Categorised as Product

3 Reasons to Love Software Audits

By Jennifer Kuvlesky

Published on Feb 06, 2024

Editor’s note: This post was originally published January 24, 2023 and was last updated on February 6, 2024.

While common audit triggers include a reduction in spend and recent M&A, not all vendor audits look alike. Some are disguised as free ITAM/license assessments (e.g. Microsoft^® SAM Assessment, Adobe Software Insights Review) to help organizations get more value and stay secure.

Another type of audit is a cybersecurity audit. These are often triggered by your internal audit team or by commercial requirements to have a security certification (e.g. ISO27001, SOC2, etc.). We also find that organizations who’ve encountered a significant security incident conduct third-party audits to identify gaps.

While audits are time-consuming and can be expensive, they can be a blessing in disguise if organizations heed the wake-up call and get their software asset management house in order. Here are three benefits of being audit-ready.

1. Eliminate the practice of paying for software your organization isn’t using.

When you take a look at your effective license position, you are understanding what you’ve purchased against what’s installed and licenses allocated or assigned. If you’re not compliant, then the next question is the software actually being used, and can it be uninstalled? If you perform this activity >90 days before your next audit and are able to get to a positive position, your risk of being fined reduces significantly.

The side benefit of understanding usage data is your organization has one more lever in renewal negotiations if you aren’t using the licenses you’ve purchased. Here are a couple of examples of customers who leveraged usage data to mitigate risk, and reduce license costs.

• Sasol was able to identify license compliance violations to the tune of $28.6M. On top of that, they’ve been able to save an additional $5.4M by optimizing licenses and rationalizing their application portfolio with other vendors including Prometheus GWOS, K2, OMADA, Autodesk, AirWatch, OpenText, Acquire Sentinel, Cloudera, and VMware.
  
• Telkomsel was able to identify $740,000 in license compliance risk. Additionally, they’ve been able to find savings of 10% of their Oracle license costs in addition to $74,000 in potential savings for Microsoft subscriptions.

2. Improve your cyber-security posture.

If you can’t see it, you can’t secure it. Fortunately, many organizations are now seeking to follow this advice, especially with guidance from the United States federal government for all agencies to obtain a complete software inventory.

Organizations can improve security and visibility of IT assets by:

• Identifying the use of unauthorized applications and blocking use (as Max Life Insurance did)
• Identifying free and unauthorized SaaS applications not known by IT (as Christchurch City Council found more than 200 unknown applications in use)
• Locating applications with vulnerabilities and applications end-of-life and end-of-support that are at risk because they are no longer eligible for patching

3. Minimize interruptions and get more value from your team.

The time spent preparing for a vendor audit can consume your team for weeks with all the manual processes involved. With automated reporting of application usage against entitlements, organizations can get near-real-time visibility into how licenses are used to ensure compliance. For instance:

• Telkomsel was able to reduce the time to prepare for audits by 90%.
• Dorset Council used spreadsheets to report on installations of applications and servers. By having all these details in Snow, they were able to reduce processing and analysis time from 2-3 days to 5 or 10 minutes.
• Investec saved an estimated 200 hours by pulling in-depth reports on demand, eliminating the need for time-consuming and complex manual work and the expense of external consultants.

We often hear that organizations only have enough time to proactively manage the top 3-5 vendors. What impact could you drive if you had data for your next 50 vendors at your fingertips?