Software licence audits are inevitable. Software vendors are very active in auditing enterprises over the entitlements of the software they have whether or not it is being used. Despite Adobe’s recent announcement that they are ceasing audits in order to focus on SaaS, audits remain a huge revenue-generator for software vendors, giving them opportunities to sell more licences and invoke fines. This is not a one-off trend – according to Gartner[i], the likelihood of an organization experiencing two or more audits annually is as high as 68%.
Today too many organisations are being caught out with escalating costs. Audits represent disruption, pressure and unbudgeted cost. So what are the pitfalls and how can they be avoided? The most obvious unbudgeted cost to the business is when the organization is not compliant with the terms of the software it’s using. If the software in use is not licenced for the way it’s being used, whether the organization is aware of it or not, there will be a fine.
But disruption, pressure and unbudgeted costs also comes from the sheer volume of information required to conduct the audit. The more software and the larger the organization, the bigger this gets. The time and resource needed to just gather this information can be a drain. Gathering platform and vendor independent reports, vendor specific reports or usage and entitlement mapping is massive task. The organization must comply in making available any information the vendor requires and if that information isn’t already structured in the way the vendor wants it, then additional work will need to be done.
Organizations are also faced with challenges in terms of agreeing responsibility and roles to manage the audit process. Who is supposed to be the main point of contact for the auditor? Who is responsible for finding the information they need? If there was a merger or acquisition, who makes sure relevant data is gathered from across the whole business? If the organization doesn’t know this already, further disruption and pressure can follow.
To limit the impact an audit can have preparation is key, and that preparation has to be far reaching. It’s a re-focus on people and processes to ensure these are aligned and able to cope with the disruption.
Preparation in the first instance requires proactively tracking licences. In other words, know what the auditor is looking for far in advance, and proactively manage any potential issues, so the business can be confident that an audit will be seamless and without issue. Don’t let the auditors reveal anything the business didn’t already know about its licences. Make sure you, not the software vendor, has the upper hand in negotiations thanks to arguments that are based on fact, not guess-work. Go beyond this, and ‘show the working’ as much as possible, having the right level of detail available when it’s needed. If an organization is having to rely on the vendor or a third party to pull up the data and passively accept their findings, it could be an expensive mistake.
Next, prepare people. Know who the project manager is, be ready to re-allocate their other responsibilities or projects, estimate how much time the project will take them. Calculate who else the project manager will need to work with. Are the organization’s software purchase responsibilities held outside of IT? Make sure all stakeholders are consulted and informed. Has there been an acquisition recently? How will the audit of the acquired company’s systems and transferred licenses be managed?
Finally, make sure the tools to take these proactive steps are to hand, to make sure the level of insight needed is available. Once these decisions are made, and even after an audit is completed, remember that software installations and their usage in an organization can change quickly. Many software vendors change their applications’ licence agreements for each version, the way you use them can change too. If your organisation changes, for example, if you open a new office, or the business contracts: repeat the process of self-audit.
Just as a vendor audit relies on the baseline of software installs and usage data reconciled against the organization’s entitlements, a proactive approach to vendor management starts with the same dataset. The difference is that it gives the organization the ability to gain the visibility needed and take the required actions, without the pressure of an actual audit.
This proactive approach is the only way to be audit-ready and limit the cost to the organization. Preparation is a long-term, iterative process, allocating resource and time to ultimately allow the organization to move away from being on defence, and instead on the offense.