Despite the growing availability of information and training materials about the critical value of Software Asset Management (SAM), many companies still find themselves unprepared when it comes to software compliance audits.
This may be because software license audits don’t always start clearly as an “audit”. Audits often evolve from a “friendly talk” between an IT administrator responsible for a specific technology and a software vendor representative. This is often a well-trained license expert or a third-party auditor. The customer is invited to take part in a “voluntary” compliance exercise that also identifies license gaps and areas of misuse.
If your company gets invited to a software vendor license audit, use this quick checklist to stay protected.
1. Don't ignore the audit request
Never ignore the audit letter. It won’t go away, and sooner or later they will follow up with you. Acknowledge the receipt and start preparing for the software audit process.
2. Engage your senior management and legal counsel
Immediately inform your senior management and legal counsel upon receiving an audit/engagement notification letter. IT staff must verify information before sending it back to the software vendor.
You should also inform any of your affiliated companies before you engage in an audit. In some cases, you might be pleasantly surprised to find out you are covered under other contracts. Or you might have a valid reason why you should not be participating in such activity.
Remember that audit engagement letters don’t always reach the right people. It might start somewhere down in the IT support chain and only reach senior management or the SAM Manager after the audit process is well underway. Discuss such cases with your IT teams so that they know how to respond.
3. Treat the audit as a project
Allocate the appropriate time, resources, and an internal project manager. Some vendors might require very detailed level installation/setup information, requiring lengthy questionnaires, data gathering instructions with scripts, and countless follow-up emails asking for further clarifications.
4. Check your own compliance first
To prevent compliance issues, be one step ahead of the auditors by performing your own in-house compliance check. Make sure you check and verify all the data and responses before sending them out to the auditors.
5. Freeze all license purchases
Don't buy new licenses, it may be seen as panic buying and not be considered in your final compliance position report. Audit outcome calculation approaches vary across the vendors and regions. Some vendors will ignore any new purchases made after the audit letter receipt date. As a result, you might end up paying twice for the “last minute” licenses.
6. Carefully read your software contracts and supporting documentation
Locate all contracts to ensure you understand the contract scope, including any regional or company affiliate restrictions. Understand permitted software usage and applicable licensing metrics. Some software vendors hide new changes in the small print or internet links of your purchase documents.
7. Effective communication management with auditing teams
Properly manage communication between your internal staff and external auditors. Only provide what is requested and make sure it aligns with your organization's security protocols. Consider an NDA agreement.
8. Ensure security compliance
Ensure the information provided to outside parties does not breach your organization's security protocols. Your IT Security Manager might not be comfortable releasing IP addresses to third parties. Consider an NDA agreement. Address any potential legal issues promptly.
9. Confirm auditor findings
Always double check the reports and analysis that you receive from the auditors. Some reports might look and sound very complex. Do not feel shy to ask for more details about the calculation methodology or to challenge the findings. Sometimes auditors make mistakes or assumptions when they do not have complete information.
Remember, you are the expert on your own environment! It’s your right to dispute calculation discrepancies or facts that you find are being misrepresented.
10. Mind your differing agendas
Remember it is not in auditor’s interest to optimize your license position, or to find your missing entitlement.
11. Use the audit to your best advantage
Use upcoming renewals, big purchases, or quarter or fiscal year-end to build a stronger negotiation position during a software compliance audit.
12. Once the audit is over, don’t lose momentum
Think about what you’ve learned during this audit experience. Use this as an opportunity to be even better prepared for the inevitable next time:
- Update your IT policies and Software Asset Management strategy
- Apply same knowledge for other vendor license management
- Maintain documentation of all the data provided and audit outcomes
Read the "Complete Guide to Software Audit Defense" for more information about navigating industry standards, optimizing business operations, and leveraging the audit report for better software management.