What do you know when hit with a software audit?
With the increased incidence of software audits from vendors during the last year, you are lucky if you have so far avoided this fate. But, when you are suddenly and unexpectedly hit with one, what should you do?
Tackling a Software Audit
Well, the first thing is, in the words of Dad’s Army stalwart Corporal Jones and Hitchhikers guide to the galaxy book cover, “Don’t Panic!” You will usually have time to plan your response, but if this the first audit you have received what is the right response? Based on our experience of helping clients defend a software audit we would recommend a 5 stage approach:
- Governance and control – establish your team very early on in the engagement and identify and assign key roles and responsibilities. If you are using the services of a 3rd party to help (such as an Audit Defense Service), a critical step is the appointment of a single point of contact for this 3rd party. The key tasks that need to be executed and timescales need to be agreed together with the frequency and methods of reviewing progress.
- Communication – understand how, when and who will be communicating with the vendor. An additional consideration, at an early stage, is how a message is to be distributed throughout your organization that a state of “communication lock-down” exists between you and vendor until further notice and that any and all communication must come through the engagement team.
- Asset discovery and inventory – to produce an inventory that is accepted by the vendor you need an automated tool like a solution from the AssetStudio SAM Suite. As, and if, there are any inventory gaps identified, these will be addressed using a mix of supplementary scripts and/or manual declarations. If you do not have the time to purchase a tool you might want to approach a third party to carry out a Discovery & Inventory Service exercise.
- Entitlement discovery – can begin at any stage and is the process of collecting all proof of license entitlement for the vendor’s products. The demands of this job should not be underestimated, especially if your organization is one that may have poor records of its entitlement. Once obtained, there is a contract interpretation phase to review all contractual terms and conditions to create a baseline entitlement relevant to the organization.
- ELP generation – is where the deployment and usage data is reconciled against the entitlement data to produce an Effective License Position (ELP). This will typically be a spreadsheet and a report and provide the basis for vendor negotiation. The AssetStudio SAM suite will product a dynamic ELP but without a tool this may be more difficult to achieve.
Ready to defend against a software audit? The best approach is to be proactive and ensure there are no nasty surprises within your estate.
If you have any questions about defending against a software audit, please get in touch.