In this blog post we’ll show you a common approach to dealing with Software Audits.

Scenario

Imagine for a moment you’ve received an audit letter from the big bad software publisher, called Delphi. Delphi has a reputation for being aggressive in audits and routinely targets its customers on a common 3-year cycle. The publisher changes their product names, their licensing terms, their license grants, and their sales teams every few years. They routinely change their T&Cs via a customer portal, which contains their customers’ license entitlements, license terms, and standard licensing terms.

Common Response

What do you do? Play defensively? Do you go on the offensive? Play the empathy card, in the hope of delaying the discovery?

Typically clients become disoriented from their exposure to an audit. Normally logical and rational minds tend to stress out over these types of actions. Don’t FREAK OUT. The world is not ending. The sky is not falling. As long as you’ve not been willfully pirating software, your organization will survive.

My advice to clients is as follows: audits aren’t one-size-fits-all. Every audit is a unique experience with unique nuances, with unique scenarios, with unique people. Each audit is unique but your approach shouldn’t be. Here is my best advice on how to approach this fictitious Delphi Audit.

Audit Response Cheat Sheet

  1. Appoint a Single Point of Accountability – who will be the champion for the audit? It is essential that you appoint someone who is fairly senior in the organization but isn’t the ultimate authority. It’s important for this individual to have the latitude to make decisions, but also defer to a higher authority. Personally, I’d avoid using someone from legal; in fact, the best individuals are usually from IT who are technically versed BUT have a solid grasp and understanding of your business.
  2. Form a Team – Include all the relevant stakeholders from IT (meaning those who are responsible and accountable for the product covered by the publisher) as well as from the support services (Finance, Legal, and probably HR – for internal communication purposes).
  3. Respond to the Audit letter – Send the response by registered mail; and when confirmation of delivery has occurred you can transmit it via email. It’s important to understand that all actions in an audit situation need to be recorded as if there was going to be a trial. It’ll never get there but it’s important for you to proceed with that in mind. (Include an NDA, guiding principles, etc.)
  4. Gather data – Assemble your records and run your reports against the publisher. This data should include Purchase-side data (Purchase Orders, Invoices, Receipt documents, Proof of Entitlements, Contracts, etc.) and Discovery Data (VM infrastructure, install base, etc.).
  5. Create an internal Effective License Position (ELP) – This is a document that shows your entitlements vs your consumption for the publisher. These are not easy to build but will serve you well in your audit. You can make key decisions on how the audit will proceed from this document. For example, if you have huge liabilities you could delay the audit; if you are in good shape you could accelerate the audit.
  6. Deal with the Audit – This is the stage where you allow the publisher or third-party auditors to conduct their discovery. It will come sooner or later but it will come.
  7. Auditors produce a report – Push for the auditors to produce a full ELP. They typically DON’T like doing this because it means they need to legally disclose the licenses or software you are not using. Be vigilant and stick to your guns. Having a publisher-certified ELP is definitely advantageous.
  8. Review and correct the Auditors’ report – Inevitably the auditors will make faulty assumptions, use erroneous data, or misclassify test/dev/QA environments to bloat the compliance issues. Make sure you review this with a fine-tooth comb, because if you agree and there is an error, the likelihood of getting it corrected is very low.
  9. Auditors submit the agreed-to report to Publisher – This is just the auditors providing their data back to the publisher. It is important that you understand this is where the real negotiations begin.
  10. Publisher submits their response – This can be the good, the bad, the ugly and everything in-between. If you have mis-installed, mis-configured or mis-consumed licenses then you’ll need to negotiate. The first offer needs to be rejected.
  11. Agreement – When all parties are satisfied with the audit and response there needs to be a legal letter created that outlines the status and the close-out of the audit. This should include language to limit the publisher’s ability to audit for X number of years and that there is no other legal recourse for these activities possible.

Final Thoughts

Some clients (particularly large companies with mature SAM practices) perform these audit defences by themselves. At times they may exercise the “phone a friend” option, calling a subject matter expert, and we are happy to help in these situations. In most circumstances clients tend to want to bring in the A-team to deal with Audits as it isn’t part of their core operations and is a distraction from their strategic goals. Regardless, at Beaconize we help clients in different ways when it comes to audits:

  • Create a quick but accurate discovery of license consumption;
  • Understand your entitlement and contractual obligations;
  • Generate an ELP for the publisher; and/or
  • Develop a full audit defence strategy.

If your organization has decided to tackle a software audit on its own, it’s nice to be able to call an expert and have them provide you with specific advice. Feel free to email us at Beaconize to schedule a discussion and see if we can help.