Without Further Delay – Here Is The Top 10 List Of Silly Things Software Auditors Say:
#1 Its A SAM Engagement, Not An Audit.
If you believe this, I have a bridge to sell you in Brooklyn. There was actually an element of truth to this at Microsoft around 10 -15 years ago but, not anymore. You can’t say no to it and once the software auditors disguised as SAM specialists are in the door, they will follow the same process as an audit. Really the only difference between a SAM Engagement and an audit is the remediation. We have written a few great blog posts on the difference between a SAM Engagement and an Audit and you can check them out below:
- How Does A Microsoft SAM Differ from an Audit.
- Whats The Difference Between a Microsoft SAM Engagement and an Audit.
#2 This Will Only Take 4 Weeks.
It starts off simply enough and the software auditors say that the audit will only take 4 weeks. Phew! That doesn’t sound so bad does it? Then you start thinking about it and realize that you have a large, complex environment. Some of it may be effectively fire-walled from your SAM Tools for regulatory or security reasons. The software auditors will likely then tell you that they won’t accept output from the SAM Tool you have poured time and effort into enabling (I’ll get to that soon enough) and instead insist that you to run their proprietary scripts, Active Directory Scans and perhaps Microsoft MAP. Oh, and they may also want screenshots from various consoles.
Lets just assume that you can get approval to run these scripts, or for the sake of expediency that your security department ceases to exist and you have all the server admin access that you need. Now you need to ask yourself, why you are in a rush in the first place? You didn’t ask to be audited nor should the timeline really matter to you. You have a business to run. MetrixData 360 can of course help you out and show your organization how to push back. In my opinion, the only way an audit gets done in 4 weeks is if you blindly and rather naively agree with everything the software auditors present and then cut a big fat check to the software publisher.
#3 We won’t accept outputs from your SAM tool.
I told you I’d get to this one! You’ve been diligent and invested a SAM Tool like SCCM. You spent time, money and resources to get it up and running and you’re pretty confident that at a push of a button you can give the software auditor what they are asking for and prove that you are on side with your software licensing compliance. Brace yourself as the software auditors explain that they won’t accept outputs from your tool and instead insist you run their proprietary scripts. I always giggle when Microsoft won’t accept outputs from SCCM/System Center as I think it speaks volumes about that tool.
Software Auditors will typically stand firm on their non acceptance of your SAM tool output in a formal audit but, there will be more flexibility in a SAM Engagement. The reason for this is that SCCM/System Center struggles to properly/accurately identify SQL Editions. It may be to your benefit to supplement your SQL inventory with a quick targeted Microsoft MAP scan that will confirm the actual editions deployed vs auditors “assumed editions” deployed.
#4 We Need This Data Point and We Need It In 5 Days.
There will come a point where the Software auditors will make a licensing data request and give you a ludicrously short time period to collect the data. They will say it seriously and act surprised when you explain that it is not possible to capture a full data scan of a 40,000 seat environment spread out over a large geographical area. Even though you want to comply with their request, its simply impossible within the time frame they insist on. The Software Auditor’s reaction will be pretty predictable. Shock, surprise and a haughty, “how much time do you think you need?”. This is often then followed up with, “we expect to finish this engagement in 4 weeks”.
This is where you calmly try to provide a reality check for them about the time and effort which is required to fulfill these sorts of requests. Its worth noting that most software auditors have never walked a mile in your shoes. They have never had to do anything other than pour over deployment and licensing data. They certainly don’t know or more accurately, don’t care about how impossible the request may seem. My advice is to take a hard stance and push back with a realistic time frame to compile the requested data and do your best to keep to that date while focusing on your day to day business tasks. If its looking like you will miss the date let them know in advance and re-set expectations.
#5 This Report Contains All Your Entitlements.
At some point the software auditors will want to do a complete pull of all the software licenses (entitlements) that they have on file for your organization and present it to you. You’ll look and it and quickly see that they are missing a substantial amount of your estate. Perhaps they missed company names that you formerly did business under, acquired or they missed an entire geographic region all together.
The other big “gotcha” is that this report will not include OEM licenses, retail boxes or any valid license acquired outside of a volume licensing program. Just because licenses were not acquired via a volume licensing program, does not make them invalid but, you need to be able to prove it.
