Software Audits Archives - Snow Software
https://www.snowsoftware.com/blog/tag/software-audits/

3 Reasons to Love Software Audits
https://www.snowsoftware.com/blog/3-reasons-to-love-software-audits/
Tue, 06 Feb 2024 17:19:50 +0000

Many organizations engage with us because they’ve had a recent wake-up call with a software audit and need to get serious about software asset management. Software audits can come in a few different formats with the most familiar being the software vendor audit.

Editor’s note: This post was originally published January 24, 2023 and was last updated on February 6, 2024.

While common audit triggers include a reduction in spend and recent M&A, not all vendor audits look alike. Some are disguised as free ITAM/license assessments (e.g. Microsoft® SAM Assessment, Adobe Software Insights Review) to help organizations get more value and stay secure.

Another type of audit is a cybersecurity audit. These are often triggered by your internal audit team or by commercial requirements to have a security certification (e.g. ISO27001, SOC2, etc.). We also find that organizations who’ve encountered a significant security incident conduct third-party audits to identify gaps.

While audits are time-consuming and can be expensive, they can be a blessing in disguise if organizations heed the wake-up call and get their software asset management house in order. Here are three benefits of being audit-ready.

1. Eliminate the practice of paying for software your organization isn’t using.

Reviewing your effective license position means comparing what you’ve purchased against what’s installed and which licenses are allocated or assigned. If you’re not compliant, the next questions are whether the software is actually being used and whether it can be uninstalled. If you perform this activity more than 90 days before your next audit and are able to get to a positive position, your risk of being fined reduces significantly.

The side benefit of understanding usage data is your organization has one more lever in renewal negotiations if you aren’t using the licenses you’ve purchased. Here are a couple of examples of customers who leveraged usage data to mitigate risk, and reduce license costs.

  • Sasol was able to identify license compliance violations to the tune of $28.6M. On top of that, they’ve been able to save an additional $5.4M by optimizing licenses and rationalizing their application portfolio with other vendors including Prometheus GWOS, K2, OMADA, Autodesk, AirWatch, OpenText, Acquire Sentinel, Cloudera, and VMware.
  • Telkomsel was able to identify $740,000 in license compliance risk. Additionally, they’ve been able to find savings of 10% of their Oracle license costs in addition to $74,000 in potential savings for Microsoft subscriptions.

2. Improve your cyber-security posture.

If you can’t see it, you can’t secure it. Fortunately, many organizations are now seeking to follow this advice, especially with guidance from the United States federal government for all agencies to obtain a complete software inventory.

Organizations can improve security and visibility of IT assets by:

  • Identifying the use of unauthorized applications and blocking use (as Max Life Insurance did)
  • Identifying free and unauthorized SaaS applications not known by IT (Christchurch City Council found more than 200 unknown applications in use)
  • Locating applications with vulnerabilities, and applications that have reached end-of-life and end-of-support and are at risk because they are no longer eligible for patching

3. Minimize interruptions and get more value from your team.

The time spent preparing for a vendor audit can consume your team for weeks with all the manual processes involved. With automated reporting of application usage against entitlements, organizations can get near-real-time visibility into how licenses are used to ensure compliance. For instance:

  • Telkomsel was able to reduce the time to prepare for audits by 90%.
  • Dorset Council used spreadsheets to report on installations of applications and servers. By having all these details in Snow, they were able to reduce processing and analysis time from 2-3 days to 5 or 10 minutes.
  • Investec saved an estimated 200 hours by pulling in-depth reports on demand, eliminating the need for time-consuming and complex manual work and the expense of external consultants.

We often hear that organizations only have enough time to proactively manage the top 3-5 vendors. What impact could you drive if you had data for your next 50 vendors at your fingertips?

10 Steps to Navigating a Software Audit
https://www.snowsoftware.com/blog/10-steps-to-navigating-a-software-audit/
Tue, 26 Sep 2023 16:46:11 +0000

Let’s be honest — when you get word that one of your software vendors is going to audit you, your heart rate quickens and your stomach drops. These in-bound inquiries are almost always time consuming, and they can be very costly to an organization.

It doesn’t have to be this way. Software audits are disruptive, but there are ways you can lighten the load and mitigate your risk. Before any audit notification comes in, it’s crucial to have effective hardware and software asset management processes in place to ensure your inventory and license compliance positions are current and accurate. This will smooth out reporting and reduce the risk of submitting inaccurate data. 

