Software Audit Checklist

A software audit is typically considered to be an overwhelming and confusing experience, complete with a mountain of work you need to do in an unreasonably short amount of time. It provides you with stress and a sense of overwhelming helplessness that you’d just rather not deal with. Having an internal software audit checklist will make sure that you will have everything in order when the inevitable happens.

At MetrixData 360, we’ve been through so many software audits and have been able to help our clients succeed in seemingly hopeless situations. How? Kept a cool head, remained calm, and had a clear list of things to do at every stage of the software audit. Even if you aren’t in an audit yet, it is always better to be prepared because there’s a good chance you’ll be in one soon.

So we’ve taken a look at each stage and have compiled a software audit checklist of the most important things you’ll need to do.

Phase One: Notification

Upon receiving a notification that you have been selected for a software audit, you will need to do these first steps immediately.

1. Determine If You Must Respond

While you are legally obligated to participate in a software audit, not everything that is dressed up to look like a software audit is one. Reviews are similar to software audits in that they go through the same process.

However, reviews (or whatever flowery, less aggressive name your particular software vendor gives them) are not audits. They are voluntary, they often result in lighter fines, and they can be conducted internally.

Therefore, determine if you have to respond and plan accordingly.

At MetrixData 360, we advise that you respond to reviews and treat them with the same severity of a software audit since refusing a review often results in the same vendor sending you an audit, which you can’t refuse. It will set the process off to a rocky start, with your software vendor knowing you were dragged to the software audit kicking and screaming.

2. Get an NDA

Before any data is handed over to the auditors, you need to set up a three-way non-disclosure agreement between the third-party auditor, the software vendor, and your company. This will keep the third-party auditors from disclosing any data with the software vendor without your approval. While many companies have their own NDAs, you should be wary if the software vendor provides you with an NDA to sign, since it will usually have language that will offer you minimal protection. For just one example, a contract may have language that allows scripts to be run in your software environment but does not hold the software vendor legally responsible for any impacts that might have on your production environment.

3. Ensure that the Scope is Clearly Defined

In order to avoid scope creep, make sure that the scope of the audit is clear regarding the regions that will be included and if the vendor has several products, which products will be examined.

4. Begin Creating Your Own ELP

Immediately start to create your Estimated Licensing Position (ELP) by gathering data on the relevant products; this will give you a strong case to oppose the auditor’s findings, which will most likely have an over-inflated compliance gap. Your Estimated License Position should effectively compare your deployment data with your purchased licenses regarding the scope of the audit.

5. Designate a Single Point of Contact (SPC)

It is important to immediately establish who is responsible for corresponding with the auditors throughout the process. Having a single point of contact controlling the flow of information to the auditors will give you a clear picture on what the auditors know and where you stand with them. The SPC should be someone who has a strong understanding of negotiations, software licensing, deployment data and software contracts.

Phase Two: Kick Off Meeting

Scheduled to mark the beginning of the software audit, the kick-off meeting will be composed of (either in-person or online) the software vendor, their auditors, and any other stakeholders who will be involved in the process. The Statement of Work or its equivalent will be presented and topics including timeline and scope will be discussed.

1. Pay Close Attention to the Timeline

The auditors will want the process done as quickly as possible to ensure return on investment, but you need to push back against unreasonable turnaround times and fight for a timeline that works for you.

Unless you negotiate for more time, you could easily be left with having only fifteen days to slosh through thousands of rows of data.

Negotiate a timeline that works with your schedule because you shouldn’t have to sacrifice your time off, your busy season and your sleep just to meet an unrealistic and arbitrary deadline. Not to mention a rushed-out response will likely not provide you the solid defense you need.

2. Prepare a Defense for the Accuracy of Your SAM Tools

The auditors will most likely say that your SAM tools fail to collect all the data that they need in order to complete the audit. They will then demand to exclusively use their own. This will be the case even if you have an inventory tool that the auditing software vendor has approved.

However, it is in your best interest that your own tools are used. You should push for a position that allows the auditors to either supplement any missing data from your inventory tools with their own or extract data samples from your SAM tool to test its accuracy.

3. Clarify the Data Requirements

The auditors may be intentionally vague about a few things, including the metrics that will be used to count your deployment data; your licenses, your user counts, or your authorized users, etc.

You’ll need to make a point of clarifying what the auditors have left unclear to make sure you understand what exactly they will be asking for and why they need to see that data. Not everything they ask for will be relevant to the audit.

Phase Three: Data Collection

After the kick-off meeting has concluded, the data collection phase will begin. Often seen as the most time-consuming and costly part of an audit, the data collection phase will involve the auditors asking you and your staff to run scripts and pull data.

They will most likely not come on-site (think of the travel expenses they’d rack up if you had international locations!), but the auditors may visit to verify certain data points. They may interview staff, or they may observe your staff running specific scenarios.

