Software audit preparation is becoming more and more important as publishers view audits as revenue streams instead of simple compliance tools. In this game of company overlords and intimidating auditors with charts streaked with red, it can often feel as though you are powerless to stop your software vendor from marching in and walking away with double your yearly budget. In this series, we are going to discuss ways you can prepare for an audit before the software data hits the fan.
Putting out the Sparks Before They Burst into Flames
The best software audits are the ones that don’t happen. Some vendors treat SAM reviews like routine check-ups and there’s little you can do to avoid it simply being your turn. That being said, there are strategies you can implement that lower your risk of facing a software audit in the first place.
Maintain a Good Relationship with Your Software Vendor.
As is the case in any relationship, communication is key. Keeping an open dialogue with your vendor and making you are upfront in regard to any decreased spending or changes in your company’s growth, so that your vendor feels like they are in the loop about your software.
Negotiate the Audit-Clauses in your Contract
In every software contract, there is a clause that states the right to audit. In the rarest of rare cases you might be able to remove the clause entirely from your contract but by the time your contract is up for renewal, you’ll be hard pressed to get your vendor to agree to such a deal twice. That being said, you still might be able to edit the clause a little bit. The first thing you can alter is how long the down period between audits is allowed to be (usually it’s a year). The second thing you might also be able to include in the clause the amount of time a vendor can go without contacting you during the auditing process before the software audit is considered closed. This is a valuable thing to have in your contract, since some vendors can leave an audit dormant for months before kicking things up again. Another possible point you might want to fight to have included in the contract is what time period can be classified as your ‘busy season’ and therefore the ‘no-audit’ zone. Auditors can’t come in and steam roll a business, that’s already in most contracts. If you’re an Airplane company, you can’t deal with an audit the week before Christmas and the resources that are sapped by the auditing process would handicap your revenue, so be certain that timeframe is specified.
Understand Licensing Models Before you Sign Up for Them and Do Not Sign Up for Models That You Cannot Manage
Complexity is a breeding ground for human error and if your head is spinning when the vendor is laying out the system you’re signing up for, make sure you do your homework and do your best to understand where your money is going. That way, there will be no surprises when the auditor’s data findings come in. If you think that an overly complex system is something you just can’t manage, you can always find another contract with a system that can suit you better. Unless you already have systems in place, it’s more likely you won’t be able to account for hundreds of licences and profiles with just a couple of spreadsheets.
Understand the Big Risk Factors and Show Microsoft You have Processes Under Control
Software Audits come in many shapes and sizes and it’s impossible to predict when an audit might come but there are things that increase your chances of being audited such as
1.Having undergone a significant decrease in your spending with the vendor.
2.Having a complex infrastructure with multiple locations that can range to an international scale. This will make it easy for things to be missed.
3.Having frequent mergers and acquisitions
4.Having an overly complex profiles and multiple licenses with the vendor
5.Having your spending with that vendor not match recent company growth
Understanding these risks can help you proactively try to counteract them. If your company has an overly complex structure, show your software publisher the systems you have in place that will keep track of them. This will demonstrate to your vendors that you are prepared, organized and have everything under control.
For a more detailed look into the difference between SAM Reviews and Software Audits, see our How does a Microsoft SAM differ from an Audit?
When you Feel the Storm Brewing: How to Get Ahead of the Software Auditors
But what if these tips were helpful to know five months ago? What if, for you and your business, most of these ships have already sailed and that leaves you on the beach, panicking as you’re waiting for the inevitable software audit to breathe down your neck. Not to worry, there are still things that can be done to prepare yourself.
Set up your Audit Team
The first thing you need on your side in the shadow of an approaching audit is a team of experts, but what should that team consist of? It’s tempting to throw the problem at IT since this is a tech problem, isn’t it? According to BizTech’s article How to Prepare for a Software Audit, while you will need the IT department on the team to help you collect data, they won’t be helpful leading the process and the same is true if you hand the whole thing over to the procurement specialist or your financial rep. These people will be useful on the team but not leading it. Software audits have an intense legal aspect to them and they should be led by attorneys with experience in dealing with software audits. On the team you should also have people from upper management and pick someone (preferably someone who knows how much and how little to say) to be the point of contact with the vendor and the software auditors.
Get an NDA in Place with Your Auditor
A non-disclosure agreement is critical if you are dealing with a third-party auditor hired by the software vendor. This will keep the auditors from taking the king’s share of your data and bringing back to the vendor far more than what they should be privy to, given the scope of the audit. Imagine what would happen if your software vendor knew you were buying more products from their competition than you ever bought from them. Relations with that vendor might suffer as a consequence. A Non-disclosure agreement will also state that everything the auditor’s plan to give the software publisher needs to pass under your eyes first. This has its advantages because you’ll know what your license position is before the publisher does and you’ll be able to check for any mistakes, clear up any grey areas and write letters to the vendor in order to explain yourself and propose mitigation strategies for the future before the data is sent over to the publisher.
Understand the Scope of your Vendor’s Software Audits
Look over the vendor’s past audits (if possible) and make note of what your vendor usually looks at. If your company has multiple locations, make sure you understand which branch and which region (if your company reaches an international scale) has which products. That way, you can anticipate what sort of access your vendor will ask for. You might have to push them to ask for a scope during the auditing process so that you don’t have to face the unpleasant effects of scope creep. Scope creep occurs when an audit continues on into product after product and region after region until the auditors eventually find something that will give them the profit they originally anticipated when they first began the auditing process.
Make Sure you Have up to Date Entitlements, Contract Stacks, etc
Nothing says prepared, organized and under control better than up-to-date contracts and date entitlements. If your contracts have renewal dates (also called the end date, it is found most often with maintenance contracts, and typically includes one year minus one day after the contract’s start date) make sure that they have not expired. Have the renewal conversation with a software vendor well before the auditing process has taken place, as it might overly complicate the process and effect data results.
