Audit – A Five-letter Word That Evokes Four-letter Responses
As regular as clockwork, many of our customers receive audit demands from their software vendors to determine if they are compliant. I’ve heard from some Snow customers that they receive four requests a year.
Audits put customers in a curious position of strength or weakness, depending on their situation. On the one hand, some customers will face costly penalties as vendors seek them out as easy targets. Well-prepared customers, on the other hand, can put themselves in a position of strength and renegotiate existing agreements and have leverage to secure new licenses cost effectively.
Although many vendors are moving applications to the cloud via subscription models that make it difficult to be non-compliant, audit activity remains high. Audits are a means for vendors to encourage you to move away from on-premise, adopt cloud applications and upsell new versions and licensing plans.
When will I be audited?
Whether seemingly random or planned, formal or informal, or disguised as self-certification, vendor audits are inevitable. Do you get numerous requests for audits every year? Triggers for them vary. A request may come through up to a year before an enterprise agreement renewal, and others as little as two months prior. Mergers and acquistions can also spark audit activity, another reason may just be simply an arganizational change at the vendor, or even just a change in account or sales manager.
There’s a lot of opportunistic auditing too, you can tell if you receive an impersonal letter – some vendors hedge their bets that if they send out a few dozen form letters then a handful of companies will respond.
When you get the audit letter, the first thing to do is acknowledge for request for audit. Then get prepared to work with the vendor as much as you work against them. Ensure which contract you are being audited under, as you may have multiple contracts with a vendor – it pays to be attentive to the detail.
Some vendors will accept data from a SAM solution like Snow, but many will ask to run proprietary scripts. If a vendor wants you to run a script, do it first in a test environment, or on just a few servers before running it across the full estate. Ensure it’s working properly and check the output, to safeguard that it only provides information about the products from that particular provider. There’s huge value for vendors to retrieve the data on all executables, as it reveals what other products you have installed, and can give them significant information of competitors’ software that they will look to leverage during renegotiation.
If the vendor accepts data from your SAM solution using their parameters, you immediately have the advantage. And not just while addressing an audit, you will be able to prepare a report and regularly determine how you are performing against it. This is exactly what one commercial manager at one of the world’s top 200 universities does, “The great thing is, it’s our data, our system,” he says, “We have now proactively reached out to our reseller and shared that information with them. They can ensure we remain fully compliant. And they can help us by seeing whether the model we have is optimal and can give us advice on whether we should move from perpetual to subscription licensing.”
So, what’s your best defense? Process and preparation are vital. Maximize the insight provided by your SAM solution to continually optimize your software estate ahead of an audit. “We do have a responsibility not to steal,” says a SAM Manager of a large retailer. “The analogy that I like to share is if you were to drive a thousand-mile road trip, you’d expect to refill the tank and even pay tolls on some roads. From a business perspective I expect to pay for all software usage under the terms [in my contract] that have been agreed. Optimizing the estate is not a one-off exercise.”
Once you’ve received an audit letter, what tactics should you employ? A good first step is to maximize the notice period set out in your contract with the vendor. Don’t just leap into action and invite the auditors in. As Richard Spithoven of B-Lay advises in his Diffusing an Oracle Audit blog series, take the time to get your ducks in a row. Do acknowledge the audit request and tell the auditors you will respond in the maximum time allowed. Oracle, for example, might push you to start an audit within two weeks, but there’ll be a clause in your contract, something along the lines of ‘within 45 days’ written notice’ – that’s nine weeks.
Pay attention to the detail. Avoid some of the common pitfalls, like assuming that one vendor’s licensing models will hold true for another. Prepare to answer the following questions: Are you compliant? Does your level and type of license entitlement match how you have deployed and are using an application? Vendors want to know if you are under-licensed. A stable SAM practice, as opposed to one-time inventory reports, enables visibility at a user, system, and entitlement level. Empowering you to quickly report compliance, support decision makers with actual usage trend information and identify optimization opportunities.
SINGULAR APPROACH
As soon as you start addressing an audit, establish a single point of contact for the vendor. Doing so puts you in control of the flow of information and ensures that the vendor receives only one set of data. However, that doesn’t mean to go it alone. You should have a core team made up of SAM, procurement, legal and other management represented to ensure your compliance, financials and contracts are correct. Verify and validate all the information that you submit.
As my colleague Patrik Burvall points out in part one of The Three Phases of SAM Maturity, determining compliance starts with gathering data about software usage across your entire estate, and ends with reconciling that information against entitlements and contracts. A good SAM solution will automate this process, helping you to establish a single source of truth. Pulling in the data from one or even multiple inventory sources into a SAM solution provides an accurate report of deployment, configuration, licensing, and usage providing you with the data you need to demonstrate what is being used in your environment and how. That insight is the secret weapon you can take to the negotiating table when faced with an audit request.
Shift the balance of power
When managing any vendor’s software, audits, or contract negotiations, a robust SAM practice enabled by people, process and technology is the best defense. Leveraging your own data puts you in the driver’s seat, giving you the advantage at time of audit and ahead of negotiation and renewals.
In an audit, the side with the best data wins. With no data or poorly cobbled together spreadsheets, you will be at a disadvantage when countering a vendor. Effective SAM gives the power back to you, with accurate visibility across the entire estate for deployment, configuration, licensing and usage.
But don’t just take my word for it, the recent audit experience of some of our customers and partners speaks volumes.
The SAM manager of a large foods company recounts that recently it has participated in eight audits a year. Though vendors included big hitters such as Microsoft, Oracle and IBM, using the data from Snow helped it argue a demand for USD 1 million down to nothing. In addition, it was able to cut costs through software optimization and shrank its software maintenance budget by 5%.
Similarly, an Australian Enterprise was helped by licensing experts SoftwareONE to bring down the initial request of AUD 1.7 million (USD 1.3 million) by 95% for a true up of its Microsoft licenses. Thulsi Williams, SAM analyst at SoftwareONE, says “We felt that the figures provided by the auditors were vastly different from the ones in the Effective License Position report that we had calculated. We used the data from Snow to defend our case for a vastly lower true-up cost.”
Being audited regularly? Got an enterprise agreement renewal due soon? Why not download our new eBook of Winning Strategies to Beat Audits from 5 Top Vendors, just click on the link below.