Common audit triggers

Before we dive into the ground rules of software vendor audits, it’s important to note the events that typically prompt most audits. They include: 

  • Change in spend
    • Reducing support and maintenance spending during renewal
    • Moving support and maintenance to a third party
    • Changing licensing model
  • Historical proof of entitlement (PoE) requests
  • Clause in contract
    • Periodic audits usually aligned to renewal dates
    • Contract termination
  • Mergers or acquisitions
  • Unhappy employees notifying the vendor of compliance issues

Exercise caution when your vendor offers an assessment review. These reviews may be a veiled attempt to find you out of compliance. Rather than sending any data to the requestor, simply state your information security guidelines for not sending company confidential data to third parties. Soon thereafter, review your usage and address any known issues for that vendor because a proposed assessment review is very often a precursor to an audit.

Once the vendor has informed you of their intent to audit (sent by either letter or email from the vendor or third-party auditor to the person who last signed the contract or renewal), your internal process should launch quickly. Here are 10 steps for successfully navigating a software audit.

The 10-step process

  1. Notification. Don’t ignore an audit request. Once the notification letter arrives, notify your ITAM team promptly with “private and confidential” added to the communication. All communication surrounding the audit should be marked as such to avoid any legal repercussions. Don’t make any changes to your current state — limit the deployment of new installations and do not uninstall any applications unless you’re decommissioning the device. 
  2. Assemble the audit board. Gather your key stakeholders and don’t assume everyone understands the audit process. Clearly define roles and responsibilities and set timelines.
  3. Put the team to work. The first step is to gather and review all license entitlements, contacts and agreements associated to the audit. Then engage with all the necessary areas of the business and review your audit objectives while considering previous audit recommendations. Set a primary point of contact toward the auditor from that point on and continuously circulate all documentation and reports.
  4. Acknowledge the letter. Receipt of the request for audit is required and your agreed upon point of contact should handle this communication. Clarify which products are included in the audit at this time.
  5. Propose a non-disclosure agreement (NDA). Most software publishers and auditors will typically agree to negotiate NDAs to control the handling of audit data. It protects all involved.
  6. Meet with the auditor. During your first meeting, clearly define the scope of the audit, including products, legal entities, geographical locations, etc. The auditor will discuss the required data, form of evidence, and how they want you to provide it to them. The auditor may also mention scripts or tools they want to use to gather data. If they do, they should review this for you.
  7. Gather the data. Only collect data that has been defined and in a form that is agreed to by all parties. Normally an audit is focused on network discoverable devices. It’s prudent to identify any standalone devices and their ownership that could be in the audit’s scope. Relay all findings back to your audit board for review and sign-off.

Note: Where possible, it’s a best practice to use tools already within your estate to gather audit evidence, e.g., Snow Spend Optimizer, SCCM, etc. 

  8. Submit the data. Once you have obtained and understood all the required data, prepare it for submission to the auditor. Redact or anonymize any sensitive information, and don’t omit or manipulate any data.
  9. Carefully review the results. The auditor will evaluate your submitted evidence against the vendor’s entitlement position and produce a reconciliation report. Never agree to the findings in the first instance — you need to validate the results first and be prepared to challenge them.
  10. Settle and close the audit. Often the settlement is a considerable amount, and you can negotiate with the vendor. Once all parties agree to a final figure, you can negotiate a waiver not to audit for 2-3 years. Then, it’s time to rectify the issues identified in the audit. This reconciliation comes in the form of training and an update of centralized ITAM tools.

Shortlist on what to do – and not do

Software audits are usually lengthy and often take between 3 and 18 months. Here’s a summary of our suggested steps to help streamline the process and position you for a successful outcome:

What to do

  • Promptly forward audit letter to ITAM team.
  • Clearly confirm receipt of the audit request to the auditor.
  • Add “Private and Confidential” classification to all communication about the audit.
  • Define audit board RACI.
  • Get all parties to sign the NDA.
  • Make sure that you understand the data before sending to the auditor.
  • Only give the data required to the auditor and make sure that your audit board is happy with the data.

What not to do

  • Most importantly, don’t do anything that could have legal repercussions or give the impression you have tried to manipulate the results of an audit.
  • Do not delete instances of the software in question from numerous machines that you believe may be out of compliance. If an audit is resolved in court, even the semblance of impropriety could be costly.
  • Do not give the vendor immediate access to the data.
  • Do not share any data with an audit vendor without the audit board’s authorization.
  • Do not run any scripts for the audits without the audit board’s authorization.

Additional resources

Though it can be enormously helpful, this short guide is just the starting point for an optimized and successful audit journey. Audits can be challenging (and costly) without clear visibility and manageability of your assets. Check out how our approach to Technology Intelligence can guide you through your audits while providing you with comprehensive visibility to create more efficiencies, save money and minimize risk. Contact a Snow specialist for more information and guidance. 
