What Happens During the Software Audit?
By: Steffani Lomax
In my recent blog posts, I have been writing about software audit preparation. What happens during the audit itself?
After an organization is notified about the audit by either a third-party auditor or the software publisher itself, an initial meeting will need to be scheduled. This first meeting between the organization and auditor is typically a planning session to lay the foundation for what is to come. Meeting topics may include the audit process, procedures and timeline for each party to provide documentation on license entitlements, deployments and compliance position with the software contract.
In terms of the audit process and gathering deployment data, most software vendors furnish their own audit tools to determine inventory of their customers’ hardware and software assets. Some mandate the use of their tools. However, an external audit tool can be disruptive to a production environment and cause potential security or confidentiality breaches, so it is important for the organization to protect itself. Our NYC IT asset management team recommends that an organization require a confidentiality agreement and demand that the software vendor indemnify it for any potential negative impact, which can in turn lead the vendor to forgo use of its own tool. An auditor may spend one to several days onsite collecting inventory data, either running their tool or manually counting physical assets. Throughout the audit process, the auditor will make requests that the project team will need to respond to. This process can continue for weeks or months.
Some software publishers will engage with their customers on the honor system, utilizing the deployment data that is provided by the end-user organization. This approach is non-intrusive to the end-user environment and typically results in a more affable process.
Once the auditor has collected deployment data and the inventory has been validated, the process of reconciling software license deployments to entitlements begins. At the conclusion of this exercise, if the organization is out of compliance, the software publisher will send an invoice. At this point, the organization may enter into negotiations to reduce the invoiced amount, or can launch an effort to refute the findings – an effort that typically ends without success, since companies usually lack insight into all the nuances associated with their software entitlements.
Many organizations have found that engaging a third-party expert is the most effective way to prepare for an audit or to refute a finding of non-compliance. In one positive example, a major national retailer was assessed a true-up bill of $13.5 million by one of its strategic software vendors, and engaged a third party. After conducting due diligence and weeding out free OEM software, disaster recovery software licenses, bundles and suites, the amount assessed was reduced by $10 million, to $3.5 million.
In next week’s post, I will summarize tips on preparing for and potentially preventing a software audit.
If you have questions or would like any more information about how to prepare for a software audit, please feel free to contact one of our helpful Siwel IT asset management professionals at 212-691-9326.