When the Software Auditors Come Knocking
Software Audits. These two words strike fear into the hearts of many bold businesses. At their worst, software audits can be time-consuming and cause tremendous damage to the relationship with your vendor, leaving you frustrated when their representatives even dare to walk through your door. Not to mention the impact on your IT budget when the process is over. What exactly is a software audit though? At Metrixdata360, we’ve helped our clients through hundreds of software audits and we know exactly what to expect.
Definition of Software Audits
A Software Audit is conducted either by a software vendor or internally by the organization to ensure the business is operating within the use rights of their specific software contract and to make sure that the use of that software aligns with the licenses they have paid for. Any areas where the client is underpaying for the software they are using would be referred to as a compliance gap. Compliance gaps can result in steep financial penalties that are almost never budgeted for.
How a Software Audit is Started
The software vendor will typically communicate the intent to audit through a formal letter in the mail. If the vendors are requesting a Software Asset Management (SAM) review, which is slightly different than a full-blown software audit, the news might come in the form of an email or a phone call. For a more in-depth examination of the difference between a SAM review and a software audit, please visit our article SAM Review vs. Audit.
Whatever the notification medium, it will specify whether there will be a software audit partner (some vendors use internal resources and others hire audit firms like KPMG or Deloitte) and the time frame. According to technology attorneys Scott and Scott, it is important during this period to determine whether you’ve received a SAM review or a formal audit. SAM reviews are conducted internally and are voluntary, but audits are something that you are legally obligated to adhere to.
The Time Frame of a Software Audit
The time frame for a software audit may be negotiable, but the notification itself does require action sooner rather than later, as some software audit requests have a required response time of just 15 days.
The First Three Things You Need to Do When You’ve Been Selected for an Audit
- Send the vendor confirmation that you’ve received their request and that they have the right to audit, but that the time frame for when you want things to begin needs to be reviewed. This will buy you more time to get yourself organized.
- If there are third-party auditors involved, it is paramount that you discuss a three-way Non-Disclosure Agreement (NDA) immediately.
- Define a scope for the upcoming software audit. Make sure the vendor clearly outlines which software products they are auditing for. If your company has multiple locations, make sure you determine in which region or division the software audit will be conducted. All of this is done in order to avoid scope creep.
Who is Vulnerable to a Software Audit?
The broad answer is that anyone with a software licence can be audited, but there are things that cause the ears of software companies to perk up and make them look at you with suspicion. If your company matches any of the following criteria, a software audit might be looming on the horizon.
- You’ve undergone a significant decrease in your spending with the vendor.
- Your company has a complex infrastructure with multiple locations that can extend to an international scale. This will make it easy for things to be missed.
- You frequently conduct mergers and acquisitions.
- You have overly complex profiles and multiple licenses with the vendor.
- Your spending with that vendor does not match recent company growth.
According to Enhansoft, it’s important to establish whether or not you are comfortable living with these risks and to face the fact that you might one day very soon be confronted by an audit.
Watching What You Say Around Your Vendor’s Rep
Information can also be gathered by members of the software publisher’s company. We call it corporate espionage.
Let’s say someone from a software vendor has come into your company to talk about new products, and during that conversation it comes up that one of your branches has started a new project that will eventually require 10,000 new licences. That vendor representative will get back to their office and tell the sales department that in a few short months an order for 10,000 new licences is coming their way! Except…it doesn’t. Perhaps the project was postponed or cancelled on your end. The sales department of the software vendor is breathlessly waiting, but the order never comes. In response, the vendor starts writing up your software audit because, for all they know, projects have commenced involving their software that they are not a part of.
We’re a Small Company, Will that Affect Our Chance of a Software Audit?
Typically, software audits are geared towards larger companies since they tend to have more licenses and are therefore more prone to have gaps in their compliance based on the sheer volume of software that they are handling.
It is also a matter of risk and reward for the software vendors. One of the reasons vendors perform software audits is to turn a profit from the auditing process, so small businesses with small licenses might not be worth the effort and their chances of receiving an audit are fairly low.
Hope During a Software Audit
Audits can feel like you’re sloshing through an endless swamp of confusing data while staring down a row of stone-faced auditors. It’s a daunting task for any business to face. Knowledge and the time to prepare will be the best weapons you have in your defense. At Metrixdata360, we can give you both the time and the information that you desperately need to get through this software audit with your yearly budget relatively unscathed.