Are you prepared for a software vendor audit?
As software audits are on the rise now is the time to prepare your company for its next audit. Studies have revealed that more than 50% of companies have encountered software audits within the past two years with Microsoft, Oracle, SAP, and IBM being the most likely auditors.
This article is part of a series, focused on the factors that can cause organizations problems when on the receiving end of a software vendor audit. This first one looks at the role of inaccurate discovery and inventory.
Inaccurate discovery and inventory
The old adage ‘if you can’t measure it you can’t manage it’ has never been more true than with your IT assets. If you do not have an accurate and up-to-date picture of your IT assets, how will you know what software you have installed and need licenses for?
This in itself can lead to a number of additional challenges.
No control over software downloads
With most volume licensing agreements now allowing for easy and fast download of all a vendor’s software titles, you can very quickly find yourself in the position of not knowing what is where. Additionally, some vendor’s software, such as Oracle, will install with options switched on or management packs enabled that you may not be aware of. Subsequent use of these, whether accidental or deliberate, will mean you have to pay for them. When the audit comes around, this will quickly become apparent and the true-up invoice will shortly follow.
To prevent this situation from occurring in the first place, to discover what software is installed, most software asset management (SAM) tools require the installation of an agent on a device. However, this means you need to know that the device actually exists in the first place. Many SAM tools take a feed from Microsoft Active Directory (AD) and accept this as the definitive list of devices on which to install their agent.
AD alone is not the answer
The fact is, Microsoft AD is not comprehensive. For example, it does not pick up things like Linux/UNIX boxes, DMZ, Macs or anything in a workgroup or other domain. So, in such instances, you will not have a complete view of everything. For most organizations, we estimate that this leaves around 20% or so of your IT assets where the software will not be being properly inventoried, because its host device has not had an agent installed in the first place.
Also for AD, keeping it up-to-date is a major and ongoing task when the organization has regular leavers and new starters. For a larger organization with many thousands of AD Objects spread regionally or even globally, the chances of it being up-to-date are slim. This means that your AD listing will give you both an incomplete and inaccurate view of your IT assets and so your subsequent software inventory will be similarly inaccurate and incomplete.
Overcoming the challenges of inaccurate inventory and discovery
What is required to overcome this problem? How can you ensure an accurate and up-to-date inventory of all your IT assets?
The answer is a multi-layered approach that utilizes things like your AD listing and cross-references it against independent scans of your IT environment, using multiple scans and connectors. This will provide in-depth information of not just your software licenses but also all IT assets across your network, including instances where software has been downloaded.
Find the following three articles here:
- Software Audits: What can go wrong part 2
- Software Audits: What can go wrong part 3
- Software Audits: What can go wrong part 4