You've recieved your letter from the vendor. The audit is coming and you've got to balance what licences you have on your systems against what you're licensing contracts allow. The difference could cost your organisation big money so you've got to get it right but systems are so displaced or complex or evolving so fast that it seems like a full time job.
Software compliance audits are always a headache, especially when it comes to time, resources and money. The best way to prepare for an audit, experts agree is to avoid it all together by implementing a software compliance plan.
Software compliance is a complex and interpretative process that if not done correctly and with forethought can cost organisations millions. How much money are we talking about? In a 2013 study performed by professional services company KPMG, 52% of companies felt that their losses through unlicensed use of software amounted to more than 10% of their revenue. Software compliance audits can also take a long time. According to Christof Beaupoil, co-founder and president of Aspera Technologies Inc, a provider of software licence management solutions, they can take up to 18 months.
In a report from Gartner on software audits, organisations surveyed said that they were audited by at least one vendor in the previous 12 months. This was up over 60% from the previous year. Now more than ever software vendors are auditing their clients, so much says the KPMG survey, it has become part of the sales process. And the larger your organisation the more at risk you are. "Why you ask?" Because there is more money on the table for the software vendors. Non-compliance is making them money so you've got to do what you can to limit your risk and that starts with implementing a software compliance programme.
What is Software Compliance?
"In its simplest form," says Beaupoi, "compliance is the comparison of a company's software usage to the licenses it owns. If the company uses more software than its licences cover, it is under-licensed and out of compliance with the licensing contract. If the company owns more licences than needed to cover its usage, then it is over-licensed and can save millions of dollars, as is the case with global and very large organisations."
Common mistakes and non-compliance issues
- Many times in the rush to move forward an organisation's business objectives, the licensed software and technologies gets used in ways not covered under the current licensing structure, resulting in a non-compliance issue. This means that as your systems and the way your technology is being used evolves, so must your licensing structure.
- Depending on your licensing structure you could also have to deal with differentiating between installed software versus purchased software. This is what's known as a bucket level assessment; installed versus entitled.
- "Many times the root cause of non-compliance is administrator rights on local machines. This is something that companies need to take a long hard look at this topic," says Houghton.
- BYOD is another area that can cause companies to be non-compliant. According to Krysten M. McCabe, CISA, Director of ISACA, member of ISACA's Audit Committee and Finance Committee, and senior manager in the Assurance and Advisory Management Program at The Home Depot, BYOD broadens the scope of those who could cause the company to be non-compliant. "Communication with this broader audience is necessary to ensure they are well educated about the need for compliance and the requirements of compliance," says McCabe.
- Not being prepared, "says Beaupoil is one of the most common mistakes. "Software audits are part of buying business software now. It's a huge mistake to not start a license management programme. Without it, companies don't have a license management tool and/or don't have the skilled resources to produce their own compliance balance. In other words, they cannot verify the auditor's data and compliance results. They are basically at the mercy of the auditor and have to accept what he delivers in the end - discrepancies and all.
- "Assuming the audit will go by quickly," is another mistake says Aspera's Beaupoil. Audits for Aspera generally take a minimum of 6 months and their average is 12-18 months. In some extreme circumstances companies have reports it taking three years. This could result in an organisation having to shelve equipment until the legal battle is over.
Product/vendor naming discrepancies components of asset management
You can't get the data necessary to know if you are compliant or not if you don't have a plan in place to manage your software licences and hardware. Software compliance begins with a good asset management (ITAM) system that consists of two parts, according to Mike Houghton, an IT veteran who has worked in compliance and asset management for the last seven years. A system of discovery is one key piece. This is software that has an agent on each machine that provides visibility on all software installed on your network. The second component is a system of record, a virtual warehouse that contains all of your IT hardware and software assets. "Ideally they (the components) are part of the same system and they talk to each other but it's not necessary," says Houghton.
"The most basic function of license management and LM tools is to centrally gather all licences owned within an organisation, calculate the metrics to get the software usage and compare them. This fundamental practice requires the collection and processing of many different types of data. The result is a compliance balance that clearly shows the company's licensing status - if it is over or under-licensed, the "cost-of-compliance" (buying additional licences to eliminate under-licensing) and a few other key insights, "says Beaupoil.
Next page, the audit process and tips for avoiding software audits
The audit process
Typically software vendor's send written notice letting the organisation know that they want to perform a software audit to ensure compliancy. Within the correspondence the contracted auditor is named, the start and end dates, as well as the scope of the audit. Be sure to respond to the vendor in a timely manner.
Upon receiving a written notification of an impending vendor software audit, companies would be wise to have their legal team check the licensing details. The company should first challenge whether the contracted accounting firm is suitable to conduct the audit. It's not uncommon according to Aspera, for there to be no legal basis for an audit because sometimes there is no corresponding audit clause in the relevant contracts.
Once you have the scope of the audit then an internal audit should be done to not only check the accuracy but to find out why you are non-compliant. Was it intentional, a process failure, an evolving business process, etc? Getting to the root cause can prevent further instances of non-compliance. Then vendors will work with the organisation to execute the audit. Each vendor will have different methods in place to locate their software on your systems. "Rest assured, "says Houghton, "that the vendor will have a tool that will discover their software on your network."
If the audit is done and your organisation is found to be non-compliant you will need to work with the vendor to balance the books or true-up at the lowest possible cost. Don't be afraid to negotiate.
Tips for avoiding software audits
We asked the experts interviewed for their best tips on how to stay ahead of the curve when it comes to software compliance and here is what they had to say:
- Conduct regular internal audits. "Some organisations do not perform audits frequently and/or thoroughly enough (i.e., with the correct scope) and thus are not aware of their non-compliance proactively," says McCabe. Experts warn that if licensing discrepancies are found the best policy is to be open about it and work with the vendor to resolve the issue. Being proactive puts you in a better position to negotiate with various software vendors.
- Put together an education and awareness program that consists of onboarding and annual sign-off on software compliance policies. "Some businesses do not communicate the importance of compliance," says Houghton.
- Make sure that your sourcing channels are limited to a select section or team. Rogue purchasing is high on the list of compliance issues.
- Create a solution like SpendMap or create your own hardware software portal for approved purchases. In some of the biggest corporations only one or two people may hold the key to signing off on software and hardware purchases.
- Improve existing or set up new procurement processes to ensure the licence metrics and pertinent terms (i.e. Product Use Rights) in the licenses and contracts are recorded.
- "AgentHealth or AgentPenetration is an important metric to monitor. It gauges your discovery system penetration throughout your network. Make sure the right people are monitoring this metric.
- Creating a workflow process in which new tools and software can be requested and then vetted for use is necessary so that business objectives can move forward. Telling people they can't have necessary tools isn't an option. That said you must ensure that all software purchases are properly reported, gathered across the organisation, and tracked over time as licences change hands between business units within the corporation.
- Have established processes for lifecycle management of software and hardware systems. "Organisations do not always track and communicate the status of action items that need to be completed to be in compliance and ensure these are being completed, "says McCabe.
- "Anyone who is granted administrator rights should be well vetted and required to accept a higher level of responsibility. They should have explicit training on software licensing and compliance," says Houghton.
- Make sure the data collected is uniform so that disparate systems will have an easier time interacting and your data will be more accurate. For example, if one system records Microsoft Word 2010 and another has MS Word balancing your licences will be more challenging.