
CONFIDENTIAL AND PROPRIETARY

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.

How to Successfully Manage Software Audits and Reduce Noncompliance Cost Risk With Gartner's C9 Process

Jo Ann Rosenberger, Research VP, Distinguished Analyst


66% of Clients Surveyed Were Audited by One or More of These Vendors …

It's Not a Question of IF You Will Be Audited but WHEN.


The C9 Steps …

1. Construct Team
2. Create Audit Process
3. Customize Contracts
4. Communicate Audit Policy
5. Control Your Audit and Auditor
6. Correct ELP With "True" Position
7. Collaborate to Plan Negotiation
8. Consider Key Dates for Leverage
9. Close Using Resolution Agreement


Prepare Your Audit-Readiness Kit (C9 steps 1 to 5: Construct Team, Create Audit Process, Customize Contracts, Communicate Audit Policy, Control Your Audit and Auditor)


C1: Construct Your Audit Team Using a RASCI Matrix — Responsible, Accountable, Supportive, Consulted, Informed

Phase         Activity                                                AM  VM  LC  IF  TM  BO  IS  CM  IA  IP
Notification  Assemble audit team                                     R   I   I   I   I   I   I   I   I   I
              Check contract                                          C   R   S   I   I   S   I   A   I   S
              Run inventory/usage reports                             A   I   I   I   R   I   I   I   I   I
              Acknowledge request                                     C   R   C   I   I   I   I   S   S   S
Preparation   Update inventory tools/manual reporting processes       A   I   I   I   R   I   I   I   S   I
              Validate entitlement                                    R   S   S   I   I   C   I   S   I   S
              Define scope                                            A   R   I   I   I   I   C   S   C   I
              Assess and agree methodology                            R   S   C   I   S   I   C   I   C   I
              Draft and sign NDA                                      C   A   R   I   I   I   S   I   I   S
              Data transfer and retention policies                    C   A   C   I   I   I   R   S   S   S
              Make financial provision for likely liabilities         C   C   I   R   I   A   I   I   I   I
Engagement    Run and validate inventory and usage data               A   I   I   I   R   I   C   I   C   I
              Reconciliation of entitlement and inventory/usage data  R   C   I   I   A   C   I   I   I   C
              Investigation of exceptions                             R   C   C   I   C   C   C   C   I   I
              Confirm compliance position                             R   A   I   C   S   I   C   S   C   I
              Update financial provision                              C   C   I   R   I   A   I   I   I   I
Closure       Agree compliance position                               R   A   I   I   S   C   C   S   C   S
              Agree settlement details                                C   R   S   C   C   A   C   S   C   S
              Make contract amendments                                C   A   S   I   C   C   S   C   I   R
              Make required purchases                                 C   C   I   C   R   R   I   I   I   S

Roles: AM = Asset Manager, VM = Vendor Manager, LC = Legal Counsel, IF = IT Finance, TM = Technology Manager, BO = Business Owner, IS = IT Security, CM = Contract Manager, IA = Internal Audit, IP = IT Procurement.

RASCI codes: R = Responsible, A = Accountable, S = Supportive, C = Consulted, I = Informed.

Use the RASCI matrix to define the roles and responsibilities of each team member during the four phases of the software audit.


C2: Create and Test Your Audit Management Process

Test Your Process for Continuous Improvement. Don't Use an Audit as Your Test.

Step 1: Audit Request Received
Step 2: Audit Team Notified
Step 3: Inform Business and Stakeholders
Step 4: Contract Audit Rights Reviewed
Step 5: NDA Before Kickoff Meeting
Step 6: Entitlement Data Required From Vendor
Step 7: Reconcile Entitlement Data and Quantities
Step 8: Scope and Methodology Agreement
Step 9: Audit Engagement/Receive Draft ELP
Step 10: Document Your Position in Final ELP
Step 11: Use Team to Strategize Settlement Negotiations
Step 12: Audit Closure/Compliance Resolution Agreement

No audit starts until steps 1 to 8 take place.


C3: Customize Agreements to Be Audit-Specific

Audit-Specific Non-Disclosure Agreement:
✓ Security Policy
✓ Data/Privacy Policy
✓ HIPAA
✓ PCI Compliance
✓ Industry and Organization Specifics
✓ Laws and Regulatory Requirements
✓ Bilateral and Trilateral NDA Versions

Scope and Methodology Agreement:
✓ Project Plan Agreed
✓ Audit Start Date Documented
✓ Central Point of Contact Named
✓ Sites/Locations Agreed
✓ Part Numbers/SKUs/PIDs Reconciled
✓ Governing Agreement(s) Agreed
✓ Process Defined and Agreed

Work With Legal Counsel to Create These Contract Templates as Part of Your Audit-Readiness Kit.


