Software Audits: The Payoff of Planning Ahead

By Chris Tittiger, CITAM, CSAM

AUDITS DON’T HAVE TO BE SCARY. In fact with some basic planning, they can be relatively painless. Here are two simple strategies you can implement in your company to help mitigate your company’s risk during a software audit:

  1. Negotiate the audit terms in your software contract.
  2. Control how your vendor will perform their audit.

The best defense to a successful audit is to negotiate the audit terms of your contract. Ideally you don’t want any audit terms in your agreements. No contractual terms mean your vendors have no right to audit your company. But in reality software audits make up a large percentage of a vendor’s revenue. So most likely vendors will put audit terms in your contract and it doesn’t hurt to push that contract back and ask for more equitable terms.

Most agreements are executed in a rush. The sales rep dangles a discount incentive in front of the executives and they want it bad because it’s going to save the company thousands of dollars. However that “discount” has an expiration date. If you don’t take the time to build in the ideal audit terms for your company up front, you could end up paying much, much more down the road. So make sure your executive team sees the value of taking that extra time to negotiate the best terms for your company prior to handing them the signed sales agreement.

Some key audit terms to consider adding to your next software agreement are:

1. How will your company be notified? How will your company be notified that they have invoked their audit rights? A formal written letter? An email to your legal department? Make sure you clearly identify the process up front.

2. Can you self-audit? Can you perform a self-audit and will they accept the results as official? You may also want to agree on the report format in advance and confirm that any compliance issues can be resolved without a full audit or fines.

3. What documents are required before beginning? The auditor should provide a complete entitlement report and a copy of all the agreements in scope.

4. How often will audits be conducted? Start by asking for five years before they can re-audit. If they reject, then work down from there.

5. Will a third-party auditor be required? If so, make sure you are allowed to choose the third-party audit company. Ensure it’s clear who pays for the third-party auditor and require both the 3rd party and vendor sign a Nondisclosure Agreement (NDA).

6. Will you allow an onsite visit from your auditors? Remote access? Consider adding specific notice requirements for onsite visits from your auditors and any necessary requirements for a company representative to be present when accessing sensitive or proprietary data.

7. What discovery tool will be used? If the vendor wishes for you to use their tool, make sure it is agreed that they will provide specs on what data their tool gathers and stores. Discuss what versions are allowed to run in your environment. Establish the process in advanced for internal teams to review and approve the use prior to the start of any audit.

8. How will the software will be counted and reported? Never give an auditor more information than is required. If the metric for the software is CORES, then make sure to write in your agreement how it will be counted and reported. If you are reporting processor counts, will you include the hostname or just the count of processors? For example, if your agreement has a user metric you may want to consider adding that you will report the total count of users instead of providing a list of all the users and the roles assigned to them. Also, include what environment will be counted in an audit (e.g. production only, VM Host, non-dev, non-trials).

9. What information should be included in your audit report? What is an acceptable range of variance to be “in compliance”? If you are out of compliance but under a 10% threshold can you “true up” with no additional audit required? What happens when your audit is complete and they don’t find anything or you are within the variance range?

  • Will they repay your cost? Consider the loss of productivity, billable hours, legal fees, third-party expenses, etc.
  • Should they pay a fine? You may want to require the vendor to pay the company X dollars if you fall under a certain threshold or they find nothing.

10. What is the price/price bracket that will be used to purchase any additional licenses required as a result of the audit? Also include that you have the right to procure the licensing from your retailer of choice.

11. Who will pay any legal fees if an audit goes to litigation? Don’t get stuck with the entire bill.

12. Include plans for any future affiliates. Don’t lose your audit rights during any company mergers or acquisitions.

So what if you didn’t get the best terms in your contract? When the vendor invokes their audit rights, you still have a second chance to mitigate risk. Consider the following steps to lessen the impact to your company:

1. Initiate your audit approach plan. Have a plan in place and a dedicated team that handles the audit from beginning to end.

2. Reduce information leaks. Talk to any individuals in your company that may have contact with the vendor (i.e. database admins who talk to your vendor sales reps) and let them know to direct all inquiries from the auditing vendor to your ITAM.

3. Know your rights. Review your agreement and understand what your contractual audit terms are before communicating to any auditor. Make sure you are very clear on rights for both sides.

4. Remain calm and establish ground rules. When a vendor invokes their audit rights, it’s easy to throw your hands up and run around screaming like the world is ending. You may feel pressure from the auditors to provide data quickly and adhere to tight deadlines. Instead take a deep breath and remain calm. Schedule a kick-off meeting with them shortly after you’ve been notified to ensure them that you are willing work with them. Use this time to review your contractual terms and/or guidelines.

5. Be Timely in your responses. Don’t be rude. Always conduct business in a professional manner and respond to your auditors even if you don’t have the information they are requiring.

6. Always LEAD conference calls. Use your own conference bridge OR ensure everyone is in the same room when talking to the auditors to help control your meetings. If Bob starts mentioning information that the auditors are not entitled to, drop him from the call or mute his line.

7. Have a legal representation available when necessary. If you meet with your vendor and they have legal representation at the table, make sure you do as well. If you don’t, kindly let them know that you will postpone the meeting until legal counsel can be present. DON’T let any legal threats push you into performing the audit recklessly. Keep in mind it takes a lot of money for a vendor to actually go into litigation.

8. Have the vendor sign a License Alignment Compliance Scope Agreement outlining the agreed upon terms. This will determine how the audit will be performed.

  • Determine what agreements and products are in scope and how do you separate licenses installed from other agreements.
  • Agree to a validation period for all reports provided to you (i.e. the length of time it will take you to validate and resolve any errors such as missing entitlements or agreements).
  • Agree on entitlements first. Most auditors want to get your data first and then compare it against what you own. Have them prove what you own first by providing a complete entitlement report.
  • Agree on a timeline for each event (i.e. reporting will be due in X days and require X days for validation). Don’t forget to account for company holidays, busy times, and time off for key personnel.
  • Agree on the hours of work that will be provided by your team. We all have day jobs, so don’t cut yourself short. Example: 2-4 hours a day for 4 weeks. You should also consider other required people within your company that you don’t manage (i.e. like Bob in the exchange group…his time is billable too).
  • Agree on when and how often you have update meetings. Come prepared to show progress (even if it’s a just a little). Auditors like to see progress.
  • Agree on how licenses will be counted. Will you count training/evaluations or development environments?
  • If using a third-party auditor, agree that all data given to a third-party must be signed off by your company prior to sending it to the vendor. Agree that all third-party auditors will need to sign an NDA.
  • Agree to the reporting format. For example, if you’ve agreed to report ‘user count’ will you give them a list of users or just the SUM count of users?
  • Agree on the tool that will be used for discovery. If the vendor wants to use their tool, agree on the time frame for your company to validate it.
  • Agree on pricing that will be used to buy licenses that are out of compliance. Also include your right to choose the VAR for buying licenses.

9. Don’t be afraid to push back. You may be obligated to do the audit, but you don’t have to proceed carelessly. Ask questions and don’t be afraid to speak up. Make sure the vendor/auditors know that you need to agree on ALL the audit steps before you proceed.

Don’t forget to track your audit cost and any reductions along the way. Costs associated with your audit, including staff’s billable hours and third-party costs, should all be applied. If you are able to reduce your risk, track the reduction. If the initial audit fee was $1.5m and you got it down to $500k, that reduction needs to be tracked and reported to your executive team. It will help build a better case for involving ITAM in future contract agreements. Even bad news may help your executive team realize that they need to invest further in your ITAM program to help mitigate future risk and IT costs.

About the Author