A software audit sounds about as pleasant as a tax audit. Both can be expensive if not handled correctly. If your organisation licenses software, it is not a matter of if but when you will receive an audit request. The most frequent requests come from the big players: Microsoft. Oracle, Adobe, IBM and SAP. According to a survey by Flexera, 44% of large companies have had to pay “true up” costs over $100,000 or more. Nearly 20% have paid over $1 million to settle disputes.
This week I would like to discuss some tips for avoiding a software audit. You will still receive requests for audits. However, the following tips will help you navigate the complex auditing playing field. At the very least, you should be in a better position to withstand an audit. If you avoid one, that is even better.
Complexity breeds licensing confusion, and that plays right into the hands of the auditor. You may honestly believe your company is within the bounds of compliance. However, the auditors know where to look. They know where to find complexity in language and contracts you can easily overlook. Software contracts are incredibly complex, and they are written by the software companies themselves. So even if you are diligent in reviewing every contract you sign, there can be confusion in how you deploy those licenses around your company.
I recently worked with a company in the process of moving some of their services to the cloud. One reason for doing this was to reduce the amount of complexity in their licensing agreements. However, what they found was even more complex because they were operating in a hybrid cloud and on-premise environment. The cloud makes spinning up services so easy that many employees do not consider the licensing implications until it is too late. The same dynamic nature of the cloud that makes it appealing can also cause tracking difficulties due to how quickly anyone can bring a machine online.
Moving services to the cloud can reduce complexity. However, it is still early where mixed environments are the norm. Don’t assume your cloud providers understand the details of your licensing deals. Understand that if you attempt to move on-premise software to a cloud environment, you’re likely to have licensing issues. It is best to work through those sooner than later with your vendor.
Perform Regular Internal Audits
Many companies will wait until they have received a software audit request to perform their internal audit. Don’t fall into this habit. Making internal audits a priority will help you spot licensing inconsistencies before they become expensive problems. I have noticed some of the most prominent licensing challenges happen when a company is growing at a fast pace and expanding its presence. It is too easy to assume you will eventually get around to making sure all the new hires are using software that complies. Auditors know this soft spot. Moreover, when they find it, you can expect them to bill you retroactively for past non-compliance.
You should perform an internal audit at least once a year. One thing you should avoid is the offer from vendors to help you figure out your compliance issues. Some may have honest intentions, but others may look at it as an opportunity to perform a stealth audit. It is best to perform the audit in-house utilising your own staff.
Most of the major software players offer software tools to help you audit yourself. Most are forthcoming with exactly how their tools work and how often they call home. Before you deploy any monitoring tools, have the vendor answer any questions about how they access and share data. The key here is to get ahead of any issues before vendors are notified something is wrong. If you find something is wrong, work with the vendor to correct it.
Educate Your Employees
Too many compliance issues stem from the fact that employees use the software in ways that are outside the licensing contract. I have seen this happen inside companies that rely heavily on virtualisation. Some employees do not understand the complexities around virtualisation and assume a temporary host/server can be deployed without breaking the contract. Virtualization is so mainstream today that you can solve the problem by educating your employees on basic software compliance models.
Make education part of the onboarding process for new employees, so they understand the seriousness from the start. However, don’t stop with new employees. Ongoing awareness campaigns can help you get the word out and bubble up any concerns employees have about their own tools and devices. You must be vigilant when it comes to communicating the importance of software compliance to the entire company.
You should also have a process in place whereby employees can request software tools they need to do their jobs. Ignoring their requests will not make the problem disappear. You are far better off having a vetting process in place to ensure new software requests match business objectives. That allows you to work with the employee to determine the best option while remaining in compliance.
Plan Accordingly for a Software Audit
You may have all your licensing ducks in a row, but if you purchase enough software, eventually you are going to be faced with an audit. It is better to assume an audit is on the horizon and plan accordingly, then hope your number will never be called. Most companies understand they will be audited sooner or later. Your company should define who is a charge for managing audits as they happen. Having a single point of contact is key, especially at large companies with multiple employees with software purchasing authority. Most large companies will form an audit team, and then designate one person as the lead.
The audit team should be prepared to handle audit requests. Most requests allow for a 60-day grace period, but that is negotiable. Some vendors may agree to no audits during the first couple of years of implementation. The audit team should be familiar with the contracts and be in a position to advise internally and challenge externally. Putting together a team that includes members from IT, asset management, and legal is a good start. The team does not need to be large, but it needs to be informed and ready to take decisive action.
You’d probably rather have a root canal than go through another software audit. Audits can be time-consuming, painful and expensive. However, they do not have to be if you are prepared and follow some basic guidelines to make sure your company is compliant. The primary issue I see is that companies wait until they have been served with an audit notice to take any action. Maybe you can talk your way out of the auditor postpone it for a few months. However, eventually, your lack of planning will catch up to you. With so much software migrating to the cloud, audits are becoming a more frequent avenue to increase revenue for software companies. Some auditors see themselves as an extension of the sales force. That is the environment we operate in today.