Dealing with a software vendor audit can be time consuming, stressful, and costly exercise. Preparation is key, as is having formal software audit practices and underlying IT asset management (ITAM) and software asset management (SAM) processes in place.
This blog offers some practical guidelines on how to manage a software audit situation without panicking, hiding under your desk, or running screaming from the building.
Please read on for the following seven tips:
- Start with the end in mind
- Understand the different licensing types
- Know your vendor’s intentions
- Live by the mantra that “practice makes perfect”
- Get organized
- Facilitate the big day
- Conduct formal post-audit reviews.
1. Start with The End in Mind
When designing your SAM process(es), start with a mindset that you could be audited by a software vendor tomorrow. Thus, it’s important to build checks into your process from the outset (rather than making it a “thing to do later”).
Also define the process for audits in your SAM procedures. Build up a bank of templates for things like response emails, meeting requests, and communications so that any auditor or vendor has a consistent, professional experience.
2. Understand the Different Licensing Types
At a process level, make sure that you are able to cater for the various licensing structures applicable to your organization. And where possible look for license types that best suit your organization.
Examples of such licensing structures include:
- Single user/per seat licenses
- Multiple user licenses
- Per site location licenses
- Per region licenses
- Enterprise wide licenses
- Subscription licenses
- Capacity-based licenses.
An enterprise with mature SAM processes and an automated toolset (for discovery and management) may find it more effective to have a per-user or per-seat license structure rather than site/location/business licensing to avoid over licensing.
An enterprise with a less mature process and where PCs aren’t locked down may be better off using organization- or site-wide licensing to avoid a shortfall.
When setting out your SAM process(es), make sure you capture the software vendors’ audit rights. While audit rights are standard in any enterprise software agreement, it’s much easier to negotiate license audit behaviors and limits during the purchasing stage rather than immediately before an audit. Things to talk about (with software vendors) could include audit frequency, intrusiveness, and provisions for meeting any short falls in the event of inadvertent non-compliance.
3. Know Your Vendor’s Intentions
When you receive an audit notification, your first step should be to contact the vendor and request the scope of the audit. Is it production only? A particular site? Only one product? Ask for the scope of the audit in writing so you can prepare correctly. For example, the vendor might only be interested in certain products, specific locations, defined time periods, or a particular department or subset of users. If you know this, you can plan accordingly and focus your efforts on what will matter.
Another question to ask is: Who will be carrying out the audit? The vendor themselves? A watchdog association such as FAST (Federation Against Software Theft) or BSA (Business Software Alliance) or a third-party accounting or consulting firm?
Make sure that any documentation such as NDAs are in place. It can be useful to suggest a checklist approach at this stage. For example, the scope, any restrictions, and any particular confidentiality nuances to prevent any errors or sensitive information being published inadvertently.
4. Live by the Mantra that “Practice Makes Perfect”
Run an internal test audit first, with support from other departments or teams where available. If you have an internal audit, compliance, or risk department, use them. This way, if you have missed something, you can put it right immediately, and privately.
Carrying out an internal check on license compliance will also help ensure that you’re familiar with auditing procedures; and, by mapping hardware to the software in question, both you and your organization will have a better understanding of how everything fits together.
Ultimately, uncertainty over which software maps to what hardware can be seen as a red flag during an audit – so make sure that your asset register or configuration management database (CMDB) is up to date so that there’s an accurate, central point to check.
5. Get Organized
Ensure that all your process, procedure, and work instruction documentation is up to date, has been reviewed recently, and is in a central location.
Make sure that things like headers, footers, and version control information are correct – as lack of attention to detail could raise vendor concerns in other areas. Also ensure that everyone knows where to go for the documentation and for any questions.
A final piece of prep work is to consider having a change freeze around the software to be audited. By protecting and ring-fencing the software, it means that no changes could take place that could inadvertently affect software licensing.
6. Facilitate the Big Day
Make sure the auditors have somewhere they can setup that will act as their center of operations. It sounds basic, but any audit could potentially cover secure or sensitive information – so ensure that is taken into account when booking a suitable meeting room or work area.
Ensure that only authorized personnel with the appropriate software-audit training talk to software vendors and external auditors. This will help to prevent any confusion or misinformation, for example mixing up development systems with productions services.
Also, make everyone aware that a software audit is being undertaken. Prior to the start of the audit, it’s useful to communicate the nature of the audit, what to do if asked a question, and who to refer the auditor to if you don’t know or are unsure. Remember, the golden rule for staff should be: if in doubt, check the process documentation or ask for help.
7. Conduct Formal Post-Audit Reviews
Once the audit is over, ensure that any wash-up or review meeting includes an opportunity to review findings prior to settlement, and validate that the auditor has included all licenses to which your organization is entitled.
Also, look at any observations or potential process improvements to make one or both of your software license management activities and the next audit easier.
What do you think of my software audit tips? What would you add? Please let me know in the comments!
