Contractual Audits: How to Spot them and Defend Yourself
The contractual right to audit provision in your contracts is not the only way you can be audited by a vendor – the other ways are hard to spot.
When people think of software and SaaS audits they usually think of the familiar pattern: a vendor references a contractual right to audit provision, sends you a notification, and begins the audit; you send them information; they produce a report, usually finding you out of compliance and requiring you to pay money; and then you negotiate a final unbudgeted payment. While this is the Traditional Audit, it is not the only type of audit that big tech vendors use against you. In fact, when we think about audit activities, the Traditional Audit represents less than 20% of all such activity. I would argue that these audits, while an attack on your budget, are the easiest to defend against because you can see them coming. The vendor actually tells you they are auditing you, and you have a chance to prepare and defend before the audit begins. What about the other audits, the ones you might not see coming, or for which you never build a strategy before sending information to the vendor?
To defend yourself from the other 80% of audit activity you must first identify these audits and learn how to spot them, or, more significantly, how to avoid them completely. There are things you can do to avoid audits. At Palisade Compliance we have identified 9 distinct audit activities that vendors use to attack your budget. The first three are grouped into what we call the Contractual Audit group. In this article we focus on the Contractual Audits: how to spot them, avoid them, and win them.
While your audit preparedness plans may include a program to protect you from the Traditional Audit, you probably don’t have the same diligence in place to protect your organization from the Validation Audit and the End of Contract Audit. All three Contractual Audit types are written into your agreements in a way that requires your participation in activities where you can inadvertently give a vendor information that leads them to charge you more money than you were expecting.
The Contractual Audit Group Includes
1. The Traditional Audit is when a tech vendor notifies you of an audit and references a contractual right to audit provision. Almost all vendors include this in their agreements. Microsoft, SAP, Oracle, Anaconda, and Red Hat are just examples.
2. The Validation Audit is a provision that requires you to provide usage information to a vendor at certain times. This could be annually or on demand. Many IBM agreements require you to run IBM’s tool and provide the resulting information to IBM on an annual basis.
3. The End of Contract Audit occurs when your agreement is expiring and the vendor has included a provision requiring you to provide information before they will allow you to renew your license or extend your support agreement. Broadcom is using this tactic with its VMware licensing. You want support? Give us more information or move to the new subscription model! Oracle does the same with Java.
The good news with all the Contractual Audits is that you can prepare for them. You know the vendor can come knocking, and you may even know when. A savvy SAM organization will create a program to review all their technology contracts and look for these contractual provisions. You can bring in the IT organization, business owners, procurement, and even legal. You can actually create schedules and plans to anticipate these events. An even more advanced procurement and legal organization can take it a step further and eliminate Contractual Audit provisions from agreements, or simply water them down to an extent they have little if any bite to them.
Unfortunately, most organizations don’t prepare for the Validation Audit or the End of Contract Audit. These audits are not viewed with the same urgency as the Traditional Audit. This leads to tech vendors taking advantage of their clients in a way that just feels wrong. While you thought the End of Contract Audit was a simple renewal exercise, your vendor was treating it as a fishing expedition into your IT budget. They are simply looking for the next big deal.
One thing you can do right now is identify your top 10 tech vendors and look for Documented Audit risks in their agreements. Highlight those risks, and the opportunities, to your larger team and to colleagues in other departments. Bringing the unknown into the known is the first step to tipping the scales in your favor and keeping control of your vendors, your IT budget, and your technological freedom.
In the next article we will review the second group of audits. We call these the Unofficial Audits or the Non-Audit Audits.
Palisade Compliance is The Audit Defense Firm. Any type of software or SaaS audit, from any vendor, at any time. Contact us for more information.