software licence audits · tell them why you are not renewing or buying licences, and tell them how...
TRANSCRIPT
Software Licence AuditsSurvive and Take Advantage
Compliance will be rewarded. Are you ready to comply?
2
For the past two years, I have sensed a gradual change of perception towards Enterprise Software Asset Management (SAM)
in the IT community – less so the traditional ‘how hard can counting computers and installations be’, and more focus placed
on keywords such as ‘compliance’, ‘contract optimisation’ and ‘cloud-readiness’.
Along with the change comes senior management support and investment. Many organisations have now built up dedicated
SAM teams, purchased shiny new tool sets or signed up Managed Service Agreements with their LARs or IT Service Providers.
So all looks good and promising, except for one small problem – I am still seeing major audit exposures and large
unbudgeted pay-outs from companies who invested in SAM. Why?
Being part of a well established audit firm that has conducted licensing audits for more than 20 years, and having worked with
most of the top 10 software vendors' compliance programmes, I believe my answer to this question will be interesting, and
more importantly, useful to you and your organisation when your next “Audit Notification Letter” lands.
This will be the first time in the industry that a vendor-appointed audit firm shares audit insights and bullet-dodging
techniques. Some of the things you read may be already known, while others will be complete surprises – so please buckle up
and I hope you enjoy the read.
Eric is the Director of Fisher IT Asset Consulting, with a team of 20 enthusiastic and highly experienced licence auditors and consultants. Prior to his
current role he managed a similar team at one of the “Big Four” audit firms and was responsible for the launch of UK compliance programs for a number
of major software vendors.
Who we are
3
Fisher IT Asset Consulting (FIAC) are part of HW Fisher &
Company, a top 30 UK chartered accountancy firm
founded in 1933. Collaboratively, our team of 20 contract
and licensing experts deliver Licence Compliance,
Software Asset Management (SAM) and IT Asset
Management (ITAM) services to organizations across all
industries globally.
At its core, our portfolio of services is designed to assist
organizations to:
Gain total visibility of their IT asset ownership and
liability and understand how the assets are being
utilized.
Identify and reduce risk of over-deploying software
licences to prevent vendor audit exposure and
significant penalty payments.
Optimize IT contracts and improve asset utilization to
reduce overall cost of IT asset ownership.
What will be covered in this Guide
4
Facts
• Fundamental
knowledge of the
Licence Audit
business
Survival
• What happens in an
audit and how to
watch your every step
Take Advantage
• Why licence audit can
be good for you and
how to reap the
benefits
Free
Assessment
• A high-value, no cost
independent check of
your readiness
Facts Fundamental knowledge of the Licence Audit business
5
Fact 1: There is no escape
6
A recent IDC survey shows that 63% of the enterprises in North America and Europe wereaudited by at least one software vendor for “licence compliance” in the past 12 months. Overone third of the survey respondents said that they paid more than £200,000 for auditsettlements and penalties.
Adobe, IBM, Microsoft, Oracle, SAP and Symantec are the vendors who initiate the mostaudits. However, many more software vendors are relying on licence compliance audits todayas one of their key revenue contributors under a challenging economy.
If your organization has never been audited before, you probably will receive one of thosenotorious ‘Audit Notification Letters’ soon.
8 out the top10, or13 out of the top 20
software vendors (by revenue) have active
Licence Compliance Audit Programmes
globally to safeguard licensing revenue
Fact 2: This is not about honesty
7
The average settlement fee per audit
equates to 34% of a company’s
existing annual contract value with the auditing vendor
This is not about whether your users are downloading cracks or ‘keygens’ from the internet.
The traditional whistle-blower-led anti-piracy raids can often be difficult to execute, costly
and sometimes political for Software vendors, while generating a limited return.
In comparison, checking on paying customers who may have been less than careful in
reading contractual terms and obligations, or in controlling the usage of legitimate software,
has proven to be a robust and sustainable revenue generating strategy.
You might see yourself as an honest customer for spending £1 million a year buying Oracle
or IBM licences and support annually. What your supplier sees, however, is a compliance
opportunity estimated at £340,000, waiting to be ‘recovered’!
Fact 3: Many names for one goal
8
Licence audit is costly for all software vendors whether they are using an internal team or
working with independent audit firms to conduct the exercise.
Yet we have never seen any software vendor that had a compliance program and decided to
‘switch it off’ – every licence compliance program that we know is ‘self-funded’ and in
most cases, highly profitable.
This means that you, the customers, are footing the bill. Some vendors are generous enough
to only demand for the licences owed plus back maintenance; others may even ask you to
pay for the auditor’s fee.
‘SAM Engagement’, ‘True-up’, ‘Licence Optimization’, ‘Baseline’ and many more … no matter how the vendors call it, it is always an audit that will cost you money.
Fact 4: Can’t outsource the challenge
9
Whoever ‘looks after’ licensing for you,
whether it is a LAR, SAM service provider or
SAM tool vendor, no one will guarantee your
compliance or pay your audit bills
As long as you still buy software under your company’s name (an exception will be having no
IT department and using an external provider to deliver IT as a Service),
licence management remains your responsibility.
Outside support can help you automate processes and improve the underlying data quality to
make calculation of licensing positions easier and more accurate. However, it is ultimately your
(the software licensee’s) responsibility to make sure that you are consuming software licences
in accordance with the agreed terms and levels you have with the software vendor.