#6 Thats Not An Entitlement!
I love Hunter S. Thompson and I always have found him to be an endless source of great and weird quotes as the man was a living meme. Well, buckle up because things are about to get weird! We talked about how the entitlement report that the software auditor initially provides will lack any software license purchased outside of a volume licensing program. The auditor will agree that you may have OEM or retail boxes that have valid licenses kicking around in your environment. Your challenge will be providing evidence that yes, you did indeed buy OEM/Retail boxes and having the auditor accept it.
Depending on the publisher, some auditors will accept photocopies of jewel cases, other will want accounting records or physical retail boxes. Its a good idea to check and understand what they will accept as a valid license. Personally, I’ve had the experience of going through this process of asking what they will accept, gathering it and then being told that they will not accept any OEM license as a valid entitlement. This was with Adobe and we were ultimately able to get them to accept a few thousand OEM licenses in that case. Just be prepared for an uphill battle and reach out to us if you need help or have questions.
#7 Of Course We’ll Remove Those Items From The Spreadsheet.
This one is one of our team of analyst’s pet peeves. The auditor provides you with the the ELP (Effective License Position) and upon review a whole bunch of errors jump off the page at you. These errors of course inflate the gap. You prove that several of the line items need to be removed and provide extensive details such as: Its a Dev/Test server, its not a SQL Server – It only contains SQL bits, Its double counting multiple copies of Microsoft Office on the same PC. The “friendly” software auditor agrees with you verbally that these items will be removed. This usually leads to the feeling that you’ve made some great progress towards a reasonable resolution.
A few days go by and they provide an updated ELP to you. A quick glance shows that most or all of the items they agreed to remove are still there. Now, you need to explain again why they need to remove them. Basically, a rinse and repeat. We generally find that the larger the dollars associated with these line items, the harder it will be to get them removed, even if its pretty obvious they shouldn’t be showing as a gap. The reason for this is that the auditor will often lack the empowerment to remove anything substantial from the ELP. This then becomes a negotiation with the software vendor/account team.
#8 This Is Cut and Dried
Software auditors love to make it sound like they deal in facts and absolutes….You know, like a real auditor. The truth is that this isn’t a forensic accounting audit. In many cases, the software vendor may outsource the audit to an accounting firm. Sounds good right? Keep in mind you are not their client, the software publisher is. They don’t come out and say it but they are not governed by the same principles that they would in a forensic audit. Their goal is to drive revenue for the vendor and/meet a sales number.
I guess what I’m trying to say is that, software auditors will make things seem like they are black and white when the reality is, that we are dealing with grey areas. Here at MetrixData 360 we specialize in helping you get right to the optimum deal.
#9 Everyone In The Organization Needs the Highest Edition of a Product
Auditors often make the assumption that everyone in the organization needs the highest and coincidentally the most expensive edition of a product. Oh, we see you have a shortfall of Office licenses and they will propose Office Professional Edition to deal with it. Really? Or you have a shortfall on developer tools and the auditor proposes that the best way to cover the gap is to purchase Visual Studio Enterprise.
You don’t always need to buy the flagship product offering. Just like for Office 365 not everyone needs E3 or E5. Sometimes E1 is just fine depending on what your users need and use.
#10 This Isn’t A Negotiation, Its an Audit!
We made it to #10! Despite what the software auditor tells you, an audit/SAM Engagement is ALWAYS a Negotiation! A rule of thumb we use internally is that when you are given a compliance gap by an auditor, 80% of it is junk that with detailed licensing knowledge and when presented back to the software auditor properly, can be removed. 10% of it is open to interpretation and negotiation and the final 10% is a usually the real gap.
We know from experience, most organizations won’t have the deep licensing knowledge and vendor specific skills required to push back effectively. Give us a call and lets see if there is an opportunity for us to help you!
We specialize in helping organizations defend themselves in software audits and SAM Engagements. In you are in an active engagement or are just concerned that you are at risk just drop us a line and we will be happy to chat with you about it. We’re here to help defend you and help you to be proactive in terms of audit preparedness!