So You’re Going to Get Audited – How to Prepare Now and for the Future

By Bruce McDowell, McDowell Consulting, LLC

ITAK V10 I4

It’s 10:30 on a Tuesday and you’ve just started in on your third cup of coffee when the mail arrives.  With a few minutes free before your next meeting, you scan the pile quickly and spot a letter from one of your major software vendors.  You weren’t expecting any correspondence and it doesn’t look like the usual marketing piece, so you open it up and start reading…

Thank you for choosing our software … (blah, blah, yeah, thanks for sucking all our money away) … We understand that Software Asset Management can be challenging … (Oh really?  You want my job?) … Your company has been selected to undergo a license review which will help us evaluate your license compliance with the terms and conditions of our license agreement, in accordance with the audit rights contained therein. (WHAT THE…?!?!)

Happy Tuesday – you’re getting audited!

To begin with, take a deep breath – this could have been a lot worse.  Your letter could have read more along these lines:

We have evidence that your organization engaged in the unlawful copying and use of our software in violation of the Copyright Act … immediately conducts a computerized audit of the software on all of its computers and servers using Audit Software we supply … agrees to pay a negotiated amount based on the number of unlicensed copies of software found by the audit.

At least with the “audit without cause,” you’ll be able to conduct relatively normal business while you work with your vendor to make them happy.  For the “with cause” audit, the crosshairs have steadied themselves on your business and the clock is ticking – you’ve got work to do.

(For more on what you might see in an audit letter, I recommend “Dissecting the Microsoft Audit Letter” from the ITAM Review.  It presents an annotated guide to what the language in a Microsoft audit letter really means to you.)

Welcome to the Reality of SAM Audits

If you are working in the Software Asset Management realm, it’s not a matter of IF you will get audited, but WHEN the letter will arrive.  Martin Thompson of the ITAM Review conducted a straw poll several years ago asking about audit experiences.  Of the readers who responded, 78% had been audited in the last twelve months! Further, those who had been audited had experienced on average 2.5 audits over that twelve-month period.

Audits are all about one thing – revenue.  Either the customer will purchase the software they need when they need it, or the audit will recover the revenue that should have been received in the first place.  During the economic downturn of the last 7-10 years, some software manufacturers saw revenue decreasing – mainly because their customers were spending carefully, downsizing, or consolidating through acquisitions.  How did the vendors react to bolster their bottom line?  Some actually launched new business units whose sole charter was to generate revenue through audits.

To be fair, that sort of predatory auditing is more the exception than the rule.  Software vendors generally don’t want to audit you – audits are expensive to conduct, and tend to work against a good customer-vendor relationship.  But, if an audit has been ordered, then the vendor may believe that the revenue potential from the audit exceeds the value of the relationship.

Indeed, there are some vendors engaging in what I call “Vampire Audits.”  In an apparent complete disconnect between the sales organization and the auditing group, auditors descend on customers with completely draconian rules of engagement, bent on extracting every possible drop of short-term revenue, regardless of whether the customer might immediately leave for another vendor.  Sales is never given any warning or the opportunity to work amicably towards a true-up that would maintain the customer relationship and future revenue.

What to Do, What to Do

Once rational thinking regains control, what are your next steps?  To begin with, your audit letter has likely included a “shopping list” of requested information, including, but not limited to:

  • A complete inventory of hardware and software
  • Software usage and deployment records, including current user and device information
  • Description of standard images and their associations with the vendor’s products
  • Purchase records and history reports, especially as they relate to the vendor’s products
  • Reseller reports regarding purchases of vendor’s products
  • Copies of policies concerning software purchasing and acceptable use of software for users

You can see at this point that being prepared in advance would be really nice, and we’ll look at that in the next section.  For now, you’ve probably been presented with a tight – if not impossible – schedule, which may have been shortened if the audit notice sat on someone’s desk for a few days or was delayed in interdepartmental mail. One way or another, you’re going to be busy.

From a nuts-and-bolts perspective, you’re going to need an inventory.  If you’ve already invested in a tool and implementation, you’re ahead of the game – if the vendor will let you use your tool rather than something they provide.  In some cases, the vendor’s tool is a requirement, and you need to figure out how to get it through your change control process and implemented as quickly as possible.  You need that data to start figuring out if you have a problem and where you stand.  Look for the auditor to request this information fairly early in the process; since it’s the easiest for you to manipulate, the auditor will want you to lock it down.

If you are dealing with a forced, with-cause audit, you are warned that from the time of the notification, you may not install or uninstall software, purchase new licenses or make any other configuration changes.  Your inventory reports delivered to the auditor will reveal whether you have followed these instructions.  If you disregard them, you are effectively digging your hole deeper.  Between this and filling the shopping list, you’ve been presented with a serious disruption to business.

There are differing thoughts on how hard to fight the audit process.  On the one hand, a three-part series “What REALLY Happens During an Audit” from The ITAM Review suggests that upon evaluating the inventory and purchasing data gathered for the auditors and finding – in mid-audit – that there is indeed a shortfall of licenses, it may be an option to attempt to negotiate a settlement and shorten the audit disruption.  This presupposes that a negotiated settlement is even possible, and that the costs of going this route compare favorably with those of sticking things out and completing the audit process.

