software licence audits · tell them why you are not renewing or buying licences, and tell them how...

Software Licence Audits Survive and Take Advantage


Compliance will be rewarded. Are you ready to comply?

For the past two years, I have sensed a gradual change of perception towards Enterprise Software Asset Management (SAM) in the IT community – less so the traditional ‘how hard can counting computers and installations be’, and more focus placed on keywords such as ‘compliance’, ‘contract optimisation’ and ‘cloud-readiness’.

Along with the change comes senior management support and investment. Many organisations have now built up dedicated SAM teams, purchased shiny new tool sets or signed up Managed Service Agreements with their LARs or IT Service Providers.

So all looks good and promising, except for one small problem – I am still seeing major audit exposures and large unbudgeted pay-outs from companies who invested in SAM. Why?

Being part of a well established audit firm that has conducted licensing audits for more than 20 years, and having worked with most of the top 10 software vendors' compliance programmes, I believe my answer to this question will be interesting, and more importantly, useful to you and your organisation when your next “Audit Notification Letter” lands.

This will be the first time in the industry that a vendor-appointed audit firm shares audit insights and bullet-dodging techniques. Some of the things you read may be already known, while others will be complete surprises – so please buckle up and I hope you enjoy the read.

Eric is the Director of Fisher IT Asset Consulting, with a team of 20 enthusiastic and highly experienced licence auditors and consultants. Prior to his current role he managed a similar team at one of the “Big Four” audit firms and was responsible for the launch of UK compliance programs for a number of major software vendors.

Who we are

Fisher IT Asset Consulting (FIAC) are part of HW Fisher & Company, a top 30 UK chartered accountancy firm founded in 1933. Collaboratively, our team of 20 contract and licensing experts deliver Licence Compliance, Software Asset Management (SAM) and IT Asset Management (ITAM) services to organizations across all industries globally.

At its core, our portfolio of services is designed to assist organizations to:

• Gain total visibility of their IT asset ownership and liability and understand how the assets are being utilized.

• Identify and reduce risk of over-deploying software licences to prevent vendor audit exposure and significant penalty payments.

• Optimize IT contracts and improve asset utilization to reduce overall cost of IT asset ownership.

What will be covered in this Guide

Facts

• Fundamental knowledge of the Licence Audit business

Survival

• What happens in an audit and how to watch your every step

Take Advantage

• Why licence audit can be good for you and how to reap the benefits

Free Assessment

• A high-value, no cost independent check of your readiness

Facts: Fundamental knowledge of the Licence Audit business

Fact 1: There is no escape

A recent IDC survey shows that 63% of the enterprises in North America and Europe were audited by at least one software vendor for “licence compliance” in the past 12 months. Over one third of the survey respondents said that they paid more than £200,000 for audit settlements and penalties.

Adobe, IBM, Microsoft, Oracle, SAP and Symantec are the vendors who initiate the most audits. However, many more software vendors are relying on licence compliance audits today as one of their key revenue contributors under a challenging economy.

If your organization has never been audited before, you probably will receive one of those notorious ‘Audit Notification Letters’ soon.

8 out of the top 10, or 13 out of the top 20 software vendors (by revenue) have active Licence Compliance Audit Programmes globally to safeguard licensing revenue.

Fact 2: This is not about honesty

The average settlement fee per audit equates to 34% of a company’s existing annual contract value with the auditing vendor.

This is not about whether your users are downloading cracks or ‘keygens’ from the internet. The traditional whistle-blower-led anti-piracy raids can often be difficult to execute, costly and sometimes political for software vendors, while generating a limited return.

In comparison, checking on paying customers who may have been less than careful in reading contractual terms and obligations, or in controlling the usage of legitimate software, has proven to be a robust and sustainable revenue generating strategy.

You might see yourself as an honest customer for spending £1 million a year on Oracle or IBM licences and support. What your supplier sees, however, is a compliance opportunity estimated at £340,000, waiting to be ‘recovered’!

