Are you prepared for a software audit?

December 22, 2016
Catalin Iancu

Author

Catalin Iancu

SAM Consultant

According to Gartner, software audits have had an accelerated growth over the last several years, with software vendors using the auditing process as both a stream of revenue and a way to stop piracy. Gartner’s reports also include proactive recommendations for CIOs and IT Managers to invest in Software Asset Management (SAM) processes and tools in order to remain compliant with the T’s & C’s of licensing contracts.

In addition to Gartner’s advice, I would also recommend the improvement of communications and operational flow between the IT and sourcing departments, as it is essential that a procedure exists to track the software asset from the moment of the acquisition (financial records) until it is decommissioned. It is very important to track the type of acquisition of a software license (type of contract), the way it is used (installation), the rights to move it between different devices, and the financial/legal documents that appendix it.

Recently, many vendors have made a series of changes to their licensing models by using a multitude of metrics (per CPU, per Core, NUP, PVU etc), which only add to licensing’s already complex nature. As the IT environment evolves due to virtualization and cloud computing, IT decision makers are required to have an increasingly diverse array of knowledge, much of which does not include licensing expertise.

The frequent changes in licensing rules, coupled with the lack of a software management and control tool, are putting companies in a major financial risk of getting audited by the vendors.

Common criteria used for selecting audit prospects

Just like meteorologists looking for changes in weather patterns to predict the week’s forecast, software publishers look for patterns in a company’s history that trigger potential red flags for an audit. A small sampling include:

Mergers and acquisitions

In mergers and acquisitions scenarios, the transfer and consolidation of software licenses between the entities is done poorly or not at all. In this case, the new entity generally lacks sufficient licenses to remain compliant with their deployed software.

The correlation made by vendors between your acquisition history and your company’s official financial data

This implies the number of licenses is not on par with the economic growth of the company, such as number of employees, net worth, etc.

Audits by another vendor

We have seen companies that are engaged in an audit by a software vendor get targeted by other vendors as well.

Licensing contracts that are not renewed

This category includes companies that don’t present an interest in renewing their ongoing licensing contract or moving to another type of contract.

Types of software audits

A “soft audit” is the easiest type of audit. As for this procedure, audited companies need to create an inventory of their used licenses and send this info to the vendor. The information will then be verified against the acquisition history to determine compliance.

A “hard audit” is more difficult and expensive, and is done by an authorized auditor that will act in the best interest of the vendor. The auditor is legally empowered to examine the licensing proof, to make technical on-site checkups, and to supply the results of said audit to the software vendor.

The best audit protection is the implementation of an on-going SAM solution, which is the result of the collaboration between the partner and the customer’s technical/licensing personnel that will keep your company’s software compliance up to date.

The 5 stages of a software audit

If you get placed in a hard audit, then you can expect to undergo a process similar to the below:

Kickoff meeting

In this initial stage, the representatives from the auditor contracted by the vendor will schedule a meeting (usually a conference call) in order to present the stages of the audit and the timeline.

Data collection

The audited company will have to collect a series of IT infrastructure related information that will have to be presented to the auditor, like:

  • The hardware configuration of the devices;
  • A list of applications installed on their devices;
  • The users that access these devices and associated applications;
  • Proof of licensing (documents).

Onsite visit

In this stage, representatives from the auditor will visit the audited company to verify the accuracy of the supplied information, eventually to collect additional information.

Draft report

Based on the information collected during stages 2 and 3, the auditor will prepare a delta report of installed licenses versus purchased licenses. This report will be sent to the audited company for checkup of possible errors and discrepancies.

Three-way exit meeting

In this final stage, a virtual or on-site meeting will be set up with all interested parties of the audit process. The auditors will present their final report and will answer any questions regarding it. After this final stage, the auditor leaves the final commercial/legal terms to be negotiated between the vendor and the customer.

If you feel as though you’re at risk of a potential software publisher audit, then it’s best to be proactive and invest in an independent partner to mitigate the risk. Otherwise, once you receive that audit letter, the process can be quite long and even potentially more costly to resolve.

Leave a Reply