One of the questions that we, at The ITAM Review, get asked most often is “How can I prevent being audited?”. The answer is always the same – you can’t. The best thing any organisation can do is to be ‘audit ready’. Being ‘audit ready’ requires a proactive SAM estate, one that is ready for a software audit to be carried out with as little disruption to the organisation as possible.
Being proactive with your SAM program is the best way to be. Obviously there may be challenges or situations that arise that require you to be reactive, but even then the SAM team will be better prepared for such events. The idea of being proactive is that you are completely on top of the highest risks within your SAM estate, and you are prepared for any scenario. This includes the creation of mature SAM processes, having the right tool in place for your organisation, and having clear roles and responsibilities for SAM.
A number of factors need to be in place for a proactive SAM estate:
There are huge benefits to being proactive with a SAM program, regardless of potential audits. Being proactive helps an organisation be ready and prepared for any scenario, and also helps with the SAM program’s success. Key benefits include reduced risk and greater visibility of risk, less waste, more efficient IT spending and smarter decision-making. Other advantages include:
Being reactive with a SAM program is dangerous as you are never in full control of your software, licenses, policies or processes. This can lead to non-compliance, non-standardised software, no processes in place and software being procured from the wrong sources. In relation to being audited, having a reactive SAM program results in massive upheaval when the audit letter comes, with a number of resources effectively having to drop everything for the software audit.
Organisations with a reactive SAM program are scared of auditors, whereas those with a mature proactive SAM estate are so confident they are compliant that they invite auditors into their organisation.
Auditors look for non-compliance and quick financial wins. Whilst no organisation is immune from being audited, the auditors are less likely to come knocking on the door of an organisation that is known to have a proactive SAM estate, whether that’s known via word of mouth or because they’ve been audited before.
When established proactive SAM estates are audited, the level of disruption the audit causes to the organisation is limited, and more often than not the results of the audit are positive. If the auditors haven’t been able to generate a lot of money from the audit, the organisation in question is likely to be placed at the bottom of the auditors’ list for future audits.
Auditors talk amongst themselves. If, for example, Microsoft audit an organisation and find a number of non-compliances that add up to huge fines and new licenses, then they are going to report those findings to the press and fellow auditors. This in turn means that the organisation in question is likely to get a knock at the door from another big vendor.
Whilst this is a negative situation after a bad audit, it is a positive situation after a good audit. If minimal non-compliance is found, which in turn means a lack of revenue from fines and new licenses, vendors won’t report the situation to the press and auditors will tell fellow auditors that there is no real financial gain from auditing that particular organisation.
Once a proactive SAM organisation goes through an audit, they need to remember that it doesn’t mean they can relax and stop their existing proactive SAM program. There have been a number of cases where an organisation has jumped on the SAM wagon after a damaging audit, got themselves into a strong position and then decided their work is done. That couldn’t be further from the truth.
If you are audited, which is likely for one vendor or another, you must keep your SAM program going post audit. Even if you come out of the audit favourably, that’s no excuse to let up. Software asset management needs to be considered a living thing that needs constant attention, improvement and review. There are no excuses for having two bad audits in a row.
Having a proactive rather than reactive SAM program implemented is the best defence against the auditors. ‘Being audit ready’ is something that all organisations should aim for. Audits may still be disruptive, and you may still have non-compliance issues, but at least you are aware of any potential issues before the audit, so you can prepare. At the end of the day there are no excuses for using unlicensed software.