A software audit is typically considered to be an overwhelming and confusing experience, complete with a mountain of work you need to do in an unreasonably short amount of time. It provides you with stress and a sense of overwhelming helplessness that you’d just rather not deal with. Having an internal software audit checklist will make sure that you will have everything in order when the inevitable happens.

At MetrixData 360, we’ve been through so many software audits and have been able to help our clients succeed in seemingly hopeless situations. How? Kept a cool head, remained calm, and had a clear list of things to do at every stage of the software audit. Even if you aren’t in an audit yet, it is always better to be prepared because there’s a good chance you’ll be in one soon.

A Typical Software Audit is Broken Down into Five Stages:
Phase One: Notification
Phase Two: Kick Off Meeting
Phase Three: Data Collection
Phase Four: ELP Creation
Phase Five: Negotiation and Settlement

So we’ve taken a look at each stage and have compiled a software audit checklist of the most important things you’ll need to do.

Phase One: Notification

Upon receiving a notification that you have been selected for a software audit, you will need to do these first steps immediately.

    Determine If You Must Respond

While you are legally obligated to participate in a software audit, not everything that is dressed up to look like a software audit is one. Reviews are similar to software audits in that they go through the same process.

However, reviews (or whatever flowery, less aggressive name your particular software vendor gives them) are not audits. They are voluntary, they often result in lighter fines, and they can be conducted internally.

Therefore, determine if you have to respond and plan accordingly.

At MetrixData 360, we advise that you respond to reviews and treat them with the same severity of a software audit since refusing a review often results in the same vendor sending you an audit, which you can’t refuse. It will set the process off to a rocky start, with your software vendor knowing you were dragged to the software audit kicking and screaming.

Related: For a Deeper look into the difference between a Software Review and a Software Audit, you can check out our article: Software Asset Management (SAM) Review vs Audit: What’s the Difference?

    Get an NDA

Before any data is handed over to the auditors, you need to set up a three-way non-disclosure agreement between the third-party auditor, the software vendor, and your company. This will keep the third-party auditors from disclosing any data with the software vendor without your approval. While many companies have their own NDAs, you should be wary if the software vendor provides you with an NDA to sign, since it will usually have language that will offer you minimal protection. For just one example, a contract may have language that allows scripts to be run in your software environment but does not hold the software vendor legally responsible for any impacts that might have on your production environment.

    Ensure that the Scope is Clearly Defined

In order to avoid scope creep, make sure that the scope of the audit is clear regarding the regions that will be included and if the vendor has several products, which products will be examined.

    Begin Creating Your Own ELP

Immediately start to create your Estimated Licensing Position (ELP) by gathering data on the relevant products; this will give you a strong case to oppose the auditor’s findings, which will most likely have an over-inflated compliance gap. Your Estimated License Position should effectively compare your deployment data with your purchased licenses regarding the scope of the audit.

    Designate a Single Point of Contact (SPC)

It is important to immediately establish who is responsible for corresponding with the auditors throughout the process. Having a single point of contact controlling the flow of information to the auditors will give you a clear picture on what the auditors know and where you stand with them. The SPC should be someone who has a strong understanding of negotiations, software licensing, deployment data and software contracts.

Phase Two: Kick Off Meeting

Scheduled to mark the beginning of the software audit, the kick-off meeting will be composed of (either in-person or online) the software vendor, their auditors, and any other stakeholders who will be involved in the process. The Statement of Work or its equivalent will be presented and topics including timeline and scope will be discussed.

    Pay Close Attention to the Timeline

The auditors will want the process done as quickly as possible to ensure return on investment, but you need to push back against unreasonable turnaround times and fight for a timeline that works for you.

Unless you negotiate for more time, you could easily be left with having only fifteen days to slosh through thousands of rows of data.

Negotiate a timeline that works with your schedule because you shouldn’t have to sacrifice your time off, your busy season and your sleep just to meet an unrealistic and arbitrary deadline. Not to mention a rushed-out response will likely not provide you the solid defense you need.

    Prepare a Defense for the Accuracy of Your SAM Tools

The auditors will most likely say that your SAM tools fail to collect all the data that they need in order to complete the audit. They will then demand to exclusively use their own. This will be the case even if you have an inventory tool that the auditing software vendor has approved.

However, it is in your best interest that your own tools are used. You should push for a position that allows the auditors to either supplement any missing data from your inventory tools with their own or extract data samples from your SAM tool to test its accuracy.

    Clarify the Data Requirements

The auditors may be intentionally vague about a few things, including the metrics that will be used to count your deployment data; your licenses, your user counts, or your authorized users, etc.

You’ll need to make a point of clarifying what the auditors have left unclear to make sure you understand what exactly they will be asking for and why they need to see that data. Not everything they ask for will be relevant to the audit.

Phase Three: Data Collection

After the kick-off meeting has concluded, the data collection phase will begin. Often seen as the most time-consuming and costly part of an audit, the data collection phase will involve the auditors asking you and your staff to run scripts and pull data.

They will most likely not come on-site (think of the travel expenses they’d rack up if you had international locations!), but the auditors may visit to verify certain data points. They may interview staff, or they may observe your staff running specific scenarios.

    Verify that Any Employees Who will be Interviewed are Prepared

Make sure everyone who will be interviewed by the auditors is aligned on what will and won’t be said. While you should never strive to hide things from the auditor, you should have a clear understanding of what your stance is with the vendor. You will also need to ensure that employees give answers that are complete and accurate.

    Review all Data Requests

Your Single Contact Point (SCP) needs to be reviewing all data requests sent from the auditor to make sure the requests are reasonable and within the scope of the audit. Keep asking questions and make sure you always understand why the auditors are asking for something and understand the impact each piece of data will have on your overall stance with the vendor.

The SCP should also review each piece of data that is sent to the vendor so that you fully understand your stance with the vendor.

    Your SCP Should Be Your Only Contact with the Vendor

All communication with the vendor must be done exclusively through your SCP. Again, this is not done to keep things from the vendor, this will simply make it easier to keep effective tabs on your position with the vendor during the process. You need to know what the vendor knows to effectively frame your argument during the negotiations.

    Review Data Quality

Make sure that all the data you give to the auditors are of good quality and do not conflict with each other. You also need to check that the data released is not providing any unnecessary data that can be used to make assumptions against you.

Phase Four: ELP Creation

After the data has been gathered, the auditors will present you with their Estimated License Position (ELP) of your software environment, which will consist of your deployment data, compared against your licenses to create a compliance gap. They will ask you to review their findings before they send it over to the software vendor to correct them on any errors. The ELP will be composed of thousands of rows of data and will be tremendously difficult to read through in the amount of time the auditors will give you.

    Compare the Auditor’s ELP with Your Own

Being able to cross compare the auditor’s findings with your own will allow you to effectively challenge auditor’s conclusions. Common tactics for challenging the auditor’s findings include:

Investigate any area of the auditor’s case that you know, suspect, or even feel to be inaccurate.
Look into which team provided the data that the auditors used in their inaccurate assumptions and ask for validation.
Seek clarification on unclear items and have the auditors explain what they’re planning on telling your vendor.
Highlight any disagreements that you have on the auditor’s findings, submit explanations for any grey areas or propose plans to fix any shortcomings.

    Negotiate the Timeframe

After the data has been sent off and the fact-finding portion of the audit is closed, the vendor will begin setting up a timeframe for purchasing any license shortfalls. It is important to realize this is not a settlement but a negotiation at this point, so push for a timeframe that works for your company’s goals and interests, not the vendor’s fiscal goals.