Verify the Accuracy/Completeness of your Hardware and Software Deployments
Deployment refers to the installation of software on your servers and it is one of the metrics used to calculate your usage of that software. The metric will then either take into account your hardware (how many servers do you have using the program?) or users (how many user accounts have this program or how many users are on the program at any given time). Make sure that both data findings are up to date and ready to go because this will most likely be used in the auditing process. It will save you a lot of time and will allow you to better check the auditor’s data if you have this already available.
Build your Own Estimated License Position (ELP)
During the gathering of data, the auditors will come up with an estimated licensing position for you. According to Software Media’s article Microsoft License Verification Process FAQ, an estimated licensing position is a rough outline that states how much you are under on your software use, areas of improvement, or critical weak points. The auditors hired by your vendor will come up with their own licensing position for you during the software auditing process and it can easily inflate your compliance gap to horrendous levels (and very rarely will they show you where you are overspending). One great and easy way to counter this is by having your own licensing position ready to compare the auditor’s findings with.
The Comfortable Lies We Tell Ourselves
Many companies we’ve come across over the years tell themselves pleasant stories that allow them to sleep easy at night. That is until their software audit arrives and they find that their perfect defensive strategy was held up only by wishful thinking. If you are telling yourself any of the following statements, it might be time to have a closer look at your audit preparation strategy.
“Any application installed on a server is licensed via Citrix”
There are two products that come from Citrix: XenApp and XenDesktop but the one we need to worry about is XenApp. XenApp lets you install software on your server and then it manages the software that you have on your desktop such as Adobe Acrobat and Office. The thing that people often don’t realize is that Citrix has its own licencing metric that doesn’t necessarily coordinate with the metrics of the software that you are installing through Citrix. A licencing metric is how any particular vendor decides to measure your purchase. As an example, Microsoft charges you by the number of devices using the software but Citrix charges you by the users on Citrix at any given time (concurrent users). So if you have 1,000 devices but only 500 users on Citrix at any given time, Citrix will ask for 500 licenses but Microsoft really wants 1,000.
“These servers are owned by our Service Provider so, we don’t have to license them”
Many companies hire a third-party to manage their servers. These service providers install products, set them up in a company’s systems and manage any technical difficulties that might arise. Since it seems that these service providers have everything under control, many companies think their job is done. The truth of the matter is, if the software is on the company’s server, it’s the company’s responsibility and they are liable if the software is improperly licenced. Even if a third-party service provider has their licenses all in a neat little row, the company might still need to buy their own licenses. Should the service provider try to buy the licenses for the company, they might be violating the software vendor’s terms of use. Don’t let this matter fall to someone who is technically not responsible if something goes wrong. Even if your service provider is doing a great job, have your licenses lined up and organized as well.
“We don’t have a list of users to devices, so I guess you can just make assumptions”
Never allow the auditors to make assumptions, because it will never be in your favour. The third-party auditors are not on your team, in fact they more likely will be paid based on how large they can make your compliance gap. So they will not give you the benefit of the doubt. They can easily claim you owe double or triple then what you actually do in your licensing position. If the vendor sees those numbers before you’re given the chance to explain yourself or clear up any grey areas that might lower the number closer to reality, then that inappropriately high number will be your starting point during the negotiation process.
“These are test/dev servers, but we don’t have a full list, and I don’t manage them so I don’t know why all those users have access”
Many vendors allow for you to sample their products before installing them with full licences. These are called test/dev and they aren’t priced or licenced at the same rate as products in production (the ones your whole company uses). The vendor will outline terms that will classify a product as test/dev and usually that includes a limited amount of user access. This is because hypothetically it is only your IT department that will be using and testing these products while they are in test/dev. Many companies don’t learn what sort of criteria a product has to meet to be classified as test/dev and often will let their products accidentally slip from test/dev into full production territory while still improperly licenced. Make sure you understand what qualifies a product as test/dev and then make absolutely certain that those qualifications are met and maintained.
“But my Microsoft Account Rep or reseller said….”
Vendor Sales Reps, including Microsoft are highly trained to sell you licenses, first and foremost. They are trained to present to you high pricing proposals that include many products and “extras” that may not suit your business needs or accurate cover everything you require. They may come across as though these are fixed rates that are non-negotiable. There is also no way to validate what a Microsoft Account Rep did or didn’t say. To avoid getting into a confrontation that puts your word against the Account Rep, it’s best to maintain the philosophy ‘unless it’s written down, it didn’t happen.’ What’s more, don’t trust the Microsoft Account Rep over your own data, even if what you’ve been told is true, it’s far better to have it backed up with tangible evidence.
“We have a SAM Tool and it says…..”
There are many SAM tools that claim to be able to track your software activity and collect data for any impending audit, but plenty of vendors do not actually accept the data these programs collect. Often businesses will have to fight in order to convince the auditors to use their SAM tools over the ones the auditor’s will bring in themselves. It is also not guaranteed that these SAM tools will gather everything an auditor asks for. Every vendor uses a different licensing metric. So, it is important that these tools are not your only source of auditing aid for any upcoming software audit.
No one particularly enjoys software audits, but one thing that is worse than a software audit is a software audit that is unorganized, ill-prepared and banked on pleasant half-truths. So, take some time to see if there’s anything you can do to lower the risk of an audit or prepare for one if you feel like it is already on the way. So, when the software vendors and their auditors walk through your door, they won’t find you sleeping with your ears stuffed with easy wishful thinking. Instead, they’ll find you ready for a fight. For more information on how to prepare for a software audit, please visit our Learning Center.
