The Prescription for a Painless Audit – Preparing for and Preventing Software Audits

By Frank Venezia & Steffani Lomax

Software audits have been on the rise for the past several years and continue to increase. Historically, software publishers were more inclined to audit their customers during economic downturns, such as after the dot-com bubble burst of 2000 or the stock market crash of 2008. However, statistics show that the leading publishers are increasing their audit activity despite the current stronger economy.

According to an annual survey of participants of the Gartner IT Financial, Procurement and Asset Management Summit, 67% of companies were audited by one or more software suppliers in 2013. Currently, the most frequent auditors are Microsoft, Adobe, Oracle, HP, SAP and IBM, while many of the mid-sized software publishers are also jumping into the fray.

At the 2013 SAM Summit, a panel of Fortune 500 Software Asset Management (SAM) executives stated that their teams spend 50% to 75% of their time on software audits annually. This staggering statistic confirms that audits can be extremely labor-intensive. Several factors determine how long it takes to prepare for and undergo an audit: the maturity of the SAM program and how manual its processes are, the experience of the people assigned, the methodology used to collect, analyze and reconcile data, and the quality of the organization’s preparation. Audits, from start to finish, can take 4 to 6 months or longer and can have a huge impact on a business.

In addition to the long duration, audits can be very costly. If a SAM program is immature and manual, the organization will need to dedicate numerous resources to the preparation process. If a company is found to be non-compliant with the supplier’s software contract, then resolving this compliance issue may be expensive as well as unbudgeted, with the possibility of incurring financial penalties. A company may also receive negative publicity if the BSA (formerly the Business Software Alliance) learns of any piracy issues or severe non-compliance breaches.

Audits can be painful. Audits can be stressful. Audits can be costly and time-consuming. What can your organization do to avoid the pain, stress and labor-intensive nature of audits? In other words, what is the prescription for a painless audit?

Let’s first examine audit triggers and then pursue the prescription for a painless audit.

Audit Triggers

Software publishers do not necessarily choose to audit their customers at random; a number of triggers induce an audit. Economic downturns create spikes in audit activity as publishers strive to achieve their revenue targets. Revolutions in technology, such as virtualization and cloud, cause publishers to change their licensing models and metrics, increasing complexity and the probability that their customers drift out of compliance. A software audit provides an ideal revenue-generating opportunity for the publisher, an attempt to uncover “low-hanging fruit” with minimal cost and risk. End users are obligated to pay for the software they use, so sometimes an audit is simply a means of truing up what is licensed against what is deployed and used.

How is a company selected for an audit? Each of the factors previously discussed contributes to the selection process; however, there are end-user, environment-specific triggers as well. For most mid-market and large companies, software publishers assign an account team to focus on the business and technology needs of their customer, with the ultimate goal of driving revenue. In addition to selling new software, the team’s responsibilities include intelligence gathering. The team’s sales representatives engage with their customer to learn about any upcoming major initiatives or strategic business changes that could lead to the purchase of additional products and services. Examples include a virtualization initiative, server consolidation, a storage or disaster recovery project, a data center relocation, a merger or acquisition, or any organizational change that would require additional technology.

The account team will also consider other conditions and factors. They weigh the ratio of software licenses to number of employees, hardware purchases and server upgrades, and long stretches of zero net new license purchases. A company with an upcoming contract renewal will draw keen interest. Finally, publishers will often audit the customers with the fewest controls in place for tracking and managing hardware and software assets. If an organization demonstrates uncertainty about the number of licenses deployed for a particular product, the supplier will become more curious.

Regardless of the specific reasons for the audit, it is critical for an organization to be ready and have processes in place to make the audit as painless as possible.

Preparing for a Software Audit

How are audits initiated and how should companies prepare?

Companies are typically notified about a pending software audit by letter. Most of the leading software publishers put a buffer between themselves and their customer to preserve the relationship, often by hiring one of the Big Four accounting/audit firms – PricewaterhouseCoopers, Deloitte Touche Tohmatsu, Ernst & Young or KPMG – and having them send the notification letter. The Big Four have certifications in audit methodology, so employing one of these firms establishes a formal process and adds credibility to the findings.

There is a loose consensus among licensing experts that every dollar spent with an auditor yields a $40 – $70 return. One of the Big Four expects most audits to result in a settlement equal to 10% of the existing install base. In other words, if a company owns 20,000 licenses of a specific publisher, the expected settlement to regain compliance will equal the value of an additional 2,000 licenses.

Once the notification letter is received, a company needs to organize internally prior to responding. Organizations should immediately identify and assign an executive sponsor as well as a Project Manager, who will be the single point of contact for all matters related to the audit, for both the auditor and the internal project team.

The Project Manager should begin by aligning all the relevant departments that will participate and contribute to the audit response – typically Procurement, Contracts, IT and Finance. The Project Manager must then assign a project team to prepare and organize a self-audit to gain an understanding of the current level of compliance. One of the initial activities should be to review and understand the contract language, terms, conditions and software license entitlements.

Next, the Project Manager should engage with the external auditor to understand the audit plan: the scope, the process, who should be involved and any assistance that the auditor requires. They should agree on all points at the earliest possible date so that the Project Manager can allow enough time to prepare. It is important to put confidentiality agreements in place, along with a policy that no data is provided to the publisher until the audit has been completed.

The internal audit team should put a plan in place to prepare and perform a self-audit in advance of the actual audit. The self-audit involves gathering procurement records, license deployments and contract entitlements, then reconciling the licenses the organization is entitled to against the licenses deployed. To reconcile properly, it is critical to understand product use rights, such as the right to upgrade or downgrade between versions of a licensed product or to install the same licensed version on multiple machines. The components of bundles and suites change constantly, presenting another nuance of understanding entitlements. It is also important to know whether there are licenses deployed in the environment that are not being used or that sit on decommissioned systems. Organizations may be able to uninstall or reallocate those licenses if the contract’s licensing terms and conditions permit it.
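The reconciliation described above is easy to get wrong by hand, because downgrade rights and multi-install rights change how many licenses an install actually consumes. The following is an added example, not code from the article or from any SAM tool, that models entitlements with those use rights and reconciles them against a deployment inventory. Product names, hosts and quantities are constructed; treating secondary-install rights as a pool of install slots per license is a simplifying assumption, since most real use-rights language ties the second install to the same user.

```python
"""Reconcile software entitlements against a deployment inventory.

Added example for the self-audit step described above; it is not code from the
article or from any SAM tool. Product names, hosts and quantities are constructed.
Secondary-install rights are modelled as pooled install slots per license, which
is a simplification of most real use-rights language.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Entitlement:
    product: str
    version: int
    quantity: int
    downgrade_rights: bool = False   # license may also cover an older version
    installs_per_license: int = 1    # e.g. 2 when desktop + laptop installs are allowed


@dataclass
class Deployment:
    host: str
    product: str
    version: int
    status: str = "active"           # "active" or "decommissioned"


def reconcile(entitlements, deployments):
    """Return {product: {deployed, decommissioned, covered, shortfall, spare_licenses}}.

    Allocation order matters: a deployment of the highest version has the fewest
    eligible entitlements, so it is matched first; for each deployed version,
    exact-version entitlements are consumed before higher versions with downgrade
    rights, lowest higher version first.
    """
    installs = defaultdict(lambda: defaultdict(int))   # product -> version -> active count
    decommissioned = defaultdict(int)
    for d in deployments:
        if d.status == "active":
            installs[d.product][d.version] += 1
        else:
            decommissioned[d.product] += 1   # should be uninstalled, not licensed

    # Remaining capacity per entitlement, counted in install slots.
    pool = defaultdict(list)
    for e in entitlements:
        pool[e.product].append({
            "version": e.version,
            "slots": e.quantity * e.installs_per_license,
            "downgrade": e.downgrade_rights,
            "per_license": e.installs_per_license,
        })

    report = {}
    for product in sorted(set(installs) | set(pool)):
        covered = shortfall = 0
        for version in sorted(installs[product], reverse=True):
            needed = installs[product][version]
            eligible = sorted(
                (e for e in pool[product]
                 if e["version"] == version or (e["version"] > version and e["downgrade"])),
                key=lambda e: e["version"])
            for ent in eligible:
                if needed == 0:
                    break
                take = min(ent["slots"], needed)
                ent["slots"] -= take
                needed -= take
                covered += take
            shortfall += needed   # installs that no entitlement can cover
        spare = sum(e["slots"] // e["per_license"] for e in pool[product])
        report[product] = {
            "deployed": sum(installs[product].values()),
            "decommissioned": decommissioned[product],
            "covered": covered,
            "shortfall": shortfall,
            "spare_licenses": spare,
        }
    return report


# Constructed sample data: a suite with downgrade and dual-install rights, and a
# server product whose license does not cover the older version still running.
SAMPLE_ENTITLEMENTS = [
    Entitlement("OfficeSuite", 2013, 10, downgrade_rights=True, installs_per_license=2),
    Entitlement("OfficeSuite", 2010, 5),
    Entitlement("DBServer", 12, 4),
]
SAMPLE_DEPLOYMENTS = (
    [Deployment(f"ws{i:02d}", "OfficeSuite", 2013) for i in range(3)]
    + [Deployment(f"ws{i:02d}", "OfficeSuite", 2010) for i in range(3, 15)]
    + [Deployment(f"old{i}", "OfficeSuite", 2010, status="decommissioned") for i in range(2)]
    + [Deployment(f"db{i}", "DBServer", 12) for i in range(5)]
    + [Deployment("db-legacy", "DBServer", 11)]
)


def sample_report():
    return reconcile(SAMPLE_ENTITLEMENTS, SAMPLE_DEPLOYMENTS)


if __name__ == "__main__":
    for product, r in sample_report().items():
        print(product, r)
```

With the sample data, the twelve OfficeSuite 2010 installs exhaust the five 2010 licenses and then draw on the 2013 licenses through downgrade rights, leaving five 2013 licenses fully spare; the two decommissioned hosts are reported separately as cleanup candidates rather than counted against entitlements. DBServer shows the opposite situation: the four licenses cover only four of five version 12 installs, and the legacy version 11 install is unlicensed because the entitlement carries no downgrade rights, so the shortfall is two. The allocation is greedy, which is adequate for this simple version ordering but would need a proper matching for contracts where entitlements overlap in more complicated ways.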

The Project Manager should estimate how long it will take to complete preparations for the external audit, including the self-audit. If the organization has an established Software Asset Management (SAM) program in place, this preparation will not be overly time-consuming. Conversely, if the company manages its software licensing manually or on an ad hoc basis, the self-audit and other preparations can require significant resources and take many person-months to complete. Once the Project Manager has estimated how long preparation will take, they can respond to the audit request and the proposed date, and try to postpone the audit if necessary. Companies are sometimes successful at getting the publisher’s proposed audit date postponed, and some delays are expected: organizational restructuring, mergers and acquisitions, divestitures and critical technology initiatives all constitute valid reasons to delay an audit. Contracts with clauses that prohibit audits during specific time periods provide documented, legal grounds for a delay.

Many organizations have found that engaging a third-party expert is the most effective way to prepare for an audit or to refute a finding of non-compliance. In one example, a pharmaceutical company engaged external experts to help them understand their compliance position with their publisher in advance of an audit. The external consultants determined that the company was facing a $25 million exposure as a result of the way they were licensing in their virtualized environment. After incorporating the appropriate agreements and making some architectural adjustments, the company was able to reduce their exposure to $500,000.

The Audit Process – Recommendations

When the external audit begins, there are some recommendations to abide by. Continue to use a single point of contact for all communications between the auditor and your organization. Go “silent” during the audit process so that your employees do not unknowingly provide intelligence to your publisher account team that could cause confusion during the audit. Follow the detailed audit plan. Hold weekly status meetings with the auditor to make sure that all tasks are on track. Establish escalation points for when an issue needs to be addressed expeditiously. When the auditor is on site, make sure that they are always accompanied by representatives of your audit team. Finally, ensure that you can substantiate your data: every deployment count and entitlement you present should trace back to a discovery record, a purchase record or a contract.

Controlling Your IT Assets

What is the methodology for controlling your IT assets? You need to track and manage IT assets through their entire lifecycle, from the time an asset is requested to the time it is retired or decommissioned. Design and implement the following critical ITAM processes: IT Asset Lifecycle, Asset Re-use, License Compliance, Audit, True-up, and Contract and Vendor Management. Select and implement tools for discovery, metering, license management, procurement and the asset management repository. Assign experienced resources to your ITAM team. Report in real time on the status of IT assets. Know your compliance position. Optimize your IT assets. If you follow this methodology, not only will you be in control of your IT assets, you will also signal to your software publishers that you have a solid ITAM program in place and know what you are doing. That signal may deter some audits.

Some IT Asset Managers are challenged to secure executive sponsorship and funding to improve their ITAM programs so that they can better control their assets. The cost of audit preparation and the process itself can often lead to securing funding towards people, process and tools to improve an ITAM program. Uncovering a significant cost avoidance opportunity during the self-audit will also help justify additional funding.

How to Manage the Risk of or Prevent a Software Audit

What are the conditions that make a software audit go badly and result in a large expense? Conversely, what conditions can maximize the chance that your company will avoid an audit, or lead to an audit that runs smoothly and results in virtually no negative impact? The company that is well-organized and in control of its software assets is most likely to avoid an audit or ensure the greatest opportunity for a successful, painless audit. An organization that has previously experienced a bad audit and learned from the experience typically does a better job managing a subsequent audit. It often takes a painful or even traumatic experience to force this transformation.

Organizations are becoming increasingly aware of the need to establish a robust IT Asset Management (ITAM) program to manage and track their software licenses as well as their other IT assets. While some organizations have adopted practices utilizing people, process and technology to build a solid internal ITAM program, others are still floundering, waiting for an issue to develop before implementing significant changes to better manage their assets. Companies that have taken the proactive approach to ITAM have placed themselves in a position to prevent future audits. Here is the recipe for success:

  1. Manage and control all software assets: Establish a formal, repeatable process for managing the life-cycle of a software asset, from requisition to retirement. Implement processes for real-time collection of transactional data, asset tracking and compliance.
  2. Negotiate audit provisions into contract terms and conditions: Protect your company by including audit terms and conditions that limit exposure by pre-defining audit methodology that reduces both the frequency and scope of potential audits.
  3. Establish an internal process for managing audits: Assign roles, responsibilities and a process for managing audits from the time the audit letter is received to eventual settlement.
  4. Incorporate licensing expertise: Knowledge of licensing complexities and nuances is a key factor, particularly for strategic software publishers where the organization is exposed to the most risk. Maintain a constant vigil to keep abreast of changes to licensing metrics mandated by vendors.
  5. Appear confident and in control: Giving the appearance of having complete control and confidence in managing software assets can also deter a publisher from pursuing an audit or an auditor from continuing its efforts. The auditor is tasked with finding revenue and will not waste time where it appears there is no significant opportunity.
  6. Be proactive and engage a third-party expert annually to optimize your software licenses: An ITAM expert can verify compliance by conducting or validating an internal audit, and can also ensure that your licenses are optimized.

In conclusion, what is the prescription for a painless audit?

Being in control of your IT assets through a proactive approach to ITAM and thorough, methodical preparation will ensure a painless audit!

About the Authors

Steffani Lomax is the Vice President of Alliances for Siwel Consulting, Inc.