Vendor audits are a fact of life and, if anything, the expectation for this year is that they will be increasing in frequency. As soon as someone in an organisation signs the ‘EULA’ (Enterprise Unlimited License Agreement) contract, opens the wrapping on a software box, breaks the seal on a disc, ticks the box confirming that T&Cs have been read or, in some cases, even just starts using the software, an implicit agreement to be audited at some point in the future has been made. Every software contract and/or terms and conditions page contains an audit clause.
According to a 2013 report published by KPMG, 90% of software vendors admitted that their compliance program is a source of revenue, with 10% using audits as a strategy to secure 10% of overall revenues. Over half of all vendors have confirmed audits help to secure 4% of their revenues and in about 59% of cases, vendor audit specialists are incentivised using sales commissions.
Since an audit typically cannot be avoided entirely, the question to consider is whether or not this is a bad thing. Users are nearly always alarmed at the prospect of being audited but in reality, vendor audits are not necessarily a negative occurrence. They can be used constructively, as an opportunity to potentially save money by getting a better understanding of actual usage and potential software overspend from excess licensing.
Acquisitive Organisations Are A Prime Target
Imagine the scenario of a company that has seen rapid expansion over the last two years as a result of organic growth and M&A activities. In normal circumstances, keeping control over one organisation’s license entitlement records, software purchases and software deployments, and generally ensuring people adhere to official SAM processes, is a full-time, complex task.
Now add in the complexity of having to integrate the newly acquired part of the business. Collecting license entitlements and transferring these across to the new entity, potentially without the support of a software asset management (SAM) tool to assist with software discovery and building a license repository, can make it very difficult to obtain an accurate picture of whether or not the organisation is compliant.
This is typically where the ‘troubles’ start and why using automated inventory technology able to create a baseline of installed applications and then recording license entitlements within a single repository is essential.
The mere fact that an organisation has been acquired or been acquisitive will have placed it on a vendor’s target list for an audit. Vendors know how to take advantage of ‘low hanging fruit’ and this is always a lucrative one.
So rather than fret about the possibility of an audit, accept it is inevitable and use it as an opportunity to obtain an agreed entitlement baseline with a vendor. Ideally this should be done proactively, as part of an internal audit focusing on reconciling software usage against entitlement prior to the vendor’s own assessment taking place.
A Chance To Test Processes & Make Cost Savings
Returning to the more positive aspects of vendor audits, they represent a way to test whether tools and processes are working efficiently. An organisation is rarely knowingly non-compliant, as that is illegal. However, the complexity of managing software licensing, procurement processes and license metrics contracts, whilst ensuring that day-to-day company operations are not affected, means that mistakes can and will happen.
The main benefit of approaching software auditing in a proactive and methodical way is the potential to make significant cost savings through having a more detailed understanding of precise utilisation requirements. Just as an internal audit can highlight an under-licensing issue, it frequently highlights where an organisation is over-licensed or not taking advantage of the most cost-effective licensing schemes available to it.
This is a surprisingly common scenario as risk-averse companies have traditionally opted for unlimited licensing agreements in the belief that it is better to ‘play safe’ because potential audit penalties will be greater. It’s a bit like avoiding a customer satisfaction survey because the results won’t be complimentary. Forewarned is forearmed, as they say.
3 Top Tips For Coping With A Vendor Audit
When they occur, vendor audits can be very disruptive for an organisation. The letter of audit intent will almost always arrive at an inconvenient time but there are a few precautions you can put into place to ensure that the disruption is kept to a minimum.
- Create a vendor audit process
This is a process that stipulates the internal steps that the organisation has to follow for each stage of the audit. Ensure all relevant parties within the organisation are aware that an audit is about to commence. This notification needs to reach beyond the IT department to include procurement, the legal department and security.
- Get closer to the relevant software vendors
It might seem counterintuitive, but when faced with an audit, it is wise to invest in building a good relationship with the vendor(s) concerned. This can also involve discussions about future business development plans, as giving a vendor a greater understanding of your organisational strategy will enable them to provide practical advice about future license requirements. Will a closer relationship prevent an audit? That is unlikely, but an open dialogue will set the scene for a less aggressive, more constructive basis to the audit and could help influence timings should a delay be preferable.
- Think proactively about internal software audits
Using specialised SAM tools, it is possible to record exactly what is being used and how this correlates to the organisation’s official entitlement. Ideally this would be completed on a regular basis for all relevant vendors of importance, in the same way as an organisation would approach developing a disaster recovery plan. An internal audit will verify that tools, people and processes are working properly and that the organisation is compliant with its license entitlements, and will of course highlight any problem areas, so that the issue can be fixed before a vendor comes calling.