Playing Defense in the Audit Game

19 June 2014
7 minute read
ITAM News & Analysis


What are the best data-sets to present to an auditor should they knock on your door?

Ahead of the SAM Summit taking place in Chicago, 23-25 June, I chatted to Christof Beaupoil, Co-founder and President at Aspera Technologies. In this interview Christof shares his advice on audit defense and how to get your organization ‘audit ready’.


Please could you provide us with a brief overview of your experience and current role?

I’m still the same ol’ Co-Founder and President of Aspera. Right now my focus is on managing and facilitating Aspera Technologies’ strong growth. In the past 6 months we’ve welcomed many new customers, including three Fortune 100 companies, and have hired several SAM specialists to join our rapidly growing team.

“Audits” seem to currently be the buzzword-of-the-moment within the SAM market. Why is this the case?

I don’t consider audits to be a buzzword in the market. Publishers have indicated time and time again that audits are a part of their business model, and therefore revenue stream.

What’s the most important strategy when it comes to audit defense?

The best audit defense is to avoid it altogether through an established SAM program and audit response procedures, which include these key aspects:

  • Having internal SAM resources, and access to subject matter experts (whether internal or external) for substantial assistance throughout the audit, including license entitlement experts and technical expertise for the data sources, etc.
  • Having the appropriate license management processes in place
  • Having a license management tool to support these resources and processes; specifically the tool should provide:
    • Out-of-the-box (OOTB) license optimization to reduce perceived under-licensing
    • One-click compliance analysis and reports that follow audit protocols and meet the requirements of the software publishers
    • Consolidation of licenses for global audits
    • Consolidation and processing of software usage and hardware data with OOTB connectors
    • Verification of the data used by the auditor

With SAM, enterprises are able to dramatically shorten their reaction time to audits while simultaneously minimizing internal efforts. An enterprise that is in control of its software estate is less likely to be audited, because the chances of auditors finding license breaches are low.

How can people ensure they won’t be audited? Or if they are, what can they do to make it as painless as possible?

Research has shown that publishers look for certain characteristics and behaviors when choosing audit candidates, such as company size or significant growth, recent M&A or re-structuring, failing an audit in the past, and fluctuating purchase amounts. A company’s country of origin also influences its chances of an audit, as do upcoming contract renewals.

To make an audit painless, you just have to be ready for it. That means implementing a SAM program NOW.

What’s the first thing people need to do when they receive an audit letter?

We’re talking Audit Defense, so the enterprise should immediately designate an internal single-point-of-contact (SPOC) for the auditor–and no one other than the SPOC should communicate with the auditor. Additionally, the enterprise should bring in the legal department to question the publisher’s right to audit the company.

The enterprise should not buy any licenses of the publisher’s products until the audit is settled and it should also not try to remove software. Finally, the enterprise should not disclose any information until a confidentiality agreement is signed.

What are the best data-sets to present to an auditor should they knock on your door?

While the audit procedures are basically the same for all audits, each publisher has its own data requirements, so there is no one “best” data-set per se. In any case, a report on the company’s licenses and maintenance agreements will be required as well as proof-of-entitlements (PoE). Generally, enterprises have more than one kind of purchase and license agreement from any given publisher—which makes a SAM tool handy because it acts as a central repository for the numerous contracts and licenses, as well as for the PoEs.

Technical data on hardware, e.g. configurations, virtualization, and software usage will also be required data-sets. This data depends on the products under the scope of the audit and the publishers’ license metrics. Again, a SAM tool can prove very valuable in that it can process the raw data to create the necessary reports with one-click, as well as enable the enterprise to verify the accuracy of the data-set before handing it over to the auditor.

Audits can help change an organization for the better. What should an organization learn from the audit experience?

After an audit the enterprise is in a perfect situation to create long-term value out of a one-time effort by setting up a full SAM program if it does not already have one implemented. The processes put in place to gather the data for a specific publisher can be rolled out for other vendors as the need inevitably arises over time.

Should people be reactive or proactive with a strategy for audit defense?

Definitely proactive. Not every audit letter has to turn into a full-blown audit, and showing your audit-readiness is a clear signal to the publishers: there’s nothing to find here!

Why should people invest time in creating an audit strategy, if they’ve never been audited before?

Simply put, Audit Defense is only one obvious benefit of an audit strategy. An audit strategy is only really effective if it is supported by the necessary people, processes, and tools. And these same people, processes, and tools can be used for a comprehensive SAM program, which goes beyond Compliance Management and audits. A SAM program:

  • Reduces silos of information through best practices and a centralized SAM tool
  • Enables optimization of the software portfolio
  • Delivers transparency into software usage, especially for servers, virtualization and the data center
  • Ensures efficient preparedness for contract negotiations, renewals, and true-ups
  • Drives systematic software cost reduction (e.g. re-use licenses, apply product use rights, and optimization of support and maintenance agreements, etc.)
  • Improves data quality for ITAM and CMDB: Equips ITAM with the data and processes needed to meet the demands of license management
  • Increases efficiency by integrating with ITSM for intelligent software request fulfillment
  • Enables enterprises to accurately distribute assets across the enterprise and create a strategy that unlocks the full potential of ITAM for all stakeholders

How can an organization ensure they are ‘audit ready’?

To help enterprises gauge how “audit ready” they are, Aspera created a worksheet called “Are you ready for a software audit?”

For each question enter the appropriate number that corresponds to your level of agreement with the statement:

Strongly disagree = 1, disagree = 2, and slightly disagree = 3.

Strongly agree = 6, agree = 5, and slightly agree = 4.

Add up your score when you are finished to interpret your results. If the enterprise scores under 36 the organization is ready for a software audit and will be able to defend itself. If the enterprise scores 37 – 60, the organization is moving in the right direction and should consider implementing a Software License Management Tool very soon. If the enterprise scores more than 60, the organization is not currently ready for a software audit. They should make audit preparedness a top priority.
