Despite the growing availability of information and training materials about the critical value of Software Asset Management (SAM), many companies still find themselves unprepared when it comes to software compliance audits.
This may be because software license audits don’t always clearly start as an “audit”. Audits often evolve from a “friendly talk” between an IT administrator responsible for a specific technology and a software vendor representative, who is often a well-trained license expert or a third-party auditor. The customer is invited to take part in a “voluntary” compliance exercise that also identifies license gaps and areas of misuse.
If your company gets invited to a software vendor license audit, use this quick checklist to stay protected.
Never ignore the audit letter. It won’t go away, and sooner or later they will follow up with you. Acknowledge receipt and start preparing for the software audit process.
Immediately inform your senior management and legal counsel upon receiving an audit/engagement notification letter. IT staff must verify information before sending it back to the software vendor.
You should also inform any of your affiliated companies before you engage in an audit. In some cases, you might be pleasantly surprised to find out you are covered under other contracts. Or you might have a valid reason why you should not be participating in such activity.
Remember that audit engagement letters don’t always reach the right people. It might start somewhere down in the IT support chain and only reach senior management or the SAM Manager after the audit process is well underway. Discuss such cases with your IT teams so that they know how to respond.
Allocate the appropriate time, resources, and an internal project manager. Some vendors might require very detailed installation/setup information, involving lengthy questionnaires, data-gathering instructions with scripts, and countless follow-up emails asking for further clarifications.
To prevent compliance issues, be one step ahead of the auditors by performing your own in-house compliance check. Make sure you check and verify all the data and responses before sending them out to the auditors.
Don't buy new licenses. It may be seen as panic buying and may not be considered in your final compliance position report. Audit outcome calculation approaches vary across vendors and regions. Some vendors will ignore any new purchases made after the audit letter receipt date. As a result, you might end up paying twice for the “last minute” licenses.
Locate all contracts to ensure you understand the contract scope, including any regional or company affiliate restrictions. Understand permitted software usage and applicable licensing metrics. Some software vendors hide new changes in the small print or internet links of your purchase documents.
Properly manage communication between your internal staff and external auditors. Only provide what is requested and make sure it aligns with your organization's security protocols. Consider an NDA.
Ensure the information provided to outside parties does not breach your organization's security protocols. Your IT Security Manager might not be comfortable releasing IP addresses to third parties. Address any potential legal issues promptly.
Always double-check the reports and analysis that you receive from the auditors. Some reports might look and sound very complex. Do not hesitate to ask for more details about the calculation methodology or to challenge the findings. Sometimes auditors make mistakes or assumptions when they do not have complete information.
Remember, you are the expert on your own environment! It’s your right to dispute calculation discrepancies or facts that you find are being misrepresented.
Remember, it is not in the auditor’s interest to optimize your license position or to find your missing entitlement.
Use upcoming renewals, big purchases, or quarter or fiscal year-end to build a stronger negotiation position during a software compliance audit.
Think about what you’ve learned during this audit experience. Use this as an opportunity to be even better prepared for the inevitable next time:
Read the "Complete Guide to Software Audit Defense" for more information about navigating industry standards, optimizing business operations, and leveraging the audit report for better software management.