Thank you to everyone who contributed to our community survey back in July 2020.
The results were compiled over the summer of 2020 and shared during our online conferences for EMEA, North America and APAC last year. I’m now pleased to share the results in full.
This is part two of a three-part series.
- In part one I explained the basics of audit defence (what is audit defence?)
- In this part I will share the results of our survey and explore which software publishers are currently auditing
- and in part three I will share audit defence strategies from the ITAM Review community
Survey Introduction – Which software publishers are currently auditing?
The objective of the survey was to understand how the threat landscape had changed as a result of COVID-19. Audits are a tried and tested method of revenue generation for software publishers, so we wanted to assess how things had changed as a result of the pandemic. We looked at audit volumes, the frequency of software audits and the impact they are having on your business.
ITAM best practice suggests that IT Asset Managers should regularly assess their software portfolio for potential risks. The risk of a software audit, with the time-consuming process of going through it and potentially paying settlements, is very real and present for many ITAM Review readers. I would urge readers to look at the publishers currently auditing mentioned in this survey, especially the aggressive ones, compare them to their own portfolio, and prepare accordingly.
Survey Results at a glance
- The threat of audits has increased, and is expected to increase further in 2021
- Many audits are sales based, looking for any form of revenue. No one is exempt; even hospitals are being audited
- The average organisation spends 60 working days addressing audit requests
- Microsoft, IBM and SAP are most helpful during an audit
- Micro Focus, Oracle and IBM are least helpful during an audit
- Many publishers are actively auditing. It is not just the usual suspects. Just because a publisher is smaller it doesn’t necessarily mean they will be less vicious
The threat of audits has increased, and is expected to increase further in 2021
50% of you are reporting increased risk as a result of COVID-19, and around 12% anticipate more risk in the future. I hear anecdotally that software publishers are stepping up recruitment into their license management / audit teams for 2021. As the repercussions of the pandemic slowly filter through the economy and therefore to publisher sales numbers and share price, everyone should anticipate more desperate behaviour from certain publishers.
Back in July 2020, 27% of ITAM Review readers were already experiencing an uptick in audit behaviour and 20% were reporting a significant increase. Whilst 38% reported business as usual and no change, the overall sentiment is an increase in requests.
To demonstrate what I mean about publishers being increasingly desperate for revenue or otherwise lacking moral fibre, the survey highlighted hospitals being audited or receiving audit requests during the outbreak. Most hospitals are resource constrained at the best of times let alone during a once in a lifetime pandemic, yet somebody at each of these publishers has decided to proceed anyway. It’s simply mind boggling.
Melody Ayeli, the chair of ITAM Forum, the professional body for the advancement of the global IT Asset Management industry, was alarmed to see the number of hospitals reporting audits during the height of the pandemic:
“Targeting hospitals with a license audit during an international health emergency, which essentially could take away from their efforts to gather resources and work on plans to minimize the toll of this virus, indicates an unfortunate lack of proper judgement from these vendors.”
Audits for revenue generation
Survey respondents also reported that some vendors are desperate for a little bit of revenue, just to put something on the books. To quote directly from one of the survey respondents, “They are more desperate vendors, happy to accept any kind of commercial product proposal, as long as some form of revenue is achieved”.
This is quite an interesting perspective, given that this is supposed to be a compliance audit rather than a sales engagement, but it demonstrates the purpose of modern day audits as outlined in part one.
Melody Ayeli has called out software publishers for using audits as a surreptitious sales tool during the pandemic:
“The ITAM Review’s poll aligns with the feedback that we have received from our members and peers in the industry, that software audits have increased considerably during the COVID-19 pandemic. Audits are a common route for software publishers to increase revenue, so this behavior may be unsurprising during a recession as vendors face their own financial challenges. However, interrogating customers for even more money during their struggles in an international health and economic crisis does not demonstrate a spirit of partnership, nor does it align with most vendors’ messaging to promote the overall good of our communities.”
