Here’s part 2 of what our Wisdom USA sponsors had to say in answer to our question “How much of a focus should software audits be for an ITAM manager in 2020 and beyond?”
Audits are inevitable. It’s not a question of IF you’ll be audited, but rather WHEN. Once an audit begins, it should be the ITAM manager’s number one priority as a negative outcome can cost their organisation large penalties.
The ITAM manager’s role is to maintain compliance while minimizing costs. They must always be prepared for audits but that is the bare minimum for building out a robust ITAM organization and strategy. By creating an effective IT Asset Management strategy, they can minimize the risk of large gaps in their IT compliance. It’s key that this strategy be built proactively instead of being a reactive response to a negative audit experience.
Relegating an ITAM manager to a solely reactive audit defense role doesn’t serve the organization well. The silver lining of an audit can be that it becomes the catalyst for organizations to invest in and build out a stable ITAM function, enabling this oft-overlooked area to get the executive sponsorship and investment needed to build a program. A successful ITAM manager is proactive, partnered with both IT and the business and has visibility/sponsorship of leadership to support growth and not just reduce costs.
Instead of the audit, focus on your audit risk profile.
I’d love to say software audits won’t be a worry for ITAM managers in 2020 but, while it might be a new decade, vendors are still auditing their customers. SaaS-focused companies might not perform audits – they can see exactly what their customers use in the cloud – but other software vendors use them as a useful tactical lever to get customers into unnecessary cloud spending.
So, you can still expect to get audited every few years.
If you focus on reducing penalties during an audit, then you’re taking an expensive approach to audits. A better mindset is: “I know exactly how much risk or exposure the organization is willing to accept, and I will implement operational measures to identify, monitor, reduce, and control the risk.”
You might have a known exposure of $200,000, but remedying this, short of buying more licenses, would consume a lot of internal resources. So, you roll the dice and hope for the best. Yup, it happens, more often than you’d expect. These are tactical decisions made at executive levels – not to ‘ignore’ the risk but disregard it.
Risk starts with your contracts. Go beyond basic license management and check your contracts’ ambiguity. Ask yourself, “If I read this clause multiple times, to multiple people, do they all understand it the same way?” If not, you have ambiguity that may or may not be to your benefit (likely not your benefit). Why has “SAP indirect access” littered your Google Alerts for the past 3 years? Ambiguity.
Once you’ve found the ambiguous clauses that open the door to risk during an audit, you must choose an interpretation. Google is your friend here. Have others found success (or not) with your chosen interpretation? Ask your legal/contracts team how your organization should interpret that clause. What are the costs/impacts to licensing with each interpretation from your online search? You could take a conservative, risk-averse approach (usually more expensive) or an aggressive approach. I call this determining your Risk Profile. When it’s determined, you will always know your level of risk, even if your organization decides to ‘disregard’ it.
Your Risk Profile exists primarily from your contracts’ ambiguity, so take action to remove it. I’ve seen major contracts negotiated to modify or include clauses that eliminate ambiguity in vendor wording. You must be a big player, at least large enough to be taken seriously. Such tactics also risk triggering… yup, an audit. So, get your house in enough order that you can play hardball with your vendor, without exposing the risk you’re trying to protect yourself from.
Audits remain a focus for ITAM managers in 2020, regardless of how much of your software is SaaS. You need a compliance management approach that does more than just ‘find’ potential problems; you need one that assigns a cost and risk profile against each problem.
The various cloud delivery models disrupting the marketplace today come with a whole new set of software licensing challenges and complexities. Auditing cloud-based subscriptions is largely uncharted territory and therefore poses its own set of challenges, namely the nuances around IaaS, PaaS and SaaS and where responsibility for compliance sits. Liability will always remain with the customer, but actions by the service provider could have major impacts on compliance.
Publishers will no longer be asking whether you have enough licenses, but rather whether you are using them correctly. For example, acceptable use policies may prevent organizations in the gambling industry from using cloud services with phrasing such as “Customer may not use services for – Illegal Activities. Any illegal activities, including advertising, transmitting, or otherwise making available gambling sites or services.”
“There is little to no precedent set as of yet. As organizations look to the courts to settle all these gray areas, ITAM managers can expect a rise in audits and likely an increase in litigation costs.”
Questions that will likely arise in 2020 and beyond include:
The devil is very much in the details. The cloud comes with more documents than just the license agreement. All of these need to be properly interpreted and appropriate controls need to be implemented to ensure compliance with new terms and conditions contained in them.
It’s clear to see there is a theme. Audits will continue to be part of an ITAM manager’s life, but they shouldn’t be the primary focus.
The landscape is changing – SaaS, IaaS, PaaS, Containers, Serverless, Low-code/no-code, Open Source (and more) are all impacting the way that organisations see, consume, and manage IT and assets. IT asset managers must seek to understand these technologies and start implementing processes and guardrails to control costs and ensure compliance.
Two things to consider:
So software audits will continue, but cloud will potentially make them more difficult AND will require plenty of your time and focus. I think it’s fair to say that, whatever happens, ITAM is going to increase in importance for organisations looking to reduce costs, protect data, and ensure compliance.