C4: Communicate Your Audit Policy Organization-wide

- Vendors/Contractors Are Not Employees
- Employee Confidentiality Terms Still Apply During Offsites and After-hours Activities
- Meetings Conducted via Conference Rooms/Offices Versus Open Workspace or Cubicles
- Vendor Technical Support Calls Should "Stick to the Point"
- Business Partners/Resellers Are Still Vendors — NDAs for Protection


C5: Control Your Audit and Auditor

Vendor/Auditor Says: Vendor agrees to split the "fines" and settle
Your Response/Action: Use vendors' quarter/year ends for negotiation leverage

Vendor/Auditor Says: We found another product to audit
Your Response/Action: Scope agreement limits this audit — no "fishing"

Vendor/Auditor Says: Complete this workbook and run these scripts
Your Response/Action: Our NDA prohibits this risky disclosure

Vendor/Auditor Says: We will be auditing "everything"
Your Response/Action: Require scope and methodology agreement — defines "everything"

Vendor/Auditor Says: Flying in for kickoff meeting
Your Response/Action: Require NDA before meeting


Negotiate Your Audit Settlement — Treat It Like a Deal! (C9 steps 6 to 9: Correct ELP With "True" Position, Collaborate to Plan Negotiation, Consider Key Dates for Leverage, Close Using Resolution Agreement)


C6: Correct Effective License Position (ELP) by Asserting Your Position

Action Item: Add "Customer Comments" Section to Assert, Document and Communicate Your "True" Noncompliance Position.

Sample Auditor Draft Effective License Position

| Affiliate Name | Agreement Number | Product Name | Metric Type | License SKU | Customer Entitlement Quantity | License Requirement Quantity | License Discrepancy (Over +/Under -) | Auditor Notes | Customer Position and Comments |
| ABC Germany | 111111 | ABC Software | User | #00001 | 800 | 840 | (40) | See Tab 1 | 40 Licenses Installed by Vendor During Engagement/SOW #123 |
| ABC France | 111111 | DEF Software | Processor | #00004 | 300 | 250 | 50 | | Credit Requested as Vendor Configured Quantity and Over Estimated Need |
| ABC Sweden | 222222 | XYZ Software | Task | #00005 | 74 | 100 | (26) | See Tab 3 Footnote 1,2 | Customer Governing Agreement Different Than Auditor Reference — Unlimited Tasks Allowed |

Above Data for Illustrative Purposes Only and Not Reflective of Any Client-Specific Product Portfolio or ELP


C7: Collaborate to Strategize Settlement Negotiations — Treat It Like a Deal!

- Ensure ELP "Customer Comments" Can Be Supported With Documentation
- Identify All Missing or Unclear Vendor Policies — HA/DR, Virtualization, Test Use Rights
- Create List of Products Installed But Not Used — Agree to Certify Never Been Used
- Keep Track of How Many Internal Resource Hours Were Used During Audit
- Create a List of New "Nice to Have" Products or Services to Negotiate in Settlement
- Use CxO Power — Strategically Plan Executive Management Escalation Timing
- Create Timelines Documenting Vendor Knowledge of Client Usage and Licensing
- List All Ambiguous License Metrics With Your Interpretation — User, Core, Device


C8: Consider Key Dates for Leverage and Bargaining Power During Settlement Negotiations

Action Item: Strategize Timing to Align Final Audit Settlement Negotiations With Vendor Quarter-End and Fiscal Year-End Dates for Bargaining Power.

Fiscal Year-End Dates

Vendor                                  Fiscal Year-End
Adobe                                   November
Amazon                                  December
Autodesk                                January
ASG Technologies                        December
BMC                                     March
CA Technologies                         March
Cisco                                   July
Citrix                                  December
Compuware                               March
Dell (EMC, VMware)                      January
Fujitsu                                 March
Google                                  December
Hitachi                                 March
HP Inc.                                 October
IBM                                     December
Infor                                   April
Informatica                             December
Lenovo                                  March
Micro Focus (Attachmate, HPE software)  April
Microsoft                               June
Oracle                                  May
Salesforce                              January
SAP                                     December
SAS                                     December
ServiceNow                              December
Software AG                             December
Symantec                                March
Tableau Software                        December
Unisys                                  December
Workday                                 January

Note: This is not an exhaustive list of all major vendors that may be applicable to your product and service portfolio or future needs.

Source: Gartner (May 2017)


C9: Close Audit With Compliance Resolution Agreement Signed by Both Parties

Compliance Resolution Checklist
✓ Concessions Documented With Clarity
✓ Consider "In Lieu of" Tables With New Product Substitution Rights
✓ Agree on Not-to-Exceed (NTE) Pricing for Future Maintenance
✓ Document Final Compliance Position Itemized by Product
✓ Document That Audit Is Closed and Release Date
✓ Clearly Establish Vendor and Your Responsibilities After Audit
✓ Both Parties Should Sign to Be Legally Binding


C9 at a Glance

Publish C9 on ITAM Portal — Communicate Throughout Organization

Prepare Your Audit-Readiness Kit:
1. Construct Team: RASCI Matrix; Define/Update Roles
2. Create Audit Process: Test Process; Continuous Improvement
3. Customize Contracts: NDA; Scope and Methodology; Compliance Resolution
4. Communicate Audit Policy: Organizationwide; Make Part of Compliance Policy
5. Control Audit and Auditor: Central Point of Contact; Use Customized Contracts

Negotiate Your Audit Settlement:
6. Correct ELP With "True" Position: Document "True" Compliance Position; Add Customer Comments Section
7. Collaborate to Plan Negotiation: Use Audit Team to Brainstorm Tactics; Engage CxOs and Stakeholders; Treat Settlement Like a Deal!
8. Consider Key Dates for Leverage: Maintain a Fiscal Year End Database; Strategize Timing of Settlement Negotiations; Use Qtr./Year-Ends for Bargaining Power
9. Close Using Resolution Agreement: Document Concessions; Consider All Contractual Options; Both Parties Sign to Be Legally Binding
