With the increased incidence of software vendor audits during the last year, you are lucky if you have so far avoided this fate. But when you are suddenly and unexpectedly hit with one, what should you do?
Well, the first thing is, in the words of Dad’s Army stalwart Corporal Jones and the Hitchhiker’s Guide to the Galaxy book cover, “Don’t Panic!” You will usually have time to plan your response, but if this is the first audit you have received, what is the right response? Based on our experience of helping clients defend a software audit, we would recommend a 5-stage approach:
- Governance and control – establish your team very early on in the engagement and identify and assign key roles and responsibilities. If you are using the services of a 3rd party to help, a critical step is the appointment of a single point of contact for this 3rd party. The key tasks to be executed and their timescales need to be agreed, together with the frequency and methods of reviewing progress.
- Communication – understand how, when and who will be communicating with the vendor. An additional consideration, at an early stage, is how to distribute the message throughout your organization that a state of “communication lock-down” exists between you and the vendor until further notice and that any and all communication must come through the engagement team.
- Asset discovery and inventory – to produce an inventory that is accepted by the vendor you need an automated tool like AssetStudio. If and when any inventory gaps are identified, they will be addressed using a mix of supplementary scripts and/or manual declarations.
- Entitlement discovery – can begin at any stage and is the process of collecting all proof of license entitlement for the vendor’s products. The demands of this job should not be underestimated, especially if your organization is one that may have poor records of its entitlement. Once obtained, there is a contract interpretation phase to review all contractual terms and conditions to create a baseline entitlement relevant to the organization.
- ELP generation – is where the deployment and usage data is reconciled against the entitlement data to produce an Effective License Position (ELP). This will typically be a spreadsheet and a report and provide the basis for vendor negotiation.
If you have any questions about defending against a software audit, please get in touch.