Licence compliance audits by the major software vendors are still a frequent occurrence for many businesses. FisherITS recently joined The ITAM Review to profile some of the most prolific auditing vendors on a webinar which can be viewed in full here.
During the webinar, we received several questions from the audience which we have answered in full in this article.
- Which phases of the overarching audit process can be influenced by the customer or service provider?
- It is possible to influence all phases of the audit process. This is less straightforward for the first phase, ‘target selection’, where vendors determine which of their customers will receive an audit, though it can be influenced by carefully managing the software estate and relations with vendors. Once the audit is underway, careful communication and data management during all stages is crucial to ensure that the impact on your organisation is minimised.
- Can vendors act on information they discover if this is outside the agreed scope/audit clause?
- Whether they ‘can’ will depend on the specific situation and what’s been agreed contractually or during the initial phases of the audit (kick-off and scoping). However, often there are no clearly defined boundaries and vendors will include additional products and environments where possible to maximise their potential compliance revenue. The key to avoiding this is to clarify the audit clause and clearly define the scope of the audit at the start of the process. Once the audit starts, communication and data sharing should be restricted to fit this scope.
- Can a vendor challenge your SAM tools? For example, ask to have an architectural overview of the tools involved in your SAM practice?
- Vendors need to follow the restrictions as set in the audit clause. Often this will include what kind of data they can request and that data requests need to be ‘reasonable’. If your in-house SAM tools can provide the data as specified in the clause, we recommend that this is used in the audit to control the data flow and minimise the impact on the environment. Auditors can of course question the accuracy or completeness of this data, and may ask for additional supporting information to increase their confidence. It is key, though, that the additional information is then reasonable and clearly has a purpose in the review. If the purpose is not clear or the auditor does not provide valid reasoning, you can refuse the request.
- When a customer is notified of an audit, how much time will the customer have to accept?
- The timeframe to acknowledge an audit is normally set within the audit clause. This usually ranges from a few days up to a few weeks. This only sets the start point of the audit, though, and doesn’t define how long the audit can take. If, for example, there are confidentiality or security concerns, they should be handled first. The audit should also not unreasonably impact your regular business operations, so it is recommended to push back the vendor timelines if this would be at risk. Also keep in mind that a notification does not always need to be accepted. If the vendor does not follow the audit clause or does not have the right to audit, you can refuse the audit altogether.
- Can you predict or explain how software vendors will initiate audits when travel and office access is restricted due to Covid for the next months or year?
- We expect that most vendors will use a remote approach instead of onsite and have modified their processes accordingly. There will be a push towards screensharing sessions to verify any outputs provided. Keep in mind that you do not necessarily have to agree to screensharing sessions if you have security or privacy concerns. We recommend that the approach is clearly defined at the start of the audit to ensure boundaries are in place where necessary and that the auditor follows the audit clause and guidelines. If vendors do insist on an onsite visit, your employees’ safety should of course come first so you have every right to refuse this approach.
- What is the best way to approach an audit where we don’t have entitlement and contract details? In an audit we thought we had licences but we did not have proof and the supplier was not ready to provide any information until the last moment.
- Vendors are only obligated to share the contract details that prove their right to audit (this should always be provided at the start of the audit). You can request entitlement details beyond that, though they are not obligated to provide these details and will usually refuse to share them until the end. We believe that this is counterproductive, as it prevents customers from comparing this to their internal records in a timely manner and flagging issues early; however, this is up to the vendors to decide. If the vendor refuses to share entitlement details, we recommend that the process around entitlement sharing is clearly defined up front, including your time and options to review or counter this data. Beyond this, we recommend that due diligence is taken to prepare for the various potential outcomes.
- Do you see any changes to the aggressiveness of audits after Covid-19?
- Based on our information, there was a small decrease in audits from some vendors during the initial phases of the Covid-19 crisis, though it seems like they have re-engaged in full force. It’s not clear just yet if they will be increasingly aggressive, though based on previous economically challenging times, we wouldn’t be surprised if there is increased aggressiveness. Software vendors often try to prop up dwindling sales numbers by recovering the revenue with licence audits.
FisherITS are one of the few specialist consulting teams globally that can deliver a full-lifecycle licence audit defense service against all major software vendors. We help our clients to defend vendor audits by advising them through the vendor audit cycle and negotiating the final settlement with the vendor. Our aim is to make the process as stress-free and cost-effective as possible.
We offer our clients the opportunity to have an internal audit before a vendor audit is initiated. This gives the chance to remedy risk areas and minimize financial exposure on any areas of non-compliance. Find out more here.