Overview of Quest audits
Quest performs different types of audits, which vary depending on the type of the engagement and party responsible for carrying it out. These can be self-audits, audits led by Quest’s own license compliance department, third party audits typically led by one of the Big 4 (Deloitte, PWC, EY or KPMG) or a combination. The level of inquiry, effort and time spent is set by the audit model, self-audits being the least intrusive and easiest to execute.
Independent of the model, Quest audits typically include four major phases. All phases have an equal weight in determining the final outcome of the audit.
Phase 1: Kick-off & Audit Scope
The Kick-off & Audit Scope phase determines how invasive the audit will be. It generally is the first sit-down with the auditors and decides the tone of the entire process. It determines the reach of the audit, from headquarters to subsidiaries to servers and workstations potentially making use of the software.
It is critical to get a clear understanding of what is required and mandatory by rule of law. Any information shared outside of your contractual obligations may have negative repercussions on your organization.
The product scope typically encompasses all Quest software products. However, emphasis will be mostly on Toad and SQL Navigator installations.
Phase 2: Data Collection
The Data Collection phase is usually the most time consuming and resource intensive phase for your organization. If not already in place, SAM (Software Asset Management) responsibilities need to be assigned within the team. The terms and conditions set in the Kick-off & Audit Scope phase need to be clearly understood and reflected in the Data Collection process. All collected data should pass an internal quality control filter which should ensure that it includes all required information and that no information outside of the scope is shared with the auditor.
The coverage of your SAM tool should be at least 90% for workstations and 100% for servers. If it’s lower, Quest would work with you to address the gap in some way. Our research indicates that the preferred tools for data collection are Active Directory and SCCM (System Center Configuration Manager), for which Quest will provide their own SQL queries which would collect the required data. However, if the requested data can be supplied by other tools, the submission will be validated by Quest nevertheless. In addition, screenshots and license key scans via scripts provided by Quest will be requested as well.
Phase 3: Reporting & Reconciliation
Once all the relevant data has been collected and handed over to the auditor, the Reporting & Reconciliation phase will commence. The auditor will analyze the data provided in accordance with your license agreement, contracts and respective licensing rules and metrics for the products in scope. The deployment data will be reconciled against the entitlement data, resulting in a report which will serve as basis for the discussions in the Settlement phase.
Phase 4: Settlement
At this point in the process, the auditor already provided you with a report of the software used, the software entitled and the delta between the two. Before accepting any of the conclusions derived from this report, make sure you have a clear understanding of it. This is of fundamental importance when reviewing it and spotting any inconsistencies. Make sure to support any claims with clear evidence.