Software compliance reviews are “a fact of life.” According to a Gartner study undertaken over a six-year period, on average, 68 percent of organisations receive at least one audit letter each year (Source Garner G00278199, Sept 2015). Organisations have therefore become accustomed to receiving these audit letters, or so-called “Love Letters,” from their software publishers. While some cry that romance is dead, clearly the good old-fashioned love letter is alive and kicking when it comes to the ever-tested relationship between software publishers and their customers.
Love Letters from your software publisher are not always as straightforward as they seem. While they may be positioned as audits to verify your compliance with the publisher’s licensing terms (i.e. confirming both parties are being treated fairly in the relationship), in many instances publishers use them to drive additional revenue from their customers.
Software compliance reviews, or audits, have developed over recent years as major income contributors for the software publishers. According to our own research, many software publishers are running this income stream in a very professional way, with either in-house or third-party resources. In-house publisher audit personnel now have clear revenue objectives and targets for the number of audits they must perform. While, years ago, this domain was dominated by the top 10 publishers, recently it seems that any publisher is using this method to verify compliance and generate additional income. Lately we have also seen an increasing number of mid-size companies becoming a target for software audits, since they often don’t have the resources for in depth Software Asset Management in place. Software audits are no longer only something that large companies have to worry about.
At the same time, some software publishers are guilty of going far beyond what was signed and agreed in the audit clause to exploit their customers and extract as much revenue as possible from an audit.
Staying compliant is a huge challenge for any organisation. Software rules and metrics are constantly changing, combined with more powerful hardware, Virtualization and Cloud Options (IaaS, PaaS, SaaS), this creates a license and usage mix difficult to control and almost impossible to manage.
How should companies react to this threat? How should you react?
If profit is the driver of software audits, then the best way to protect yourself from this exploitation is to make software audits as unprofitable as possible for the software publishers. The only defence is to establish a professional Software Asset Management Function including solid Audit Prevention and Defence capabilities. You must build and fortify your Audit Castle!
Most publishers by now are using detailed audit methodologies to extract the information they deem necessary to verify your compliance. If you look closely enough, often the methods proposed by the software publisher conflict with your company’s IT standards and needs for data privacy/information security. Armed with this knowledge, Audit Prevention and Defence capabilities can be the foundation blocks of your Audit Castle.
Preventing audits or limiting the impact an audit has on your organisation is the ultimate goal. We need to understand and analyse the phases of an audit and see what levers we can apply to get the best possible outcome for us.
The Audit Castle idea came up some time ago at one of our conferences. One of the presenters talked about the number of audits they have, and the time and effort it takes to respond to the demands of the auditing companies. Suddenly the idea of the audit castle was born. Prevention of the audits is key. If you can build an Audit Castle which is hard to enter, they cannot get in to audit you. If your walls are solid and your drawbridge is up, they will give up the fight and seek somewhere else that is less well defended.
An Audit Castle consists of four layers of defence to protect against each stage of the publisher’s attack:
The publishers have sent in their messenger, informing you of their intention to test your defences. It is time to fortify your defences. Review the letter and determine exactly what they are asking from you. Which specific software are they auditing, where, and under what terms in your contract is the audit justified? If you are already in negotiations with the publisher to purchase more software, cancel these activities immediately. They need to know you are focused on your defence.
You need to prepare externally and internally. Externally you need to agree the scope of the audit with the publisher – what is the methodology, audit type etc. Set up an NDA, ideally a three-way NDA between yourself, the publisher and the third-party auditor. Have the publisher provide you with your licence entitlements and set up your audit executive agreement. Internally you need to inform all stakeholders about the audit, collect your licence contracts and compile your first compliance report.
This is where the attack begins. But don’t let your guard down. Validate the usage data that has been collected and investigate the audit findings. Now is the time to find and dispute every discrepancy in the audit.
If your defences were strong during the attack, the publisher’s forced will be battered and bruised by this point. They will want to call a truce as soon as possible. They have tried to penetrate your walls, but they have failed to make any significant headway. You can now enter settlement negotiations from a position of strength. You will close the audit and mutually agree a contractual settlement. The publisher will have depleted its forces with very little to show for it. It won’t come banging on your door again anytime soon.
No matter how big and complex your organisation is, with the right knowledge and skill, you can up your audit defence game and build your Audit Castle. Once you have a reputation in the market as an Audit Castle which is not easy to enter, all publishers will think twice before they take you on.
"*" indicates required fields
Software Asset Management is a business practice that involves managing and optimising the life cycle of software within an organisation.
Software asset management is relevant to many facets of a business - take a look at some of the roles that it can form part of the focus of.
Software vendors come in all shape and sizes - all with their own set of licensing models and rules. We take a look at just a few of them.
As a constantly evolving subject, SAM is not without its challenges. We take a look at some of the most common ones.
Wondering what an investment in SAM could do for your business? Fill out a few details and find out what return you could get!
Answer a few questions about your SAM infrastructure & experience, and we'll put together a personalised recommendation for the future.
A simple health check of what's being used across your Office 365 estate in this FREE, Microsoft backed and easy to setup review.
Just like you would with your vehicle each year, get an annual check up of your software asset management programme.
Overwhelmed by the task of documenting the steps for a successful SAM programme? Get the experts in to help!
Concerned your SAM tools aren't covering your whole estate? Or on the look out for an entirely new tool? Get us in to assist.
Not content with covering all things SAM related, we've teamed up with Capital to provide a comprehensive hardware asset management review.
A simple, one-time reconciliation of the software you have deployed versus the licence entitlement you own.
A regularly scheduled analysis of your organisation's estate, specifically adapted to your needs and budget.
A full appraisal of your Microsoft 365 setup and how best to optimise it through automated recommendations.
An add-on to our SAMplicity One, MOT and Plus offerings, quickly diagnose your ability to migrate your resources to the cloud.
In collaboration with law firm Addleshaw Goddard, ensure the legality of your SAM programme and get assistance with any contract disputes.
Available as standard with SAMplicity Plus, ensure you're compliant if you're unexpectedly audited by a vendor.
We've teamed up with some of the forefront experts in licensing knowledge so you can teach yourself to be an expert too.
Stumped by the continually evolving complexities of SAM? Join us for one of our comprehensive courses, either in-person or online.
It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!