The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

ARTICLE: Taking Control of a Software Vendor Audit

Following on from my article last week exploring the different results achieved by an organisation faced with a vendor audit, this article attempts to explain how best to deal with an impending audit.

This is an abridged version of an article published by ManageSoft, who are hosting a webinar with IAITAM on the 28th May. Further details can be found here.

1. Review the contract to understand audit terms and conditions

    TERMS AND CONDITIONS: Read the terms and conditions to establish whether the software publisher indeed has the right to audit the business in the first place. Understand the terms and conditions of non-compliance
    FINANCIAL PENALTY EXPOSURE: Determine whether there are potential financial penalties. Some vendors impose penalties and/or charge the cost of the audit to the customer if non-compliance exceeds a certain percentage of the total license cost. Non-compliance is very seldom by design, but still represents a potential liability. Knowing the consequences can empower an enterprise to take immediate remedial action.
    DESIRED OUTCOME: Create a clear checklist of the key deliverables of the audit. If the audit goal is to establish an “effective license position”, then information on software installations must be compared to license entitlement data for all applications in question. The data to be collected may include hardware and software inventory, users, purchase order and contract information.
    RESOURCES REQUIRED: Prior to any audit, it is worth asking the publisher exactly how the audit will be performed and what level of assistance will be required by the auditors. Enterprise software audits can consume many staff-months of time during which the IT department collects the requested data.

2. Make sure the software and hardware inventory is up to date

    IT ASSET VISIBILITY: Software publishers audit businesses to make sure that the software is being used within its license terms and is appropriately paid for. This means that IT departments must have a comprehensive view of their entire IT estate, including hardware, to ascertain how the software asset is being used and whether they are in compliance.
    IT ASSET ACCURACY: To make sure that software inventory is accurate and up to date, the fingerprint of every application installation, which includes file evidence, add/remove programmes and WMI (installer) data, must be analysed and a list of proper software titles generated for each machine.

3. Prepare Proof of Purchase and Licensing Agreements ready for inspection

    ENTITLEMENT: Prior to an audit, IT departments should ensure that all their paperwork is in order, recorded and easily accessible including paid invoices, receipts of purchases, licensing agreements and certificates – especially soft records of purchases from resellers and publishers. This proof of license entitlement is critical to the reconciliation process.

4. Demonstrate that licensing rules are understood and applied

    RECOGNISING LICENSE MODELS: A vendor license position requires much more than simply comparing purchases and installations. IT departments need to be able to demonstrate that license types, e.g. device based, named user, processor based or concurrent user, are understood in conjunction with the computing environment such as virtual machines, multi-processor machines, user communities, and physical locations. For example, Oracle database administrators must be able to show that they understand and meet the per processor minimum for Named User plus (NUP) licenses.
    UNDERSTANDING USAGE RIGHTS: Demonstrating that both rights of usage as well as limitations of usage are understood and applied across the IT estate will instil auditor’s confidence in the company. For example, the IT department must be able to show that upgrade rights and rights of second usage are applied correctly. Similarly, the IT department should demonstrate that license usage restrictions – for instance, limits on the number of virtual instances per physical host server – are respected.

5. Explain what SAM policies and procedures are in place

    SAM SYSTEMS: Enterprises should show documented corporate policies and procedures for software asset and license management. These could include frequent hardware and software inventories, centralized procurement, periodic license reconciliations (monthly, quarterly, etc.), software download and installation processes, employee education programs, and internal audits.
    END USER EDUCATION: Lack of IT policy communication to employees and end user monitoring and control are common oversights on the part of IT departments. On the other hand, by educating employees on what they “may” and “may not” install, central IT can prevent rogue installations, which often jeopardize enterprises’ compliance status.
    SAM FIRE DRILL: A good way to overcome inadvertent license breaches is to conduct scheduled internal IT audits. This not only ensures that the enterprise is always ‘audit-ready’, but also reinforces the importance of adhering to IT policy to employees.

6. Don’t remove software from computers; don’t start a shopping spree

    REMOVING EVIDENCE: Often, when IT departments find that they are out of compliance, a knee-jerk reaction is to instantly remove installed software from computers, just prior to an audit. However, removed software is easily traced by auditing companies, making them suspicious, which leads to further scrutiny. Instead, pre-empting such a situation is the better option.
    COVER UP Alternatively, in their efforts to be compliant just before an audit, IT departments often make purchases of software they need. However, it should be noted that only purchases made before the date of audit notification are considered by the auditors. Therefore, hasty purchase decisions are best avoided.

7. Automate software asset management

    PREVENTION RATHER THAN CURE: Software license compliance is complex, and this complexity will only increase as more complicated IT infrastructures such as virtualization and cloud computing take hold. Manually managing software asset management and compliance is a time consuming and onerous task, ridden with costs and risks. In general, by the time a manual assessment of an enterprise’s license position can be obtained, it is already out of date. IT departments should look to adopt tools that automate these processes to ensure on-going license compliance.

If you would like to add any other tips for preparing for a software vendor audit then please use the comments field below or contact me privately at alerts (at) itassetmanagement.net.
Photo Credit

email

About Martin Thompson

Martin is owner and founder of The ITAM Review, an online resource and community for worldwide ITAM professionals.

Martin is also author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management.

On a voluntary basis Martin a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.

Learn more about him here and connect with him on Twitter or LinkedIn.

4 Comments

  1. When conducting software inventory be careful with tools that generate

    false positive results and also those tools that rely on the add/remove programs area and the registry. The data generated from both the

    registry and add/remove areas is often incomplete and inaccurate so you need to ensure that you create accurate inventories of what is

    actually installed on a system.