1. Verify that Any Employees Who will be Interviewed are Prepared

Make sure everyone who will be interviewed by the auditors is aligned on what will and won’t be said. While you should never strive to hide things from the auditor, you should have a clear understanding of what your stance is with the vendor. You will also need to ensure that employees give answers that are complete and accurate.

2. Review all Data Requests

Your Single Contact Point (SCP) needs to be reviewing all data requests sent from the auditor to make sure the requests are reasonable and within the scope of the audit. Keep asking questions and make sure you always understand why the auditors are asking for something and understand the impact each piece of data will have on your overall stance with the vendor.

The SCP should also review each piece of data that is sent to the vendor so that you fully understand your stance with the vendor.

3. Your SCP Should Be Your Only Contact with the Vendor

All communication with the vendor must be done exclusively through your SCP. Again, this is not done to keep things from the vendor, this will simply make it easier to keep effective tabs on your position with the vendor during the process. You need to know what the vendor knows to effectively frame your argument during the negotiations.

4. Review Data Quality

Make sure that all the data you give to the auditors are of good quality and do not conflict with each other. You also need to check that the data released is not providing any unnecessary data that can be used to make assumptions against you.

Phase Four: ELP Creation

After the data has been gathered, the auditors will present you with their Estimated License Position (ELP) of your software environment, which will consist of your deployment data, compared against your licenses to create a compliance gap. They will ask you to review their findings before they send it over to the software vendor to correct them on any errors.

The ELP will be composed of thousands of rows of data and will be tremendously difficult to read through in the amount of time the auditors will give you.

1. Compare the Auditor’s ELP with Your Own

Being able to cross compare the auditor’s findings with your own will allow you to effectively challenge auditor’s conclusions. Common tactics for challenging the auditor’s findings include:

2. Negotiate the Timeframe

After the data has been sent off and the fact-finding portion of the audit is closed, the vendor will begin setting up a timeframe for purchasing any license shortfalls. It is important to realize this is not a settlement but a negotiation at this point, so push for a timeframe that works for your company’s goals and interests, not the vendor’s fiscal goals.

Phase Five: Negotiation and Settlement

Going off of the compliance gaps the software auditors have found, the vendor will sit down with you to hash out a negotiation for how you will make up for any shortfalls.

This is often where companies feel disheartened, tired, and cornered. They just want the issue to go away and feel as if the compliance gaps the auditors have found is set in stone.

It’s important to remember the data is up for interpretation and you have more wiggle room than you might think. It’s important to stay positive during this stage, with the help of MetrixData 360, our clients were able to greatly reduce their compliance gaps and the amount they had to pay out.

1. Consider the Multiple Stakeholders

There are many people involved in the audit from the vendor’s side that are reporting to managers with different agendas from one another. Stakeholders involved in the audit include:

All of these different teams might be compensated in different ways: one team might be paid based on the revenue they manage to obtain, while another on whether this audit is conducted according to legal standards or on how satisfied you are with their work.

When the vendor’s representative says they need to obtain internal approval, these are the people they are consulting. You need to word your requests in a manner that appeals to all stakeholders involved.

2. Stay Calm

Take comfort in the fact that you have done everything you possibly can to prepare for this software audit. Do not be pressured into timelines. Do not be forced into a settlement that is not accurate because you were not given enough time.

3. Be Prepared

Be ready to research the licensing terms and other claims the vendor makes.

4. Leverage

Be willing to leverage senior executives within your company and the vendor’s. A well-timed call to the right person can be very effective to unblock a stalemate in the process.

5. Stay Focused

Your goal is to purchase only what you need. Often software audits are used as a sales tactic.

Just when you feel cornered in the software negotiations, you can expect to be pushed towards purchasing new products. You must stay focused and strategic with your software purchases regardless of the pressure the software audit puts you under.

Coming to the Meeting with the Right Persona can Make all the Difference! Learn the type of personality it takes to Win Contract Negotiations in our article: 5 Key Traits to Winning Contract Negotiations.

6. The Four Factors

During the negotiation process it is important to remember that it is a balancing act between four key factors.

7. The Closing Statement

Make sure you get a closing statement after final figures have been decided at the end of the negotiation. Some vendors may indemnify you from future audits by looking back past the date the audit closed. A closing statement will give you the freedom of not having to worry about another audit from that vendor for a minimum timeframe or else they will be at liberty to audit you using findings that date back prior to the close of the audit.

Have a Strong Defensive Strategy for your Next Software Audit!

Software audits can be exhausting and probably far outside the scope of what you were thinking your job would look like. However, it is possible to get through just fine by following the software audit checklist, remaining calm, staying focused, and having the right people on your side. Question everything the software vendor asks for, and don’t be afraid to push back when you don’t agree with certain findings. Let’s not dance around the issue, the vendors are here for your money whether it is owed to them or not and you need to know how to defend yourself.

MetrixData 360 not only takes care of all the heavy lifting during a software audit, but we’ll teach you what we’re doing so that you’ll be prepared the next time around. If you’d like to learn more about our software audit services, you can contact us and one of our sale’s reps will get back to you in under 24 hours.