Thank you to everyone who contributed to our community survey back in July.
The results were compiled over the summer and shared during our online conferences for EMEA, North America and APAC. I’m now pleased to share the results in full.
This is the first of three articles:
- In part one I will explain the basics of audit defence
- In part two I will share the results of our survey
- and in part three I will share audit defence strategies from the ITAM Review community
Survey Introduction – The software audit landscape
The objective of the survey was to understand how the threat landscape had changed as a result of COVID-19. Audits are a tried and tested method of revenue generation for software publishers, so we wanted to assess how things had changed as a result of the pandemic. We looked at audit volumes, frequency of software audits and impact it is having on your business.
ITAM best practice suggests that IT Asset Managers should regularly assess their software portfolio for potential risks. Risk of software audit and the time-consuming process of going through the audit process and potentially paying settlements – is a very real and present risk for many ITAM Review readers. I would urge readers to look at the publishers currently auditing mentioned in this survey, especially the aggressive ones, and compare it to their own portfolio, and prepare accordingly.
Part One – What is audit defence?
Before we dig into the survey results. It is worth going back to basics for those new to the ITAM field.
When an organisation signs a software agreement, there might be an “audit clause” which allows the software publisher to audit whether the buyer of software is using their IP according to the terms they’ve signed. The publisher is basically trying to protect their copyright.
This is similar to a landlord renting property who might perform periodic checks. The landlord wants to ensure you’re not abusing their property.
So, if I’ve signed an audit clause, why do I need to defend against it?
Newcomers to the ITAM field might be slightly perplexed as to why we need to “Defend” against an audit in the first place. If an organization has signed an agreement with an audit clause, why is “defence” so important?
Audit defence is important for the following reasons:
A. Ensuring a balanced outcome
The software publisher typically delivers the audit via an audit programme. This programme has been developed by the publisher to defend their intellectual property. It might be delivered by an audit company, a partner or directly with the publisher.
It’s not independent arbitration, carefully considering the evidence from both sides.
For example, an auditor assessing compliance against a user centric licensing model might want to assess the number of users in an organisation against entitlement. The auditor might look at your active directory and see 10,000 users and records of entitlement from the publisher and present a picture of non-compliance. In reality, your active directory might be out of date, and your entitlement might be missing purchasing history. Just because the auditor has a shiny suit and comes from an audit firm – doesn’t mean they have perfect knowledge about your company or your environment.
Organizations need to “defend” their position to ensure the auditor gets the full and accurate picture.
One of the first steps of learning audit defence, which we’ll learn more about in the next article, is learning when to push back.
B. Filtering rogue audit requests
Software audits requests come in many forms. From the formal letter to the CIO instigating the audit clause, to softer “reviews” or “assessments” through to sales scoping exercises. Sometimes it is really useful to work with a strategic partner to assess your environment to prepare the path for new innovation. But for the majority of the time, it is software publishers using the threat or guise of audit to up-sell or lock in your next renewal. Our job is to “defend” against phoney requests.
C. Audits are abused
Finally, it has become the industry norm for software publishers to abuse the audit clause or audit mechanism in the interests of new business.
The tactic is known as Audit, Bargain, Close or Audit, Bargain, Cloud. The software publisher uses whatever means possible to identify a discrepancy, this is then associated with an eye watering settlement figure. Then it is proposed that the customer’s pain will be taken away if they buy the new product.
Recent litigation with Oracle exposed this tactic for propping up the Oracle share price. We also saw this from many other software publishers whilst running the Campaign for Clear Licensing a few years ago.
This technique is a manipulation of the customer and also grossly anti-competitive. Whilst the customer is on the back foot defending the audit and speculative audit settlements, they are being locked into that vendor and not exploring alternatives.
A point reinforced in our previous audit survey back in 2016. In that research, we found that
“the average audit takes 194 working hours and takes around seven months to complete. IT departments are wasting time trying to interpret licensing terms and defending audits, rather than exploring competitive solutions or reviewing their true requirements.”
So, now we understand why we need to perform audit defence in the first place. Let us understand what the audit threat landscape looks like. In the next article I will cover who is auditing, how long audits are taking, the resources consumed and behaviour of the major vendors in 2020.
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.