Practical Software Audit Defense: Pt II
In part one we focused on the initial steps required when responding to a software audit demand. In part two we explain how you can effectively manage a vendor review and what you should do at the conclusion of a vendor audit.
STEP FOUR: MANAGING THE AUDIT
By assigning a single point of contact, you can ensure that only agreed information is shared between the organization and the software auditor.
As explained in part one, this should be a senior member of staff. All documents and communications must go through them, as ultimately the senior management team is primarily responsible for the state of the organization’s software estate.
Andréa Perrot, an experienced Software Asset Management practitioner, agrees. “Having a single point of contact reduces the risk of another member of staff proudly describing the environment they manage which may be something that isn’t on the auditor’s radar. It will be now!”
If you know you have a software license shortfall, it is worth identifying new technologies or products that the vendor in question offers in order to improve negotiations at the conclusion of the audit.
One strategy to minimize the cost of an existing shortfall (while simultaneously helping your organization enjoy the benefits of the latest technologies) is to consider migrating to the technology that the software vendor would rather you deploy, as opposed to what you might currently be using.
This also often works for the vendor as revenue for new purchases is preferable to that same revenue from audits.
COMMUNICATION
Also, you need to ensure that throughout the audit you hold regular meetings with both the internal audit board and the software auditors. Frequent updates and communication are a must in order to ensure all assigned internal stakeholders are fulfilling their roles and responsibilities. It is also a good chance to pre-empt the potential outcome of the audit and assess whether you need any additional services or expertise.
Communication with the vendor is also important as now is the time to negotiate any fees for non-compliance issues, additional licenses or migration to new technologies. This is when the organization and the vendor agree on a realistic payment structure for paying off said fees. You want to structure payments to avoid other large expenditures; otherwise, it can lead to financial difficulty.
AUDIT REPORT
Ensure the auditor copies you on the findings of the audit and that the audit board prepares a summary report for senior management. Set realistic expectations of any potential shortfall or liability in the report and make sure that both key stakeholders and the senior management team know all about the T&Cs within the contract so you can counter any extravagant claims made by the auditor.
Step Four Checklist
- Make sure you only have one person communicating with the auditor
- If you know you have a license shortfall, look at the vendor’s new technologies or products as a negotiation tactic
- Meet frequently with your working group to track progress
- Hold regular meetings with the auditor to understand progress and findings
- Get copies of the findings and prepare a summary report for senior management
- Negotiate fees and payment terms based on a change in technologies or licensing shortfall
STEP FIVE: LEARNING FROM THE AUDIT
It is important that the organization learns from the audit experience, but also gives feedback to the vendor on how they dealt with proceedings. Don’t forget you are the customer so you have every right to provide constructive feedback on how you believe the audit process should be improved.
The conclusion of an audit will either be that you need to purchase new software licenses (or the vendor gives you an incentive to move to a new license model or technologies) or that you are declared compliant. Either way, the Software Asset Management journey doesn’t stop there.
SAM is an ongoing program that drives benefits across the business, and not just a solid audit defense. Moving forward, all new license or contract information needs to be added into Snow License Manager to ensure you know what your new entitlement is and your license compliance position.
The biggest test for an organization is to keep the Software Asset Management momentum going once the audit has concluded. This is not the time for complacency or to think that the job is done – even if the vendor is satisfied with the results of the audit. “The conclusion of an audit can be a dangerous time, as the business thinks that all of the hard work has been done. They can relax now and focus on something else.
“This isn’t the case at all. Use the audit experience as momentum and an incentive to keep on top of your compliance, and even improve SAM processes. Regular spot checks on usage and compliance help you keep the momentum and ongoing management of software licenses, and it even starts to become BAU,” states Perrot.
Step Five Checklist
- Offer feedback to the vendor on the audit experience
- Add all new licensing information into Snow License Manager
- Review and improve existing SAM and Audit processes
- Conduct regular spot checks on usage and compliance every month
- Conduct an internal review/audit of your estate
PROACTIVE AUDIT DEFENSE
If you have Software Asset Management in place, and the right audit processes and software policies, a vendor audit doesn’t have to be the scary, resource-draining, budget-busting activity that most view it as. With accurate SAM data, you can take control of the audit and turn it into a proactive exercise rather than something that is seen as disruptive and a nuisance.
Use this as the perfect opportunity to mature your SAM processes and ensure that you remain on top of your licenses moving forward. Learn how Snow License Manager 8 can help you avoid a negative audit experience.
Read our blog series and watch our videos to understand more, and then give us a call to arrange a demo! Start taking the proactive steps to audit defense today.
Thanks to Andréa Perrot, Solutions Manager at Trustmarque, for her help and contribution towards this blog post.