Our Sean McIntosh was recently interviewed ahead of the upcoming Compliance Manager Summit, where he will present on how to challenge your audit findings.
Out of every $1 million in noncompliance found in a Microsoft audit, about 50 percent will be wrong, says Sean McIntosh of MetrixData360, a consulting firm specializing in helping organizations with license compliance and audits.
And the worst part is that a lot of companies won’t even argue effectively.
“Some people, when they get a call from a vendor, assume they have basically no rights,” says McIntosh, a featured presenter at the 2017 Compliance Manager Summit (March 13-14 in San Francisco). “Often, when software auditors throw a lot of legal terms and conditions around, companies will just cave in, turn over their data, and pay up.”
But this is changing. More companies are challenging their audit findings, negotiating better settlements, and pushing back.
McIntosh is an expert on the tactics and grey areas that software vendors of all kinds (and their auditors) use today to drive up the cost of compliance settlements. Although he’ll go into detail at his Compliance Manager Summit session, here are a few key points.
Know the rules
“It really doesn’t matter what software vendor you’re dealing with because they all follow a very similar approach to audits,” says McIntosh. “They put a data request in and compare that data against their entitlement data and find the gap—the largest gap possible by applying the most conservative rules possible.” However, the first thing you should do, says McIntosh, is go back and read the contract that you signed to confirm what your rights actually are. Know exactly what data you have to turn over, how many licenses you purchased, and a host of other terms you agreed to that may enable you to lessen some of those gaps.
For example, in one audit that McIntosh worked on with a client, he found that Microsoft was applying the most current product rights and conditions, but the actual application in use was a few versions older. “When the current product use rights were applied to their SQL Server licenses the initial gap was upwards of $2 million. But when we applied the correct usage rights—the ones assigned at the time of the license agreement—their gap was really around $500K.”
Microsoft auditors will always try to impose the most current usage rights because they are almost always the strictest. “The company was within their legal rights to follow an older version of usage specifications, but it still took a lot of arguing with the auditors,” McIntosh says.
Know your own data
Although companies often will just turn over usage data (or access to usage data) to software compliance auditors, McIntosh says, not so fast!
“When you get involved with one of the boutique auditors hired by Microsoft, make sure you get a nondisclosure agreement in place that allows you to review any and all data the auditor plans to send on to Microsoft,” McIntosh cautions.
The reasons you want a data review are many, but generally you want a chance to explain any abnormalities and offer proof to the contrary, says McIntosh. “There can be a lot of technical errors in the first pull of your data that, if Microsoft gets a stab at it, they will forecast an audit finding based on it. So it’s important to work with the auditor to find simple and easily explained anomalies, supply the data to back up your story, and remove these from the final data submitted on to Microsoft.”
For example, another MetrixData360 client owned the rights to 500 copies of Microsoft Office Professional that they were not using. The client had installed 500 copies of Office Standard that they did not have entitlements for. “In a situation like this the auditor will demand that the company buy 500 copies of Office Standard, which is technically correct, but that’s not the way it really works in most cases,” says McIntosh. “In a negotiation, you can fairly quickly get that auditor to accept the licenses for Pro in place of Standard.”
Escalate above the auditors
Another tip McIntosh has for companies, as a last resort when challenging their audit findings, is to go over the auditor's head, directly to the software vendor.