Software Audit Defense Tactics

Responding to software vendor audits can cause serious disruption to your year, not to mention the inevitable bill to atone for any licensing shortfalls. Whilst it’s true that software audits are a strategically-timed, revenue-generating activity for software vendors, there are a number of tactics you can use to limit the impact or even prevent the audit altogether.

In this blog, Certero’s software audit defense experts break down the top 10 frequently asked questions around what you can do to reduce the risks of a software vendor audit.

1. Does the software vendor have the right to audit?

As described in our What is the Software Audit Process blog you should assemble a Software Audit Task Force in response to a vendor’s request to audit your business. This task force should include stakeholders from across the business, including Legal, who can be extremely helpful in querying the validity of the vendor audit request – it may be possible to deny the request and avoid the audit.

Your legal team should help to qualify:

• Does your vendor agreement contain the audit clause?
• Does your contract include any bespoke clauses that prohibit the request to audit?
• Is the request to audit against the most recent contract?
• Is there a potential conflict of interest with the 3^rd-party auditor? (i.e. have they audited you recently for another software vendor?)

2. Can you delay a software vendor audit?

Whilst software vendor audits are usually ultimately mandatory, the vendor should respect the fact that an audit presents unplanned additional workload. It is common for the vendor to give you 45 days to issue a receipt acknowledging the request, but they will usually push to arrange an initial kick-off meeting much earlier. There are however, reasons why this could be reasonably delayed, such as:

• Workload – you could be in the middle of a major new system launch or roll-out, which would impact the business to delay.
• Personnel – are all the required stakeholders actually available? Temporary delays would usually be accepted, however long-term absences should already be covered.
• Legal / due diligence – The validation of the audit request could reasonably take some time to qualify through legal, as would a request to sign an None Disclosure Agreement (NDA).
• Other audits – One software audit tends to follow another as vendors recognize the lack of control. If you’ve recently been through the process with another vendor, it is reasonable to delay the request.

Whilst delaying an audit is reasonable, it is not okay to use this time to correct any licensing problems and this impression should certainly not be given to the software vendor.

3. Can you limit the scope of a software audit?

Once engaged with the vendor, it is essential to define and agree the precise scope of the audit. Understanding scope prevents rival interpretations and any risk of the vendor from claiming later on to have ‘discovered’ any software on systems that you believed were out-of-scope. If unsure, seek external, independent expertise to clarify this.

This is the point that you can potentially negotiate the scope of the audit, either by the vendor’s products, or your business structure if there are specific legal entities, or potentially specific locations and geographic regions.

Also consider that if the vendor refuses to negotiate scope, they usually will negotiate an NDA. Therefore ensure that boundaries that define how information is shared and that it is only data directly applicable to the questions the vendor is allowed to ask.

4. Can you dictate what tools are used in a software audit?

It is general practice to use existing inventory tools you have installed to gather data, however there are some exceptions where this can become problematic.

Having good quality data is critical to audit defense, as the more you can prove, the more you can argue your position successfully.

There are risks where the software vendor stipulates that they will only accept inventory data from their own tools or scripts or from formally-verified 3^rd-party solutions, as this can mean you have no knowledge of the information being submitted.

Notable vendors include:

• Oracle – Oracle License Management Services (LMS) will typically deploy their own scripts in an audit, limiting your visibility of information being submitted. Alternatively, they have a select list of formally verified 3^rd party tool vendors, that ‘have been verified to provide information that Oracle will accept whenever accurate measurement data is needed’. Using one of these approved 3^rd party toolsets for ‘Oracle Database and Database Options’, ‘Oracle Fusion Middleware’ or ‘Java SE’ gives you visibility of your Oracle deployments and the data submitted to the vendor in an audit (Certero for Oracle is verified for all 3 categories).
• IBM – Contracts typically stipulate that IBM customers with sub-capacity (virtualized) environments need to have the IBM License Metric Tool (ILMT) installed, or risk becoming out of compliance and losing sub-capacity licensing rights. As ILMT can be a challenge to run and configure, solutions like Certero for IBM can be used to help to validate ILMT deployments and automate complex license reconciliation processes.
• Microsoft – Microsoft does not have formally verified 3^rd party toolsets, common popular misconceptions when certain tools are regularly used by appointed auditors. Tool selections by 3^rd party auditors are typically dictated by commercial agreements with the tool vendors, not the software vendor.

If using existing toolsets, you need to be aware of whether your data-gathering solutions are up to the task. The auditor will outline the data that they require, typically:

• Device names
• Users
• Device types (physical or virtual)
• Environments
• Hardware details (make, model, cpu, cores, etc.)
• Operating systems
• Application details (including version & edition…)

This should also be submitted in approved forms, such as:

• Exported reports from ITAM / SAM tools
• License files
• Log files

The challenge here is to ensure that the data you submit is accurate, as this can introduce risk into the processes.

