10 Steps to Navigating a Software Audit

Let’s be honest — when you get word that one of your software vendors is going to audit you, your heart rate quickens and your stomach drops. These in-bound inquiries are almost always time consuming, and they can be very costly to an organization.

It doesn’t have to be this way. Software audits are disruptive, but there are ways you can lighten the load and mitigate your risk. Before any audit notification comes in, it’s crucial to have effective hardware and software asset management processes in place to ensure your inventory and license compliance positions are current and accurate. This will smooth out reporting and reduce the risk of submitting inaccurate data. 

Common audit triggers

Before we dive into the ground rules of software vendor audits, it’s important to note the events that typically prompt most audits. They include: 

Exercise caution when your vendor offers an assessment review. These reviews may be a veiled attempt to find you out of compliance. Rather than sending any data to the requestor, simply state your information security guidelines for not sending company confidential data to third parties. Soon thereafter, review your usage and address any known issues for that vendor because a proposed assessment review is very often a precursor to an audit.

Once the vendor has informed you of their intent to audit (sent by either letter or email from the vendor or third-party auditor to the person who last signed the contract or renewal), your internal process should launch quickly. Here are 10 steps for successfully navigating a software audit.

The 10-step process

  1. Notification. Don’t ignore an audit request. Once the notification letter arrives, notify your ITAM team promptly with “private and confidential” added to the communication. All communication surrounding the audit should be marked as such to avoid any legal repercussions. Don’t make any changes to your current state — limit the deployment of new installations and do not uninstall any applications unless you’re decommissioning the device. 
  2. Assemble the audit board. Gather your key stakeholders and don’t assume everyone understands the audit process. Clearly define roles and responsibilities and set timelines.
  3. Put the team to work. The first step is to gather and review all license entitlements, contracts and agreements associated with the audit. Then engage with all the necessary areas of the business and review your audit objectives while considering previous audit recommendations. Designate a single primary point of contact for the auditor from that point on, and continuously circulate all documentation and reports.
  4. Acknowledge the letter. You are required to acknowledge receipt of the audit request, and your agreed-upon point of contact should handle this communication. Clarify which products are included in the audit at this time.
  5. Propose a non-disclosure agreement (NDA). Most software publishers and auditors will agree to negotiate an NDA to control the handling of audit data. It protects all involved.
  6. Meet with the auditor. During your first meeting, clearly define the scope of the audit, including products, legal entities, geographical locations, etc. The auditor will discuss the required data, the form of evidence, and how they want you to provide it to them. The auditor may also mention scripts or tools they want to use to gather data. If they do, they should walk you through exactly what those scripts or tools do before anything is run.
  7. Gather the data. Only collect data that has been defined and in a form that is agreed to by all parties. Normally an audit is focused on network discoverable devices. It’s prudent to identify any standalone devices and their ownership that could be in the audit’s scope. Relay all findings back to your audit board for review and sign-off.

Note: Where possible, it’s a best practice to use tools already within your estate to gather audit evidence.

Shortlist of what to do, and what not to do

Software audits are usually lengthy and often take between 3 and 18 months. Here’s a summary of our suggested steps to help streamline the process and position you for a successful outcome:

What to do

  1. Promptly forward the audit letter to the ITAM team.
  2. Clearly confirm receipt of the audit request to the auditor.
  3. Add a “Private and Confidential” classification to all communication about the audit.
  4. Define the audit board RACI.
  5. Get all parties to sign the NDA.
  6. Make sure that you understand the data before sending it to the auditor.
  7. Only give the auditor the data required, and make sure that your audit board is happy with the data.

What not to do

  1. Most importantly, don’t do anything that could have legal repercussions or give the impression you have tried to manipulate the results of an audit.
  2. Do not delete instances of the software in question from numerous machines that you believe may be out of compliance. If an audit is resolved in court, even the semblance of impropriety could be costly.
  3. Do not give the vendor immediate access to the data.
  4. Do not share any data with an audit vendor without the audit board’s authorization.
  5. Do not run any scripts for the audit without the audit board’s authorization.

Additional resources

Though it can be enormously helpful, this short guide is just the starting point for an optimized and successful audit journey. Audits can be challenging (and costly) without clear visibility and manageability of your assets. Contact us for more information and guidance.