Another way to look at that option is whether taking that more “submissive response,” as the CSAM course calls it, may open you up to even worse problems.  If you quickly cave, that may be interpreted as not taking software asset management seriously.  That can open up your organization to follow-on audits in the less than distant future – just to make sure you’ve mended your ways since the first audit.

Through everything, remember that auditors are trained to sense fear.  If you are confident in your data, policies and processes and present that confidence to the auditor, their likelihood of digging harder and deeper will tend to decline; if there isn’t much revenue to be generated from this project, then the next one may bear riper fruit.  If, on the other hand, you dribble incomplete data into the process and are slow to respond to requests, the auditor will sense there’s more to be found and will dig longer and harder.  Part of their compensation may be tied to how much illegal software they can find, so don’t incentivize them!

Further, don’t let the auditor push you around.  While the software vendor has every right to audit you, you have every right to require that the audit is performed properly and fairly, that you be provided enough time to do your job well, and that your organization has an opportunity to review the audit results before accepting them.

Planning for the Future

As IAITAM Certified Software Asset Managers, we’re trained to plan proactively for the inevitability of an audit.  There are a variety of things you can and should be doing today to make the next audit experience as much of a non-event as possible:

Deploy a discovery tool – and use it!  I cheerfully admit a biased interest towards inventory, but in this case, it represents one half of the data necessary to prove your compliance position.  Start today to make sure that your chosen tool is:

  • Deployed to as close to 100% of devices – servers and workstations – as possible
  • Updated on a regular basis
  • Finding all of the purchased software in your enterprise
  • Providing useful and accurate reports

Getting the discovery tool distributed and properly configured will take some time but will pay plenty of dividends – including supporting you in times of audits.

Find your purchasing data.  The other half of the reconciliation equation comes from your corporate history of software purchases.  Rarely does the start of a SAM program see all of the purchasing data consolidated in one place and organized efficiently.  Remember that you have to prove what you have purchased – don’t trust the vendor’s records; there are plenty of stories of vendors presenting incorrect entitlement data, so you need to be prepared to support your position.

Purchasing data almost universally needs to be retained for some period of time for tax purposes.  But when you start trying to calculate upgrade entitlements – which sometimes can include special promotions or what I call “side-grades” (a license for an old Adobe Illustrator plus $99 becomes a Creative Suite license) – then you may need records that go back even further.

Implement and enforce software policies.  As the software asset manager, there are only so many factors over which you can exert direct control.  For everything else, you’re dependent on others to act properly.  The best way to make this happen is to promote and enforce policies for software purchasing, installation, piracy and other areas.

Negotiate your terms and conditions.  The terms and conditions in software licenses are deliberately complex and definitely skewed to favor the software vendor.  You can negotiate some of these to your advantage; from the perspective of audits, try to remove the “third party” reference so that you’re always dealing directly with the vendor.  You can also try to negotiate audits away entirely in favor of scheduled true-ups.

Educate your users.  The end users are your customers.  They need the software to do their work.  They need to understand why there are procedures for purchasing software that they must follow, and that policy dictates that they can’t go out and buy and install their own software.  Education and communication early and often will go a long way towards keeping users as happy as possible.

Also, make sure when the audit letter arrives, it’s recognized for what it is and, if necessary, routed to the correct person – just because “you never saw the notice” doesn’t mean you aren’t responsible!

Educate your management.  Management may be inclined to take the position “we’ll just send our lawyers after their lawyers.”  Well, good luck with that.  In the meantime, while the lawyers fight it out over liability, your PR team will be fighting to salvage your corporate integrity and reputation, and your shareholder relations team will be fighting to save your market valuation.  Once you’ve explained all of that in advance of an audit, perhaps management will see things your way.

Build an audit response team.  Once you’ve survived your first audit, you’ll no doubt have discovered which processes went well and which could have gone better.  Pull together a team representing the necessary groups to leverage the knowledge gained to be ready for the next time.  Because there WILL be a next time!

Get certified!  This article is a starting point for dealing with a software audit.  But, there’s so much more preparation that needs to be done.  Perhaps the best way to get started is with the IAITAM Certified Software Asset Managers course.  It will introduce you to all of the areas where you need to be planning.

This article has discussed ways to prepare for the audit process, including what you are allowed to do and the things that you are definitely not allowed to do during an audit.  Proactive steps that you can take every day have been suggested so that the inevitable audit becomes less painful.

About Bruce McDowell

In 1990, Bruce was a founder of Tally Systems, helping to bring the first hardware / software inventory tool to market and later working with the professional services group, managing on-site inventories for Fortune 1000 companies and product implementations. After Novell acquired Tally Systems in 2005, Bruce worked in a number of roles including Product Management for the inventory, recognition and asset management components of ZENworks. Since 2009, Bruce has been an independent consultant working on configuration and asset management projects mainly based around Novell’s ZENworks product line. He has also developed and presents several courses for Novell Training.