- Sep 24, 2020
- Steven Myette
Your Guide to Audit Defense in 2020: How to Protect Against Financial Risk
Remember all those tech conferences and trade shows that were cancelled earlier in the year? For software vendors, that amounted to lost deals worth an estimated billion dollars.
That’s just one example of how many companies lost revenue this year. In the early phases of the pandemic, it would have been unacceptable to audit companies as they grappled with lockdowns, lay-offs, and work disruptions. Now that we’re entering a “New Normal,” we can expect some normal practices to return, like software compliance audits.
Unlike contract renewals or true-ups, software compliance audits aren’t always on a schedule. Unless you have a written agreement stating otherwise, vendors can start an audit whenever they choose. This means there’s a chance that you could be defending several audits at the same time in the near future.
The effect on your organization’s bottom line and your IT budget is obvious. One audit can feel like a tornado, sucking in time and energy, leaving stressed SAM managers in its wake. Several overlapping software compliance audits will feel more like a super-tornado in your Software Asset Management department, going round and round for months, sapping more and more work hours and resources as it grows, and spins, and crushes spirits in its path.
A SAM program is critical for a strong audit defense because it can be such an efficient time saver in the inevitable event of a software compliance audit. In the coming months, your audit defense will need that efficiency to be strong, flexible, and nimble enough to move from one audit to the other.
These are difficult times, but that doesn’t mean audits have to be difficult too. Here are some Software Asset Management principles you can apply that will help you if you face an audit onslaught.
Working remotely is tough, but responding to a software compliance audit while half your organization works remotely will be a grind. So, start responding to an audit before the audit happens.
Assemble your audit A-Team: If you haven’t done it yet, form an audit response team of people from IT, procurement, legal, and any other stakeholders that might be needed, like software-specific application managers.
Prepare the processes: Start assigning tasks within your audit team, like who responds to the audit letter, who is the single point-of-contact with the vendor, who freezes product purchases from that vendor, who implements the security procedures, and so on.
Consider a SAM tool: For any given vendor there’s a slew of license metrics, product use rights, and entitlements to gather – and a spreadsheet won’t tell you what’s missing. Professional Software Asset Management tools will consolidate and process all that crucial audit data, point out data gaps, and give you a compliance report. SAM tools shave crucial days – even weeks – off your audit response time, with a lower risk of errors from manual spreadsheet entry. Who likes spreadsheets, anyway?
Boxers like to say, “Train hard, fight easy.” The same goes for software compliance audits. If you start now, before the tsunami of cash-strapped vendors comes knocking, then you’ll respond quickly, correctly, and efficiently.
Request a deferral
This won’t work for every vendor, so you’ll have to read the room, or virtual room in these times. Some vendors can be accommodating in an audit situation, so if you ask for a deferral and cite these unprecedented, difficult times, then they might grant it. For example, IBM often tries to make the audit process work for its customers to retain them.
Just keep in mind this isn’t a free pass. If you get a deferral, use that time to work on your audit response – develop those people, processes, and tools to gather your compliance data and respond effectively when this grace period is over.
Run an internal audit
They say practice makes perfect, and audit defense is no different. Let’s use Oracle as an example.
Oracle has a reputation for being an aggressive auditor and they usually have a big, complicated footprint in a lot of IT estates. Confirming software license compliance is difficult, especially with Oracle’s patchwork of contracts, agreements, and non-binding policies.
If a vendor wants to find you non-compliant, there are plenty of ways to find non-compliance, and it might be in places they haven’t widely audited in the past. Going back to the Oracle example, that might be Java SE.
A well-executed internal audit can find those weak points in your compliance position – like costly, unneeded Java SE activations – so you can strengthen those chinks in your compliance armor before an auditing vendor points them out to you. It also has the added benefit of identifying areas in which your organization may be over-licensed, and gives your audit response team valuable, cost-saving data for responding to its next audit.
SAP, Oracle, Microsoft, and any other software vendor with a big on-premises footprint in your IT estate will really want you to buy their cloud solutions. So, during audit negotiations, if you need to buy additional licenses or face non-compliance fees, you can expect them to broach the subject of purchasing some of their cloud subscriptions, maybe even at a discount.
Far too many organizations jump into the cloud this way, getting locked into subscriptions they don’t need or will not fully use, adding a strain to a likely tightening IT budget.
So, go ahead and buy some cloud solutions, but use that audit response team I mentioned above. It should include someone from procurement or even someone from your CIO’s or CTO’s office. Ask them about your organization’s strategic plan for transition to the cloud. When a vendor offers some nifty cloud solutions in lieu of non-compliance fees, you can make a counteroffer based on the cloud solutions your organization needs.
This turns what could be a painful, frustrating part of the audit into an actual, no BS win-win for everyone because you’re buying the licenses you need, and the vendor is making a much-needed sale.
Final thought: Do your homework
Think of software compliance audits as a sales tool, rather than a shakedown. This makes it a negotiation, and like any negotiation, it’s important to do your homework.
Developing a SAM program with the people, processes, and perhaps a professional software asset management tool as well, is not only part of the homework, but it makes the rest of the audit defense homework less arduous. Remember: “Train hard, fight easy.”
This is a tough time for everyone – for vendors and their customers. The pressure is on for everyone to find efficiencies, protect their budgets, and recover lost revenue.
If you go into a software license audit with an accurate compliance position, respond promptly, and communicate your future needs, then the audit won’t be so tough, because you’ve already laid the groundwork for a more equitable post-audit deal.
Check out the Complete Guide to Software Audit Defense for more helpful audit advice from our in-house experts.