This article has been contributed by Kylie Fowler. Regular columnist and Analyst at The ITAM Review.
1. I’ve had a request for an audit… what do I do now?
Most audit requests come through as a letter or an email addressed to a senior manager or Officer of the company. If it doesn’t look sufficiently formal, ask them to resend it! Most SAM managers don’t have the authority or legal power to accede to an audit request.
Sometimes the audit request is just a phishing expedition and you can and should push back, particularly if the request has come through from a local subsidiary of the vendor to an international subsidiary but you purchase centrally. If the vendor’s local subsidiary persists, then have a strongly worded discussion with your global account manager about revenue sharing, and make it clear to the Global Account Manager that they either audit the entire company or not at all. Yes, you did read that correctly… make it clear to the Global Account Manager that they either audit the entire company or not at all. i.e. If your vendor asks to audit your Italian subsidiary – state a global audit or not at all.
But isn’t that like raising a red flag to a bull? No, it isn’t. Not at all. That’s because of the way Account Managers are incentivised. A large proportion of your Account Manager’s salary will be commission based – that is, they will receive a percentage of the purchases you make with the vendor. Audits are nasty things, and they have huge potential to sour your relationship with the vendor which means you might buy less from them in future. This will have a direct affect on your Account Manager’s take-home pay.
But even worse, once a formal audit is declared, your account will be handed over to an auditor from the Vendor’s Audit department. Audit departments are deliberately kept very separate from Sales to ensure they are objective during the audit. Auditors themselves are often (but not always) recompensed based upon the size of any shortfall identified, and hence the number of licenses purchased as a result of the audit. Your Account Manager may not see a penny of commission for any product purchased through an audit.
So you can see why Account Managers HATE audits. Not only does it affect their relationship with your company, but they also often don’t get a share of the sales that result from the audit – this goes to the auditor.
Which brings me to another point that it is very important to understand: once you have received the formal audit request, the focus of the audit is to raise revenue.
Vendors audit for two reasons:
- a) the possibility of an audit is a deterrent to software cheats and incentivises genuinely honest companies to tighten up their processes to ensure they are compliant; and
- b) Audits raise revenue for the vendor.
The deterrent value of an audit comes mainly from the potential of an audit, not the audit itself! Because audits are very expensive, a vendor doesn’t undertake them lightly and if you have received a request for an audit it is no longer about the deterrent value of an audit, but because the vendor has decided that there is a strong chance that an audit of your company will bring in more money than it will cost to carry out the audit. Once you are in the audit process the vendor will do everything they can to maximise the revenue they receive from the audit. The long term relationship often becomes a secondary consideration because of cost of the audit and the way the auditors are incentivised.
2. Determine your Audit Strategy
So the request has come in, and the audit is definitely going ahead. You will probably be asked to attend a meeting with the auditor, where they outline the audit process. A lot of vendors have very tight timelines (to minimise costs), but if you are a large or particularly complex company the timeline is almost certainly unrealistic.
Prior to the meeting, determine your preferred audit strategy. I would suggest putting together an internal team to manage the audit, with a senior IT or procurement manager as sponsor.
Your audit team need to consider the following:
- Do we acknowledge that we have license shortfalls and do we know the extent? If so, should we try and negotiate a settlement rather than go through a protracted audit? What costs are we willing to settle for? You will need to determine both your initial offer (the lowest figure you think the vendor would accept) and the highest offer you are willing to make (above which you would prefer to do a full audit)
- Do we run the audit internally or get in external consulting assistance? Do we have the expertise in-house? If not, what would be the costs of an external consultant? What are the benefits?
- Do we use our own discovery data, or will we need to rely on the vendor’s discovery tool? If so, how will this affect the estimated timeline and costs for the audit eg what time will be required for testing and getting the tool through the Change Approval Board?
- Do we have a good understanding of what entitlement we own or will we need to rely on the vendor / resellers? How will this impact estimated timeline and costs for the audit eg if you are relying on resellers, how many are there and how long will it take to get data from them? How reliable is it likely to be? How will we validate the accuracy of data received from both internal and external sources? How long will this take?
- Will we ask the vendor to do the actual reconciliation, or would we prefer to pay a third party to do it (note that this will almost always be the vendors preferred option as it reduces costs!)? If so, what will the costs be? What are the benefits? If we let the vendor do it, do we have the skills in house to ensure we can assess the reconciliation for accuracy or can we leverage the LAR relationship to help us? After all, auditors are human, and like everyone they make mistakes!
- How will we fund any shortfalls? Will we need to give business units and IT groups a chance to review the reconciliation to ensure they recognise the validity of any shortfalls? What level of sponsorship do we need to ensure any large purchases of licenses required to remediate shortfalls is prompt and not held up because of signatory authorisation limitations.
Although license terms & conditions often specify that you must pay for an audit, the costs tend to fall where the resource is used (ie you provide data, the vendor does the reconciliation). However in some cases the vendor may agree to pay a portion of the costs, particularly if they insist a third party be engaged to support the audit, so it is always worth negotiating on this point.
Once you have an idea of how YOU would like to carry out the audit, the meeting with the auditor will be much more productive for both of you. If you decide you would like to negotiate a settlement, this is your chance to do so (if the Vendor will accept a negotiated settlement, of course!) or if it is decided a formal audit or an informal licensing review is more appropriate (the difference generally lies in the rules governing the audit and eventual settlement and the vendor will tell you which they want to do) then you can use the time to put together a high level project plan to ensure the audit is completed as quickly and efficiently as possible – which is in the interest of both parties.
Read Part two: ‘Data Gathering’ here.
About Martin Thompson
Martin is also author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management.
On a voluntary basis Martin a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
Learn more about him here and connect with him on Twitter or LinkedIn.