IAITAM Preview: Audit Defense – What Every CIO Should Know

11 April 2014
8 minute read
Best practice

IAITAM Preview: Audit Defense – What Every CIO Should Know

11 April 2014
8 minute read

Bernhard Boehler

Ahead of the IAITAM Spring Conference taking place in Las Vegas, April 28 – May 1, I interviewed Bernhard Boehler, Co-founder and CEO at Aspera, about his presentation  “Audit Defense – What Every CIO Should Know”.

In just a few words, tell us what it is you do. What does an average day look like for you?

Well my kids call me Dad, but after breakfast with my family is over, I’m just Bernhard. Officially I’m Co-founder and CEO of Aspera. That means I meet quarterly with the USU board and travel regularly between Germany and the United States. My typical day involves a marketing or sales meeting, preparing slides for the next conference, WebEx meetings with US customers, and then driving home to see my family and fly in my micro-light into the sunset.

Your session at the IAITAM conference will be focused on audit defense. Why do you see this as an important topic?

Simply put, a software audit is a headache – so much so that when the process is over, most organizations try to put it behind them and move on as quickly as possible. My presentation focuses on the “gotchas” of an audit after settlement has been reached. Things like: the settlement is made on a global level, but local non-compliance still exists and needs to be balanced out. These are things that most enterprises don’t realize until the next audit comes around and these mistakes come back to work against them.

The entire audit process can be a daunting process for anyone, how do you recommend sharing responsibility and tasks?

This is a question I get asked a lot, so I created a PowerPoint slide that outlines which departments should be on the audit team and what their tasks include:


What do you think is the biggest mistake that a CIO can make when it comes to audits, and how can they be avoided?

The #1 challenge for CIOs is dealing with the financial and legal actions after the audit is settled. There is a large sum of expenses from the audit – not just the purchasing of missing license quantities. IT should not foot the entire bill alone; and the CIO’s challenge is to create a cost distribution plan that is acceptable to the other involved stakeholders and that fairly distributes all the incurred expenses.

Often with things such as audits people search for a “quick win”. Do they exist? If yes, what are they? If no, why not?

Yes, there are numerous ways to improve a company’s perceived under-licensing on the spot.

Verify the auditor’s purchase reports to look for missing licenses, which negatively impact the enterprise’s licensing position! In an audit, it’s common practice for the auditor to give the audited organization a report of its purchasing history from the publisher. In principle, the report shows all the licenses the enterprise owns from that particular publisher.  In reality these reports are usually incomplete because they only contain certain types of license acquisitions. For instance, in an IBM audit, the auditor’s purchase report will not contain acquisitions made outside of IBM’s Passport Advantage. The purchase reports for Microsoft audits often do not contain System Builder Licenses, or licenses acquired through Open Agreements. And most reports do not contain licenses that a company purchased from a business acquired by the publisher, but before the products were integrated into the publisher’s product line. Certain licenses transferred within the organization, or attained by the organization through M&As, also may be missing from the report. And any locally acquired licenses will not be there either.

Check the scripted reports for errors that lead to over-counting, including double counting of software installations, ghost installs (false positives), incomplete product names (e.g. missing editions), wrong product name/edition, high watermarks, and counting deactivated cores.

The best defense to improve the license position is to not blindly trust the auditor’s reports. This is why it’s important to have a Software License Management program. A Software License Management Tool helps an enterprise to verify its own data before it’s handed over to the auditor, as well as check the auditor’s reports and recognize potential errors and opportunities to improve perceived under-licensing. If the company finds discrepancies it can produce the proof of entitlement through the tool, and thereby prove to the auditor that licenses are missing in the purchase report. Moreover, the company can use the tool’s automated software recognition features to uncover errors in the scripted reports before they’re submitted to the auditor.

And finally, the compliance report generated automatically by the tool may reveal licenses previously not considered. If the company is using multi-metric products, then applying licenses with a different metric may eradicate under-licensing. The tool will enable the company to try out different license metrics to evaluate the best licensing situation, and empower the company to argue against the auditor’s possibly less-than-favorable application of alternative metrics.

What is your advice for staying in control of an audit?

The best way to prepare for – and stay in control of – an audit is to avoid it all together by implementing a software license management plan, which includes:

  • Having the appropriate staff resources & processes in place
  • Having tools to support these resources and processes. Specifically the tools should verify the quality of the data and rapidly produce preemptive, documented and verifiable compliance reports
  • Assertively analyzing the auditor’s results, using your own data as a baseline, to check for missing records and errors (because there will be missing records and errors)
  • Using data and documented processes to defend against discrepancies until the results are corrected and agreed upon by all parties

In the end, the worst thing that can happen is that an organization is exposed without any steadfast license management program in place, and is therefore forced to accept the auditor’s results— discrepancies and all.

Your presentation specifically targets CIO’s but do you have any advice for IT Asset Managers?

Actually, my presentation is targeted at IT Asset Managers and CIOs. SAM projects are often made a low priority (for various reasons) until it gets uncomfortable in the C-suite due to an impending audit. The first half of the presentation shows how IT Asset Managers can communicate the business case for SAM using audits as the driving factor.

There’s a ton of advice I could give IT Asset Managers—the advice in and of itself should be its own interview. But, in that case, I would let my good friend and co-founder Christof Beaupoil do the talking. Throughout 2013 Christof gave a presentation called, A 10-Step Guide to Audit Defense. The presentation is a step-by-step explanation of the entire audit process for IT Asset Managers to follow. He talks about strategies to use internally to defend the company and advises about pitfalls to look out for between the enterprise’s data and the auditor’s. The presentation was so popular that we made it into a recorded webinar and created an Audit Defense Package around it.

I don’t want to plug the webinar, but you asked for the advice! You can see it here.

If you could only give one piece of advice on this topic what would it be?

The best way to prepare for and stay in control of an audit is to avoid it all together by implementing a preemptive software license management plan.

What is the most important lesson you have ever learned when it comes to ITAM?

Of all the lessons I’ve learned about ITAM over the last decade, it’s hard to pick just one as the most important. But if I have to choose one then I would say it’s the “quality in = quality out” rule. SAM is only as successful as the data it’s built on, and the data it’s built on is only as good as the processes established to execute a company-wide inventory and purchase collection. Finally, these processes are only as strong as the amount of internal management support needed to get them off the ground.

Any final pieces of advice?

Don’t wear socks with sandals; it negates the point of sandals.

Can’t find what you’re looking for?