Software License Audit

Software vendors, like all businesses, have the right to ensure that their products are purchased and used in the agreed and sold manner. Software audits, however, are far more onerous on the host organization, with little risk for the title provider. The potential for non-compliance fines and reputation risk, in addition to the cost of managing an audit process that may require several resources for months, certainly makes the reality of a software audit daunting. Software audits are particularly problematic because layers of complex licensing agreements, legacy data overlap, licensing documentation and use rights, to name just a few items, can lead to confusion over licensing entitlement. Audits can be triggered by past or present employees, vendor-discovered licensing anomalies, industry targeting, news about company changes (mergers, acquisitions and divestitures), and virtualization projects, to name just a few. One way or another, Gartner expects that all clients can expect at least one audit within the next 12 months.[1] Without prior preparation it will be difficult and expensive to prepare a response to the audit request. Given the audit time constraints and the multi-departmental data to collect, an unprepared organization will be at a significant disadvantage in demonstrating its compliance.

Preparing for the Inevitable

You need to develop policies and procedures to handle the audit before it happens. Processes for assessing current applications against purchase data and license rules take time to put together, and need to be automated and maintained. Developing an audit response strategy, determining what resources will need to be involved, and defining the communication channels to manage the audit process will allow for a structured approach to the audit.

Understanding Your License Agreement

The license agreement is the contractual agreement relating to the application’s use. This agreement needs to be clearly understood, along with all of its rights, entitlements and limitations. Audit details and the timelines around the audit itself will be defined in the agreement. Ensure that your legal department is a part of the audit preparation strategy, as the contract audit is a legal issue.

Define the Scope of the Audit

Managing and controlling the scope of the audit is key in order to avoid scope creep, unnecessary disruption and cost. The license agreement needs to be seen as the basis for the scope of the audit, with specific rights for the provider and the user. Assess the license agreement to determine if the vendor has the right to audit in the first place, as well as understand (i) the vendor’s definition of compliance, (ii) what products and versions the vendor is entitled to audit, (iii) the scope of the audit, (iv) what level of assistance is expected, and (v) when the vendor will conduct the audit. Ensure that you have written details of the scope and manner of the planned audit assessed and agreed upon by your legal team. Ensure that the required confidentiality agreements are signed by the auditors, along with assessing their reference details to ensure that they comply with your security policies. Further, you will need to request prior testing of any potential software that will be used in your environment as part of the audit in order to avoid disruption. Finally, define a vendor responsibility agreement to specify the levels of disruption that are to be expected and tolerated and avoid starting the audit until your legal department is satisfied with the terms and details. Ensure that you assess the situation around the current agreement as early as possible, as renewal periods can provide leverage with the final negotiations.

Working through the Audit

If you have already completed a software audit with the vendor, use the true-up agreement data as the new baseline for any audits going forward. Removing software or buying additional licenses will not be effective, as this will be easily discovered by the people trained to track this information. Ensure that one person is tasked with managing all communication and with ensuring that the scope of the audit is maintained. Be sure to have all data organized, structured and automated in order to avoid raising additional questions about the integrity of the data, which may result in additional resources being lost to the audit. Avoid providing data beyond what is requested, as this is likely to do more harm than good.

Creating your Audit Response

Avoid responding to the audit findings until the entire report is complete to avoid tying up additional resources. You will want to involve your legal and accounting departments after receiving the final report to ensure that the interpretation is in line with the license agreement, as well as to assess whether any settlements can be negotiated as a component of a new contract. With the complex nature of software and the upside for the vendor, it is inevitable that your organization will be audited. Without an active software asset management program in place, it will be difficult to respond to audit requests without committing significant resources under the pressures of the audit. Preparing for the software audit requires an ongoing software asset management plan. Software asset management needs to be automated, given the fluid nature of the products and the need for speed and accuracy. With an active and automated software asset management plan you will be able to avoid potential audits and/or drastically cut the required preparation time, and will likely uncover some additional software savings.

About Provance

For over 13 years Provance™ IT Asset Management software has been used by enterprises and governments to drive down IT costs, increase service management efficiency, and reduce risk. The Provance IT Asset Management Pack complements the Incident, Problem and Change Management capabilities of Microsoft® System Center Service Manager with powerful IT Asset Life Cycle Management and Software Asset Management.  Supporting ITIL® and the Microsoft Operations Framework, Provance strengthens IT effectiveness of companies at every level of the Microsoft Core Infrastructure Optimization model. Provance is a Microsoft Gold Certified Partner with Competencies in Software Asset Management and Systems Management, and a System Center Alliance member.

[1] Frank DeSalvo. “Preparing for an Impending Software Audit.” Gartner Oct 27, 2009