The final point to make about current audit activity is regarding inventory quality. When you build an effective licence position, when you’re potentially defending an audit, you obviously need good consumption data and inventory data. That might include desktops and laptops. And for some of you, with your entire workforce suddenly working remotely, inventory quality might’ve gone out the window. For some of you, you might have the existing infrastructure to inventory remote workers, but for some of you, it represents a real hole in your defences and something to look at over the coming months.
Audit frequency and duration
The average organisation spends 60 working days addressing audit requests (The average audit takes 20 working days to work through, and ITAM Review readers receive, on average, three requests per year).
That audit request is not addressed by one person. The Asset Manager doesn’t defend on their own; there is a team or different stakeholders involved, but the 60 working days, or three working months, is an indication of the amount of work going on defending against audits. To understand why we need to “defend” against an audit in the first place, please refer to the first article in this series.
Some organisations are able to open and shut an audit request within three months; kudos to the 27%. Nearly 50% of respondents take between 4 months and 9 months to close an audit, with the odd exception dragging on for 12, 18 or 24 months. Only 7% of you have had no audit requests, and roughly 20% have had one. The most common response, at 42%, was two to three requests. And then some unlucky organizations have had one a month for the last 12 months.
Most Helpful vs Least Helpful Software Publishers
As we mentioned earlier in this article, ITAM best practice suggests reviewing your software publisher portfolio and asking yourself: “Of the publishers that we manage, which ones are risky in terms of an audit threat? How notorious are they in the market? Are they currently auditing? And are they active?” Hopefully this section will provide an indicator and help towards that process.
Most Helpful during a software audit
Firstly we looked at which vendors were the most helpful. Is the publisher constructive? Do they look at the long-term relationship? Do they offer you help and guidance and flexibility?
Number one is Microsoft. Microsoft was also top in our previous similar audit survey back in 2016.
They’re generally considered the most constructive of software publishers when it comes to software management, generally helping customers, especially if you’re buying something. If you can buy some cloud or Microsoft 365 subscriptions, all compliance misdemeanours can be swept under the mat.
This is a form of lock-in by Microsoft, but they are still generally more helpful than other publishers.
Second is IBM. Interestingly, IBM is second most helpful and third least helpful. So there are clearly some mixed views about IBM in the market. If we had a bigger data set it would be good to understand the reasons for this difference. Are different countries getting different experiences? Are different partners executing audits giving customers different experiences? IBM also has the new IASP model which might be having an impact.
Finally, on the most helpful front is SAP, who didn’t feature on the most helpful list back in 2016. In the last few years SAP were in the firing line with their customers for their bungled handling of indirect access leading to several customers being taken to court. So it’s good to see them turning a corner in terms of customer perception.
Least Helpful during a software audit
Next we looked at the least helpful software publishers. They are unscrupulous, focussed on short-term revenue and don’t care about the customer relationship. They are motivated to squeeze a bit of revenue out of you at any cost so they can hit their number.
Number one is Micro Focus. I don’t see a great deal of innovation coming out of Micro Focus, it appears to be the place where software titles go to die, where the strategy is to milk as much revenue from IP as we can before the copyright or customer share expires. Micro Focus are aggressive and don’t appear to care about the relationship. Oracle is at number two, falling from number one back in 2016. I think they will be quite disappointed to be at number two, because Oracle’s business model is founded on hostility. Followed by IBM and Quest.
Publisher Audit Risk Radar – Which software publishers are currently auditing?
In addition to most helpful and least helpful, we compiled a summary by notoriety and number of mentions in the survey. Again, Micro Focus is top, followed by Microsoft (see above).
What is important to note is that it’s not just about the usual suspects. There are some smaller vendors active but that doesn’t make them less vicious.
In addition to the publishers mentioned above the following vendors were also cited as being active:
- PITNEY BOWES
- SOFTWARE AG
In the next article I’ll share best practices on how to defend against audits.
If there are any other publishers that are currently active please leave a note in the comments. Thanks. Martin
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.