Practical Software Audit Defense: Pt I

Audit defence advice

Software Audits have been a challenge for organizations for years – whether from software publishers themselves, through their auditing partners such as Deloitte and KPMG, or the number of industry watchdogs around the world such as the Business Software Alliance (BSA), the Federation Against Software Theft (FAST) or the Software & Information Industry Association (SIIA).

Most software publishers now have some form of software audit practice and some are aggressively pushing license compliance audits as a revenue source. Gartner[1] states that ‘the likelihood of an organization experiencing two or more audits annually is as high as 68%’ so it’s best to be well prepared.

Recently, we spoke to Andréa Perrot, an experienced Software Asset Management practitioner at our partner Trustmarque, about how to defend a software audit and come away with a positive outcome. Here is our practical guide for managing any vendor’s audit.

STEP ONE: STAY CALM AND RESPOND

“The chance of receiving a software audit letter from a large vendor such as Microsoft, Oracle, Adobe, SAP or IBM is high, regardless of your organization’s structure or size,” states Andréa Perrot, Senior Solutions Consultant at Trustmarque. “It’s nothing personal against the SAM team, it’s part of the audit cycle,” she adds.

As we explained in our Microsoft Audit v Review blog, the worst thing you can do in any vendor audit is to ignore the initial request. The auditor will not go away. A polite, prompt response within a few days of the audit letter coming through will make what follows easier and more amicable. It is important that you understand the full scope of the proposed audit, including what license agreements, products and parts of your organization will be subject to scrutiny.

You’ll also need to establish what the vendor or auditor requires in terms of proof of license and what constitutes ‘software usage’. You should work with the software auditor to agree a schedule for the software audit, and if their timing is not convenient then suggest an alternative. If a third party is coming to conduct the audit, you need to agree to this too.

Step One checklist:

STEP TWO: CREATE A WORKING GROUP

The creation of a working group should already be defined as part of your Audit Response process or policy. If not, the working group needs to be formed. “Create your working group as soon as possible, this may include external partners or your software reseller. Do not put all of the responsibility onto one person as this will become a burden,” states Andréa.

Andréa continues by emphasizing that senior management must acknowledge that (if the work has not already been done as part of an effective SAM program) resources will be required to comb through the data and ensure that all licenses and agreements have been gathered and that any transfer of licenses and agreements from mergers and acquisitions has been captured.

Senior management may need to approve extra resources, such as licensing specialists, to help with the audit. The working group should contain key personnel from the major business units, including Software Asset Management, Finance, Procurement, HR, Legal and a technical IT resource. Assign each member a task or area of responsibility to spread the workload and reduce the drain on any one resource. An example of the tasks for each member of the working group is listed below.

| Stakeholder | Task |
|---|---|
| Senior Management | Only point of contact for communications between the auditor and organization. Overall responsibility for SAM |
| Software Asset Management | Data analysis looking at risks and optimization |
| Finance / Procurement | Gather all of the entitlement and contract information |
| HR | Ensure that a growing or diminishing workforce is accounted for when budgeting future license counts |
| Legal | Understand the legalities of existing contracts and proposals made by the auditor |
| Technical IT | Gather all of the inventory data |

Once the working group’s roles and responsibilities have been defined, it is now time to gather the required data for the software audit and verify that it is an accurate representation of your estate.

STEP THREE: DATA GATHERING & VALIDATION

Entitlement data

In the example above, the Finance and Procurement teams have responsibility for gathering all of the entitlement data related to the software audit. Best practice Software Asset Management functions manage their licenses and contracts centrally from a solution like Snow License Manager.

This means that, as long as it’s accurate, you can export all of your entitlement and license compliance data directly from the solution.

It is important that you gather all entitlement data for the vendor that is auditing you, including upgrade/downgrade licenses, base licenses and even historical data spanning back seven plus years. Some of the challenges organizations face with entitlement data are missing licenses, no base or upgrade licenses, or entitlements from mergers and acquisitions that have not been migrated properly.

The auditor will want to map your license lifecycle to ensure the organization is covered adequately for existing installs. Again, if you have added all of your entitlement information in Snow License Manager this will be easy to prove.

Data from your technologies

With Snow License Manager, you can export all of the inventory and usage information required quickly and easily with a number of out-of-the-box reports to save both time and money. You can export all of your license, inventory, and usage data within minutes, giving you more time to check the data for accuracy and understand where your risks may lie.

If you do not have a SAM solution, you will need to gather all of your inventory data from sources like SCCM, Active Directory or ADDM. This isn’t ideal as it isn’t ‘audit-ready data’, but it is better than not having any transparency of your estate.

Another challenge is that an organization without its own data will not know its previous install numbers and risks, so whatever the auditor tells them will have to be taken as a given, as they have no data with which to challenge the auditor. The auditor will use a SAM technology of their choice (often Snow License Manager, as it is used by more SAM engagement partners worldwide than any other license management technology).

Equally, a vendor may suggest another inventory tool or script such as Microsoft’s MAP Toolkit if none is already implemented. IBM contractually obliges customers to use its License Management Tool (ILMT) to gather information on Processor Value Unit software, with some auditors then using Snow License Manager to better process and reconcile this data against entitlements.  

You should always validate your IT inventory data yourself – and ideally do it before any data is presented to the auditor.

Definitely do not send your own data to an auditor without first sanity-checking it, and never accept an auditor’s data without checking it against your own technology and reports.

Data from license providers and other partners

If you don’t already have it, you should ask your licensing partner (what Microsoft now calls an LSP – Licensing Solution Provider) for the entitlement data that they hold for you. Make sure that the information matches your internal entitlement data, and that the license entitlement covers all of your organization (including any M&A entitlement).

If you have any questions about the data the licensing partner has for your organization, then now is the time to ask. You must have the most up-to-date report. We mentioned previously that when gathering the working group, senior management needs to understand the resources and time required to complete an audit. Many partners, especially Microsoft Licensing Solution Providers, have their own SAM or licensing team, so it is worth asking what extra support they can provide during an audit.

For example, it may be an IBM audit and you identify that you do not have an internal IBM licensing expert. During a software audit for vendors such as IBM, Oracle, SAP and Microsoft, it is vital that you have someone with expertise in the vendor’s licensing models and contracts. Your licensing partner may have such a resource, so during the initial data gathering process, you should identify what additional licensing or SAM support they can provide.

Question the Software Audit data

“You must absolutely challenge the auditor and vendor’s data. If something doesn’t look right, or the vendor or auditor has missed certain pieces of entitlement information, then you are well within your rights to go back to them and say that the data is inaccurate,” states Andréa Perrot. Remember that each member of the working group plays a key part in getting through the audit, and has their own roles and responsibilities. Gathering, validating and going through the audit process is not something that should be left on the shoulders of the Software Asset Management team – it is a team effort.

Step Three Checklist:

In part two we’ll look at how you actually manage a vendor audit, and what you should take away from an audit to ensure you are prepared for future audits.

In order to successfully manage an audit and understand your risks, you need to have complete visibility of your estate.

We’ve produced an e-Book about how to remove Blind Spots from your Network.  

[1] Competitive Landscape: Software Asset Management Tools. Published: 26 August 2016. Analyst(s): April Adams, Hank Marquis, Gary Spivak