May 17, 2018

12 Software Audit Defense Tips that Everyone in ITAM Should Know

Despite growing available information and training materials about the critical value of Software Asset Management, many companies still find themselves unprepared when it comes to software compliance audit situations.

This may be because software license audits don’t always start off clearly as an “audit”. Audits often evolve from a “friendly talk” between an IT administrator responsible for a specific technology and a software vendor representative (often a well-trained license expert or a 3rd party auditor). The customer is invited to take part in some “voluntary” compliance exercise that also identifies license gaps and areas of misusage.

12 Software Audit Defense Tips

In case your company gets an invite to participate in a software vendor license audit, here is a quick, universal checklist to help you stay protected:

1. Don't ignore the audit letter. Never ignore the audit letter. It won’t go away, and sooner or later they will follow up with you. Acknowledge the receipt and start preparing.

2. Inform your senior management and legal. Immediately inform your senior management and legal counsel once you receive an audit/engagement notification letter. In addition, it’s important to instruct IT staff that any information needs to be checked before sending it back to the software vendor. You should also inform any of your affiliated companies before you engage in an audit. In some cases, you might be pleasantly surprised to find out you are covered under other contracts, or might have a valid reason why you should not be participating in such activity. Remember that audit engagement letters don’t always reach the right people. It might start somewhere down in the IT support chain, and only reach senior management or the SAM Manager after the audit process is well underway. Discuss such cases with your IT teams so that they know how to respond.

3. Treat the audit as a project. Allocate the appropriate time, resources, and an internal project manager. Some vendors might require very detailed installation/setup information, with lengthy questionnaires, data-gathering instructions with scripts, and countless follow-up emails asking for further clarification.

4. Check your own compliance first. Be one step ahead of the auditors by performing your own in-house compliance check. Make sure you check and verify all the data and responses before sending them out to the auditors.

5. Freeze all license purchases. Stop buying any new licenses, because it might be seen as “panic purchasing” and won’t be added to your final compliance position report. Audit outcome calculation approaches vary across vendors and regions. Some vendors will ignore any new purchases made after the audit letter receipt date. Because of this, you might end up paying twice for the “last minute” licenses.

6. Carefully read your software contracts and supporting documentation. Locate all contracts to ensure you understand the contract scope (any regional or company affiliate restriction included), permitted software usage, and applicable licensing metrics. Some software vendors continue to introduce new changes that can be hidden in the small print or internet links of your purchase documents.

7. Manage communication. Manage communication properly between your internal staff and the external auditors. Don't let your staff be too helpful. Only provide what is requested.

8. Security policies. Ensure the information provided to outside parties does not breach your organization’s security policies. Your Chief Information Security Officer might not be comfortable releasing IP addresses or other infrastructure details to a 3rd party. Consider putting an NDA in place before any data is shared.

9. Confirm auditor findings. Always double-check the reports and analysis that you receive from the auditors. Some reports might look and sound very complex. Don’t hesitate to ask for more details about the calculation methodology or to challenge the findings. Auditors are known to sometimes make mistakes, or to make assumptions when complete information is not available.

You are the expert on your own environment! It’s your right to dispute calculation discrepancies or facts that you find are being misrepresented.

10. Mind your differing agendas. Remember that it is not in the auditor’s interest to optimize your license position, or to find your missing entitlements.

11. Use the audit to your best advantage. Use upcoming renewals, big purchases, or quarter or fiscal year-end to build a stronger negotiation position during a software compliance audit.

12. Once the audit is over, don’t lose momentum. Think about what you’ve learned during this audit experience. Use this as an opportunity to be even better prepared for the inevitable next time:

  • Update your IT policies and Software Asset Management strategy
  • Apply the same knowledge to managing other vendors’ licenses
  • Maintain documentation of all the data provided and the audit outcomes


Topics: Audit Defense




Comments (1):

Speaking from own experiences, a number of things need to happen upon receipt of audit letter:
- If letter has not already been addressed to Executive Management (i.e. C-Level), they must be informed immediately
- C-Level needs to initiate / set up (if it doesn’t exist) internal audit team / procedure
- In conjunction with legal, a response needs to be agreed and sent out by C-Level
- Any communication to be channeled through a SPOC (single point of contact) only, i
- It is important to agree items like e.g. start and duration, exact scope, and approach of audit as well as reporting information to be delivered, prior to “sharing” any data with vendor and / or 3rd party audit representative
It is also important to note that an organization to be audited doesn’t just have obligations, but also has rights and some leeway to influence how the audit is being carried out, i.e. an audit is not all one way.