One of the best pieces of advice that I received from a SAM professional was to treat everyday as if your organisation was being audited. At the time I laughed off this comment as the threat of software audits and the process of going through an audit everyday seemed like a nightmare. But, they had a good point.
The amount of organisations that decide to invest and implement a SAM structure are doing so off the back of a bad audit experience. We have recently been conducting our SAM MSP review, and the main reason as to why organisations look to use their services is because they need a helping hand with software audits, or have recently gone through a negative audit. This means that SAM is instantly reactive as they are reacting to a bad audit that has had a negative impact on the organisation.
We have to face facts, the amount of organisations implement SAM because they see it as a form of audit defence. We all know that SAM is so much more than just a defence mechanism against audits, and we fear that organisations that react to audits by implementing SAM are missing out on the key benefits SAM can bring. The overall benefits of SAM are huge; from a risk, compliance, financial and governance perspective. Organisations panic, identify that SAM could be the answer to avoiding future audits, and then jump on the bandwagon without actually understanding what SAM is.
It turns out that this was brilliant advice. Treating everyday as if you are being audited ensures that (in theory) your organisation is at the top of their SAM and license management game and that you are following best practices and have sophisticated internal SAM processes and procedures. Every time that is an action that relates to software, stop and think how the action would affect the organisations ‘audit ready’ status and what an auditor would make of the environment.
Have the mentality of ‘what would an auditor do’ can take a bit of getting use to, but the rewards are clearly there to be seen. The SAM function will naturally become more sophisticated and proactive and the threat of a bad audit reduces. This mentality should be had across the whole SAM function; starting with audit trails, software request processes, deployment right through to the retirement of the software and it’s license.
It is important to point out that your organisation should have complete control over the audit process. This relates to the internal workings and the external element of the audit. Make sure you have a dedicated and clear process about how your organisation reacts to an audit and what users roles and responsibilities are. Having clear processes and roles assigned will make any external audits less of a disruptive practice and can reduce the time and resource that an audit takes up. This can save money on staff wages as they are able to get back to their jobs quicker, and also helps the organisation be more prepared and have less of a ‘drop everything’ mentality.
The auditor may automatically think that they are in control of an audit, but organisations can change that with a mature SAM function. Software audits do not have to be the nightmare that they are portrayed as. Firstly, you can se the scope of the audit when you initially agree on a software contract with the vendor. Depending on the size and investment that the organisation will be making, you may even have the option of removing the audit clause, or stating that the vendor can only audit the organisation after a certain period of time.
We have posted a number of articles around the internal audit or ‘review’ process. This is where you internal SAM or licensing function acts as if they are the external auditor and ensures that all risks are known and that an ELP (effective license position) is generated and is accurate. This allows the organisation to stay one step ahead, and have the ability to address any risks before external auditors find them. This will also help the organisations knowledge of their own licensing and software estate increase and become more comprehensive.
Audits are not going away anytime soon, in fact they are on the increase. A vendor at some point will audit your organisation, so you should start preparing and creating a defence as soon as possible. It is a major revenue stream for software vendors and if you look at the recent financial reports from the vendors you can see that they actually made more revenue out of software audits than they did out of new business.
We love to hear your opinions here at the ITAM Review, so please get in touch with us or leave a comment. How does your organisation deal with software audits, and how do you prepare for them? Would you consider your organisation as a mature SAM function with a grasp of the ‘audit ready’ concept? Or do audits give you nightmares? Let us know and get in touch!
Are your ITAM tools keeping pace with audit requests? The ITAM Review are back on 20th November 2015 to host another ITAM Tools Day – offering organisations the opportunity to hear directly from leading SAM and ITAM tool providers about their tools and experiences in the market. So come along to get up to speed on the latest developments in ITAM tools innovation, raise queries with software tool vendors directly and connect with industry peers. Register here. It’s free!