We often refer to the concept of being ‘audit ready’ within the ITAM industry, and it is something that any organisation with an ITAM function strives to achieve. Due to the structure and nature of organisations, being ‘audit ready’ may look different for different organisations. However, the underlying principles and required data remain the same.
Firstly, being ‘audit ready’ does not necessarily mean being 100% compliant; as most SAM professionals know, 100% compliancy is an unrealistic target for the majority of organisations. An organisation may reach 100% compliancy for a certain software vendor, but given the changing nature of modern-day business and its reliance on software, the chances are that someone, somewhere will install a copy of that vendor’s software without a license. That’s fact.
Audit Ready is exactly that: making sure that you are in the best position possible should your organisation receive the dreaded audit letter. This is part of a mature, proactive SAM function that has already invested a lot of time, effort and resources to get to a stage at which it can build an audit readiness process/team.
Being audit ready reduces the disruption that an audit has on an organisation and also places the organisation in control over how the audit is conducted. It also means that before any audit takes place, the organisation is fully aware of its software licensing risks and understands how much money it could potentially cost in software licenses if it is audited. Some organisations even have a budget for fines and licenses from software audits, although this suggests that organisations that do so would rather pay auditors off than make sure it doesn’t happen again.
We have provided a checklist for required data below.
| Required data | Details |
|---|---|
| Inventory Data | Inventory data from a number of different tools would be ideal in this situation. One inventory solution may have missed certain machines; it is vitally important you have as much trustworthy data as possible. In some cases, some vendors (like Microsoft) will use their own tools or scripts in order to discover installs. |
| Entitlement Data | This includes things like past license agreements, software contracts, individual license purchases etc. It should go back far enough that any downgrade paths are clearly shown and that you can prove you are entitled to use the software that has been installed. |
| Product Use Rights information | What can you do with the license you have purchased? There may be valuable information in the PUR that could prove that you are using the software illegally, or that you are not optimizing your licenses. |
| Software Usage stats | Not a vital part of being audit ready, but knowing how often, and which components of the software, your users are using will help you to address high risks. Risks such as overspend, non-compliancy and not optimizing software license usage should all be considered risks that a usage tool can help address. |
| Assigned Roles and Responsibilities | Assigned roles and responsibilities need to be clearly defined and communicated to avoid audits draining key organisational resources. As long as there is a clear process in place, and each user knows their role, audits become a lot less disruptive and time consuming. Furthermore, having a dedicated audit response team means that the organisation will be in a far more proactive position to negotiate a successful audit response. |
| Results from any internal audits | If the SAM estate within the organisation is mature enough to be at the stage where it is proactively conducting internal audits, then the results and actions from said audits should be compiled and used as a form of audit defence. Organisations can estimate financial shortfalls, or how many licenses they will need should they be audited. |
| SAM or Licensing expert (resource) | Last, but not least, it is a massive help having a SAM or software licensing expert to help gather all of the required data, be able to interpret it and then make a number of suggestions for positive actions in order to be audit ready. Audits are a complicated subject and need experts to help manage and negotiate any shortfalls. |
In an ideal world the answer would be yes; however in the real world the answer is no. It is important to focus on being audit ready for the top 10 biggest software vendors that are currently within your estate. These are usually identified as ‘Tier 1’ vendors. Tier 1 vendors are usually those with the most complex license metrics and pose the biggest risks to your organisation from a compliancy point of view and a financial point of view.
Once you have identified your Tier 1 vendors, it is then important to prioritise which vendors you urgently need to get to a stage of being ‘audit ready’. It may be the case that you are aware of an upcoming audit, or that you are about to renew your licensing agreement with that particular vendor. Either way, trying to manage all ten vendors and get them up to the high levels that audit readiness requires is going to be a massive challenge and will take a lot of time; so take it one step at a time.
It could be the case that, once you have sorted out your Tier 1 vendors, the processes and methods used for those vendors can be filtered down to other vendors within your organisation. Tier 2 vendors are likely to be far less complex and pose a far smaller financial risk to the organisation, but still pose a threat to the overall compliancy of the organisation and the financial software spend per year.
So, we have explained the basic principles of being ‘audit ready’ and have provided you with a number of ways in which your organisation can achieve ‘audit readiness’.