A software audit sounds about as enjoyable as a tax audit. Both can be expensive if not handled correctly. If your organization licenses software, it’s not a matter of if but when you will receive an audit request. The most frequent requests come from the big players: Microsoft. Oracle, Adobe, IBM and SAP. According to a survey by Flexera, 44% of large companies have had to pay “true up” costs over $100,000 or more. Nearly 20% have paid over $1 million to settle disputes.
This week I’d like to discuss a number of tips for avoiding a software audit. You will still receive requests for audits. But the following tips will help you navigate the complex auditing playing field. At the very least, you should be in a better position to withstand an audit. If you avoid one, that’s even better.
Complexity breeds licensing confusion, and that plays right into the hands of the auditor. You may honestly believe your company is within the bounds of compliance. But the auditors knows where to look. They know where to find complexity in language and contracts you can easily overlook. Software contracts are incredibly complex, and they are written by the software companies themselves. So even if you’re diligent in reviewing every contract you sign, there can be confusion in how you deploy those licenses around your company.
I recently worked with a company in the process of moving some of their services to the cloud. One reason for doing this was to reduce the amount of complexity in their licensing agreements. But what they found was even more complexity because they were operating in a hybrid cloud and on-premise environment. The cloud makes spinning up services so easy that many employees don’t consider the licensing implications until it’s too late. The same dynamic nature of the cloud that makes it appealing can also cause tracking difficulties due to how quickly anyone can bring a machine online.
Moving services to the cloud can reduce complexity. But it’s still early where mixed environments are the norm. Don’t assume your cloud providers understands the details of your licensing deals. Understand that if you attempt to move on-premise software to a cloud environment you’re likely to have licensing issues. It’s best to work through those sooner than later with your vendor.
Perform Regular Internal Audits
Many companies will wait until they’ve received a software audit request to perform their own internal audit. Don’t fall into this habit. Making internal audits a priority will help you spot licensing inconsistencies before they become expensive problems. I’ve noticed some of the biggest licensing challenges happen when a company is growing at a fast pace and expanding its presence. It’s too easy to assume you’ll eventually get around to making sure all the new hires are using software that’s in compliance. Auditors know this soft spot. And when they find it, you can expect them to bill you retroactively for past non-compliance.
You should perform an internal audit at least once a year. One thing you should avoid is the offer from vendors to help you figure out your compliance issues. Some may have honest intentions, but others may look at it as an opportunity to perform a stealth audit. It’s best to perform the audit in-house utilizing your own staff.
Most of the major software players offer software tools to help you audit yourself. Most are forthcoming with exactly how their tools work and how often they call home. Before you deploy any monitoring tools, have the vendor answer any questions about how they access and share data. The key here is to get ahead of any issues before vendors are notified something is wrong. If you find something is wrong, work with the vendor to correct it.
Educate Your Employees
Too many compliance issues stem from the fact that employees use software in ways that are outside the licensing contract. I’ve seen this happen inside companies that rely heavily on virtualization. Some employees don’t understand the complexities around virtualization and assume a temporary host/server can be deployed without breaking the contract. Virtualization is so mainstream today that you can solve the problem by educating your employees on basic software compliance models.
Make education part of the on-boarding process for new employees so they understand the seriousness from the start. But don’t stop with new employees. Ongoing awareness campaigns can help you get the word out and bubble up any concerns employees have about their own tools and devices. You must be vigilant when it comes to communicating the importance of software compliance to the entire company.
You should also have a process in place whereby employees can request software tools they need to do their jobs. Ignoring their requests will not make the problem disappear. You’re far better off having a vetting process in place to ensure new software requests match business objectives. That allows you to work with the employee to determine the best option while remaining in compliance.
Plan Accordingly for a Software Audit
You may have all your licensing ducks in a row, but if you purchase enough software, eventually you’re going to be faced with an audit. It’s better to assume an audit is on the horizon and plan accordingly, then hope your number will never be called. Most companies understand they will be audited sooner or later. Your company should clearly define who is charge for managing audits as they happen. Having a single point of contact is key, especially at large companies with multiple employees with software purchasing authority. Most large companies will form an audit team, and then designate one person as the lead.
The audit team should be prepared to handle audit requests. Most requests allow for a 60-day grace period, but that’s negotiable. Some vendors may agree to no audits during the first couple of years of implementation. The audit team should be familiar with the contracts and be in a position to advise internally and challenge externally. Putting together a team that includes members from IT, asset management, and legal is a good start. The team doesn’t need to be large, but it needs to be informed and ready to take decisive action.
You’d probably rather have a root canal than go through another software audit. Audits can be time consuming, painful and expensive. But they don’t have to be if you’re prepared and follow some basic guidelines to make sure your company is compliant. The major issue I see is that companies wait until they’ve been served with an audit notice to take any action. Maybe you can talk your way out of the audit or postpone it for a few months. But eventually your lack of planning will catch up to you. With so much software migrating to the cloud, audits are becoming a more frequent avenue to increase revenue for software companies. Some auditors see themselves as an extension to the sales force. That’s the environment we operate in today.