Audit Defense Checklist

Blog Post created by harri.carroll Employee on Nov 22, 2017

Gartner has put the likelihood of any one of your software vendors auditing you in a given year at 68%. Once you factor in the number of software vendors you have, an audit is not a matter of if, but of when.

 

I regularly get asked by customers what the best way is to defend against vendor audits. Here is a five-step checklist which should not only help you prepare, but also help you create and document an internal process for how your business responds to an external audit request.

 

STEP ONE - KEEP CALM & RESPOND

 

The worst thing you can do in any vendor audit is to ignore the request for an audit. The auditor will not go away. A polite, prompt response is required, ideally within a few days of the audit letter coming through.

 

You need to confirm the scope and products being audited, what constitutes proof of license and what, under the vendor's terms, constitutes an install of their software. In addition, you should agree a schedule for the audit and, if their timing is not convenient, suggest an alternative. If a third party is coming in to conduct the audit, you need to agree to this too, including the confidentiality terms under which they handle your data.

 

It is important that you understand and agree the scope of the audit. This is a good time to start planning which data sources you will need access to, which data you know will be a challenge to get hold of, and which data may reveal compliance risks. The working group should assign the task of gathering all of this data to a named stakeholder.

 

Ask the auditor for clarification on what part of the business they are auditing. This may be a certain entity of your organisation or a certain agreement. If they do not stipulate what they are auditing, then you need to request clarification.

 

Step One Checklist

  1. Inform relevant stakeholders and the legal department.
  2. Respond promptly.
  3. Understand the exact requirements for the audit.
  4. Start creating a working group.
  5. Follow your pre-existing internal audit response process.

 

STEP TWO - CREATE A WORKING GROUP

 

The creation of a working group should be defined as part of your Audit Response process or policy. If you haven't already done so, you should create your working group as soon as possible, which may include external partners or your software reseller. Do not put all of the responsibility on to one person, as this will become a burden.

 

Senior management must acknowledge that resources will be required to comb through the data and ensure that all licenses and agreements have been gathered and that any transfer of licenses and agreements from mergers and acquisitions has been captured. Therefore, they need to appreciate that current projects may need to be put on hold to deal with the audit in a timely fashion.

 

The working group should contain key personnel from the major business units, including senior management, SAM, Procurement, Security, Legal and a technical IT resource. Assign each member a task or area of responsibility to ensure an even spread of workload, so the audit is less of a drain on any one team.

 

Step Two Checklist

 

  1. Formalise the working group.
  2. Assign each member a task or area of responsibility.
  3. An example of the tasks for each member of the working group is listed below:

 

 

STEP THREE - DATA GATHERING & VALIDATION

 

Best-practice Software Asset Management functions manage their licenses and contracts in one central location. Our suggestion is that Snow License Manager acts as this central repository, which means that as long as it is up to date, you can export all of your entitlement data directly from Snow. It is important that you gather all entitlement data for the vendor that is auditing you, including upgrade/downgrade licenses, base licenses and even legacy data spanning back several years.

 

Some of the challenges we see organisations face with entitlement data are missing licenses, upgrade licenses with no base license underneath them (or the reverse), and entitlement from mergers and acquisitions that has not been migrated properly. The auditor will want to map your license lifecycle to check that the organisation is adequately covered for its existing installs. Again, if you have added all of your entitlement information to Snow, this will be easy to prove. With Snow License Manager, you can export all of the license, inventory and usage information required, quickly and easily, using a number of out-of-the-box reports. This reduces the time spent collating the data and gives you the opportunity to check it for accuracy and understand where your risks may lie.

 

Sometimes the auditor may suggest a SAM technology of their choice for the audit. Equally, a vendor may suggest another inventory tool or script, such as the Microsoft Assessment and Planning (MAP) Toolkit for Microsoft. In some cases the tool is mandatory: IBM, for example, requires customers licensing Processor Value Unit (PVU) software on a sub-capacity basis to run its License Metric Tool (ILMT). Before running any vendor-supplied script in your estate, review what it collects and what privileges it needs, and treat its output as one inventory source to be cross-checked against your own, not as the answer. You should validate all inventory data; do not just send the auditor a set of data without cross-checking it. If the data is inaccurate, you have already started the audit on the back foot.

 

You should also ask your licensing partner or LSP (Licensing Solution Provider) for the entitlement data that they hold for you. Make sure that the information matches your internal entitlement data and that the license entitlement is for all of your organisation. If you have any queries about the data your licensing partner has for you, or you feel there is a discrepancy, then be pro-active in questioning it. It needs to be the most up-to-date report. For example, for Microsoft, you need the most recent MLS (Microsoft License Statement).

 

Don't be scared to challenge the auditor's findings and vendor's data. If something doesn't look right, or the vendor or auditor has missed certain pieces of entitlement information, then you are well within your rights to go back to them and say that the data is inaccurate.

 

Remember that each member of the working group plays a key part in getting through the audit and has their own roles and responsibilities. Gathering, validating and going through the audit process is not something that should be left on the shoulders of the Software Asset Manager - it is a team effort.

 

Step Three Checklist

 

  1. Gather and validate all of your entitlement data.
  2. Gather and validate all of your inventory data (using multiple sources).
  3. Gather and validate information from your reseller/LSP.
  4. Validate the information the vendor/auditor provides you.
  5. Work as a team, this is not just the SAM team's responsibility.
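
The cross-checking and entitlement mapping described in this step, as an added worked example that is not part of the original post and is not a Snow License Manager export or feature: two constructed inventory extracts (a hypothetical SAM-tool export and a hypothetical vendor-script output) are diffed host by host, base and upgrade entitlements are resolved into usable rights per version, and installs are matched against those rights to give a shortfall per version. The product name, hostnames, versions, quantities, the version chain and the downgrade-rights assumption are all invented for the example; real license terms vary by vendor and agreement.

```python
from collections import Counter

# Constructed sample data: a hypothetical vendor product, hostnames, versions
# and quantities invented for this example (not taken from the post).
INVENTORY_SAM_TOOL = [
    ("srv01", "Widget Server", "2016"),
    ("srv02", "Widget Server", "2016"),
    ("srv03", "Widget Server", "2012"),
    ("srv04", "Widget Server", "2016"),
    ("srv05", "Widget Server", "2016"),  # only the SAM tool saw this host
]
INVENTORY_VENDOR_SCRIPT = [
    ("srv01", "Widget Server", "2016"),
    ("srv02", "Widget Server", "2016"),
    ("srv03", "Widget Server", "2012"),
    ("srv04", "Widget Server", "2016"),
    ("srv06", "Widget Server", "2016"),  # only the vendor script saw this host
]
# Entitlement records as an LSP statement or SAM export might list them (constructed).
ENTITLEMENTS = [
    {"kind": "base", "product": "Widget Server", "version": "2012", "qty": 3},
    {"kind": "upgrade", "product": "Widget Server", "from": "2012", "to": "2016", "qty": 2},
    {"kind": "base", "product": "Widget Server", "version": "2016", "qty": 1},
]
VERSION_ORDER = ["2012", "2016"]  # oldest first; assumed for the hypothetical product


def cross_check(source_a, source_b):
    """Diff two inventory sources record by record. Anything seen by only one
    side is unvalidated and must be resolved before data goes to the auditor."""
    a, b = set(source_a), set(source_b)
    return {"agreed": a & b, "only_a": a - b, "only_b": b - a}


def effective_entitlement(entitlements, product, version_order):
    """Resolve base and upgrade licences into usable rights per version.
    An upgrade only yields a right at its target version if an unconsumed
    right exists at the source version, which it then consumes. Upgrades with
    no base underneath them yield nothing: that is the gap an auditor looks
    for when mapping the licence lifecycle."""
    base, upgrades = Counter(), Counter()
    for e in entitlements:
        if e["product"] != product:
            continue
        if e["kind"] == "base":
            base[e["version"]] += e["qty"]
        elif e["kind"] == "upgrade":
            upgrades[(e["from"], e["to"])] += e["qty"]
    rights = {}
    for i, v in enumerate(version_order):
        rights[v] = base[v]
        if i > 0:
            prev = version_order[i - 1]
            usable = min(upgrades[(prev, v)], rights[prev])
            rights[prev] -= usable
            rights[v] += usable
    return rights


def compliance_position(inventory, rights, product, version_order, downgrade_rights=True):
    """Match installs to rights, newest version first, and return the shortfall
    per version. With downgrade rights (assumed here; whether they exist is
    vendor- and agreement-specific) spare rights at a newer version may cover
    installs of an older one. Versions outside the known chain are reported as
    fully unlicensed rather than silently ignored."""
    installs = Counter(v for _, p, v in inventory if p == product)
    spare = dict(rights)
    shortfall = {}
    for idx in range(len(version_order) - 1, -1, -1):
        v = version_order[idx]
        need = installs[v]
        take = min(need, spare.get(v, 0))
        spare[v] = spare.get(v, 0) - take
        need -= take
        if downgrade_rights:
            for newer in reversed(version_order[idx + 1:]):
                take = min(need, spare.get(newer, 0))
                spare[newer] = spare.get(newer, 0) - take
                need -= take
        shortfall[v] = need
    for v in installs:
        if v not in version_order:
            shortfall[v] = installs[v]
    return shortfall


def audit_position(source_a, source_b, entitlements, product, version_order):
    """Worst case (every disputed host is real) and agreed-only positions, so
    the working group knows how much rides on validating the disputed records."""
    check = cross_check(source_a, source_b)
    rights = effective_entitlement(entitlements, product, version_order)
    everything = check["agreed"] | check["only_a"] | check["only_b"]
    return {
        "disputed": sorted(check["only_a"] | check["only_b"]),
        "rights": rights,
        "shortfall_if_all_real": compliance_position(everything, rights, product, version_order),
        "shortfall_agreed_only": compliance_position(check["agreed"], rights, product, version_order),
    }


if __name__ == "__main__":
    result = audit_position(INVENTORY_SAM_TOOL, INVENTORY_VENDOR_SCRIPT,
                            ENTITLEMENTS, "Widget Server", VERSION_ORDER)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed data the two sources disagree on two hosts, and the compliance position swings from fully compliant (agreed records only) to a two-license shortfall on the newer version (if both disputed hosts are real), which is exactly why the disputed records have to be validated before anything is sent to the auditor. The same functions also show the orphaned-upgrade case: an upgrade license with no base license underneath it resolves to zero usable rights.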

 

STEP FOUR - MANAGING THE AUDIT

 

By assigning a single point of contact, you can ensure that only agreed information is shared between the organisation and the software auditor. This should be a senior member of staff. All documents and communications must go through them as ultimately, the senior management team is primarily responsible and the liability for the software estate sits with them. Having a single point of contact reduces the risk of another member of staff proudly describing the environment they manage, which may be something that isn't on the auditor's radar.

 

If you know you have a software license shortfall, it is worth identifying new technologies or products that the vendor in question offers in order to improve negotiations at the conclusion of the audit. One strategy to minimise the cost of an existing shortfall (while simultaneously helping your organisation enjoy the benefits of the latest technologies) is to consider migrating to the technology that the software vendor would rather you deploy, as opposed to what you might currently be using. This also often works for the vendor, as revenue for new purchases is preferable to that same revenue from audits.

 

You also need to ensure that throughout the audit you hold regular meetings with both the internal audit board and the software auditors. Frequent updates and communication are a must to ensure all assigned internal stakeholders are fulfilling their roles and responsibilities. It is also a good chance to pre-empt the potential outcome of the audit and assess what the exposure is likely to be. Communication with the vendor is equally important, as you may enter into negotiations regarding fees for any non-compliance, additional licenses or migration to new technologies.

 

Ensure the auditor copies you on the findings of the audit and that the audit board prepares a summary report for senior management. Set realistic expectations of any potential shortfall or liability in the report and make sure that both key stakeholders and senior management team know all about the T&Cs within the contract, so you can counter any extravagant claims made by the auditor.

 

Step Four Checklist

 

  1. Make sure you only have one person communicating with the auditor.
  2. If you know you have a license shortfall, look at the vendor's new technologies or products as a negotiation tactic.
  3. Meet frequently with your working group to track progress.
  4. Hold regular meetings with the auditor to understand progress and findings.
  5. Get copies of the findings and prepare a summary report for senior management.
  6. Negotiate fees and payment terms based on a change in technologies or licensing shortfall.

 

STEP FIVE - LEARNING FROM THE AUDIT

 

It is important that you learn from the audit experience, but also give feedback to the vendor on how they dealt with proceedings. Don't forget you are the customer, so you have every right to provide constructive feedback on how you believe the audit process should be improved.

 

The conclusion of an audit will be either that you need to purchase new software licenses (or the vendor gives you an incentive to move to a new license model or technology) or that you are declared compliant. Either way, the Software Asset Management journey doesn't stop there. SAM is an ongoing programme that drives benefits across the business, not just a solid audit defense.

 

Moving forward, all new license or contract information should be added to Snow License Manager so that you know what your new entitlement is and what your license compliance position looks like. The biggest test for an organisation is to keep the Software Asset Management momentum going once the audit has concluded. This is where organisations sometimes become complacent, as the business thinks all of the hard work has been done. Even if the vendor is satisfied with the results of the audit, use the experience as momentum and an incentive to keep on top of your compliance and continue to improve your SAM processes. Regular spot checks on usage and compliance help keep the momentum going, and ongoing management of software licenses starts to become business as usual.

 

Step Five Checklist

 

  1. Offer feedback to the vendor on the audit experience.
  2. Add all new licensing information into Snow License Manager.
  3. Review and improve existing SAM and audit processes.
  4. Conduct regular spot checks on usage and compliance every month.
  5. Conduct an internal review/audit of your estate.

 

If you have a Software Asset Management framework in place, with the right audit processes and software policies, a vendor audit doesn't have to be the drain on resources, or the budget-busting activity, that most people expect. With accurate SAM data, you can take control of the audit and turn it into a proactive exercise rather than something disruptive and a nuisance.

 

Use this as the perfect opportunity to mature your SAM processes and ensure that you remain on top of your licenses moving forward.

 

Thanks to SAMBeastDavid for the content that contributed to this post, originally taken from his Snow Blog Practical Software Audit Defense: PT I & PT II.