A Practical Guide to Audit-Readiness – Seven Tactical Actions that Deliver Results

By Sandy Fletcher

In the various versions of the story of Snow White, the beautiful Snow White is brought several gifts from an old peddler who is actually the Queen in disguise –

  • A lacy corset that causes her to faint,
  • A comb that poisons her, and finally
  • The red apple that puts Snow White into a deep sleep

The lesson? If gifts start arriving at your home or office, you should probably ask a few questions.

Software companies are not the nefarious wicked queen even though they offer gifts of free training, demos, discussions, and other creative offerings. These are offered to help us become better acquainted with their products, to help them get to know us better, and to help us learn how they can further meet our needs.

Unlike Snow White, it is often we who poison ourselves if these gifts aren’t managed well. Our relationship with software companies can be rewarding for both parties — a win/win situation.

Let’s face it. Software companies have invested time, a lot of money and effort creating software that adds value to business. They deserve to receive compensation for their products and services. We appreciate the value they provide.

Most organizations and companies indicate through mission statements, annual reports or other publications that integrity and/or positive ethics are the foundation for how they operate. We want to do business honestly and ethically, and believe that those we do business with should be compensated accordingly.

Audit/Review Survival

So why do the gifts of free training, demos, new licensing models, and meetings with new account representatives sometimes result in the words “software audit” or “license review”? How can we partner with our software companies, ensure we are paying for the licenses we use and confidently respond in a license review/audit situation without spiraling into a very expensive and stressful experience?

Here are some suggestions based on our experience:

  1. Recognize potential audit/license review triggers
  2. Define roles for the audit/review team
  3. Establish an audit process
  4. Manage your audit according to established criteria
  5. Provide the right data
  6. Conclude with confidence
  7. Keep learning!

1. Recognize Potential Triggers

Change is a constant in the way businesses operate — people change roles, service offerings are modified, and needs for services fluctuate. Each of these, although a normal part of doing business, often warrants a review of the current status of licensing.

Whether it is a new sales/account representative with the software company, a new approach to license agreements (like cloud or hosted offerings) or changes in the services and products an organization or company purchases, a software company will often “invite” you to participate in the license review. These license reviews may become sales tools to motivate a company to look at new software licensing models, packaging of services or a way to true-up licenses in use. If license reviews are managed well, they can result in better overall pricing for your organization. They can also reveal areas in your software purchasing process that may need more coordination and discipline.

2. Roles for the Audit/Review Team

Your team for the license review, as well as for ongoing operational asset/license management, is made up of roles that each carry specific responsibilities. Remember to also involve your value-added reseller (VAR) or distributor if you have one.

Consider the following roles for your team:

  • Asset Management
    • Team Manager
    • Product Manager
    • Data Integrity Analyst
    • Software Compliance Manager
  • Primary Vendor Contact
  • Purchasing
  • Procurement
  • Finance
  • Director of IT
  • Information Security
  • Legal Counsel

In large organizations, it is helpful to have a Primary Vendor Contact for large software companies with multiple licenses such as IBM, Microsoft, VMware, SAP, Red Hat, Cisco, etc. This may be a person from within the business who utilizes most of the licenses from a particular software company/vendor and may be responsible for coordinating and promoting the highest-quality technical use, service and reporting regarding all uses of the vendor’s licensed software and hardware products. This includes helping other users know what type of license is needed, understanding the vendor’s license catalog and services, coordinating with other groups within the company who use the licenses and helping asset management track and report usage.

When first introduced to the role, candidates for the Primary Vendor Contact may perceive it as an unwanted responsibility and feel that they were selected merely because their team uses the vendor’s products. Executive support may be required to impress the importance of this role to the business and to the company overall as the best approach to manage effective vendor relationships and proper use of licenses.

For each phase in the license review or audit process, identify which roles are considered accountable, responsible, supportive, consulted and informed. The phases of the process that may be included are provided in the following table.

3. Establish an Audit Process

Once you have identified the various roles and responsibilities for the team, the next step is to construct the license review/audit process. It is wise to practice using the process through scenario planning and periodic internal license reviews. It is not a good idea to test your process for the first time during an actual license review or audit. Steps in the process may include ongoing operational tasks, as well as tasks to be followed once a license review or audit request has been received, during the review/audit, and after the audit has been completed.

Here is a sample of steps to consider:

Operational/ongoing tasks:

  • Track inventory and usage rights
  • Review contracts, especially terms and conditions
  • Periodically conduct internal true-ups of licenses to ensure compliance position

Tasks once the license review/audit request is received include:

  • Audit/License review request received
  • Notify team
  • Inform business stakeholders
  • Review contracts
  • Sign Non-Disclosure Agreements (NDAs) before kick-off meeting with vendor
  • Obtain data from vendor such as their stipulation to license position
  • Validate data
  • Obtain scope and methodology agreement

The tasks during the review/audit are:

  • Investigate discrepancies between vendor data and company data
  • Negotiate settlements
  • Document resolutions or agreements in writing
  • Make required purchases and contract amendments

The task upon completion is:

  • Share lessons learned with audit/review team and business users of the licenses

4. Manage Audit According to Criteria

Throughout the license review/audit, remember that you are in control. Your confidence throughout the review/audit is greatly enhanced by establishing processes, periodic scenario planning, true-up reporting, and internal product reviews.

Manage the rumor mill. Once you notify the virtual team and stakeholders of the license review/audit request, it is important to provide each team member/stakeholder with language to use when discussing the review/audit with others. For example:

We have received a notice from _________________ requesting an assessment of our deployment and use of __________________ software.

Many departments within (your organization), including the ______________ and ___________________ Departments, use specialized software from (vendor). (Name of vendor) is working with us to perform an audit of our use of these products.

You will be receiving lists of computers and licenses in use within your area, and we will work with you to address any issues that require attention. Please note that installation data has already been captured and removing (vendor) software should not be performed until the audit is complete. Please coordinate all work with and direct any questions on this issue to _________________. We appreciate your assistance with this effort.

Manage communications with the vendor. Often, license review/audit notifications from software companies indicate that they want to review everything. Your contract, NDA and scope/methodology agreements will define exactly what “everything” means. Ensure these are in place. If your organization comprises a number of corporations or business units, get a clear statement of scope to avoid opening everything to additional scrutiny.

5. Provide the Right Data

Make sure to check and double-check your inventory and usage data with your audit/review team prior to sending anything to the vendor. Ensure that data aligns with the NDA and the agreed-upon scope and methodology. Have a single point of contact from your enterprise to coordinate all communication with the vendor.

6. Conclude with Confidence

It is very important to get your settlement agreement in writing. Request that the letter indicate that licenses prior to XX date (date of audit/review) have been settled satisfactorily. Have the vendor state in the letter the timeframe for the earliest date that they can come back for another license review/audit. This will set a baseline for any subsequent audits/reviews.

Even if there are no additional purchases needed in your settlement, audits/reviews cost money in time and labor. It is wise to get a written agreement on how long it will be until the software company can come back for another review.

7. Keep Learning!

One result of a license review may be that you will recognize areas that need to be strengthened in your software purchasing, deployment and usage processes. Gather the “lessons learned” from the review/audit and distribute them to your audit/review team. Hold discussions to determine additional improvements. Continue to manage your inventory and usage data through periodic internal true-up reviews and reporting to continually increase your confidence in your asset management practices.

About the Author

Sandy Fletcher is the IT Asset Manager for The LDS Church.