  2. Ania Levy says:

    I can appreciate the value of this article, but I disagree with several points.

    A

    licensor not only has the right but an obligation to protect its proprietary interests in and to the intellectual property it licenses.

    It is equally important to note that licensees should have control over:

    ➢ the auditor’s adherence to corporate

    policies and procedures
    ➢ expulsion of a non-compliant auditor
    ➢ the duration of the audit
    ➢ the timing of the audit

    (e.g. never at quarter/year end)
    ➢ the qualifications and relationship (to the vendor) of the auditor
    ➢ what the

    auditor is permitted to access
    ➢ how that access is granted (e.g. accompanied at all times by licensee management or a

    staff member; NEVER remotely)
    ➢ who pays for the audit (good or bad outcomes)
    ➢ what percentage of overuse would be

    subject to penalties
    ➢ the grace period before penalties are assessed
    ➢ dispute resolution resulting from a “bad”

    outcome

    I could go into an explanation of each bullet point above, but that would take up too much space for a commentary and

    would be advisory in nature. Each licensee has unique conditions and limitations (e.g. some smaller firms may not have a corporate

    policies and procedures manual that would have to be provided to the licensor’s auditor prior to an audit).

    I believe that any

    organization undergoing or about to undergo a vendor audit should bear in mind, that unless certain terms have been agreed to up front,

    there is a good chance that penalties and even the cost to conduct the audit may be borne by them.

    With that said, it should be

    clear to your readers that it’s never too late to amend existing contracts to include audit terms and conditions that clearly state the

    rights of BOTH parties. I strongly urge them to do so as both the demand and supply sides of the marketplace are feeling the pressures

    of our current economic times. Forget about setting a flag or causing suspicion by amending the license agreement. Your readers should

    assume that their vendors are always suspicious of overuse. That’s why they have incomprehensible license agreements. My advice is to

    use a third party expert in this field – preferably a third party that has no vested interest in the sale of more products as that would

    create a conflict of interest. A neutral party that is recognized by industry players as an expert would take the pressure off of the

    licensee and emphasize the licensee’s commitment to license compliance and the written agreement with their vendor/licensor. This

    process is a proactive move in the right direction, intended to mitigate risks and reduce spending.

    Also, one of your readers made

    a very valid and important comment regarding the tools used to conduct an audit. Although the caution pertained to an internal audit,

    the tools used by the vendor/licensor should also be reviewed and researched for any known flaws as the outcome could result in

    overpayment by the licensee.

    Good luck to you all!

  3. They are great additional observations.

    The key clarification I

    would add is that vendor audits can fall into two categories;

    Category A; hostile audit in response to an internal tipoff from a

    disgruntled employee

    Category B; a “fishing expedition” based on “it’s your turn to be audited” based on their random audit

    schedule

    Depending on which type of audit that occurs will determine whether and how any of the strategies outlined across the

    article (and the feedback so far) can be implemented and deployed to be effective.

    Leaving it to the time of an impending audit

    (which isn’t the suggestion made by the article) is too late, but this stating the bleeding obvious!

    Having said that, many do

    leave it too late, and then try and run around to implement some of the strategies outlined, and fail dismally!

    Many of the fines

    and settlements made are arbitrary assessments (weighted in favour of the vendor) rather than factual full counts and in some cases we

    have seen instances where organizations have been penalised by poor housekeeping. They have “paid up” to get them out of the premises due

    to the duration and inconvenience caused!

    Rule of thumb based on what we have seen having been in this industry (anti-piracy

    advice) since 1991 puts the cost of a full audit/fine/settlement and license true-up, plus the cost of staff, legal fees, reconciliation

    etc to be around 3 to 4 times (in some cases higher) the value of the under-licensed software.

    If the vendor is auditing you

    under “Category A” they can do this with their own legal counsel and/or use a legal instrument as the means to gain entry to premises (an

    Anton Pillar order) and you have a maximum of one hour to have your lawyer attend.

    Under this type of legal instrument (Anton

    Pillar order) they can seize assets and remove them from your premises, which can render a lot of your defence useless. This means that

    in this case many of the steps outlined in the article are not capable of being deployed at the time or just before the time of the

    audit. In this instance the licensee CANNOT control the situation or teh timing of teh audit ie; go away it’s end of year / end of

    quarter.

    Best advice we can give is to be well prepared, well in advance with good housekeeping and good SAM management so as to

    minimize the risk of the audit situation. A good SAM program and regimen will help identify if you have over-licensed applications (paid

    for more than you actually need) in which case you can trade-off the costs of running an effective SAM program vs the cost of license

    saved.

    We don’t sell SAM solutions (but we do recommend them for our clients) – we offer independent audit tools for auditors.

  4. Leaving aside the legalities of the audit/review…

    I’d

    probably add to the “Don’t buy to cover up” scenario by saying that what you learn about what you don’t have (ie. what you may be

    underlicensed) can also be used in negotiations that MAY take place at the end of the audit. Use your new found information to assist you

    in any way you can. Incorporate what you need to buy to become compliant into future licensing discussions.

    Above all, I would

    suggest that the best approach is to be ethical and honest. Playing avoidance games or trying to delay things without good reason really

    doesn’t do anyone any favours – you or the vendor (or the third party trying to help in the middle). The more co-operative you are, the

    more relaxed and willing to assist the vendor is also likely to be. Communication is the key!

    Heather
    Conductor of hundreds of

    vendor based license reviews – now happily working for the other side! 🙂

Leave a Comment