I recently corresponded with a former audit manager from a top tier software vendor.
He kindly shared his tips for dealing with compliance audits from a vendor perspective.
Q. What role does the license compliance audit play in Software Asset Management?
A colleague of mine once insisted that reconciliation is just one component of SAM and that an effective asset management program includes other equally important factors. The logic is sound, but I have always felt that being able to accurately reconcile software installations against entitlement is the cornerstone of any SAM process. And in my experience, even the best organized IT department does not always put a strong focus on being prepared for a vendor audit.
Q. Isn’t it difficult to be prepared for such a diverse range of vendor requirements, especially in light of all the other responsibilities that IT professionals face, beyond compliance or even SAM itself?
Of course, but in today’s economy, the last thing that an IT Manager wants to face is a vendor audit for which they are not adequately prepared, not to mention any related unbudgeted purchase requirements caused by an entitlement shortfall.
Q. Are there any tips as a former audit manager that you would like to extend to the SAM community?
Well, I think it is important to understand the role of the auditor. They are usually a cog in the wheel of sales, legal, order management, finance, customer service and even product teams, trying to put together a two-sided puzzle. One side represents the vendor’s information about the customer and their entitlements and the other represents the customer’s audit results and interpretation of the results. Completing the puzzle often requires that both the customer and the vendor agree that each other’s side of the puzzle is accurate.
Audit managers are often driven by goals and timelines that are of little interest to the customer. Though this sounds like a hopeless situation it is actually an opportunity. Open communication and adherence to a predetermined schedule give the audit manager the ability to achieve progress, even if completing the audit takes longer than originally requested. Stalling an audit just makes that audit manager have to spend more time on the early phase of an audit, not allowing him or her to achieve progress, or work on other audits. That will build unnecessary tension, and could lead to a less cooperative negotiation.
Q. Is there an aspect of audit preparation that you would like to stress, based on your experience?
Definitely; know your software agreements. Whether you just arrived at a company or have recently inherited the responsibility, you need to understand your company’s rights in regard to the possession of or interaction with, a vendor’s intellectual property. I intentionally made that statement convoluted in order to describe the numerous ways a party can be granted rights to “use” software. Even businesses that know exactly where every piece of software resides in their environment could have compliance problems if they misconstrued their usage rights.
Enterprise agreements and end user license agreements could even contradict each other, but you won’t know unless you have read the agreement. You also won’t be able to educate your users on what they can and cannot do with the software, increasing the risk of non-compliance.
There are software tools to help manage entitlement, but you need to be aware of what agreements exist. If your company has had a long relationship with a software vendor, make sure you contact your account representative and have them provide you with any historic agreements which may correspond to older software purchases. Entitlement rights can change from version to version, or contract to contract. This information will allow you to understand whether the general perception of how software is entitled to your company fits how it is being implemented, which can make a huge difference when facing a vendor audit.
Q. What advice can you share in terms of agreements? What key points should organizations be looking out for?
Remember that a contract is a living document, and often the terms include certain requirements that extend past the signature date and invoice. Auditors review deployments against specific terms in the contract. The following are a sample of questions to consider: Are there any usage/revenue reporting requirements? What hardware restrictions are called out? How is partitioning addressed? What are the territorial/geographical restrictions? Do you have production, development, or backup environments, and does the contract treat them differently? Are there OEM, Evaluation, or Student version restrictions on any installed software? How are users defined? How many installations are granted with each license? These are some of the areas where auditors focus.
Q. Have you any experience with end users working innovative or protective clauses into their contracts with software vendors as a result of audits? Can you provide any advice in this area?
With any custom Software License Agreement there is an opportunity to negotiate terms. Usually these are reserved for either very large licensing deals or for larger companies with inside counsel. Though there is little chance of having an audit clause removed, you may be able to reduce your chances of being audited by opting for an unlimited enterprise license. Be wary that there may be an audit necessity if a maintenance contract is involved and the terms call out usage levels that are not unlimited.
Self Certification clauses can also reduce the need for an audit. By providing a vendor with a quality certification report signed by an officer of the company, they may choose to accept the customer report instead of doing the review, though eventually they will still want to validate the information.
Specific terms surrounding the way an audit is performed may also be negotiated, but often, by quickly engaging with an audit request, you can get favorable treatment without focusing on contract details. It can’t hurt you to try to get a favorable contract, but you need to weigh the cost benefits from a legal perspective against the perceived risks you may be facing with the terms as presented. The most important thing is to really understand the language and implications before you sign it.
Q. Are there any specific tactics that work well with auditors?
Again, proactive communications are the best way to get fair treatment and smooth negotiations. Audit managers and consultants are required to report progress and stay ahead of the audit; falling behind makes them irritated and affects their performance evaluation. It also leads to escalations to their management. It is better to schedule a longer lead time in advance than to miss deadlines.
Also, having a good attitude doesn’t hurt. I have heard onsite consultants go on about how well they were treated and others who were put into a conference room with a security guard at the door. Guess which customer was viewed with greater suspicion? People in general will respond more positively to pleasant cooperation than to bitter dissent. If that isn’t your personality, consider a representative from your organization who can manage the communication process. If you have agreed to the audit there is no point in being contentious without a good reason.
Have you any other questions that you would like to ask of an auditor? Either make a comment below or contact me privately.
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to ski, hike, motorbike and spend time with his young family.
Connect with Martin on LinkedIn.