, there are constraints of time and budget, so some compromise may be required to reach an agreed compliance position – one which is acceptable and reasonable to both customer and software publisher.

There are three principal phases required to complete a compliance position:

  • Establishing the entitlement position (i.e. what products, versions and quantities are entitled to be used)
  • Establishing the deployment position (i.e. what products, versions are actually being used, and in what quantities)
  • Comparing the two to identify any under or over-licensing.

Each of these phases has some complexity, and requires some specialist knowledge, except in the simplest of environments.  Even the third step, which, on the face of it may appear no more than simple subtraction of one array of quantities from another, can be deceptively complex.  For example, there will be downgrade options to be considered, and these can be frustratingly difficult to determine and complicated to apply.  But failure to correctly apply these rules will result either in unjustified cost for the customer, or loss of rightful revenue for the software publisher – and no SAM Partner wants to be responsible for such an outcome.

Correctly determining the customer’s deployment position has been the focus of much research, analysis, design and development work over many years, and there are a multitude of tools in the marketplace, each claiming to provide a comprehensive and reliable inventory of software usage.  Using one of these tools can provide a large part of the existing deployment position, but some manual work is generally required to complete the picture.

The entitlement position is, in my view, the major challenge, because not only is very specific product knowledge required to analyze and interpret the base data, but the base data itself is usually spread across at least three places.  Some of it will be found in publisher sales records, some in customer purchase records, and some just cannot be found – it is lost in the sands of time, a consequence of the immature software asset management world that we still inhabit.

Very few customer organizations have the people, tools or access to information required to complete this process themselves, so it needs the involvement of a third party with the required experience and expertise, as well as knowledge of software publisher products, versions, release dates, license terms, pricing etc – both current and historical.

So to build a suitably accurate compliance position within an acceptable timeframe, several things are needed:

  • Access to the above-mentioned information, and a relationship with software publishers, which ensures this knowledge remains current.
  • A means of systematizing this information, so that it can be repeatedly applied and automated wherever possible.  Re-inventing the wheel and rediscovering appropriate rules with each engagement is simply not an option, because one will very quickly blow out time and budget.
  • Focus on getting the customer engaged so that they are involved in developing entitlement and deployment positions, because no workable outcome can be reached without their agreement.
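As an added illustration of the three phases described in this answer (not Accordo Group’s method or tooling), the comparison step modelled in Python with one simple downgrade rule; the product names, versions and quantities are constructed sample data, and the rule that a newer-version licence may cover an older-version deployment of the same product (never the reverse) is an assumption for the example:

```python
"""Reconcile an entitlement position against a deployment position.

Added example, not Accordo Group's method or tooling.  Assumptions: versions
of a product compare as integers, and a licence for a newer version may be
used to cover a deployment of an older version (downgrade), never the reverse.
"""

# Constructed sample entitlement position: (product, version) -> licences held
ENTITLEMENT = {
    ("OfficeSuite", 2013): 40,
    ("OfficeSuite", 2010): 10,
    ("DBServer", 2012): 2,
    ("DBServer", 2008): 1,
}

# Constructed sample deployment position: (product, version) -> installs found
DEPLOYMENT = {
    ("OfficeSuite", 2013): 30,
    ("OfficeSuite", 2010): 25,
    ("OfficeSuite", 2007): 5,
    ("DBServer", 2012): 3,
}


def compliance_position(entitlement, deployment, downgrade=True):
    """Return {(product, version): delta}.

    delta < 0: deployments of that version left uncovered (under-licensed).
    delta > 0: licences of that version left unused (over-licensed).
    Versions with a zero delta are omitted.
    """
    products = {p for p, _ in entitlement} | {p for p, _ in deployment}
    result = {}
    for product in sorted(products):
        # Licences still available per version; consumed as installs are covered.
        remaining = {v: q for (p, v), q in entitlement.items() if p == product}
        versions = {v for (p, v) in list(entitlement) + list(deployment) if p == product}
        # Cover the newest deployments first so newer licences are not spent on
        # old installs while a newer install is still uncovered.
        for version in sorted(versions, reverse=True):
            need = deployment.get((product, version), 0)
            if downgrade:
                # Same version first, then the nearest newer version.
                eligible = sorted(v for v in remaining if v >= version)
            else:
                eligible = [version] if version in remaining else []
            for lic_version in eligible:
                take = min(need, remaining[lic_version])
                remaining[lic_version] -= take
                need -= take
                if need == 0:
                    break
            if need:
                result[(product, version)] = -need
        for lic_version, left in remaining.items():
            if left:
                result[(product, lic_version)] = left
    return result


if __name__ == "__main__":
    for label, flag in (("without downgrade", False), ("with downgrade", True)):
        print(label, compliance_position(ENTITLEMENT, DEPLOYMENT, downgrade=flag))
```

Run without the downgrade rule the same data shows a surplus of ten OfficeSuite 2013 licences beside a shortfall of fifteen on 2010; applying the rule turns that into a shortfall of five, which is the kind of difference the answer warns about.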

Q. What issues tend to trip up companies or what aspects of their licensing do they tend to overlook? Virtualization? 

There are probably dozens of factors contributing to the widespread software license non-compliance afflicting many organizations in the world today.  The sheer complexity of licensing rules is undoubtedly a major contributor, but, to be fair to software publishers, much of this arises from their efforts to provide flexibility in catering for the wide variety of organizational sizes and structures using their products.

Another major contributor is the lingering lack of comprehensive asset management tools that cater specifically for software licenses.  Software is a unique asset – it can’t be seen, touched and handled in the same way as a physical asset, like a desk or a chair.  Yet many organizations manage their software asset in the same way as they manage their desks and chairs.

The advent of virtualization, while bringing some great productivity benefits to publishers and users alike, has definitely aggravated the problem of license compliance.  Software has always been invisible, but now the machine it runs on has vanished also.  Counting physical devices is no longer sufficient, so virtualization has added another layer of complication to the already stressed compliance manager.

A further common area of confusion relates to the different means of purchase available, and the consequent variation in license rights conferred.  For example, a software product purchased as a full-boxed product will typically allow more flexible usage than the same product acquired as OEM (pre-installed on a machine).  Product license rights acquired via a volume purchase program may be different again.  Customers sometimes forget that they are not buying the software per se, but rather a license to use that software under a certain set of terms and conditions.

In the same vein, applications which are internet facing, or even utilized via internal intranet, can require a different license method, and this is sometimes missed by unwary customers.

Q. What best practices can you share for building trustworthy, comprehensive inventory to satisfy audit conditions? 

As mentioned earlier, the need to establish reliable, comprehensive inventory is one area that has received a lot of attention over the last twenty years, and there are some very good tools available as a result of those efforts.  This doesn’t mean it has been conquered – not at all.  In our experience, some manual work and validation is usually required to reach a point where audit standards are fully met.  But a good inventory tool can save a lot of work.

In order to compare software inventory to entitlement, we need a concise, complete and comprehensive list showing software title, specific version, and quantity deployed/used.  For many years I was continually frustrated that many tools would deliver a list of product usage which was almost incomprehensible – being a rambling collection of executables in some kind of computer register language, with many repetitions and overlaps.  I then had to spend a lot of time trying to interpret this data and translate it into a concise list of product name, version and quantity.  Fortunately the world has moved on, and inventory tool output is now typically much friendlier to the software compliance practitioner.

There still remain difficult areas, notably:

  • Capturing usage of those license requirements which leave no footprint – such as server access.
  • Getting coverage of all devices.  Notebooks have long been a problem, and tablets and smartphones must be aggravating this.

More and more organizations have some kind of inventory tool, and there are also freeware options provided by some vendors, which can be utilized.  In the context of a license compliance engagement, it is best if the customer manages this aspect themselves, and provides the data, rather than having some seemingly intrusive discovery tool imposed upon them.

However, when finalizing a compliance position, it is not wise to rely on a single source, and we have, over the years, evolved a large number of cross-checks in order to validate software inventory data and alert us to possible inconsistencies.

Q. How do you measure customer satisfaction during an audit and how do you minimize impact? 

Let’s be honest, there are very few organizations who welcome the idea of a software audit.  For most, their first thought is, “how do I avoid doing this?”  The prospect of a software audit has about as much appeal as a trip to the dentist.

Trying to measure customer satisfaction near the beginning of an engagement is a very bad idea – you are most likely to encounter some mixture of anger, annoyance, resentment or denial.  However, if the messaging is good, the information accurate and the communication professional, then as the engagement proceeds, most customers will progress to some kind of acceptance, perhaps some relief, and even gratitude and appreciation.

So the result of any customer satisfaction survey will depend on when the survey is undertaken, and in this business, at the completion of the engagement is the only sensible option.  I imagine the same would apply with dentists – asking someone how they like visiting the dentist when they are halfway through a root canal job is really not that smart.

Only a completed compliance engagement has a chance of being a good one, and there is a real chance that the customer has gained some tangible value from the process.  This is the key question for any customer satisfaction measurement.  I have been associated with very many audits of small and medium sized organizations over many years, and it is amazing how many customers have expressed genuine gratitude at the end of the process, and declared that they have learnt valuable lessons about how to better manage their software asset and reduce organizational risk.  In many cases, particularly for smaller organizations, it is the first time they have had contact with someone who has real licensing knowledge and can give them practical guidance on something that has concerned them for years.

In terms of minimizing impact, there are several points to note:

  • The initial approach must be carefully thought out, and tailored to the country and culture concerned.   As mentioned previously, the customer will most likely be looking for a reason to not do it, so don’t give them one right at the start.
  • Any information provided at the beginning, such as license statements, must be as accurate as possible.  This is the most fragile stage and a very steady hand is needed.
  • For the same reason, follow up must be consistent and timely.  If you say you will call back within two weeks, you must do so.
  • This is particularly important once the customer is engaged (i.e. providing information back to you).  Having negotiated them through the early difficult stages, and won their trust to some extent, it will go badly if it is you who then drops the ball.
  • Make sure that customer-facing people have solid back-up in terms of license expertise.  Once the customer is engaged, they will want to know that you can genuinely help them.
  • Complete as many engagements as possible.  An incomplete audit is like an incomplete visit to the dentist – all the pain, but no resolution.
  • When establishing software inventory, use the customer’s own data wherever possible – but also cross-check with your own analysis.

Q. What nuances exist when auditing multi-cultural, multi-national organizations? 

I should be well placed to answer this, having been associated with compliance audits in more than sixty countries, spanning every continent except Antarctica.  I will try to offer a few thoughts without offending any particular country or culture.

It’s well known, from studies such as that conducted regularly by BSA, that software piracy rates vary dramatically across international and cultural boundaries – from 90% plus in Zimbabwe, Georgia and Bangladesh to around 20% in USA, Japan and New Zealand.

When conducting software audits on a large scale, as we do with small and medium sized organizations, the critical success factor is engagement rate – by which I mean getting to the point where the customer is providing data back.  You cannot consider yourself to be engaged until you start getting something back.  In conducting hundreds of thousands of compliance audits in many countries over many years, we have gathered data, which measures engagement rate quite precisely, and have been able to look for any correlation between this and published piracy rates.

Of course, there are numerous factors at play here, and the results must be interpreted with care, but a distinct pattern emerges whereby, not altogether surprisingly, countries with the highest piracy rates are hardest to engage, and those with the lowest piracy rates are easiest to engage.

We have also been able to measure the speed at which organizations in various countries respond to communications.  Again, certain general trends are discernible, with some countries more inclined to respond quickly while others are inclined to leave it until the last minute.

We have also noticed nuances in how various cultures respond to different types of messaging.  In some countries, firm, formal written communication may be the best way to gain traction, whereas in other countries this will be met with widespread resistance.  In some countries, a telephone call is the best way to get the ball rolling, whereas letter and email work better elsewhere.

From a practical perspective, these national and cultural nuances present challenges.  The economics of conducting large scale compliance audits with SMB customers calls for standardization and automation wherever possible, in order to increase efficiency and ensure an acceptable ROI.  But one cannot ignore the national and cultural differences cited above, and the wise course is to accommodate a variety of communication methods in order to maximize the holy grail of compliance auditing – engagement rate.

Q. Can you comment on any trends in the licensing space? Perhaps on the impact of cloud delivery and subscription models on compliance? 

Common sense says that the uptake of cloud delivery will make licensing simpler and compliance more easily achievable.  However, I have been working with software license programs for several decades and every year there is a new licensing method, a new agreement structure, or a new delivery method that is heralded as “making licensing simpler”.  I am still waiting for this to happen.  Rather, I have continually seen the reverse.  Licensing simplicity, and, by implication, ease of compliance, has continued to become more and more elusive.

Obviously, we have been watching carefully over these last few years, trying to discern the extent and rate at which software delivery will move away from on-premise, perpetual licensing towards cloud, subscription licensing.  As I write this, the great majority of organizations that we deal with are either entirely on-premise, or a mixture of on-premise and cloud.  The balance appears to be moving, but still slowly, and certainly more slowly than predicted during the first flush of cloud products several years ago.

A summary of 35,000 SMB customer responses over the last year indicates that approximately 6% have some cloud products deployed, and about 10-15% are contemplating a future move to cloud.  That’s a worldwide average, and in mature markets the figures are more like 15% and 40%, but there is clearly still a way to go.

Do I think that, in years to come, we will see almost all software delivered via the cloud under a subscription model, and non-compliance become relegated to history?  Possibly – but I believe there is a long and winding road between now and then.

For a start, we need the internet to become faster, more pervasive and more reliable.  And cyber security looms like a great black cloud over people’s willingness to rely solely on cloud delivery.  It would only take one or two high profile security disasters to put the brakes on this migration.

Secondly, I don’t believe a move to cloud delivery will automatically wipe out non-compliance.  There is an awful lot of software currently being used illegally, and that is not going to change easily.  The last five BSA reports on global software piracy show that it is either flatlining, or marginally increasing (from 38% in 2007 to 42% in 2011), and the estimated monetary value of unlicensed software is increasing.  I don’t know how people will find a way to use unlicensed software in the future, but I think they will find a way, for many years to come.

Q. What would your advice be to someone who is struggling with compliance issues?

From an organizational perspective, the most important thing is to make sure that someone is specifically responsible and accountable for license compliance – and it needs to be a senior person who has influence with the Executive.

Secondly, seek specialist help – someone who has access to the methodology, and also to the technical specifications and documentation required to establish entitlement and deployment.  This may be from a trusted reseller in the first instance.  If there is no trusted reseller, or they don’t seem to have the requisite knowledge and experience, then find a suitably qualified SAM Partner who can help.

How does an organization know whether or not they are compliant?  License compliance requires a deliberate and specific set of actions to achieve and maintain.  It will never happen by itself.  If you don’t know that you are compliant, then you are very probably not compliant.

Q. Looking at the industry as a whole, outside of Compliance what do you see to be the biggest issue for businesses when it comes to ITAM?

There are many challenges facing ITAM in general, arising from trends such as cloud computing, virtualization, changing IT standards, pervasive growth of personal devices such as smartphones and tablets, cyber security etc.  However, and this is just a personal view, I feel the biggest challenge for ITAM is being taken seriously and achieving the organizational profile needed to really make a difference.  It still feels as if ITAM is a bit fringe – like HR was for a long time.

Q. Where do you see the ITAM industry in ten years’ time?

Following on from the previous response, I think that ITAM will continue to grow in terms of its importance.  And I believe it will earn the right to be a vital component of management structures everywhere by delivering increasing value to organizations who invest in it.

The IT industry only really gained momentum in the latter half of last century, so it is still a young industry.   Management systems, and the measurement methods that support them, have taken time to evolve and mature.

Over the last thirty years, there have been enormous amounts of money spent on IT, and far too much of it has been effectively wasted.  For example, there are many examples of large software development projects which have consumed vast sums of money and countless hours of effort, only to deliver almost nothing in terms of productivity and profit.  Everyone has a story about how a new computer system has made things worse rather than better.  In terms of software, measurement systems have been poor and still have a long way to go.  It is very rare to encounter an organization whose IT Manager could, on demand, accurately report how many devices are owned or exactly what software is being used.

However, the economics have changed over the last decade, and there is less and less tolerance for waste and non-delivery.  ITAM is maturing and getting much better at measuring IT performance.  The drive for greater efficiency and cost reduction over the next ten years will, in my view, ensure that ITAM emerges as a vital component of organizational management.

Q. Finally, where do you work, and what do you do?

I am a co-founder and Director of Accordo Group Limited.  We are an independent consulting company who specialize in software licensing.  Our major activity is delivering remote license compliance engagements to small and medium customers on behalf of major software publishers.  Over the last ten years, we have delivered several hundred thousand such engagements, spread across more than fifty countries.

Thank you to Wayne for taking the time to talk to us. We look forward to hearing from him at the Compliance Manager Summit in sunny California.
