Quest Software is a software company founded in 1987, with headquarters in California and 53 branch offices in 24 countries. Quest is best known for their database product Toad. Other offerings include software as a service, security, cloud backup and recovery and offerings for AWS and Microsoft Azure cloud management.
In 2012 Quest was acquired by Dell. Four years later Francisco Partners and Elliott Management Corporation acquired Quest Software together with Dell Software and relaunched the two entities as Quest Software.
Since its acquisition, Quest’s compliance program has been in motion, with a notable increase in the volume of audit campaigns. Francisco Partners, former owner of Attachmate Corporation, is notorious for its aggressive compliance practices with rapid legal escalations. Word on the street is that their involvement in Quest has had a similar effect; take the Nike lawsuit as an example.
This article is meant to provide a quick overview and prepare you for the moment when you’ll receive an audit letter from Quest.
Overview of Quest audits
Quest performs different types of audits, which vary depending on the type of the engagement and party responsible for carrying it out. These can be self-audits, audits led by Quest’s own license compliance department, third party audits typically led by one of the Big 4 (Deloitte, PWC, EY or KPMG) or a combination. The level of inquiry, effort and time spent is set by the audit model, self-audits being the least intrusive and easiest to execute.
Independent of the model, Quest audits typically include four major phases. All phases have an equal weight in determining the final outcome of the audit.
1. Kick-off & Audit Scope
The Kick-off & Audit Scope phase determines how invasive the audit will be. It generally is the first sit-down with the auditors and decides the tone of the entire process. It determines the reach of the audit, from headquarters to subsidiaries to servers and workstations potentially making use of the software.
It is critical to get a clear understanding of what is required and mandatory by rule of law. Any information shared outside of your contractual obligations may have negative repercussions on your organization.
The product scope typically encompasses all Quest software products. However, emphasis will be mostly on Toad and SQL Navigator installations.
2. Data Collection
The Data Collection phase is usually the most time-consuming and resource-intensive phase for your organization. If not already in place, SAM (Software Asset Management) responsibilities need to be assigned within the team. The terms and conditions set in the Kick-off & Audit Scope phase need to be clearly understood and reflected in the Data Collection process. All collected data should pass an internal quality control filter, which should ensure that it includes all required information and that no information outside of the scope is shared with the auditor.
The coverage of your SAM tool should be at least 90% for workstations and 100% for servers. If it’s lower, Quest would work with you to address the gap in some way. Our research indicates that the preferred tools for data collection are Active Directory and SCCM (System Center Configuration Manager), for which Quest will provide its own SQL queries to collect the required data. If the requested data is supplied by other tools instead, Quest will still validate the submission. Screenshots and license key scans, run via scripts provided by Quest, will also be requested.
3. Reporting & Reconciliation
Once all the relevant data has been collected and handed over to the auditor, the Reporting & Reconciliation phase will commence. The auditor will analyze the data provided in accordance with your license agreement, contracts and respective licensing rules and metrics for the products in scope. The deployment data will be reconciled against the entitlement data, resulting in a report which will serve as basis for the discussions in the Settlement phase.
At this point in the process, the auditor has already provided you with a report of the software used, the software entitled and the delta between the two. Before accepting any of the conclusions derived from this report, make sure you have a clear understanding of it. This is of fundamental importance when reviewing it and spotting any inconsistencies. Make sure to support any claims with clear evidence.
Although Quest Software has been around for quite some time, it has been building up a sizable license compliance program since its acquisition in 2016. In this relatively short amount of time, its aggressive auditing style has earned Quest notoriety among top software auditors.
Regardless of whose name is on the audit letter, your best defense tactic is to be prepared and educated in the matter so that you don’t allow vendors and auditors to dictate the terms of the audit.