This article has been contributed by Christof Beaupoil, President and Co-founder, Aspera Technologies Inc.
Software compliance audits are always an inconvenience for the affected companies, especially when it comes to time and money. In conjunction with effective Software Asset Management (SAM), however, there are a few key strategies that can help businesses to better manage the process towards a successful outcome.
It’s a fact that software vendors take advantage of a company’s ever-changing IT infrastructure to increase their revenues from software licenses. Through the virtualization of IT environments, the growing use of cloud solutions, and the concept of Bring-Your-Own-Device, companies are deploying software differently than originally intended. As a result of these new usage scenarios, the license requirements are different, and therefore the risks of violating license terms and conditions grow exponentially.
Software vendors leverage this insight by exercising compliance audits to spot check their customers’ software usage. It is an open secret that major software publishers owe a large portion of their license revenues in 2012 to audit income.
The actual audit inspection is commissioned to an accounting firm whose auditors conduct the process and require the customer – the contractual buyer – to provide total transparency into their IT systems. In fact the greatest challenge during an audit is to achieve a satisfactory agreement with the auditor, as variations in the license data from both parties are inevitable. These variations occur not only because of ambiguous license conditions which leave room for open interpretation, but also because the software publishers often have only partial information about the customers’ license portfolio due to varying purchase channels, restructurings, mergers and acquisitions.
The use of a License Management System (LMS) gives companies the chance to centrally manage existing licenses and their underlying product use rights, and thus to negotiate on par with the software vendor in case of a software audit. What’s more, there are tangible strategies for each stage of an audit which organizations can follow to keep their internal efforts and external costs as low as possible.
The audit is announced to the customer in an official letter from the software publisher. Within the letter the contracted auditor is named, as well as start and end dates and the scope of the audit.
The targeted company should remain calm in this situation and should under no circumstances buy more licenses right away. These licenses would not be applicable to the results of the audit. Additionally, changing the relevant system installations, such as uninstalling the software, is strongly discouraged. The auditor can detect these actions which may lead to legal consequences.
The best audit is one that can be prevented. Therefore, the company should first challenge whether the contracted accounting firm is suitable to conduct the audit. A good argument to use is the firm’s other engagements with the software publisher, for example if the accounting firm is also the financial auditor of the publisher—or of the customer. It’s also not uncommon for there to be no legal basis for an audit because sometimes there is no corresponding audit clause in the relevant contracts. So doing a bit of preliminary investigation could go a long way towards preventing an audit outright.
If the audit cannot be prevented it is critical to set basic conditions: first, the company should designate a single person to handle all communication with the auditor and should not pass on any preliminary or “raw” information to the auditor or the publisher. Next, the publisher should be required to make a clear statement about the scope of the audit; in other words, which products and system platforms will be affected. If the audited company is part of an international organization this phase of the audit can take months to complete. Especially in the case of large corporations it’s hard for software publishers to identify which legal entities–and which companies–in which countries–belong to the corporation, and can therefore be included in the audit. Only when the scope is fully clarified can a start date be determined.
Understanding the timeframe gives the company the necessary time to prepare for the audit. The most important preparation step is to build an internal audit team. It is recommended, in addition to IT staff members, to involve representatives from the legal and sourcing/procurement departments. Furthermore, the team should have license experts (local license managers), as license conditions from various publishers are so complex that it’s impossible for one person alone to keep track of them all. An LMS can be helpful here, because these systems map out the processes, roles, and responsibilities.
As soon as the scope of the audit is fixed, the team should define what information the auditor will be given access to, and in what form it will be passed on to him. It is absolutely essential to contractually bind this definition to a non-disclosure agreement and to include a designated time period in which the data can be passed on to the contracted auditor. At the end of an audit it is highly recommended to only hand over the compliance balance to the auditor and not the underlying so-called raw data.
Software publishers and the auditor are interested in getting as much access as possible to the customer’s data. Therefore, they offer the company support in the form of scripts that scan all the sources from which the auditor would like to gather data. These so-called workbooks perform deep scans into the system configurations. A company that does not have its own methods in place to gather information is fully reliant on the information gathering methods of the auditor.
The use of a License Management System provides a company benefits in this situation, and defined processes enable the company to collect its own information. Through established workflows it’s possible to provide reliable and auditable data regarding maintenance renewals, upgrades, and license renewals, while internally evaluating the compliance position. In this case, the company can refuse to deploy external scripts and tools, therefore avoiding the risk of the auditor’s workbooks gathering information the company does not want to give to the publisher–such as information about competitors’ products in use. After the data is collected the auditor is entitled to verify its plausibility through spot check sampling. For companies that do not have an LMS it is recommended to first gather purchase and entitlement data to determine what licenses actually exist.
A critical phase during the data gathering concerns the actual application of the licenses. Here the challenge–especially for large organizations with complex IT architectures–is that metrics are complicated and do not always have clear rules for interpretation. As a result of incomplete license portfolio information provided by the publisher, auditors can mistakenly account for an inflated license demand, and therefore report that more licenses are required than are really necessary. A catalog using the manufacturer part number (also known as the SKU), which contains information about license conditions and rules for calculating the required number of licenses, makes it possible to determine the licensing requirements of each software product.
Data will need to be provided again and again throughout the audit, which the auditor then assesses and gives back for approval. The customer should not always accept these interim assessments without discussion. This is why it’s important to insist on long timeframes. So-called “Quality Gates” also serve as a good solution. This means that a new phase in the audit can only be started if both sides have accepted the outcome of the previous one.
At the end of the audit the compliance balance is presented, which the auditor most likely generated manually. It is based on the publisher-supplied license data and the customer’s usage data, together with the additional information the audited company gathered in the collection phase.
Since license metrics are known for being applied differently depending on the situation, there are often two different results. Therefore, in preparation for the concluding discussion with the auditor, “counter-audits” are very valuable. The company generates a compliance balance using its own tools and compares this to the balance created by the auditor. It is advisable to discuss and resolve thresholds for possible discrepancies with the auditor before accepting and signing-off on the final compliance balance.
If under-licensing is shown as a result of compliance deficiencies then additional licenses need to be purchased, and sometimes–under certain circumstances–with retroactive maintenance payments. In this case a product-independent agreement should be sought in the negotiations with the publisher, rather than to negotiate individually for each software product.
Software Asset Management in general, and the results of software audits, should be understood as a continuous cycle: agreements as a result of acknowledgements made by the software publishers should be included in the calculation of future compliance balances. These concern, for example, the publisher agreeing to exceptions, such as bundling or the selection of a metric in certain usage environments. Using a License Management System to record and continuously apply these exceptions will help companies confidently prepare for audits in the future
The worst mistake that a company can make is to underestimate the amount of work an audit requires and to sit back and passively accept the audit terms, processes and results produced by the auditor. Armed with formal audit response procedures which minimize both organizational disruptions and costs, proactive preparedness is possible—and ultimately the key to a successful audit outcome.