For example, here are some common pitfalls:

• ITAM tools – beware that a software inventory provided by an ITAM tool may lack the intelligent Software Recognition to accurately identify what discovered software really is, in terms of licensable versions and editions. If information submitted to a vendor is vague, the vendor would typically err on the side of caution in their own favor. So, if software is discovered and it is unclear whether it is a standard or professional version for example, the vendor would typically assume it is the most expensive option, as you have not provided evidence to the contrary.
• Microsoft System Centre Configuration Manager (SCCM) – be mindful of potential gaps in coverage, such as with servers or any none-windows environments.

5. Can you challenge the results of a Software Audit?

Not only can you challenge the results, you absolutely should validate the finding against your own Effective License Position (ELP). SAM is difficult to get right and it’s very common for software vendors and their audit partners to make expensive mistakes, as this Certero Case Study demonstrates.

Always be prepared to challenge anything that doesn’t look correct and bear in mind that there is always a degree of assumption when interpreting data. Therefore, the better armed with accurate information you are, and the stronger your licensing knowledge, the better positioned you are to interpret results in your favor; reducing exposures and cost.

If the software vendor is using a 3^rd party to audit you, then you may be able to access the audit results before it’s submitted to the vendor.

6. Can you get help with a software vendor audit?

Yes – you can get help before, or even during an audit and it will have two major benefits:

1. The entire process is FAR less time consuming and disruptive. For example – Certero’s Audit Defense Service provides everything you need in one complete package:

Technology – to accurately discover and identify all the software in scope.

People – a team of licensing experts including dedicated specialists for the most challenging               licensing vendors, like Microsoft, Oracle, IBM and SAP.

Process – Certero guide you through the dialogue with the vendor and ensure you’re           informed and in control.

2. You can reduce costs. Software audits are revenue generating activities for vendors, and whilst it’s only fair that you rightly pay for the software you’ve had the ability to use, expert audit defense makes sure you’re not paying for any mistakes in the ELP process itself, any unfair interpretations of your contractual rights or anything that should not be in-scope.

As long as you can provide evidence for your license position, you can use the rules in your favor. Therefore, highly experienced SAM experts using the best technology available to get clarity of your software, are in the best possible position to achieve cost-savings and reduce risks.

7. Can you negotiate a software audit settlement?

Yes – you can always negotiate. The best result of an audit for a software vendor is to maneuver you to sign up for another lengthy and profitable contract. So, following an audit, if there is a significant settlement figure to pay, then the vendor will usually leverage this against the cost of signing up to a new agreement and further investing in their products.

Don’t forget that audits are sales activity and salespeople will usually be incentivized to sell new volume licensing agreements, so it’s in their interest to negotiate. Ultimately, there’s no escaping the fact that you owe money and certain vendors are much more likely to demand payment than others, but you can use this to make the most out of the situation and limit the wasted expenditure as much as possible and potentially add-in clauses that reduce the likelihood of another unforeseen audit – typically a no-audit assurance of 2-3years would be accepted.

 8. Can you delete software that is out of compliance?

No – you can not simply delete software that you’ve used but not correctly licensed. Aside from the fact that you’ve deployed the software and therefore entered into the End User License Agreement (EULA) and trying not to pay for it later is essentially theft, you must also bear in mind that if the audit processes ends up in court, any semblance of dishonesty could end up being very costly. Being publicly exposed as dishonest in a court room would also bring your organisation into disrepute.

9. Can you control the data submitted to the software auditor?

Yes – you can and should control any data submitted to the auditor as you will want to make sure it’s accurate and has been rightly approved by your audit task force. This does not mean however, that you should try to manipulate of falsify the data in any way. Again, and suggestion of wrong doing and the issue will go to court.

You need to control the data being submitted so that you understand the landscape and don’t give away anything unnecessary. It is after all; private and confidential company information and all communications should be marked as such.

10. How do you avoid software audits?

Of course, the best way to avoid all of the unnecessary cost and disruption around software audits is to proactively manage software and optimize your licensing. This can be done with either the right tools and expertise developed in-house, or simply and effectively through a SAM Managed Service.

Certero SAM for example, is about maintain a state of constant compliance and control over software strategy and costs, so when a vendor comes knocking, the information you require is already available and most importantly – proves you’re neither at risk of under-licensing or routinely over-spending on software you don’t need…

If you’d like help with a software vendor audit or any aspect of your IT Asset Management, speak to experts at Certero today.