How To Survive a Software Audit – six-step guide to make sure you are on top of things
The threat of an impending software audit causes many CIOs to lose sleep. It is understandable when you consider how vendors like SAP have been pursuing their customers with non-compliance suits that carry price tags in the hundreds of millions. Most organizations focus on their ERP, HR and general office software, supplied by vendors such as Oracle or Microsoft.
Specialized applications are often overlooked unless there has been a heavy investment in them. An engineering company will monitor its Autodesk licenses closely, while software from another vendor, such as Ansys, goes unwatched because there are only a few seats. Yet the audit risk for software bought under an on-premises agreement, such as a perpetual license, is the same for that small Ansys deployment as it is for the AutoCAD or ArcGIS license.
However, software compliance need not be a problem if the organization takes an active interest in adhering to the terms of its license agreements. Too many companies rely on their vendors to tell them what they owe, when they should be monitoring usage and cost themselves. Below we discuss some actions that will let you take control of license management and make audit nightmares a thing of the past.
Do You Know Where your Licenses Are?
The answer to this may seem obvious, but specialized software has a nasty habit of entering an organization by stealth. It is purchased to fill a legitimate need, but ownership and management are often vested in the department that needed it, such as transmission engineering or geological exploration. IT may not even be aware that it is on site. A reconciliation of what software is actually installed against what has been bought is therefore a very good start, and it may turn up some surprising results.
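The reconciliation described above is easy to mechanize once you have two inputs: a discovery export of what is installed on which host (from your asset-inventory tool) and the list of entitlements IT knows about. The following is an added Python example, not OpenLM's or any vendor's code; the hostnames, departments, products and seat counts are constructed sample data, and the assumed license model is per-install (named seat). For concurrent or token licenses you would compare peak checkouts from the license manager against the pool size instead of counting installs.

```python
"""Reconcile discovered installations against purchased entitlements.

Added illustration for the 'do you know where your licenses are' step;
it is not OpenLM code. The inventory and entitlement records below are
constructed sample data; a real run would feed in an asset-discovery
export and the purchase records instead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    department: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Entitlement:
    vendor: str
    product: str
    seats: int        # per-install seats bought (assumed license model)
    owner: str        # department that holds the contract


# Constructed sample data: an inventory export and the contracts IT knows about.
INVENTORY = [
    Install("eng-ws-01", "transmission", "Autodesk", "AutoCAD", "2023"),
    Install("eng-ws-02", "transmission", "Autodesk", "AutoCAD", "2023"),
    Install("eng-ws-03", "transmission", "Ansys", "Mechanical", "2022R1"),
    Install("eng-ws-04", "transmission", "Ansys", "Mechanical", "2022R1"),
    Install("eng-ws-05", "transmission", "Ansys", "Mechanical", "2022R1"),
    Install("geo-ws-01", "exploration", "Esri", "ArcGIS", "10.8"),
    Install("geo-ws-02", "exploration", "Esri", "ArcGIS", "10.8"),
]

ENTITLEMENTS = [
    Entitlement("Autodesk", "AutoCAD", 5, "transmission"),
    Entitlement("Ansys", "Mechanical", 2, "transmission"),
    # No ArcGIS entitlement on file: exploration bought it without telling IT.
]


def reconcile(inventory, entitlements):
    """Return {(vendor, product): row} comparing installs to seats.

    'shortfall' is installs beyond the seats owned (the audit exposure);
    'unknown' flags products with no contract record at all, which is the
    'entered by stealth' case from the text.
    """
    installed = defaultdict(set)
    departments = defaultdict(set)
    for inst in inventory:
        key = (inst.vendor, inst.product)
        installed[key].add(inst.host)
        departments[key].add(inst.department)

    seats = {(e.vendor, e.product): e.seats for e in entitlements}
    report = {}
    for key in sorted(set(installed) | set(seats)):
        n_inst = len(installed.get(key, ()))
        n_seat = seats.get(key)
        report[key] = {
            "installed": n_inst,
            "seats": n_seat,
            "unknown": n_seat is None,
            "shortfall": max(0, n_inst - (n_seat or 0)),
            "departments": sorted(departments.get(key, ())),
        }
    return report


def compliance_findings(report):
    """Keep only the rows that need action: unknown products or over-deployment."""
    return {k: v for k, v in report.items() if v["unknown"] or v["shortfall"]}


if __name__ == "__main__":
    for (vendor, product), row in reconcile(INVENTORY, ENTITLEMENTS).items():
        if row["unknown"]:
            flag = "NO CONTRACT ON FILE"
        elif row["shortfall"]:
            flag = f"OVER BY {row['shortfall']}"
        else:
            flag = "ok"
        print(f"{vendor:<9} {product:<10} installed={row['installed']} "
              f"seats={row['seats']} depts={','.join(row['departments'])} {flag}")
```

Run as written, the report shows AutoCAD within its five seats, Ansys Mechanical over by one install, and ArcGIS with two installs and no contract on file. The "no contract on file" rows are the ones to chase first: they are not necessarily unlicensed, but the agreement is sitting in a department drawer rather than with whoever will answer the auditor.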
Do You Know the Specific Details of each License Agreement?
You may be out of compliance simply because the fine detail of the license agreement has never been analysed. Gartner has studied the risks of license governance for some time and has found that actually reading and dissecting what the agreement says is often neglected. They mention some amusing cases, such as an agreement in which the user had to surrender their first-born son in return for using the software (six people signed up). Another vendor included the promise of a cash reward for any user who read the terms and asked for it. Four months and 3,000 sales later, someone actually claimed. Gartner also points out that it is not necessarily your biggest vendor that will conduct a software audit.
This may seem like a great deal of work, but it is a one-off exercise that is very valuable. There can be holes in some of the strictures that vendors place on the user. Cerno produced a report on this, identifying eight weaknesses in Oracle's standard licensing agreement, which is worth a read if you want an idea of what is reasonable and generally accepted under US and UK law and what is an imposition. The points range from the vendor's right of access to what assistance the customer is required to provide. The customer who knows their rights has the upper hand in an Oracle audit, and the same probably applies to many other vendors' agreements.
It is also advisable to keep all your old license agreements, as deviations from the original terms may have crept in over the years.
Review your Software Policies
Licensing models are becoming more complex and your software policy may not be covering all bases. Some of the important points to be covered include:
- who manages the licenses. Ideally this is centralized for all applications; if not, the rules and responsibilities that ensure compliance must be documented.
- access and entitlement, based on whether the user is an employee or a contractor.
- BYOD and BYOA (bring your own device/application). If a user brings in their own laptop running AutoCAD and a few other applications, this can contravene your agreements as well as theirs.
- cloud applications. Most companies assume that moving to the cloud removes the need for audits (it largely does, because the vendor meters usage) and therefore removes compliance obligations too (it does not; user counts and usage terms still apply).
- other forms of licensing, such as SaaS, token and embedded licenses.
- mergers and acquisitions. If you have been involved in one recently, your policies and license agreements will not be aligned, and this is easily overlooked.
This is not an exhaustive list. For instance, you may have outsourced license management to a third party under an SLA, in which case the responsibilities of the outsourcer must be clearly defined.
Are You Relying on Your Vendor’s License Management?
Most vendors supply you with a license manager, usually from a specialist license management company such as Flexera or Gemalto. These applications manage licenses from the vendor's perspective, not yours, although some of the newer license types, such as embedded licenses, are more customer-centric. The supplied software is designed around accumulating the consumption the vendor will charge you for. In some cases, such as Autodesk Token-Flex, these costs can be excessive if you do not understand the nuances of how the token time units are consumed.
It is not viable to build manual processes to calculate costs from your own perspective, so investing in a vendor-agnostic license management application is your best bet. Not only does a good application calculate usage costs, it can be used to optimize license usage and can save you thousands of dollars or more annually. OpenLM specializes in license management for engineering and scientific software, and also has extensions for other commercial software and custom-built products. There is competition from Flexera and a few others, but your best option is to evaluate the products that appeal to you. We are confident that we will come out tops.
With your own license management software you can calculate license usage and cost independently of the vendor, and that record is your evidence in the event of an audit.
Who does your Vendor use for their Audits?
We mentioned Cerno earlier; they are a specialist company that assists organizations with software audits. They recently published a very interesting report, "Sleeping with the Enemy", which points out that if you share the same "Big 4" auditor as your vendor, that auditor is more likely to side with the vendor in a dispute. Each of the big auditing firms has a software audit arm that is contracted by vendors to perform and pursue audits.
Cerno lists six British local authorities that were audited on behalf of Microsoft by their own external auditors, as well as a British university that was audited for SAP by KPMG, its own auditors. This is a clear conflict of interest, however much the auditors claim an arm's length relationship and objectivity.
Build your own Audit Lab
Forewarned is forearmed. Set up a "lab" for performing random self-audits. This will both keep everyone on their toes with regard to license compliance and confirm that you actually are compliant. Implement processes and procedures for conducting an audit and become an active participant in license compliance rather than a passive one. You can reuse those same processes on the day a vendor decides to call. You may need some external advice initially, but once you have implemented the processes and educated the organization on your software policy, "auditophobia" will become a thing of the past. OpenLM can also assist in this regard, as well as helping you find efficiencies and cost savings along the way.