What is a software audit? four types explained

24 February 2021
4 minute read
Best practice


Whiteboard Wednesday Episode 4: What is a software audit? Four types explained.

Whiteboard Wednesday is me, a whiteboard and learning about all things IT Asset Management (ITAM), every Wednesday!

This week we explore four types of software audit.


Please like, follow, subscribe to Whiteboard Wednesday updates, reach out on social media and say hello, and let me know what else you want explained on the whiteboard, and we’ll get it done!

What is a software audit? Four types explained

Abbreviated transcript:

A software audit is a check of what you’re actually using and consuming against what you’ve agreed to in the terms and conditions, the contract or the license agreement, whatever it is you use to buy software.

The audit mechanism is the publisher’s way of coming to see you and asking, “Are you actually adhering to what we’ve set out in the terms and conditions?” It’s a bit like a ticket inspector walking down the train and checking that you’ve got the correct ticket: yes, you might have bought a ticket, but are you on the right fare, or using the right sort of ticket, and so on. Or it’s a bit like a house inspection: if you’re renting a house, the landlord rented it to you on certain conditions, and they pop round to make sure you’re looking after the property.

Four types of software audit to talk about today:

External Hard Audit

So, this is an audit kicked off by the publisher themselves.

It’s external to your company, because it comes from the software publisher. And it’s a hard audit, because they are enacting the clause in the contract that says “we reserve the right to audit you”, and they’re coming in to do exactly that. So, it’s a serious issue. It costs them money, so they’re not going to do it on a whim. And obviously, there are penalties if this audit finds you in breach. So, this is to be taken seriously.

External Soft Audit

There are also external audits that we’re calling soft audits. And these are things like reviews.

You might hear them called assessments, diagnostics, readiness assessments or cloud readiness assessments. This is an audit on behalf of the publisher; it might be run by a partner or a third party. But it’s not a legal audit. It’s a soft audit that you have to consent to and initiate yourself. Sometimes these are useful: if you’re transforming your business with this publisher and growing in a certain direction, then it can help. It’s not so useful if it is a sales-driven exercise that you don’t really want to do, and it is presented as if it were a legal audit when it is actually a sales exercise. So, this is something to be wary of.

Internal Hard Audit

We then have our internal audits. So, this is internal audit.

So, this is your internal risk team, which might periodically audit how you manage risk in software. Generally speaking, this is usually quite welcome, because internal audit will assess your maturity in managing risk and will often make recommendations to the board or to the risk team about how you can improve IT Asset Management. So, this is generally to be welcomed, because it gives you power to your elbow to get more budget and to build the ITAM practice.

Internal Soft Audit

And the last form is an internal audit, but it’s soft, and this is basically a dress rehearsal.

And what we want to do as best practice is to periodically run a dress rehearsal of a software audit, so that we’re ready should the external hard audit come knocking.

That’s recommended periodically for high-risk software publishers.
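What a dress rehearsal actually does is the reconciliation described at the top of the post: installed usage on one side, contractual entitlement on the other, and a list of where they disagree. The following script is an added example and is not code from the original post or from any publisher or ITAM tool. The inventory rows, entitlement records, publisher and product names and the per-device licence metric are all constructed for illustration; in practice the inventory would come from your discovery tooling and the entitlements from your contract records.

```python
"""Dress-rehearsal licence reconciliation (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    """One detected installation, as a discovery tool would report it."""
    device: str
    publisher: str
    product: str
    version: str


@dataclass(frozen=True)
class Entitlement:
    """One contractual entitlement; assumption: a per-device licence metric."""
    publisher: str
    product: str
    licensed_devices: int


# Constructed discovery output: one row per detected installation.
INVENTORY = [
    Install("ws-001", "AcmeSoft", "Designer", "12.1"),
    Install("ws-002", "AcmeSoft", "Designer", "12.1"),
    Install("ws-002", "AcmeSoft", "Designer", "11.4"),  # two versions on one device
    Install("ws-003", "AcmeSoft", "Designer", "12.1"),
    Install("ws-001", "AcmeSoft", "Modeller", "3.0"),   # no entitlement at all
    Install("srv-01", "DataCo", "Engine", "9.2"),
    Install("srv-02", "DataCo", "Engine", "9.2"),
]

# Constructed entitlement records from the contract file.
ENTITLEMENTS = [
    Entitlement("AcmeSoft", "Designer", licensed_devices=2),
    Entitlement("DataCo", "Engine", licensed_devices=5),
]


def license_position(inventory, entitlements):
    """Return {(publisher, product): {"installed": n, "entitled": m, "shortfall": s}}.

    Under a per-device metric, several versions on one device count once.
    Products found in the inventory with no entitlement are reported with
    entitled=0 so they stand out rather than being silently dropped.
    """
    devices = defaultdict(set)
    for inst in inventory:
        devices[(inst.publisher, inst.product)].add(inst.device)

    entitled = defaultdict(int)
    for ent in entitlements:
        entitled[(ent.publisher, ent.product)] += ent.licensed_devices

    position = {}
    for key in set(devices) | set(entitled):
        installed = len(devices.get(key, ()))
        have = entitled.get(key, 0)
        position[key] = {
            "installed": installed,
            "entitled": have,
            "shortfall": max(0, installed - have),
        }
    return position


def audit_findings(position, high_risk_publishers):
    """Lines for every product that would fail a hard audit, high-risk publishers first."""
    failing = [(k, v) for k, v in position.items() if v["shortfall"] > 0]
    failing.sort(key=lambda kv: (kv[0][0] not in high_risk_publishers, kv[0]))
    return [
        f"{pub} {prod}: {v['installed']} installed vs {v['entitled']} entitled, short {v['shortfall']}"
        for (pub, prod), v in failing
    ]


if __name__ == "__main__":
    pos = license_position(INVENTORY, ENTITLEMENTS)
    for line in audit_findings(pos, high_risk_publishers={"AcmeSoft"}):
        print(line)
```

Run as-is, it reports Designer at three devices against two licences and Modeller at one device against none, while Engine is within entitlement and produces no finding. The useful design point for a rehearsal is the set-based device count: a raw row count would have over-reported Designer as four installations, which is exactly the kind of over-statement you want to catch before an external auditor does.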
