Self-Inflicted Audits: The Ones You Never See Coming

Self-inflicted audits can happen when you ask for help from your software vendor – but they can be avoided.

When I began talking about the nine types of audits, I was told not to use the term “self-inflicted audits.” Why? Because as consultants we don’t want to talk about our clients, and potential clients, doing anything wrong. It’s always the vendor’s fault and the client is always the hero of the story. While that may be true on some level, heroes are not perfect. In fact, our greatest heroes always make some significant mistakes. For those of you responsible for managing license and cloud compliance, the self-inflicted audits are your “big mistake” that you can either recover from, avoid, or fall victim to. The choice is yours. In this article we talk about the three self-inflicted audit types and what you can do to spot them and avoid them.

There are three different types of self-inflicted audits. Each of them starts with a consumer of technology seeking help. Unfortunately, in these cases, help is sought from someone who has a conflict of interest in the answer they provide to you. While you may think your question is going to someone who will give you the best answer for you, you are actually going to receive the best answer for them!

Asking the vendor directly for license or cloud compliance advice is the first self-inflicted audit. It is also one of the most common. That means going to Oracle, Broadcom, Adobe, Anaconda, etc. with questions like: “I can’t find my contracts, can you help me?”, “Please give me a list of what I am licensed for?”, “Can you help me understand what I’m using?”, and my favorite, “We started to use your software to do this new task, is that okay?” Asking the vendor questions like this is setting yourself up for a world of hurt. Audits, threats of audits, and non-stop sales pressure are what you’re about to receive.

These vendors (and others not listed) want you to come to them for help so much they’ve even set up entire organizations to encourage you to come to them. Look at Oracle. They have GLAS, SIA, and LMS. Three orgs all begging you to work with them. Why do you think that is? You already know the answer.

The second self-inflicted audit is when you go to a vendor’s partner looking for help. You know you shouldn’t go to the vendor, so you go to their partner. You think this gives you a level of protection from the vendor but that is not the case. There are two big problems here. First, these partners make a lot of money from the vendors. No matter what the partners say, they will never go against the vendor and stick up for you. Second, the partners don’t know anything other than what the vendor tells them. These partners are not licensing experts – they do what the vendor says. And if they don’t know, they will either go to the vendor or make something up. That’s it. I’ve actually seen vendor partners go back to the vendor and tell them the client should be audited. Not good.

The final self-inflicted audit is a little different. This is when you go to a vendor’s competitor and ask them for advice. Think about this scenario. It’s an oldie but a goodie. You run Oracle database, and you want to run it on VMware. You go to VMware and ask them if there are any licensing concerns. VMware tells you to go ahead and not worry about the Oracle licensing. You listen to them and then get hit with an Oracle audit. Now Oracle wants millions of dollars. VMware is happy because you bought their products. Oracle is happy because you just paid them millions of dollars. You, on the other hand, are in a very bad place.

There are three things you can do to avoid this entire group of self-inflicted audits. First, don’t ask! Never ask someone with a conflict of interest to help you with a license or cloud compliance challenge. If you ask them, they will certainly give you the answer that helps them. There is an exception to this rule. You can ask them if you already know the answer, AND the answer is helpful to you. If either of those is not true, then we go back to the rule of DON’T ASK!

The second thing you can do is “just say no.” When a conflicted vendor comes to you and says “we want to help you understand your license compliance position” …you just say no. When they tell you that you can spend less if you go through a validation…you just say no. When they say “I’m from Oracle/Broadcom/Adobe/Insert Tech Name and I’m here to help with your contract and licensing” …you just say no. Tech firms don’t give bonuses to employees who help you spend less with them.

The final thing you can do is have the knowledge in house or have a trusted expert advisor with no conflicts of interest. Having all this knowledge in house is possible. However, it’s very expensive and needs careful monitoring. You may have an experienced team, but if they are not in constant and active engagements with your vendors then the knowledge gets stale.

You want to have people on your team (direct or extended) that are constantly challenging vendor statements and assertions. People who not only know what the vendor is going to say, but who also know what the vendor is not saying, and who know what you can and can’t do in various situations. The best way to get this experience and stay current is actually to be in constant conflict with vendors. To be in the middle of the audit fight. Those people representing companies against vendor audits have a unique perspective. They see all sides of the conflict and they know the art of the possible. Those are the people you want on your side to help you before a conflict arises. They can spot the roadblocks and challenges before you can. They can provide the insight you need to make the best decision for your organization.

Palisade Compliance protects companies of all sizes from all types of vendor audits. From the official to the self-inflicted. No conflicts of interest, ever.