Mastering audit defence: Strategies for success

Through my time in the world of SAM, I have seen a wide range of responses to the news of an audit letter landing, from pure panic to misplaced nonchalance. The obvious risk to everyone is being found incompliant, having difficult negotiations against a publisher holding all the cards, and ultimately a large unbudgeted spend that leads to some tough conversations with the finance department.

The often-overlooked side is the resource costs for pulling data, scrambling to make changes, and negotiating the outcomes.

The CIO of a large London law firm once told me he'd calculated the resource costs at over £100k for an IBM audit, which I'd assume he would have much preferred to spend on exciting innovation projects instead. Safe to say, apart from for those with masochistic tendencies, audits are never fun for those on the receiving end.

However, the reality is that the negative impacts of an audit can be minimised with some fairly straight forward steps, and so you too can learn to no longer fear the audit engagement. Here's some thoughts from my many audit experiences, and considerations to take both ahead of time, and when the notification hits:

Have a plan:

• Have one main contact for all audits (Single Point of Contact - SPoC)- this will help increase control on the whole activity and the person involved will gain experience of the process and how to project manage better in the future.
• Communicate this to all stakeholders - auditors love to take a 'divide and conquer' approach to get intelligence, and we want to put up a united front.
• Have an up to date list vendor champions or business owners and sub owners (responsibility matrix) - no need to waste time finding internal stakeholders for an audit when we have them already to hand.
• Write a defined Audit Response Strategy/Process - having a known structure ensures we don't miss anything important, and others can step in efficiently if the SPoC is unavailable (e.g. Annual Leave etc)

Move quickly

• Establish your internal project plan and team, delegate responsibilities - as with all IT projects, following a project management methodology ensures we're quick, efficient, and don't miss anything.
• Ensure you have subject matter licensing experts in place for each vendor and/or sub vendor (e.g. Oracle, IBM, SAP) - Specialist knowledge will be vital in having confidence in our position and defending against the auditor's findings. Having an expert in every field is very difficult for businesses, so it's often wise to have a partner on hand to help out.
• Gather all the necessary data before auditor is requesting
  • Ensure that we know the correct licensing metrics - the larger publishers often have highly customised contracts so we can't rely on a standard approach.
  • Gather all contracts and procurement/entitlement data - if you're an older company, this can go back to paper contracts from decades ago acting as the base contract. Having this all digitised and centrally stored can save a lot of time and stress.
  • SAM tools can help but aren't essential - if we don’t have deployment data to hand in a nice SAM tool dashboard, we might be able to gather it via scripts, manual extracts, etc.

Self-audit

• Follow known auditor procedures to carry out a self-audit ahead of sharing data - this allows us to know where we stand and be ahead of the game. Following their processes means we know exactly what they should find.
• Remediate any anomalies discovered - all publishers say that they just want customers to pay for what they're using, and while we'd like to think any unused software is cleaned up ahead of time, there's almost always something that's been missed. Use this time to remove zombie databases, middleware etc, and make sure we only have the option packs installed that we are using.
• Prepare evidence for any contentious scenarios - if we know that something we're doing lies in the grey zones of licensing rules, we need to make sure we have data to hand to back up our stance. For example: if we're using Oracle on VMware, we'd want to make sure we can prove the VM is restricted to limited servers/clusters.

Control disclosure

• This does not mean withhold data or disrupt the auditor - we want to respond to the audit in good faith and also would run the risk of escalating the issue if we took negative steps.
• Utilise those with experience of vendor specific audit scenarios - each publisher and/or their audit partners have different ways of working. Knowing their tactics allows us to stay in control and on the front foot.
• What is being asked, and why? - we aren't obliged to provide all data of the whole estate, just what is pertinent to this specific audit and the pre-agreed scope. If they're asking for something unusual, it's likely because they think that will help them to find an exposure.
• Understand the vernacular of the publisher and how some words can be troublesome in certain scenarios - each publisher has unique rules, and they know how to exploit them. Having expertise on our team helps us start on an equal footing.
• Disclose only the information required and nothing extra - this is good security practice if nothing else.
• Review all data and be careful not to self-disclose yourself into non-compliance - if we have removed an unused database, we don't want data showing it once existing and receive an invoice for 6 years back maintenance.

 Negotiate

• The amount paid rarely reflects agreed final position - some publishers are known to discount settlements up to 90% to get a quick settlement on products they're rewarded on. Take the same steps in an audit negotiation as you would with a contract renewal: know what you want to achieve and have a plan to get there.
• Utilise negotiation levers - as with all purchase negotiations, publishers can be swayed by the usual levers: other agreements in place, investments into their targeted software, existing relationships, etc.
• Vendor specific negotiation experience can be key - IBM are known to allow shortfalls to be spent on new software rather than covering shortfalls, other publishers are much stricter. Knowing the quirks of each counterpoint allows you to craft a negotiation strategy with the highest chance of success.