Mastering audit defence: Strategies for success

Michael Paling, APAC Regional Growth Lead – IT Portfolio Management

Through my time in the world of SAM, I have seen a wide range of responses to the news of an audit letter landing, from pure panic to misplaced nonchalance. The obvious risk to everyone is being found non-compliant, having difficult negotiations against a publisher holding all the cards, and ultimately a large unbudgeted spend that leads to some tough conversations with the finance department.

The often-overlooked side is the resource costs for pulling data, scrambling to make changes, and negotiating the outcomes.

The CIO of a large London law firm once told me he'd calculated the resource costs at over £100k for an IBM audit, which I'd assume he would have much preferred to spend on exciting innovation projects instead. Safe to say that, apart from those with masochistic tendencies, audits are never fun for those on the receiving end.

However, the reality is that the negative impacts of an audit can be minimised with some fairly straightforward steps, so you too can learn to no longer fear the audit engagement. Here are some thoughts from my many audit experiences, and considerations to take both ahead of time and when the notification hits:

Have a plan:

  • Have one main contact for all audits (Single Point of Contact - SPoC) - this will help increase control over the whole activity, and the person involved will gain experience of the process and of how to project manage it better in the future.
  • Communicate this to all stakeholders - auditors love to take a 'divide and conquer' approach to gather intelligence, and we want to put up a united front.
  • Have an up-to-date list of vendor champions or business owners and sub-owners (a responsibility matrix) - no need to waste time finding internal stakeholders for an audit when we already have them to hand.
  • Write a defined Audit Response Strategy/Process - having a known structure ensures we don't miss anything important, and others can step in efficiently if the SPoC is unavailable (e.g. on annual leave).

Engage positively

  • Own the process

    If you are passive, the auditor will dictate timelines and terms which are unlikely to be beneficial to you or the desired outcome. Take control in a firm but positive manner.

  • Agree NDA and Audit Contract via legal teams

    As this is ultimately a legal process, even if the lawyers aren't involved, it's key to ensure the correct documentation is in place. This also takes some time, which enables some of the below steps.

  • Establish scope of engagement (region & software)

    The burden is on the publisher and/or auditor to let you know what they're trying to review and a simple 'everything' is not an acceptable answer. Covering this off at the start allows us to make an accurate project plan and avoids dragging the timeline out later in the process.

  • Work with auditor to set realistic timelines that suit your teams

    While most EULAs/contracts include an audit clause, your obligation is to provide data in a way that doesn't impact your business. Reasonable delays are normally acceptable to the auditor, as long as we have a plan we can all agree on. This also allows us to achieve our goals on the steps below.

Move quickly

  • Establish your internal project plan and team, and delegate responsibilities - as with all IT projects, following a project management methodology ensures we're quick and efficient and don't miss anything.
  • Ensure you have subject matter licensing experts in place for each vendor and/or sub-vendor (e.g. Oracle, IBM, SAP) - specialist knowledge will be vital in having confidence in our position and defending against the auditor's findings. Having an expert in every field is very difficult for businesses, so it's often wise to have a partner on hand to help out.
  • Gather all the necessary data before the auditor requests it
    • Ensure that we know the correct licensing metrics - the larger publishers often have highly customised contracts, so we can't rely on a standard approach.
    • Gather all contracts and procurement/entitlement data - if you're an older company, this can go back to paper contracts from decades ago acting as the base contract. Having this all digitised and centrally stored can save a lot of time and stress.
    • SAM tools can help but aren't essential - if we don't have deployment data to hand in a nice SAM tool dashboard, we might be able to gather it via scripts, manual extracts, etc.

Self-audit

  • Follow known auditor procedures to carry out a self-audit ahead of sharing data - this allows us to know where we stand and be ahead of the game. Following their processes means we know exactly what they should find.
  • Remediate any anomalies discovered - all publishers say that they just want customers to pay for what they're using, and while we'd like to think any unused software is cleaned up ahead of time, there's almost always something that's been missed. Use this time to remove zombie databases, middleware, etc., and make sure we only have the option packs installed that we are actually using.
  • Prepare evidence for any contentious scenarios - if we know that something we're doing lies in the grey zones of licensing rules, we need to make sure we have data to hand to back up our stance. For example, if we're using Oracle on VMware, we'd want to make sure we can prove the VM is restricted to limited servers/clusters.

Control disclosure

  • This does not mean withholding data or disrupting the auditor - we want to respond to the audit in good faith, and we would run the risk of escalating the issue if we took negative steps.
  • Utilise those with experience of vendor-specific audit scenarios - each publisher and/or their audit partners have different ways of working. Knowing their tactics allows us to stay in control and on the front foot.
  • What is being asked, and why? - we aren't obliged to provide all data for the whole estate, just what is pertinent to this specific audit and the pre-agreed scope. If they're asking for something unusual, it's likely because they think it will help them find an exposure.
  • Understand the vernacular of the publisher and how some words can be troublesome in certain scenarios - each publisher has unique rules, and they know how to exploit them. Having expertise on our team helps us start on an equal footing.
  • Disclose only the information required and nothing extra - this is good security practice if nothing else.
  • Review all data and be careful not to self-disclose yourself into non-compliance - if we have removed an unused database, we don't want data showing it once existed and then receive an invoice for 6 years' back maintenance.
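The self-audit and disclosure steps above boil down to one reconciliation: entitlements versus discovered deployments, restricted to the pre-agreed scope, with unused installs flagged for removal before any data leaves the building. The following is an added example written for this article, not SoftwareOne's tooling or any publisher's audit script; the publisher, product names, "core" metric, regions and quantities are constructed assumptions.

```python
"""Added example (not the article's or SoftwareOne's code): a minimal self-audit
reconciliation for one pre-agreed audit scope (publisher + regions).

It computes an effective licence position per product, separates unused ("zombie")
installs so they can be remediated before disclosure, and builds a disclosure set
that contains only in-scope, in-use rows and only the fields the audit needs.
All data below is constructed for illustration; the product names, the "core"
metric and the quantities are assumptions, not any real contract.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Entitlement:
    publisher: str
    product: str
    metric: str      # licensing metric named in the contract (assumed here: "core")
    quantity: int
    region: str


@dataclass(frozen=True)
class Deployment:
    host: str
    region: str
    publisher: str
    product: str
    units: int       # consumption measured in the contract's metric
    in_use: bool     # False = installed but unused: a remediation candidate


# Constructed audit scope: the publisher and regions agreed with the auditor up front.
SCOPE = {"publisher": "ExamplePub", "regions": frozenset({"EMEA"})}

# Constructed entitlement and discovery data (assumed values).
ENTITLEMENTS = [
    Entitlement("ExamplePub", "DB Server", "core", 16, "EMEA"),
    Entitlement("ExamplePub", "Options Pack", "core", 8, "EMEA"),
]
DEPLOYMENTS = [
    Deployment("emea-db-01", "EMEA", "ExamplePub", "DB Server", 8, True),
    Deployment("emea-db-02", "EMEA", "ExamplePub", "DB Server", 8, True),
    Deployment("emea-db-03", "EMEA", "ExamplePub", "DB Server", 4, False),   # zombie install
    Deployment("emea-db-02", "EMEA", "ExamplePub", "Options Pack", 12, True),
    Deployment("apac-db-01", "APAC", "ExamplePub", "DB Server", 8, True),    # outside agreed scope
    Deployment("emea-app-01", "EMEA", "OtherPub", "Web Server", 2, True),    # different publisher
]


def in_scope(row, scope=SCOPE):
    """True when a row belongs to the publisher and regions agreed for this audit."""
    return row.publisher == scope["publisher"] and row.region in scope["regions"]


def effective_license_position(entitlements, deployments, scope=SCOPE):
    """Per product: entitled units, units in use, unused hosts to remediate, and the delta.

    delta < 0 is a shortfall, delta > 0 a surplus. Only in-scope rows count. Unused
    installs are reported separately rather than added to consumption, because the
    point of the self-audit is to remove them before the auditor's extract is run.
    """
    entitled = defaultdict(int)
    for e in entitlements:
        if in_scope(e, scope):
            entitled[e.product] += e.quantity
    in_use = defaultdict(int)
    unused = defaultdict(list)
    for d in deployments:
        if not in_scope(d, scope):
            continue
        if d.in_use:
            in_use[d.product] += d.units
        else:
            unused[d.product].append(d.host)
    position = {}
    for product in sorted(set(entitled) | set(in_use) | set(unused)):
        position[product] = {
            "entitled": entitled[product],
            "in_use": in_use[product],
            "unused_hosts": sorted(unused[product]),
            "delta": entitled[product] - in_use[product],
        }
    return position


def disclosure_set(deployments, scope=SCOPE):
    """Rows to hand over: in scope, in use, and only the fields the audit needs."""
    return [
        {"host": d.host, "product": d.product, "units": d.units}
        for d in deployments
        if in_scope(d, scope) and d.in_use
    ]


if __name__ == "__main__":
    for product, pos in effective_license_position(ENTITLEMENTS, DEPLOYMENTS).items():
        status = "SHORTFALL" if pos["delta"] < 0 else "ok"
        print(f"{product}: entitled={pos['entitled']} in_use={pos['in_use']} "
              f"delta={pos['delta']} [{status}] remediate={pos['unused_hosts']}")
    print("rows to disclose:", len(disclosure_set(DEPLOYMENTS)))
```

With the constructed data, "DB Server" lands exactly on its entitlement once the zombie install on emea-db-03 is excluded (had it been left in the extract it would have read as a 4-core shortfall), "Options Pack" shows a genuine 4-core shortfall to resolve before disclosure, and the APAC host and the other publisher's software never appear in the disclosure set because they sit outside the agreed scope.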

Review the auditors' work

  • Never simply accept the results delivered

    Auditors are targeted on speed of delivery and will have resource limits (i.e. timesheets) to ensure the project is profitable to them. This doesn't always lead to thorough work, and if they're taking shortcuts, you can bet it's to the advantage of the publisher, not the customer.

  • Cross-check their work against internal audit results

    As software licensing rules often have a swathe of grey areas, and auditors are rewarded for finding shortfalls, we can be confident they will apply the terms to deliver the publisher's best outcome. We need to use our expertise to ensure the terms most beneficial to us are applied. It's also worth noting that auditors often use junior resources to put the data together, so honest mistakes are often found.

  • Agree the most optimal licence position

    The auditor will press to have the results agreed as soon as possible so they can close the project and collect their fee. However, this result is the starting point for the settlement negotiation, so we only want to agree to the accurate numbers (a 50% discount off something you didn't need is still 50% wasted spend).

Negotiate

  • The amount paid rarely reflects the agreed final position - some publishers are known to discount settlements by up to 90% to get a quick settlement on products they're rewarded on. Take the same steps in an audit negotiation as you would with a contract renewal: know what you want to achieve and have a plan to get there.
  • Utilise negotiation levers - as with all purchase negotiations, publishers can be swayed by the usual levers: other agreements in place, investments into their targeted software, existing relationships, etc.
  • Vendor-specific negotiation experience can be key - IBM are known to allow shortfalls to be spent on new software rather than covering the shortfall itself, whereas other publishers are much stricter. Knowing the quirks of each counterpart allows you to craft a negotiation strategy with the highest chance of success.

Learn

To steal George W. Bush's favourite saying: "fool me once, shame on you; fool me twice, shame on me". The very last thing we want to do post audit settlement is to be caught in the same scenario 12 months or 3 years later. We have to take the learnings from each scenario, ensure proper licensing management processes are in place and/or understand how our existing processes failed this time, and fix them.

While you digest this information, our experts at SoftwareOne are here to help. Reach out for personalised advice and expert solutions.

Author

Michael Paling
APAC Regional Growth Lead – IT Portfolio Management

Through my 13 years with SoftwareOne I've grown alongside the business from the early days of Microsoft baselines and basic maturity assessments through to today where we're making positive strategic impact on the way IT departments are run. I get really excited by working out how to achieve the unique goals of each company we partner with and enact lasting transformation.

Recent fun projects include rebuilding an end-to-end software request-to-delivery process; implementing a risk management capability to comply with international financial compliance regulations; and developing a comprehensive renewals management practice to optimise spend.

Outside of work I'm a keen rugby union fan and player, having played in many countries including the UK, Italy, Hong Kong, and now Australia. Travelling the world and soaking in the various cultures is something I relish, and I look forward to continuing the adventure.