Thank you to everyone who contributed to our community survey back in July 2020.
The results were compiled over the summer of 2020 and shared during our online conferences for EMEA, North America and APAC last year. I’m now pleased to share the results in full.
In this final part I will share audit defence strategies from the ITAM Review community
Survey Introduction – Audit Defence Strategies from the community
Audit Defence – Building a strong defence against ambiguity in software contracts
The objective of the survey was to understand how the threat landscape had changed as a result of COVID-19. Audits are a tried and tested method of revenue generation for software publishers, so we wanted to assess how things had changed as a result of the pandemic. We looked at audit volumes, the frequency of software audits and the impact they are having on your business.
ITAM best practice suggests that IT Asset Managers should regularly assess their software portfolio for potential risks. The risk of a software audit, with the time-consuming process that follows and the settlement that may have to be paid at the end of it, is a very real and present one for many ITAM Review readers. I would urge readers to look at the publishers currently auditing, as identified in this survey (especially the aggressive ones), compare them to their own portfolio, and prepare accordingly.
Crowd Sourced Audit Defence Strategies
In this final article of this series I will share audit defence strategies from the ITAM Review community. Whether you are new to audit defence or an old-hand, I hope you will find the results useful.
We asked ITAM Review readers:
“…Please share any audit defence strategies or changes in tactics that you have used to successfully reduce the impact of audits”
I have collated the results into four main areas. If you have any additional ideas please share them in the comments below or start a discussion here.
1. Audit Defence Fundamentals
Fundamental building blocks of audit defence strategy
Stay compliant! – The first piece of advice is perhaps painfully obvious but the objective is to stay compliant in the first place. Due to the nature of software compliance audits, your interpretation of “compliant” might not match that of your software publisher, so it won’t make you immune from risk, but it will give you a strong foundation. We obviously recommend that you build a robust IT Asset Management practice and treat your investment in IT like an asset in order to manage the risk of software audits.
Three-way NDA – A non-disclosure agreement is signed to ensure the software publisher (and their auditor if they are using one) treat your organisation’s data confidentially. Not only is this good practice, it is also a good way of smoking out unauthentic audit requests.
2. Be Prepared
What steps can we take to prevent audits happening in the first place?
Internal Education – One of the resounding themes of your survey responses was the importance of internal education to build up your defences. Many of you are reporting that audits are coming through “the back door” rather than through formal audit letters. An example is a software publisher phoning a service desk, persuading an operator to help them with some analysis or perform a script, and before you know it the publisher has jumped to 2+2=5 and slapped a speculative audit settlement on you. “Leakages” of this nature are prevented via internal education of the risks of audits and directing enquiries to a central team or central point of contact.
Audit-grade License Statements – The community survey recommends building audit-grade license statement balances (also known as Effective License Positions or ELPs). This is a summary of your entitlement and consumption that would stand up to scrutiny by an auditor. This means you don’t just click a button on a SAM tool, but actually scrutinise the output as an auditor would. If you don’t have confidence doing this yourself, hire ex-auditors, consultants or partners that can help. Someone who has had their fingers burnt through a few audits is well qualified to give you pointers.
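To make the “scrutinise it as an auditor would” point concrete, here is an added example (not from the survey or from ITAM Review) of a minimal ELP reconciliation. All product names, editions, quantities, the downgrade rights and the worst-case core assumption are constructed for illustration and do not reflect any real publisher’s terms. The point it shows is that an audit-grade position does not silently drop the awkward records: an install of a product with no entitlement on file, or a host whose core count the scanner could not read, is counted pessimistically and listed as a finding, because that is exactly where an auditor will look.

```python
from collections import defaultdict

# Assumption: unit count an auditor would assign to a host whose core count
# the scanner could not read. Chosen for illustration, not a publisher rule.
WORST_CASE_CORES = 32

# Constructed entitlement records (proof of purchase, normalised). Product and
# edition names are invented; 'downgrade' lists editions this SKU may also cover.
ENTITLEMENTS = [
    {"product": "DBServer", "edition": "Enterprise", "metric": "core", "qty": 32, "downgrade": ["Standard"]},
    {"product": "DBServer", "edition": "Standard", "metric": "core", "qty": 8, "downgrade": []},
    {"product": "OfficeSuite", "edition": "Pro", "metric": "device", "qty": 3, "downgrade": []},
]

# Constructed discovery output. 'cores' is None where hardware data was unreadable.
INVENTORY = [
    {"host": "db01", "product": "DBServer", "edition": "Enterprise", "cores": 16},
    {"host": "db02", "product": "DBServer", "edition": "Enterprise", "cores": 8},
    {"host": "db03", "product": "DBServer", "edition": "Standard", "cores": 8},
    {"host": "db04", "product": "DBServer", "edition": "Standard", "cores": None},
    {"host": "ws-001", "product": "OfficeSuite", "edition": "Pro", "cores": 4},
    {"host": "ws-002", "product": "OfficeSuite", "edition": "Pro", "cores": 4},
    {"host": "ws-003", "product": "OfficeSuite", "edition": "Pro", "cores": 4},
    {"host": "ws-004", "product": "OfficeSuite", "edition": "Pro", "cores": 8},
    {"host": "ws-005", "product": "Visualiser", "edition": "Standard", "cores": 4},
]


def measure_consumption(inventory, entitlements):
    """Count consumption per (product, edition) in the metric of that product's
    entitlement. Gaps an auditor would exploit are resolved pessimistically and
    recorded as findings rather than silently dropped."""
    metric_for = {e["product"]: e["metric"] for e in entitlements}
    consumed = defaultdict(int)
    findings = []
    for rec in inventory:
        key = (rec["product"], rec["edition"])
        metric = metric_for.get(rec["product"])
        if metric is None:
            findings.append(f"{rec['host']}: {rec['product']} installed with no entitlement on file")
            consumed[key] += 1  # counted as one unlicensed install
        elif metric == "core":
            cores = rec["cores"]
            if cores is None:
                findings.append(f"{rec['host']}: core count unreadable, assumed {WORST_CASE_CORES}")
                cores = WORST_CASE_CORES
            consumed[key] += cores
        else:  # per-device metric: one unit per install
            consumed[key] += 1
    return dict(consumed), findings


def effective_license_position(entitlements, inventory):
    """Reconcile entitlement against consumption, applying downgrade rights, and
    return ({(product, edition): position}, findings)."""
    consumed, findings = measure_consumption(inventory, entitlements)
    entitled = defaultdict(int)
    downgrade = defaultdict(list)
    for e in entitlements:
        key = (e["product"], e["edition"])
        entitled[key] += e["qty"]
        downgrade[key].extend(e["downgrade"])
    available = dict(entitled)  # unallocated entitlement, reduced as installs are covered

    position = {}
    # Pass 1: cover each edition from its own entitlement.
    for key in set(consumed) | set(entitled):
        used = consumed.get(key, 0)
        own = min(available.get(key, 0), used)
        available[key] = available.get(key, 0) - own
        position[key] = {"entitled": entitled.get(key, 0), "consumed": used,
                         "covered": own, "via_downgrade": 0}
    # Pass 2: surplus of a higher edition covers lower editions it may downgrade to.
    for high_key, lower_editions in downgrade.items():
        for edition in lower_editions:
            low_key = (high_key[0], edition)
            if low_key not in position:
                continue
            gap = position[low_key]["consumed"] - position[low_key]["covered"]
            use = min(gap, available[high_key])
            position[low_key]["covered"] += use
            position[low_key]["via_downgrade"] += use
            available[high_key] -= use
    for key, p in position.items():
        p["shortfall"] = p["consumed"] - p["covered"]
        p["surplus"] = available[key]
    return position, findings


if __name__ == "__main__":
    position, findings = effective_license_position(ENTITLEMENTS, INVENTORY)
    for (product, edition), p in sorted(position.items()):
        print(f"{product:<12}{edition:<12} entitled={p['entitled']:>4} consumed={p['consumed']:>4} "
              f"shortfall={p['shortfall']:>4} surplus={p['surplus']:>4} via_downgrade={p['via_downgrade']}")
    for f in findings:
        print("FINDING:", f)
```

With the constructed data, the unreadable host turns an eight-core Standard install into a 40-unit consumption figure, the Enterprise surplus is used up covering it via the assumed downgrade right, and the position still shows a Standard shortfall plus two findings to resolve before any auditor sees the numbers. Clearing those findings (reading the real core count, finding or retiring the unlicensed install) is the “scrutiny” the survey respondents were describing.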
Risk assess your software publisher portfolio – As I have mentioned in the previous parts of this series, best practice is to risk assess your software publisher portfolio. In particular:
A. Licensing complexity is a risk. If the licensing model is difficult to understand, that complexity leads to greyness and ambiguity, which can be used against you in the face of an audit.
B. Measurement complexity is a risk. How difficult is the license model to measure? If it is difficult to measure and quantify consumption, it’s a risk.
C. Unscrupulous market behaviour is a risk. If you are witnessing unscrupulous or aggressive behaviour in the market from a publisher you manage, it’s a risk to be assessed.
3. Have a plan
Audit Policy – The most important advice when it comes to audit defence is to have a plan. Have a playbook for how you will respond to and manage audit requests. Build a policy, sign it off at the highest level, follow it diligently and refine it after each audit. The goal is that all emotion is stripped out of the process and your organisation follows a playbook to de-risk the whole process. To quote from survey respondents: “[You must] grab the steering wheel and you drive the audit. You don’t let the vendor drive the audit.”
Whether it is the publisher directly or a third-party auditor, software audits follow a script. Their objective is to follow this process as closely as possible to minimise costs and reach their goals. However, you need to follow YOUR playbook, not theirs. Be cool, calm and calculated rather than running around like headless chickens panicking about a new audit request.
Your job is to not get mangled through that process, but to acknowledge their audit request and then follow your own well thought out internal process. This is the strongest recommendation from all the survey results. This internal process will cover things like setting the scope, so that the initial audit request doesn’t bleed out into other product lines and territories, the communications process, timings and so on.
4. Negotiate
Push back – Don’t be afraid to push back. This, I’m afraid, only comes with experience of audits. For example, once you’ve done ten audits with Micro Focus, you would typically know their routines, the art of the possible, what’s acceptable and when to push back. If you don’t have the experience to do this, go and find it. It will be worth the investment versus any potential eye-watering settlement figures. You need to review and challenge any findings. Just because the audit representative is wearing a shiny suit and comes from a big company, it doesn’t mean their results are perfect. They might be acting on imperfect information. Review it, challenge it, look at all the underlying data and make sure that it’s accurate and represents your organisation.
Settlement versus Turnaround – There is often a balance to strike between settlement and turnaround: an opportunity to reach a smaller settlement in exchange for a quick close. The publisher is much more likely to accept a small settlement if it means the audit does not drag on for eons. Whether this is a valuable tactic depends on how you value your position and how successful you judge you will be. It’s a bit like a legal dispute in the courts. Do we do a quick out-of-court settlement and settle for a low amount to make it go away? Or do we drag it through the courts, end up in the Supreme Court and end up with an eye-watering fine at the end of it? It’s balancing that trade-off.
Ooh, Shiny – Think about the strategic products of the vendors. Often, if you can imply that you’re interested in some of their strategic cloud products, or whatever is the shiny thing that they’re selling this month, there’s a possibility to remove or drastically reduce a settlement if you buy that product. Sadly this is the game of modern software audits: Audit, Bargain, Close. Find a discrepancy and put you on the back foot over it (bad cop), then suggest that all of this will go away if you were to upgrade or otherwise buy something of strategic importance to them (good cop). It’s a mucky way of doing business, but it’s the norm. All the while you are not looking at competitive solutions or assessing your real demand, because you are tangled in the audit process.
Thank you again to everyone who contributed towards the survey. If you have any additional ideas please share them in the comments below or start a discussion here.