Fact 3: Many names for one goal

Licence audit is costly for all software vendors whether they are using an internal team or working with independent audit firms to conduct the exercise.

Yet we have never seen any software vendor that had a compliance program and decided to ‘switch it off’ – every licence compliance program that we know is ‘self-funded’ and in most cases, highly profitable.

This means that you, the customers, are footing the bill. Some vendors are generous enough to only demand the licences owed plus back maintenance; others may even ask you to pay for the auditor’s fee.

‘SAM Engagement’, ‘True-up’, ‘Licence Optimization’, ‘Baseline’ and many more … no matter what the vendors call it, it is always an audit that will cost you money.

Fact 4: Can’t outsource the challenge

Whoever ‘looks after’ licensing for you, whether it is a LAR, SAM service provider or SAM tool vendor, no one will guarantee your compliance or pay your audit bills.

As long as you still buy software under your company’s name (an exception would be having no IT department and using an external provider to deliver IT as a Service), licence management remains your responsibility.

Outside support can help you automate processes and improve the underlying data quality to make calculation of licensing positions easier and more accurate. However, it is ultimately your (the software licensee’s) responsibility to make sure that you are consuming software licences in accordance with the agreed terms and levels you have with the software vendor.

This is why there are many organizations providing Software Asset Management support and services, yet no one sells ‘software licence compliance insurance’.

Survival: What happens in an audit and how to watch your every step

Vendor License Compliance Audit Process

• Audit Target Selection

• Customer Notification

• Audit Scoping & Initiation

• Audit Data Collection

• Factual Accuracy Verification & Confirmation

• Settlement Discussions

FisherITS Audit defense Strategy

• Vendor Relationship management

• Pre-Engagement Negotiation

• Scoping Assistance

• Data Gathering Assistance

• Compliance Report Verification

• Commercial Negotiation Support

Audit Target Selection

What happens

Because licence audits are often costly to conduct and sometimes trigger emotional reactions from the customer, the last thing a software vendor wants is an audit that identifies no compliance issues (and subsequently, no revenue).

Therefore, a software vendor will very rarely pick its audit targets randomly. To ‘recover’ the maximum amount of revenue under a set compliance budget every year, most vendors use a combination of indicators to gauge the ‘reward level’ of an audit candidate and prioritise their selections accordingly. The most common indicators used are:

• Customer’s purchase level with the vendor

• Organisational structure complexity

• Level of organisational change such as M&A activities

• Complexity of licensing model agreed

• Purchase pattern that does not reflect growth

• SAM maturity intelligence gathered from account team

How to Survive

Unfortunately, many of the ‘risk indicators’ used by vendors to select audit targets are beyond your control. However, there are still two practical tips that can be useful to lower your rank on the target list:

• Maintain an open and transparent relationship with your account managers. Tell them why you are not renewing or buying licences, and tell them how you control and monitor the use of licences.

• Negotiate yourself out of licensing metrics that are difficult to measure, especially when there is no licence consumption reporting mechanism built in to the software.

Customer Notification

What happens

You will receive a formal notification from your software vendor or their appointed auditors.

This could come in as a letter or an e-mail addressing the contract signatory within your organisation, often requesting a ‘kick-off’ meeting to discuss the audit strategy and expected timeframe of completion.

It will often inform you that any additional licences purchased beyond the date of the letter will not be counted towards your licence ownership for the purpose of the audit.

How to Survive

The first thing you should do is to look for your licence agreements and the audit clause within. You should also notify the relevant stakeholders and assemble a team that can provide both resource and expertise during the audit process.

At this point, if you are not confident of your compliance status, you should quickly arrange a mini-audit internally. If this is restricted by in-house expertise or resource level, it will be a good time to seek outside expert assistance.

It is vitally important that you have a clear view of your compliance position before the vendor does. This is not about trying to hide or delete over-used software – because, even if you do, most auditors can still find it.

