There are a handful of publishers that seem to be “on the warpath” of compliance audits at any given time. These publishers have done their homework and developed a list of licensees who could be at risk of an out-of-compliance status. As IT asset managers, we should be ready for a publisher to walk through the door with an audit letter at any moment. One of the best ways to prepare is to exercise and evaluate our ability to respond and work through the nuances of these audits. This is referred to as the “self-audit”.
Self Audit Best Practice Guide
From the various conferences I have attended and through everyday professional networking, I have found that most companies perform these self-audits in a manner that, generally speaking, leaves a lot to be desired as preparation for a real audit. In my experience, most companies think that self-audits are limited to looking at inventory and comparing it to entitlements. While this is effective at a minimal level, this limited process leaves out much of what we would actually go through in a real audit. I have found that a deeper self-audit process can bring to the surface the issues that a simple inventory and compliance check cannot.
If you want to be efficient in a software compliance audit, you should prepare for just that: a real audit. This means more resources will be involved. It means there are more things to consider than just inventory and entitlements. It means more time spent and more improvement opportunities. It also means you will be well prepared for all the facets of an audit when Mr. Publisher comes knocking.
Let’s break it all down into a framework that everyone can use to be successful in this realm. We will cover the basics of most publisher audits and the main factors and roles involved.
- Auditor – Someone who knows licensing well and has influence internally to apply pressure.
- Audited Party – Send the “letter” of intent to different people in your org to test the process of who handles the audits. Multiple responses are not a good sign.
- Negotiation Team (if different) – Should be the ITAM program manager with legal assistance as applicable
These roles should be firmly assigned, and each person must play the part they are given. In practice, the auditor should expect a response in the timeframe allotted in the audit letter. The audited party should walk through what their company does to ensure proper responses to audit letters. If you need to get a legal sign-off, you should be doing that. If not, then get whoever would sign off on the audit response involved as if this were a real event. Ideally the auditor should have an executive supporting them to apply pressure when needed. Splitting all these roles up can be challenging, but it will improve your audit response process if everyone knows what they are expected to do.
- Inventory – Auditor time frame, audited time frame
- Completion target for internal team – complete finalization and sign-off target
- Response times – measure effectiveness at each step in the audit response process
- Sign-Off – How long does it take to get through inventory, legal, etc.?
Timeframes should be specifically set for all parties and measured throughout the process. In practice there should be a clock that starts when the audit letter arrives; this is the overall progress meter. Man-hours should be documented from the start as well so that an overall cost can be calculated for a typical audit response.
- Responsible parties must work within their roles and take them seriously
- Vacation scenarios can be tested to ensure coverage
- What data we provide vs. what we have is often different and should be scrutinized
- Communication management (single point of contact, or SPOC) – How well is communication performed in accordance with guidance from legal and upper management?
Without guidelines, this exercise has the potential to be a complete waste of man-hours. The guidelines should be agreed upon when developing your organization's self-audit framework. Once these are in place, everyone should be held to them. A playbook, of sorts, is always a nice thing to have at each team member's desk so there is less confusion when events happen. Guidelines for self-auditing should also include various scenarios such as the vacation scenario listed above. Everyone should have a backup on their team. If you have a case where the main audit responder is not adequately backed up, the audit letter should still be sent. Make your teams step up to the challenge and you will find the standouts who may be potential backups for those who generally take the lead.
- What tool will be used to perform the inventory?
- Who will perform it?
- What is the point in time that data will be gathered?
One thing I have taken away from each audit I have been a part of is that no two publishers have the same expectation for data sources and/or collection tools. While most of them want to use an inventory collection tool of their own, whether it be a script or an actual executable, there is always room for negotiation here. The companies I have worked with have tools in place for discovery, and they push to use those inventory sources instead of allowing an unknown tool to end up in their systems.
The auditor decides compliance based on:
- Purchase Records
- Entitlement Records
- Inventory Response
The auditor also sends the report on findings and asks for validation of the calculations if they are different from what was provided.
Calculating compliance should mimic, as much as possible, what you would expect from each specific publisher. If publisher XYZ uses a standard method of calculation, that method should be used, based on what the auditor knows. Deliberately inserting mistakes and miscalculations into the findings can also be helpful here. This happens from time to time when being audited, so practicing how you respond to these events is very helpful.
Out-of-Compliance Negotiation
- Did either party perform proper distribution of licenses according to the license terms?
- Reinstatement fees
- Unclear/ambiguous licensing terms challenged from both sides
- Timeframe for an audit blackout once this audit closes, written by legal as part of the post-audit closure
This is where money is saved or burned in any audit. Negotiators should be well versed in litigation as well as contract and EULA verbiage. They should know what to look for and how to push back.
Needing to put a clause about the timeframe between audits into the final audit resolution is often a result of not doing so when the initial software purchase agreement was signed. This happens more often than not because publishers are often silent on audit rights, which leaves the door open for both publisher and consumer to potentially get burned in the end. Both sides of the audit should continue to take this negotiation seriously and document anything they see that may be helpful when the real thing happens.
If you are out of compliance, how do you plan to remediate?
- True up
- New purchase
- Uninstall and pay fees
A formal remediation plan should be in writing and agreed to by both sides with signatures. This will alleviate any further questions and allow for a new baseline to be set once the details are all ironed out. Make sure the legal department is involved in the written plan.
- Meeting all timelines
- Everything In Compliance
- Successful Negotiation
- Man Hours within reasonable expectation
Outcome incentives are optional, and I can see both the good and the bad sides of having them. As an IT asset manager I can say that this is all just part of the job, and the incentive to perform these self-audits is the lessons learned at the end of each one. With that said, this takes extra time and effort to perform, and people who take this exercise seriously could be rewarded with small gestures to keep them motivated. A company ‘pat on the back’ award or a gift card, company logo items, etc. all make great incentives, and I know they would be remembered and help with overall motivation in any team.
When the exercise is finally over there should be a report that shows how much the audit cost the company in man hours as well as any tool improvements that may have been necessary to complete the audit. Lessons learned should be included in each outcome report to improve the process, procedure and timing of audits. These reports should be delivered to executives to show the effectiveness and value of the IT asset management team. As you improve, the results should get better and better. If they don’t, there is work still needed to improve the team.
An example of an outcome report is below. There are so many things that can go into these reports, but remember who your audience is. You want to deliver an executive view of effectiveness and readiness from your team.
Adobe Self-Audit Exercise – September 2012
Using this framework, anyone can perform a test of sorts on how they would survive the real event. Take the information provided and add names, dates and actions, then get to work!
This will ensure you are well prepared for any real audit that may come your way.
Remember, practice doesn’t make perfect, but you can be well on your way to an effective and efficient publisher audit response if you are well versed and honed in on what is most likely coming at you when it happens.
About Stephen Becker
He has a passion for all facets of IT asset management and has held many roles within the overall discipline including software asset manager, hardware asset manager, vendor manager, and program manager.
With nearly 20 years in IT, he brings a considerable amount of experience working with all levels of employees and management. He has had the opportunity to be a session speaker at an industry conference and has written several articles about IT asset management. He currently holds the CITAM, CSAM and CHAMP certifications from IAITAM.