
Reducing Impact – Software License Compliance Audits

By Phara McLachlan
March 14, 2014

With the increase in compliance activity that is going on in the business world, is there anything that you can do to avoid a license compliance event in the future? Not really, short of not buying software to help run your business, but who can afford to do that? Vendor compliance audits are fast becoming inevitable for mid- to large-sized companies. For the vast majority of organizations, the question is not if you get audited, but how many times, and larger organizations get audited more often.

Reducing Impact

You may not be able to avoid a software license compliance audit, but you can start now to reduce the impact that an audit may have on your organization by implementing some best practices for software asset management (SAM). These practices can reduce some of the red flags that non-compliant companies reveal to those vendors who audit.

Software Asset Management Best Practices:

  1. Established policies and processes for how software is used, distributed and managed within the enterprise.
  2. A software discovery method/tool for determining what is installed and/or being used throughout the enterprise.
  3. A repository for storing software license data (contracts, purchase records, etc.).
  4. A periodically scheduled self-audit process rooted in the same methodologies used by vendor auditors that allows you to address any over- and under-licensing. The added benefit to this is cost control.
  5. Centralized procurement processes to eliminate the many ways that software (and other assets) can be over or under purchased.
  6. A goal to negotiate better software license agreements, rather than accepting the stock “boilerplate” contract that a vendor will offer.

License Compliance Red Flags:

  1. “If something smells fishy, it probably is.” The “smell test” concept is a universal concept that applies to license compliance. If something does not seem right to an account manager with a customer, it probably isn’t and should be looked into.
  2. Conflicting/Correcting statements such as “Last week I told you I thought we were using 500 licenses, but I found out that we are using only 350.” Why the difference? What changed? What method did you use to arrive at that count? These are questions you should be prepared to answer if you make conflicting statements to a vendor account manager.
  3. Most end-users want the increased functionality that comes with using the most recent version of a software product. Unwillingness to upgrade to a more current version may come across as suspicious, as a validation of licenses in use usually accompanies an upgrade or purchase of upgrade licenses.
  4. There may be a perception among end-users that they can overcome a shortfall in licenses by changing the licensing model under which they are purchasing and may request to explore other licensing models. Most publishers will automatically desire an audit in this situation, as they have set metrics for determining the exchange of licenses from one model to another and will need to determine what is currently in use to accomplish this.
  5. Shifts upward in the employee base with no accompanying purchase order are another red flag. The acquisition or merger of two companies often becomes public knowledge, as does any company growth. Most companies like to toot their horn with this positive news, and a good account manager will be on top of changes to their client base like this. Usually, more employees translate to more licenses being required to use the software, and the vendor will be expecting a dialogue to address this.

In the end, the more a vendor account manager knows about and is involved with your efforts to manage your software licenses, the better off you are.  The idea behind this is that the more a software vendor knows about your internal compliance initiatives, the less likely they will be to initiate an unexpected audit of your contract, as the expense will be perceived as unnecessary!

By implementing these changes and addressing these issues, you can be much better prepared for the inevitable vendor audit.

Steps after the Letter Arrives

Once you’ve received the audit notification letter, the following steps should be taken to disseminate, cooperate, aggregate, and mitigate for this and future audits:

  1. Disseminate – There are certain internal organizational entities that must be notified when a software audit is imminent, so as to give them time to prepare for it and assign a person to be a part of the audit response team.
     1. Legal – Whether it is internal or external, your legal department should be notified and given a copy of the audit notification letter. They are in the best position to counsel on what legal steps there may be to lessen the impact of the audit process. Hopefully, they have experience in software licensing and can add that experience to the process.
     2. IT Management – IT management that is not aware of the audit but ought to be notified may include senior management up to the CIO level. Systems and/or Network administrators may need to be notified if their systems will be impacted by the audit process.
     3. Senior Management – Depending on your corporate culture and how involved senior management wants to be, you may need to notify even the CEO of an upcoming audit.
     4. Purchasing – Both internal procurement staff and external software fulfillment agents need to be notified so that they can provide the relevant purchase data for proof of license ownership. The vendor will bring their own purchase data, but do not count on their data to be accurate. It is quite possible that you may show information in your files that adds to what they will bring, as fulfillment agents do not always pass on the purchase information back to the vendor in a timely manner.
  2. Cooperate – Being cooperative throughout the audit process will make the process go more smoothly and have less impact on your time and business. Of course, that does not mean you should agree to everything the auditors ask of you, but you should weigh carefully your responses to reasonable requests and avoid an escalation of rhetoric based on an emotional response. The auditors have a process to follow that may or may not be flexible, depending on the vendor. It’s more or less the same process they use for all of their customers. Working cooperatively with them to accomplish the scope of their audit eliminates the red flag that is thrown when reasonable requests are met with unreasonable responses.
     1. Schedule audit date – There may be a requested audit date or range of dates in the notification letter, but these are still usually negotiable. Find a date that works best for you and offer it, or a range of alternatives, as a counter-proposal to the auditors. At times, on-site audits are scheduled in the same geographic area to reduce travel costs and maximize the usage of time by the auditors, and there may be less flexibility in a situation like that, so be prepared for this type of response to your counter-proposal.
     2. Be responsive to inquiries – Giving the same courtesy of a quick response to inquiries by the auditors that you would give to any of your customers can go a long way to building that level of trust you want during the audit process.
     3. Ask lots of questions – Knowing what is in store for you throughout the audit process helps to ease your own mind and can help to set up your expectations of what the final result of the audit will be. The auditors should provide some information about their process and scope, but be prepared to ask lots of questions to fill in any gaps you may feel are there.
  3. Aggregate – Having at hand all of the relevant information to prove your case is essential to your audit preparation activities.
     1. Collect purchase records – As mentioned, your purchase history is absolutely essential to proving what you’ve purchased and are entitled to use.
     2. Collect proofs of purchase – Any proofs of purchase you have (Certificates of Authenticity, purchase invoices, license certificates, etc.) need to be gathered in case they are asked for.
     3. Contract/software license agreement – Obtaining a copy of your contract and/or software license agreement puts you on even ground with the auditors, as the audit scope is always determined by the contract you have with the vendor. The contract is the audit baseline.
  4. Mitigate – Reducing the impact of the audit on your business operations as much as possible, as well as reducing the risk that future audits are going to negatively impact your business, is the goal of mitigation.
     1. Self-audit – Conduct a self-audit to give yourself a heads up on what may be an approximate outcome of the audit. Self-auditing should also be an integral part of any license management program and will do much to maintain compliance on a go-forward basis.
     2. Audit Response Team – Assign an audit response team and a point of contact for the audit process. This person is responsible for acquiring what the auditors need, for all communication, and for liaising between various parties within the company.
     3. Frontloading – Reduce the audit’s impact on your business through frontloading the audit process. This means that you do as much as possible before the auditors actually arrive on-site. For instance, if there are documents to be provided, send them to the auditors, and if there is data to be collected, collect it and send it to the auditors for processing. Don’t wait until they arrive. Through frontloading, your “opening meeting” could actually turn into a “closing meeting” because all of the work was done before the auditors arrived.