However, most vendors are willing to give significant discounts for up-front settlement to save themselves the effort and cost of running an audit.

Ask Yourself

• Are you aware of all licence restrictions and obligations stated in the EULA?

• Can you measure software usage that is not licensed on user or install basis?

• Does your Discovery tool cover non-Windows or test/dev servers?

• Is your compliance calculation based on words or validated facts?

Audit Scoping & Initiation

What happens

This is the initial meeting where you and the auditing software vendor, often with their appointed auditors, sit together and negotiate on the scope, approach and timeline for the coming audit.

Typically, the audit scope can be geographic, organisational or limited by product families.

The auditors will outline the information they will need to gather to conduct the audit, and discuss the methods of collecting such information with you.

How to Survive

There are a number of important steps to safeguard your interest in the kick-off meeting:

• Ensure that the agreed scope only includes software licences under your direct ownership and management. Do not include subsidiaries or overseas entities unless they are covered by the same licence agreement that is owned and managed by you.

• Request an NDA to restrict the use of audit data for other purposes.

• Ask for a reasonable timeline – you are not contractually bound to complete an audit within a set timeframe, as long as it is ‘reasonable’, so do ask for extra time if you are under-resourced or migrating your data centre.

Audit Data Collection

What happens

The auditors will start the audit by gathering information after the kick-off meeting. The most common types of information gathering exercise include:

• Interviews: auditors talk to your staff and collect information verbally or through on-screen observations.

• Self-declaration: you will be provided with a guided template to populate software usage information.

• Request existing records: these can be any records that you already own, from CMDB reports to HR records.

• In-App reports: the auditors may ask you to generate built-in reports in some applications, such as user or connection reports.

• Execute scripts / tools: the auditors may ask you to run software they provide to scan your machines.

How to Survive

The data collection process needs to be very carefully managed so that only relevant and requested data is submitted to the auditors. The most important tips on managing data collection include:

• Have your own project manager, who understands the audit scope, oversee data collection, so your ‘techies’ won’t give away more than necessary.

• Make sure you understand the rationale behind each data request – don’t be afraid to ask ‘what do you need this for?’ or ‘why are you running this script?’

• Be extra careful with what you declare – if you are not sure, spend the time and effort to investigate, instead of giving a ‘half-correct’ answer that will expose you to deeper scrutiny by the auditors later on.

Factual Accuracy Verification & Confirmation

What happens

After the auditors finish collecting the required audit information, they will prepare a Draft Licence Compliance Report with Effective Licence Positions (ELP) for each software title that you license and consume.

Some will share the same draft with the vendor at the same time, but most will ask for your comment, and if possible, your acceptance of the report’s ‘factual accuracy’ before doing so.

How to Survive

If you have done something wrong earlier in the process, whether by supplying outdated user information or including decommissioned servers in your self-declaration, this is your last chance to fix the issue. Once you have ‘accepted’ the report, it will be extremely difficult to reverse what you have said – even if what you have said does not reflect the reality. Therefore, it is vitally important that, at this stage, you:

• Check the entire report thoroughly. Don’t just look at the summary ELPs; review the underlying datasets at least for the software titles that are in ‘red’ – identified as under-licensed.

• Ask for clarification if you do not understand any part of the report entirely. It is the auditors’ obligation to explain how they arrive at their conclusions.

• Involve the original person who supplied the auditor with raw data in the review process, to make sure the data has not been manipulated or interpreted incorrectly.

• Try to remove any ‘assumptions’ the auditors made in the report due to lack of data from you, as most of these will not be in your favour. Supply them with more data where possible.

Settlement Discussion

What happens

Any red or minus lines in the Compliance Reports indicate that you owe the vendor money and you will be asked to pay up.

Depending on who the vendors are and the degree of non-compliance, you may be asked to purchase the licences owed at full list price without discount, paying back-maintenance and sometimes even the cost of the audit.

