Unofficial Audits: A Trap in Disguise

Unofficial audits can be disguised as an offer of help from your software vendor – sharer beware!

Palisade has identified nine ways technology companies audit their clients. In our last article we wrote about the three “Contract Audits.” These are all based on language in your tech agreements. They include The Official Audit (where a vendor sends you an audit notice referencing a clause in your contract), The Reporting Audit (where you have a contractual obligation to send a report to the vendor at certain times), and The Renewal Audit (where a vendor will not renew your agreement unless you provide them with audit-like information). Today we write about the next group of audits: The Unofficial Audits.

Unofficial Audits can be more dangerous than official audits because they bypass your normal audit defenses. They can even be disguised by an offer of help. Under the guise of assistance, tech vendors extract data and information that they can and will use against you later. You think you have “a good relationship” with your vendor? Think again. Companies don’t have relationships. People do. And different people at your vendor will do different things with your data. Sharer beware!

Unofficial audits are all vendor-led. In fact, your vendor can go through all three unofficial audits. If all three unofficial audits fail, and you fail to manage them, you could find yourself staring down the barrel of a real, or Official, Audit.

The Offer Of Help Audit is, as the name states, when a vendor approaches you with an offer of help. It can sound like this: “Hi, we are looking at your account and we think we can help you optimize your licensing, just fill out this spreadsheet so we know more about your environment.” Or “Our team of experts will help you move to the latest products, just run these scripts so we know what you’re using.” It’s easy to see how these offers can bypass your SAM and compliance teams. In fact, your SAM team will never know about them until the vendor turns around and says, “You’re using more than you bought, give me millions of dollars!” Your “good relationship” won’t save you now.

The I’m Worried Audit is the next phase of the vendor psychosis. A vendor can start with a concern, or can move from an offer of help to a concern audit. These audits often sound like this: “We noticed some download activity from your IP addresses, and we are worried that you are using products you’re not licensed for.” Or “We see you did an acquisition and we are anxious they are using our products.” In both cases there is no proof of noncompliance, just a random event the vendor wants to use against you. The goal is to get you on the phone and to make written or verbal statements that they can use to “get more worried.” Once you say something, you can’t unsay it.

The final leg of the vendor unofficial audit journey is the “You do what I say or you will be audited” threat. These audit threats are ubiquitous, and effective. No one wants to be audited by a vendor, especially if you don’t know your compliance position. Companies will often capitulate to the Audit Threat because it’s easier to write the check than to deal with the vendor. Give them money and they go away. Couple this with the unknown compliance position and you have the perfect storm for a tech vendor to get everything they want without having to do any work for it. Just threaten, get you worried, escalate, and settle. Almost every tech vendor does this.

There is good news and bad news with unofficial audits. The bad news is that we can’t 100% control what vendors do. The good news is that we can eliminate all the risks of unofficial audits. The first and easiest thing you can do is be in compliance AND know you are in compliance. If you know your position, and it is a good one, then who cares what the vendor does? Second, put yourself in a position where you don’t need the vendor’s help. If they bring up a concern, and it’s legit, like an acquisition, make sure your team can figure it out. Don’t rely on a vendor to tell you how to spend more or less with them. That’s your job. Third, get independent help. Engage experts who know technology and have deep experience supporting their customers. Fourth, and this one is a little blunt, in the words of Dave Chappelle, “you could shut the **** up.” The biggest risk in the unofficial audit is thinking you can take care of it with a vendor call. That’s exactly what vendors want you to do. It’s okay to listen to vendors and their concerns. It’s not okay to feed them information they can twist and turn into a narrative of noncompliance that is not based in reality.

Palisade Compliance is the leading independent license advisor. We’ve seen all the vendor tricks. Take control and don’t fall for the Unofficial Vendor Audits!!