TRANSCRIPT
CONFIDENTIAL AND PROPRIETARYThis presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.
How to Successfully Manage Software Audits and Reduce Noncompliance Cost Risk With Gartner's C9 Process
Jo Ann Rosenberger, Research VP, Distinguished Analyst
1 © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.
66% of Clients Surveyed Were Audited by One or More of These Vendors …
It's Not a Question of IF You Will Be Audited but WHEN.
The C9 process (shown on the slide as a wheel of nine steps):
1. Construct Team
2. Create Audit Process
3. Customize Contracts
4. Communicate Audit Policy
5. Control Your Audit and Auditor
6. Correct ELP With "True" Position
7. Collaborate to Plan Negotiation
8. Consider Key Dates for Leverage
9. Close Using Resolution Agreement
Prepare Your Audit-Readiness Kit
The first five steps of the C9 wheel make up the readiness kit:
1. Construct Team
2. Create Audit Process
3. Customize Contracts
4. Communicate Audit Policy
5. Control Your Audit and Auditor
C1: Construct Your Audit Team Using a RASCI Matrix (Responsible, Accountable, Supportive, Consulted, Informed)

Role columns: AM = Asset Manager, VM = Vendor Manager, LC = Legal Counsel, ITF = IT Finance, TM = Technology Manager, BO = Business Owner, IS = IT Security, CM = Contract Manager, IA = Internal Audit, ITP = IT Procurement

Phase         Activity                                                AM  VM  LC  ITF TM  BO  IS  CM  IA  ITP
Notification  Assemble audit team                                     R   I   I   I   I   I   I   I   I   I
              Check contract                                          C   R   S   I   I   S   I   A   I   S
              Run inventory/usage reports                             A   I   I   I   R   I   I   I   I   I
              Acknowledge request                                     C   R   C   I   I   I   I   S   S   S
Preparation   Update inventory tools/manual reporting processes       A   I   I   I   R   I   I   I   S   I
              Validate entitlement                                    R   S   S   I   I   C   I   S   I   S
              Define scope                                            A   R   I   I   I   I   C   S   C   I
              Assess and agree methodology                            R   S   C   I   S   I   C   I   C   I
              Draft and sign NDA                                      C   A   R   I   I   I   S   I   I   S
              Data transfer and retention policies                    C   A   C   I   I   I   R   S   S   S
              Make financial provision for likely liabilities         C   C   I   R   I   A   I   I   I   I
Engagement    Run and validate inventory and usage data               A   I   I   I   R   I   C   I   C   I
              Reconciliation of entitlement and inventory/usage data  R   C   I   I   A   C   I   I   I   C
              Investigation of exceptions                             R   C   C   I   C   C   C   C   I   I
              Confirm compliance position                             R   A   I   C   S   I   C   S   C   I
              Update financial provision                              C   C   I   R   I   A   I   I   I   I
Closure       Agree compliance position                               R   A   I   I   S   C   C   S   C   S
              Agree settlement details                                C   R   S   C   C   A   C   S   C   S
              Make contract amendments                                C   A   S   I   C   C   S   C   I   R
              Make required purchases                                 C   C   I   C   R   R   I   I   I   S

Use the RASCI matrix to define the roles and responsibilities of each team member during the four phases of the software audit (Notification, Preparation, Engagement, Closure). Note that IT Security is Responsible for the data transfer and retention policies: that row governs what inventory and usage data leaves the organization during the audit and how long the auditor may keep it.
C2: Create and Test Your Audit Management Process
Test Your Process for Continuous Improvement. Don't Use an Audit as Your Test.

Step 1: Audit Request Received
Step 2: Audit Team Notified
Step 3: Inform Business and Stakeholders
Step 4: Contract Audit Rights Reviewed
Step 5: NDA Before Kickoff Meeting
Step 6: Entitlement Data Required From Vendor
Step 7: Reconcile Entitlement Data and Quantities
Step 8: Scope and Methodology Agreement
Step 9: Audit Engagement / Receive Draft ELP
Step 10: Document Your Position in Final ELP
Step 11: Use Team to Strategize Settlement Negotiations
Step 12: Audit Closure / Compliance Resolution Agreement

No audit starts until steps 1 to 8 take place.
C3: Customize Agreements to Be Audit-Specific

Audit-Specific Non-Disclosure Agreement:
- Security Policy
- Data/Privacy Policy
- HIPAA
- PCI Compliance
- Industry and Organization Specifics
- Laws and Regulatory Requirements
- Bilateral and Trilateral NDA Versions

Scope and Methodology Agreement:
- Project Plan Agreed
- Audit Start Date Documented
- Central Point of Contact Named
- Sites/Locations Agreed
- Part Numbers/SKUs/PIDs Reconciled
- Governing Agreement(s) Agreed
- Process Defined and Agreed

Work With Legal Counsel to Create These Contract Templates as Part of Your Audit-Readiness Kit.
C4: Communicate Your Audit Policy Organization-wide

- Vendors/Contractors Are Not Employees
- Employee Confidentiality Terms Still Apply During Offsites and After-hours Activities
- Meetings Conducted via Conference Rooms/Offices Versus Open Workspace or Cubicles
- Vendor Technical Support Calls Should "Stick to the Point"
- Business Partners/Resellers Are Still Vendors: NDAs for Protection
C5: Control Your Audit and Auditor

Vendor/Auditor Says: "Flying in for kickoff meeting"
Your Response/Action: Require NDA before meeting

Vendor/Auditor Says: "We will be auditing 'everything'"
Your Response/Action: Require scope and methodology agreement; it defines "everything"

Vendor/Auditor Says: "Complete this workbook and run these scripts"
Your Response/Action: Our NDA prohibits this risky disclosure. Auditor scripts enumerate installed software and configuration across your estate; what they collect, and where it goes, falls under the data transfer and retention policy that IT Security owns in the C1 matrix.

Vendor/Auditor Says: "We found another product to audit"
Your Response/Action: Scope agreement limits this audit; no "fishing"

Vendor/Auditor Says: "Vendor agrees to split the 'fines' and settle"
Your Response/Action: Use vendors' quarter/year ends for negotiation leverage
Negotiate Your Audit Settlement: Treat It Like a Deal!
The last four steps of the C9 wheel cover settlement:
6. Correct ELP With "True" Position
7. Collaborate to Plan Negotiation
8. Consider Key Dates for Leverage
9. Close Using Resolution Agreement
C6: Correct Effective License Position (ELP) by Asserting Your Position
Action Item: Add a "Customer Comments" Section to Assert, Document and Communicate Your "True" Noncompliance Position.

Sample Auditor Draft Effective License Position
Columns: Affiliate Name | Agreement Number | Product Name | Metric Type | License SKU | Customer Entitlement Quantity | License Requirement Quantity | License Discrepancy (Over +/Under -) | Auditor Notes | Customer Position and Comments

ABC Germany | 111111 | ABC Software | User | #00001 | 800 | 840 | (40) | See Tab 1 | 40 Licenses Installed by Vendor During Engagement/SOW #123
ABC France | 111111 | DEF Software | Processor | #00004 | 300 | 250 | 50 | - | Credit Requested as Vendor Configured Quantity and Over Estimated Need
ABC Sweden | 222222 | XYZ Software | Task | #00005 | 74 | 100 | (26) | See Tab 3 Footnote 1,2 | Customer Governing Agreement Different Than Auditor Reference: Unlimited Tasks Allowed

Above Data for Illustrative Purposes Only and Not Reflective of Any Client-Specific Product Portfolio or ELP
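The reconciliation the C6 slide describes, as an added example rather than any Gartner tooling: it takes the auditor's draft ELP rows, applies the customer's asserted position for each SKU, and produces the "true" discrepancy alongside the auditor's, while flagging any customer comment that cites no supporting document (the first C7 checklist item). The three rows are the page's illustrative sample; the assertion kinds, the evidence field and the evidence strings are assumptions introduced here.

```python
"""Reconcile an auditor's draft Effective License Position (ELP) with the
customer's asserted "true" position and flag comments without evidence.

Added example, not Gartner's code or tooling. Row layout follows the
illustrative draft ELP on the page; assertion kinds and the evidence field
are assumptions introduced here to model the three sample comments.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ElpRow:
    affiliate: str
    agreement: str
    product: str
    metric: str
    sku: str
    entitlement: int
    requirement: int
    auditor_notes: str = ""

    @property
    def auditor_discrepancy(self) -> int:
        # Page convention: positive = over-licensed, negative (printed "(n)") = shortfall.
        return self.entitlement - self.requirement


@dataclass(frozen=True)
class Assertion:
    """One entry for the "Customer Position and Comments" column (assumed structure)."""
    kind: str      # vendor_installed | vendor_over_configured | unlimited_by_agreement
    quantity: int  # licenses the assertion concerns
    comment: str   # text that goes into the ELP
    evidence: str  # document that supports the comment; "" means none cited yet


@dataclass(frozen=True)
class Position:
    sku: str
    auditor_discrepancy: int
    true_discrepancy: int
    credit_requested: int
    comment: str
    supported: bool


def fmt_discrepancy(n: int) -> str:
    """Render a discrepancy the way the draft ELP does: shortfalls in parentheses."""
    return f"({-n})" if n < 0 else str(n)


def assert_position(row: ElpRow, a: Optional[Assertion]) -> Position:
    """Apply the customer's assertion for one row and return the corrected position."""
    auditor = row.auditor_discrepancy
    if a is None:
        return Position(row.sku, auditor, auditor, 0, "", True)
    supported = bool(a.evidence.strip())
    if a.kind == "vendor_installed":
        # Licenses the vendor itself installed during an engagement are not customer demand.
        if a.quantity > row.requirement:
            raise ValueError(f"{row.sku}: cannot remove more than the auditor's requirement")
        return Position(row.sku, auditor, auditor + a.quantity, 0, a.comment, supported)
    if a.kind == "vendor_over_configured":
        # Vendor configured and over-estimated the quantity: position stands, credit requested.
        if a.quantity > max(auditor, 0):
            raise ValueError(f"{row.sku}: credit cannot exceed the surplus")
        return Position(row.sku, auditor, auditor, a.quantity, a.comment, supported)
    if a.kind == "unlimited_by_agreement":
        # Governing agreement allows unlimited use of this metric, so no shortfall exists.
        return Position(row.sku, auditor, max(auditor, 0), 0, a.comment, supported)
    raise ValueError(f"unknown assertion kind {a.kind!r}")


def reconcile(rows: List[ElpRow], assertions: Dict[str, Assertion]) -> List[Position]:
    return [assert_position(r, assertions.get(r.sku)) for r in rows]


def summarize(positions: List[Position]) -> Dict[str, object]:
    """Totals for the negotiation team; 'unsupported' rows need a document before settlement."""
    return {
        "auditor_shortfall": sum(-p.auditor_discrepancy for p in positions if p.auditor_discrepancy < 0),
        "true_shortfall": sum(-p.true_discrepancy for p in positions if p.true_discrepancy < 0),
        "credit_requested": sum(p.credit_requested for p in positions),
        "unsupported": [p.sku for p in positions if p.comment and not p.supported],
    }


# Constructed sample: the page's illustrative ELP rows; the evidence references are made up here.
SAMPLE_ROWS = [
    ElpRow("ABC Germany", "111111", "ABC Software", "User", "#00001", 800, 840, "See Tab 1"),
    ElpRow("ABC France", "111111", "DEF Software", "Processor", "#00004", 300, 250, ""),
    ElpRow("ABC Sweden", "222222", "XYZ Software", "Task", "#00005", 74, 100, "See Tab 3 Footnote 1,2"),
]
SAMPLE_ASSERTIONS = {
    "#00001": Assertion("vendor_installed", 40,
                        "40 Licenses Installed by Vendor During Engagement/SOW #123", "SOW #123"),
    "#00004": Assertion("vendor_over_configured", 50,
                        "Credit Requested as Vendor Configured Quantity and Over Estimated Need", ""),
    "#00005": Assertion("unlimited_by_agreement", 0,
                        "Customer Governing Agreement Different Than Auditor Reference: Unlimited Tasks Allowed",
                        "Agreement 222222"),
}

if __name__ == "__main__":
    for p in reconcile(SAMPLE_ROWS, SAMPLE_ASSERTIONS):
        flag = "" if p.supported else "  [NO SUPPORTING DOCUMENT CITED]"
        print(f"{p.sku} auditor {fmt_discrepancy(p.auditor_discrepancy):>5} "
              f"true {fmt_discrepancy(p.true_discrepancy):>5}  {p.comment}{flag}")
    print(summarize(reconcile(SAMPLE_ROWS, SAMPLE_ASSERTIONS)))
```

Run as a script it lists each SKU with the auditor's and the asserted discrepancy, then the totals: the auditor's 66-license shortfall collapses to 0 once the vendor-installed licenses and the unlimited-task agreement are applied, the 50-processor surplus becomes a credit request, and SKU #00004 is flagged because its comment cites no document. Assertions that would claim more than the row supports (removing more licenses than the auditor counted, or a credit larger than the surplus) are rejected rather than silently producing a position you could not defend at the negotiation table.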
C7: Collaborate to Strategize Settlement Negotiations: Treat It Like a Deal!

- Ensure ELP "Customer Comments" Can Be Supported With Documentation
- Identify All Missing or Unclear Vendor Policies: HA/DR, Virtualization, Test Use Rights
- Create List of Products Installed But Not Used; Agree to Certify They Have Never Been Used
- Keep Track of How Many Internal Resource Hours Were Used During the Audit
- Create a List of New "Nice to Have" Products or Services to Negotiate in Settlement
- Use CxO Power: Strategically Plan Executive Management Escalation Timing
- Create Timelines Documenting Vendor Knowledge of Client Usage and Licensing
- List All Ambiguous License Metrics With Your Interpretation: User, Core, Device
C8: Consider Key Dates for Leverage and Bargaining Power During Settlement Negotiations

Action Item: Strategize Timing to Align Final Audit Settlement Negotiations With Vendor Quarter-End and Fiscal Year-End Dates for Bargaining Power.

Fiscal Year-End Dates

Vendor                                   Fiscal Year-End
Adobe                                    November
Amazon                                   December
Autodesk                                 January
ASG Technologies                         December
BMC                                      March
CA Technologies                          March
Cisco                                    July
Citrix                                   December
Compuware                                March
Dell (EMC, VMware)                       January
Fujitsu                                  March
Google                                   December
Hitachi                                  March
HP Inc.                                  October
IBM                                      December
Infor                                    April
Informatica                              December
Lenovo                                   March
Micro Focus (Attachmate, HPE software)   April
Microsoft                                June
Oracle                                   May
Salesforce                               January
SAP                                      December
SAS                                      December
ServiceNow                               December
Software AG                              December
Symantec                                 March
Tableau Software                         December
Unisys                                   December
Workday                                  January

Note: This is not an exhaustive list of all major vendors that may be applicable to your product and service portfolio or future needs.
Source: Gartner (May 2017)
C9: Close Audit With Compliance Resolution Agreement Signed by Both Parties

Compliance Resolution Checklist:
- Concessions Documented With Clarity
- Consider "In Lieu of" Tables With New Product Substitution Rights
- Agree on Not-to-Exceed (NTE) Pricing for Future Maintenance
- Document Final Compliance Position Itemized by Product
- Document That Audit Is Closed and Release Date
- Clearly Establish Vendor and Your Responsibilities After Audit
- Both Parties Should Sign to Be Legally Binding
C9 at a Glance

Prepare Your Audit-Readiness Kit:
1. Construct Team: RASCI Matrix; Define/Update Roles
2. Create Audit Process: Test Process; Continuous Improvement
3. Customize Contracts: NDA; Scope and Methodology; Compliance Resolution
4. Communicate Audit Policy: Organizationwide; Make Part of Compliance Policy
5. Control Audit and Auditor: Central Point of Contact; Use Customized Contracts

Negotiate Your Audit Settlement:
6. Correct ELP With "True" Position: Document "True" Compliance Position; Add Customer Comments Section
7. Collaborate to Plan Negotiation: Use Audit Team to Brainstorm Tactics; Engage CxOs and Stakeholders; Treat Settlement Like a Deal!
8. Consider Key Dates for Leverage: Maintain a Fiscal Year-End Database; Strategize Timing of Settlement Negotiations; Use Qtr./Year-Ends for Bargaining Power
9. Close Using Resolution Agreement: Document Concessions; Consider All Contractual Options; Both Parties Sign to Be Legally Binding

Publish C9 on the ITAM Portal and Communicate It Throughout the Organization.