You will also be asked to clear the payment within a given timeframe, usually within 4 weeks or less of audit completion. It is likely that your OPEX budget is not big enough to ‘take the hit’, and conversations with CFOs asking for ad-hoc cash are rarely pleasant.

How to Survive

If you are still on the path of DIY audit defence at this stage, below are some basics that you should know before joining the table alone:

• Mitigating circumstances: strong and verifiable ‘excuses’ for accidental usage or mis-deployment may be considered as mitigating circumstances.

• Publisher goodwill: collaborating with the vendor’s compliance team, rather than being purposefully obstructive, is more likely to land you goodwill on some liability waivers.

• Vendor Demand Matrix: like all negotiations this is about give and take. Vendor compliance teams want immediate revenue, increased future revenue and swift payment without upsetting you. Look at what you can afford and choose your tactic accordingly.

[Figure labels: Immediate revenue; Future revenue; Time of payment; Relationship; Mitigating circumstances; Publisher’s Goodwill]

Take Advantage: Why licence audit can be good for you and how to reap the benefits

Don’t forget the Green lines

Most companies do not take action on the green lines in a compliance report – these are the over-licensed positions where you are paying for more licences than required.

You can’t really blame the auditors or vendors for not emphasising the ‘over-licensed’ positions – after all, it is not in their interest and no EULA has a ‘refund’ clause. Sure, there are sometimes good reasons for why you have purchased more licences than needed – up-coming projects or buying a bit more for the future and for the discount.

However, if these licences became excess due to genuine reduction of requirement, you can save significantly and instantly by switching off their annual support & maintenance payment, usually worth around 20% of the full licence cost.

You may also want to explore the used-software market, where there are increasing numbers of brokers paying cash to acquire unwanted perpetual licences from end-user organisations.

Get up from where you fell down

Don’t throw away your compliance report. It is a perfect baseline for you to accurately manage your licence positions going forward, so harvest it.

The compliance reports issued by the auditors and vendors will always have limited scope; nonetheless they are the next best thing you can have without major investment in your Software Asset Management practice.

With this validated baseline, as long as you carefully track all new licence purchases and deployment post audit, you will maintain good visibility over your licence position with the given vendor.

Of course, such tracking is easier said than done. However, before you get that board approval on investments in SAM, this is still a very good ‘interim’ practice to keep your head above water.

Learn from the auditors

It takes years of investment for the world’s largest audit firms to find efficient methods to measure licence compliance, and this is shared with you during every audit.

We are not talking about counting basic software users or installs here; we are talking about understanding PVUs and RVUs for IBM, Core Factors for Oracle or one of the hundred types of users for SAP, plus all restrictions hidden within those 30-page Enterprise Agreements.

Measuring the ownership and consumption levels for complex software licences is often a challenge for your LARs or even the vendors’ own sales teams. However, you have been given unique access to the best solution because of the audit.

Ask the auditor how they calculate each number, because they will have to explain. Document the process and keep a copy of their data collection instructions. Perform the same process yourself in the future so that your SAM practice will be audit-proof.

Audit Readiness Assessment

A high-value, no cost independent check of your readiness

What it is

• A one-day independent assessment of your licence compliance readiness

• Interviews, on-screen observations plus data and document reviews

• Focus on ‘what you don’t know’

• Same-day presentation of findings, with optional follow-up remote presentations at a later date

• Covered by NDA

What you get

• Visibility of licence compliance risks and gaps that were previously unknown

• Estimated financial exposure and saving opportunities

• Ammunition for your SAM business case

• Understanding the limitations of your existing discovery and SAM tools

• A suggested plan of action, or a high-level requirement specification, should you wish to seek external support


www.fisherits.com @auditdefence24

FISHERITS EUROPE (HQ)

ACRE HOUSE, 11-15 WILLIAM ROAD, LONDON, NW1 3ER, UK

PHONE: +44 (020) 7388 7000

EMAIL: [email protected]

HOURS: MONDAY - FRIDAY, 9AM - 6PM (GMT)

GET IN TOUCH