This audit defence / software contract negotiation checklist has kindly been shared by Chris Moffett for The ITAM Review community. Thanks Chris!
This list contains items that are nice to have, negotiable or non-negotiable for inclusion in your next audit defence or contract negotiation.
If you have any other items to add to this list or have an alternative point of view please contact us.
To learn how to defend against software audits with your peers join our free audit defence workshop on the 12th April in Amsterdam, further details itassetmanagement.net/events .
- Finalization of audit includes a non-audit clause that will extend for a minimum of 4 years.
- Purchase of licenses for agreed non-compliance will be processed via a defined reseller.
- No non-compliance penalties other than license purchases for non-compliant areas will be assessed.
- All communication regarding the ongoing audit must go through the dedicated audit response team; the publisher/auditor must not attempt to discuss the environment, installation counts or any other audit-related data with other employees.
- Establish a cost for lost work effort that must be paid by the publisher/auditor if, upon completion of the audit, no areas of non-compliance are identified (assuming we offered to self-report and they declined).
- Provide publisher/auditor with specific AD extract your company is comfortable using for the completeness review.
- Identify a percentage (e.g. 5% or less) of non-compliance below which no license purchases or penalty payments are required.
- Method for extracting/defining devices that are used for DR/BCP/Dev.
- Identifying software installations that are trial version and not a licensable product.
- Scope of audit should be based on a specific group (e.g. a specific business unit or division).
- Scope of audit should include a specific list of domain(s).
- Scope of audit should include specific geographic locations.
- Scope of audit should include specific device types (e.g. desktops, laptops, servers).
- Scope of audit should include a specific list of operating systems (e.g. Windows desktop OS only).
- Determination of the start date and a grace period for installs that might be found after the last pull of purchase data occurred.
- Auditor to identify which values within the AD extract identify a machine as “in scope” or “out of scope”.
- All sensitive data (e.g. computer names) is redacted with a dummy value.
- 3rd party auditor must perform audit.
- If no third party auditor, your company has the right to disagree with the findings.
- Dispute resolution/mediation process must be defined prior to audit commencement. This includes identifying which terms still hold (i.e. no audit for [x] years) should no agreement be decided upon.
- Define how to determine that a product is a full installation (e.g. if a .dll is installed but no executable).
- Your company may choose to complete a “Self Audit” and provide report to Supplier or third party auditor.
- If instances of non-compliance are identified your company shall true-up any coverages at the then current discounted cost; no other penalties and/or fees shall apply.
- Entitlements must be agreed and confirmed prior to starting any other action.
- Auditors must be onsite when reviewing deployment data and all data must remain on a company provided laptop that has no network connectivity.
- Your company provided laptop for audit exercise must be returned to audit response team employee assisting in the audit at the end of each day.
- Only summary-level data can be taken off site upon completion of the ELP (Effective License Position).
- Only company (x) discovery tool can be used when gathering deployment data.
- Finalization of audit includes a non-audit clause that will extend for a minimum of 2 years.
- Definition of which products are in scope and how those products are licensed (e.g. per user, per install).
- Publisher/auditor must provide a list of product keywords, executable or process names, and install paths for the products that will be pulled back by the inventory tool.
- Upon completion of the audit, supplier shall verify that company (x) is fully compliant
- Supplier and third party auditor must have current NDA in place with your company
- Supplier and third party auditor must agree to your company’s current NDA terms
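Several of the items above (a specific list of domains, locations and operating systems in scope; carving out DR/BCP/Dev devices; a clear rule for what marks a machine in or out of scope; computer names redacted with dummy values) come together when the audit response team actually prepares the AD extract. The script below is an added illustration of that preparation, not code from the checklist author or The ITAM Review. The sample AD rows, the domain and OU names, and the scope rules are constructed assumptions; the one design point worth copying is that the dummy names are keyed HMAC pseudonyms, so the same machine always gets the same dummy value (counts still reconcile across data pulls) while only the audit response team holds the key and the mapping back to real names.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample AD extract (not real data). Columns mirror the usual
# Get-ADComputer properties an audit response team would export.
SAMPLE_AD_EXTRACT = """name,distinguishedName,operatingSystem,lastLogonDate
WS001,"CN=WS001,OU=Workstations,OU=Amsterdam,DC=corp,DC=example",Windows 10 Enterprise,2024-03-01
WS002,"CN=WS002,OU=Workstations,OU=London,DC=corp,DC=example",Windows 11 Enterprise,2024-03-02
DEV05,"CN=DEV05,OU=Dev,OU=Amsterdam,DC=corp,DC=example",Windows 10 Enterprise,2024-02-20
DR01,"CN=DR01,OU=DR,OU=Amsterdam,DC=corp,DC=example",Windows Server 2019 Standard,2024-01-15
SRV01,"CN=SRV01,OU=Servers,OU=Amsterdam,DC=corp,DC=example",Windows Server 2019 Standard,2024-03-01
LAB02,"CN=LAB02,OU=Workstations,OU=Amsterdam,DC=lab,DC=example",Windows 10 Enterprise,2024-03-01
"""

# Scope as it might be written into the audit agreement (hypothetical values):
# which domains, geographic OUs and operating systems are "in scope", and which
# OUs hold DR/BCP/Dev machines that are carved out of the licensable estate.
SCOPE = {
    "domains": {"DC=corp,DC=example"},
    "locations": {"OU=Amsterdam"},
    "os_prefixes": ("Windows 10", "Windows 11"),  # desktop OS only
    "excluded_ous": {"OU=Dev", "OU=DR"},
}


def domain_of(dn):
    """Return the DC=... components of a distinguished name as the domain key."""
    return ",".join(p for p in dn.split(",") if p.startswith("DC="))


def classify(row, scope):
    """Apply the agreed scope rules in a fixed order and return a single reason."""
    dn = row["distinguishedName"]
    parts = dn.split(",")
    if domain_of(dn) not in scope["domains"]:
        return "out-of-scope domain"
    if not any(p in scope["locations"] for p in parts):
        return "out-of-scope location"
    if any(p in scope["excluded_ous"] for p in parts):
        return "excluded DR/BCP/Dev"
    if not row["operatingSystem"].startswith(scope["os_prefixes"]):
        return "out-of-scope OS"
    return "in-scope"


def pseudonym(name, key):
    """Stable dummy name: HMAC-SHA256 over the upper-cased host name under a
    secret key kept by the audit response team. Same host -> same dummy value;
    without the key the auditor cannot recover or guess real names."""
    digest = hmac.new(key, name.upper().encode(), hashlib.sha256).hexdigest()
    return "HOST-" + digest[:10]


def build_extract(csv_text, scope, key):
    """Return (rows to release to the auditor, alias->real-name mapping).
    Only the dummy name, OS and scope decision are released; the DN and the
    mapping stay with the audit response team."""
    released, mapping = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        alias = pseudonym(row["name"], key)
        mapping[alias] = row["name"]
        released.append({
            "device": alias,
            "operatingSystem": row["operatingSystem"],
            "scope": classify(row, scope),
        })
    return released, mapping


def scope_summary(released):
    """Counts per scope decision, the summary-level figures that can leave site."""
    summary = {}
    for r in released:
        summary[r["scope"]] = summary.get(r["scope"], 0) + 1
    return summary


if __name__ == "__main__":
    # The key would normally come from a secret store; a literal is used here
    # only so the sample runs stand-alone.
    rows, name_map = build_extract(SAMPLE_AD_EXTRACT, SCOPE, b"audit-response-team-key")
    for r in rows:
        print(r)
    print(scope_summary(rows))
```

Run with `python3 scoped_extract.py` (file name assumed). The released rows carry no real host names or OU paths, every machine in the agreed domains still appears with a scope reason, so the auditor can check completeness against the rules in the contract, and the `name_map` dictionary is the only thing that links a dummy value back to a real machine.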
About Martin Thompson
Martin is also author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management.
On a voluntary basis Martin is a contributor to ISO WG21, which develops the ITAM International Standard ISO/IEC 19770.
Learn more about him here and connect with him on Twitter or LinkedIn.