How to Conduct a Self-Audit for Software Compliance

By Phara McLachlan
January 12, 2020

If you’ve ever been lucky enough to experience a software compliance audit by a vendor or third party, you’ll know just how stressful and inconvenient they can be, especially when you are not prepared and are unsure of your license position. Implementing a software asset management (SAM) program is an efficient way to mitigate the stress and risk of a vendor audit, and a key element of this program is the self-audit. Conducting a periodic self-audit of software products from major vendors, especially those with active compliance audit programs, can remove much of your uncertainty and prepare you for the almost inevitable audit notification letter from a vendor.

To conduct a meaningful self-audit, you must first understand what the vendor would look for if they were conducting the audit. This knowledge will come from the vendor’s contract, as the contract will always be the baseline that the vendor audits against. The contract states what is required of both parties to maintain the business relationship, including the software license agreement and any addenda: an audit clause that details the who/what/when of any audits the vendor may conduct (or that the customer may conduct of the vendor), the license types and models, any record-keeping, self-audit, or reporting requirements, and any maintenance requirements. There may also be a schedule of what was purchased under this contract, which becomes a baseline or starting point against which software usage can be compared. There may also be limitations on where this software can and cannot be used (for example, are you permitted to use it outside of the U.S., or even outside of the state?).

Information Gathering

Once you understand the terms of the contract under which you will be conducting your self-audit, you can begin to gather the relevant purchase data, validating the schedule in the contract and identifying additional licenses purchased since the contract was signed. Armed with this data, you can begin to put together a clear picture of how many software licenses you are entitled to use in your organization. Your purchase data can be gathered from multiple sources, e.g., internal procurement databases, internal IT asset management systems, fulfillment agents/resellers, and the vendor itself. To get the complete picture, check all of these resources for information and don’t rely on just one. It’s possible that a reseller through whom you’ve purchased software has not passed on that purchase information to the vendor yet, so follow up on all of it to get the most information to build your purchase data picture.

Obtaining a precise count of how many software licenses are deployed

The first step in maintaining an accurate picture of your software licenses is maintaining a central repository that holds all of the data pertaining to software purchases, including receipts, serial numbers, the terms and conditions of your contracts, deployed hardware, and software installations. Once you have this, a third-party discovery tool combined with an ITAM tool is the easiest and most accurate way to collect deployment data. There are many types of tools that can do the job, some of which may already be part of software you own. If your self-audit is part of an ongoing SAM program, you probably already use a discovery tool and/or a central repository. When obtaining your data, make sure to take multiple discovered counts over the course of a few days or, even better, a few weeks. Software usage in an organization tends to ebb and flow from day to day and week to week, often because laptops connect to the network on an irregular basis, but also because of normal business operations. Use your highest count when comparing against your purchase data.

In the absence of a software discovery tool and/or IT asset management system, an old-fashioned “sneaker” audit can be undertaken, where you check each workstation and server in the organization (or a sample thereof). This is less accurate and requires many more resources, but it is not unheard of.

Whatever discovery method you use, the final step is to compare the count of what has been purchased with the count of what has been deployed and is being used. Simply put, if you have purchased more licenses than you are using, or are using exactly what you have purchased, your license position is compliant. If you are using more licenses than you have purchased, your license position is non-compliant and you need to purchase additional licensing in order to become compliant. Although this seems rather obvious, when you don’t know for sure how many licenses you are using at any given time, it’s very difficult to evaluate compliance. In fact, most organizations do NOT know what they have in terms of licenses, giving software vendors the opportunity to use audits as an additional revenue stream! In addition to knowing the license count, you must be sure to use the licenses in the manner stated in the software contract. Many contracts include terms and conditions on how each license can be used and deployed, and following them is required to remain in compliance.
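The reconciliation described above, as an added example that is not part of the original article: purchase records from several sources are merged (the same order reported by both procurement and the reseller is counted once), the highest count across several discovery snapshots is taken for each product, and the result is compared to the entitlement. All product names, order identifiers and counts are constructed sample data.

```python
from collections import defaultdict

# Constructed purchase records from multiple sources (procurement, reseller, vendor).
# The same order may appear in more than one source, so records are de-duplicated
# by order id before totals are computed.
PURCHASES = [
    {"id": "PO-1001", "product": "DBServer", "qty": 10, "source": "procurement"},
    {"id": "PO-1001", "product": "DBServer", "qty": 10, "source": "reseller"},  # same order, seen twice
    {"id": "PO-1042", "product": "DBServer", "qty": 2, "source": "reseller"},   # not yet reported to vendor
    {"id": "PO-1003", "product": "Office", "qty": 50, "source": "vendor"},
]

# Constructed discovery snapshots taken on different days: product -> installs seen.
# Counts fluctuate as laptops join and leave the network; "Visio" has no purchase record.
SNAPSHOTS = [
    {"DBServer": 11, "Office": 44},
    {"DBServer": 12, "Office": 48, "Visio": 3},
    {"DBServer": 13, "Office": 49},
]


def entitlements(purchases):
    """Total licenses owned per product, counting each order id once."""
    seen, totals = set(), defaultdict(int)
    for rec in purchases:
        if rec["id"] in seen:
            continue
        seen.add(rec["id"])
        totals[rec["product"]] += rec["qty"]
    return dict(totals)


def peak_deployed(snapshots):
    """Highest install count observed for each product across all snapshots."""
    peak = defaultdict(int)
    for snap in snapshots:
        for product, count in snap.items():
            peak[product] = max(peak[product], count)
    return dict(peak)


def license_position(purchases, snapshots):
    """Per-product compliance report: entitled vs peak deployed, with any shortfall."""
    owned, used = entitlements(purchases), peak_deployed(snapshots)
    report = {}
    for product in sorted(set(owned) | set(used)):
        ent, dep = owned.get(product, 0), used.get(product, 0)
        report[product] = {"entitled": ent, "deployed": dep,
                           "shortfall": max(0, dep - ent), "compliant": dep <= ent}
    return report
```

Note that a single snapshot would have shown "DBServer" as compliant (11 installs against 12 entitlements); only the peak count reveals the one-license shortfall.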

Now, You Are Ready

Once these steps are completed, and you have addressed any non-compliance with the contract terms or with the purchase and use of the software licensing, you are prepared for any vendor audit with full knowledge of your license position. If, however, you are fortunate enough not to undergo a vendor audit any time soon, you have at least met your audit terms and are managing your software licenses in a manner consistent with the self-auditing aspects of a good SAM program. At least for this software product or vendor, you have peace of mind, and that has benefits of its own.