Software compliance reviews are “a fact of life.” According to a Gartner study undertaken over a six-year period, on average 68 percent of organisations receive at least one audit letter each year (source: Gartner G00278199, September 2015). Organisations have therefore become accustomed to receiving these audit letters, or so-called “Love Letters,” from their software publishers. While some cry that romance is dead, clearly the good old-fashioned love letter is alive and kicking when it comes to the ever-tested relationship between software publishers and their customers.
Love Letters from your software publisher are not always as straightforward as they seem. While they may be positioned as audits to verify your compliance with the publisher’s licensing terms (i.e. confirming both parties are being treated fairly in the relationship), in many instances publishers use them to drive additional revenue from their customers.
Software compliance reviews, or audits, have developed over recent years into major income contributors for software publishers. According to our own research, many software publishers run this income stream in a very professional way, with either in-house or third-party resources. In-house publisher audit personnel now have clear revenue objectives and targets for the number of audits they must perform. Years ago this domain was dominated by the top 10 publishers; today it seems that almost any publisher uses this method to verify compliance and generate additional income. Lately we have also seen an increasing number of mid-size companies becoming targets for software audits, since they often lack the resources for in-depth Software Asset Management. Software audits are no longer something only large companies have to worry about.
At the same time, some software publishers are guilty of going far beyond what was signed and agreed in the audit clause to exploit their customers and extract as much revenue as possible from an audit.
To the battlements!
Staying compliant is a huge challenge for any organisation. Software licensing rules and metrics change constantly, and combined with more powerful hardware, virtualisation and cloud options (IaaS, PaaS, SaaS) they create a licence and usage mix that is difficult to control and almost impossible to manage.
How should companies react to this threat? How should you react?
If profit is the driver of software audits, then the best way to protect yourself from this exploitation is to make software audits as unprofitable as possible for the software publishers. The only defence is to establish a professional Software Asset Management Function including solid Audit Prevention and Defence capabilities. You must build and fortify your Audit Castle!
Most publishers by now use detailed audit methodologies to extract the information they deem necessary to verify your compliance. If you look closely enough, the methods the software publisher proposes often conflict with your company’s IT standards and its data privacy and information security requirements. Armed with this knowledge, Audit Prevention and Defence capabilities can be the foundation blocks of your Audit Castle.
Building your castle
Preventing audits or limiting the impact an audit has on your organisation is the ultimate goal. We need to understand and analyse the phases of an audit and see what levers we can apply to get the best possible outcome for us.
The Audit Castle idea came up some time ago at one of our conferences. One of the presenters talked about the number of audits they have, and the time and effort it takes to respond to the demands of the auditing companies. Suddenly the idea of the audit castle was born. Prevention of the audits is key. If you can build an Audit Castle which is hard to enter, they cannot get in to audit you. If your walls are solid and your drawbridge is up, they will give up the fight and seek somewhere else that is less well defended.
An Audit Castle consists of four layers of defence to protect against each stage of the publisher’s attack:
1. Pre-Audit Phase
The publishers have sent in their messenger, informing you of their intention to test your defences. It is time to fortify your defences. Review the letter and determine exactly what they are asking from you. Which specific software are they auditing, where, and under what terms in your contract is the audit justified? If you are already in negotiations with the publisher to purchase more software, cancel these activities immediately. They need to know you are focused on your defence.
2. Audit Preparation Phase
You need to prepare externally and internally. Externally, agree the scope of the audit with the publisher: the methodology, the audit type and so on. Set up an NDA, ideally a three-way NDA between yourself, the publisher and the third-party auditor. Have the publisher provide you with your licence entitlements and set up your audit executive agreement. Internally, inform all stakeholders about the audit, collect your licence contracts and compile your first compliance report.
3. Audit Phase
This is where the attack begins. But don’t let your guard down. Validate the usage data that has been collected and investigate the audit findings. Now is the time to find and dispute every discrepancy in the audit.
4. Post Audit Phase
If your defences were strong during the attack, the publisher’s forces will be battered and bruised by this point. They will want to call a truce as soon as possible. They have tried to penetrate your walls, but they have failed to make any significant headway. You can now enter settlement negotiations from a position of strength, close the audit and mutually agree a contractual settlement. The publisher will have depleted its forces with very little to show for it, and it won’t come banging on your door again anytime soon.
No matter how big and complex your organisation is, with the right knowledge and skill, you can up your audit defence game and build your Audit Castle. Once you have a reputation in the market as an Audit Castle which is not easy to enter, all publishers will think twice before they take you on.
This topic will be explored further by Jochen Hagenlocher, ITAM Professional of the Year 2016, during his session at the ITAM Review annual conference in London, taking place 5-6th June 2018. Visit www.itassetmanagement.net for more information.
Martin Thompson, Owner and Founder of The ITAM Review
Image Credit: SFIO CRACHO / Shutterstock