This audit defence / software contract negotiation checklist has kindly been shared by Chris Moffett for The ITAM Review community. Thanks Chris!
This list contains items that are nice to have, negotiable or non-negotiable for inclusion in your next audit defence or contract negotiation.
If you have any other items to add to this list or have an alternative point of view please contact us.
To learn how to defend against software audits with your peers, join our free audit defence workshop on the 12th April in Amsterdam; further details at itassetmanagement.net/events.
Finalization of audit includes a non-audit clause that will extend for a minimum of 4 years.
Purchase of licenses for agreed non compliance will be processed via defined reseller.
No non-compliance penalties other than license purchases for non-compliant areas will be assessed.
All communication regarding the ongoing audit must go through the dedicated audit response team, and the publisher/auditor must not attempt to discuss the environment, installation counts or any other audit-related data with other employees.
Establish a cost for lost work effort that must be paid by the publisher/auditor if, upon completion of the audit, no areas of non-compliance are identified (this assumes we offered to self-report and they declined).
Provide publisher/auditor with specific AD extract your company is comfortable using for the completeness review.
Identify a percentage of non-compliance (i.e. 5% or less) that would not constitute a need for license purchases or penalty payments.
Method for extracting/defining devices that are used for DR/BCP/Dev.
Identifying software installations that are trial version and not a licensable product.
Scope of audit should be based on a specific group (i.e. specific business unit or division).
Scope of audit should include a specific list of domain(s).
Scope of audit should include specific geographic locations.
Scope of audit should include specific device types (i.e. desktops, laptops, servers, etc.).
Scope of audit should include a specific list of operating systems (i.e. Windows Desktop OS only, etc.).
Determination of the start date and grace period for installs that might be found after the last pull of purchase data occurred.
Auditor to identify which values within the AD extract identify a machine as “in-scope” or “out of scope”.
All sensitive data (i.e. computer name) is redacted with a dummy value.
3rd party auditor must perform audit.
If no third party auditor, your company has the right to disagree with the findings.
Dispute resolution/mediation process must be defined prior to audit commencement. This includes identifying which terms still hold (i.e. no audit for [x] years) should no agreement be decided upon.
Define how to determine whether a product is a full installation (i.e. if a .dll is installed but no executable, etc.).
Your company may choose to complete a “Self Audit” and provide report to Supplier or third party auditor.
If instances of non-compliance are identified your company shall true-up any coverages at the then current discounted cost; no other penalties and/or fees shall apply.
Entitlements must be agreed and confirmed prior to starting any other action.
Auditors must be onsite when reviewing deployment data and all data must remain on a company provided laptop that has no network connectivity.
Your company provided laptop for audit exercise must be returned to audit response team employee assisting in the audit at the end of each day.
Only summary level data can be taken off site upon completion of ELP creation.
Only company (x) discovery tool can be used when gathering deployment data.
Finalization of audit includes a non-audit clause that will extend for a minimum of 2 years.
Definition of which products are in scope and how those products are licensed (i.e. per user, per install, etc.).
Publisher/Auditor must provide a list of product keywords, executable or process names, and install paths for products that will be pulled back by the inventory tool.
Upon completion of the audit, supplier shall verify that company (x) is fully compliant.
Supplier and third party auditor must have a current NDA in place with your company.
Supplier and third party auditor must agree to your company’s current NDA terms.