This is why there are many organizations providing Software Asset Management support and
services, yet no one sells ‘software licence compliance insurance’.
Survival What happens in an audit and how to watch your every step
10
Audit Target
SelectionCustomer
Notification
Audit Scoping &
Initiation
Audit Data
Collection
Factual Accuracy
Verification &
Confirmation
Settlement
Discussions
Vendor License Compliance Audit Process
11
Vendor
Relationship
management
Pre-Engagement
NegotiationScoping Assistance
Data Gathering
Assistance
Compliance Report
Verification
Commercial
Negotiation
Support
Vendor License Compliance Audit Process
FisherITS Audit defense Strategy
Audit Target Selection
12
What happens
Because licence audits are often costly to conduct and sometimes triggeremotional reactions from the customer, the last thing a software vendor wants isan audit that identifies no compliance issues (and subsequently, no revenue).
Therefore, very rarely a software vendor will pick its audit targets randomly. To‘recover’ the maximum amount of revenue under a set compliance budget everyyear, most vendors use a combination of indicators to gauge the ‘reward level’ ofan audit candidate and prioritise their selections accordingly. The most commontype of such indicators used are:
Customer’s
purchase level
with the
vendor
Organisational
structure
complexity
Level of
organisational
change such as
M&A activities
Complexity of
licensing
model agreed
Purchase
pattern that
does not
reflect growth
SAM maturity
intelligence
gathered from
account team
How to Survive
Unfortunately many of the ‘risk indicators’ used by vendors to select audit targets are often beyond your control. However, there are still two practical tips that can be useful to lower your rank on the target list:
Maintain an open and transparentrelationship with your account managers.Tell them why you are not renewing or buyinglicences, and tell them how you control andmonitor the use of licences
Negotiate yourself out of licensing metricsthat are difficult to measure, especiallywhen there is no licence consumptionreporting mechanism built-in to the software.
Customer Notification
13
What happens
You will receive a formal notificationfrom your software vendor or theirappointed auditors.
This could come in as a letter or an e-mail addressing the contract signatorywithin your organisation, oftenrequesting a ‘kick-off’ meeting todiscuss the audit strategy and expectedtimeframe of completion.
It will often inform you that anyadditional licences purchased beyondthe date of the letter will not becounted towards your licence ownershipfor the purpose of the audit.
How to SurviveThe first thing you should do is to look for your licence agreements and the auditclause within. You should also notify the relevant stakeholders and assemble a teamthat can provide both resource and expertise during the audit process.
At this point, if you are not confident of your compliance status, you should quicklyarrange a mini-audit internally. If this is restricted by in-house expertise or resourcelevel, it will be a good time to seek outside expert assistance.
It is vitally important that you have a clear view of your compliance position before thevendor does it. This is not about trying to hide or delete over-used software – because,even if you do, most auditors can still find them.
However, most vendors are willing to give significant discounts for up-front settlementfor the sake of saving their effort and cost of running an audit
Ask Yourself
Are you aware of all licence restrictions and obligations stated in the EULA?
Can you measure software usage that is not licensed on user or install basis?
Does your Discovery tool cover non-Windows or test/dev servers?
Is your compliance calculation based on words or validated facts?
Audit Scoping & Initiation
14
What happens
This is the initial meeting where you and theauditing software vendor, often with theirappointed auditors, sit together andnegotiate on the scope, approach and timeline for the coming audit.
Typically, the audit scope can begeographic, organisational or limited byproduct families.
The auditors will outline the informationthey will need to gather to conduct theaudit, and discuss the methods of collectingsuch information with you.
How to Survive
There are a number of important steps to safeguard your interest in the kick-off meeting:
Ensure that the agreed scope only includes software licences under your direct ownership and management. Do not include subsidiaries or overseas entities unless they are covered by the same licence agreement that is owned and managed by you.
Request for NDA to restrict the use of audit data from other purposes.
Ask for a reasonable timeline – you are not contractually bound to complete an audit within a set-timeframe, as long as its ‘reasonable’, so do ask for extra time if you are under-resourced or migrating your data centre.
Audit Data Collection
15
What happens
The auditors will start the audit by gathering information afterthe kick-off meeting. The most common types of informationgathering exercise include:
Interviews: auditors talk to your staff and collect information verbally or through on-screen observations
Self-declaration: you will be provided with a guided templateto populate software usage information
Request existing records: these can be any records that you already own from CMDB reports to HR records
In-App reports: the auditors may ask you to generate built-inreports in some applications, such as user or connectionreports.
Execute scripts / tools: the auditors may ask you to run software they provide to scan your machines
How to Survive
The data collection process needs to be very carefully managed so that only relevant and requested data is submitted to the auditors. The most important tips on managing data collection include:
Have your own project manager who understands the audit scope, to oversee data collection, so your ‘techies’ won’t give away more than necessary.
Make sure you understand the rationale behind each data request – don’t be afraid to ask ‘what do you need this for?’ or ‘why are you running this script?’
Be extra-careful with what you declare – if you are not sure, spend the time and effort to investigate, instead of giving a ‘half-correct’ answer that will expose you into deeper scrutiny by the auditors later on.
Factual Accuracy Verification & Confirmation
16
What happens
After the auditors finish collecting the required audit information, they will prepare a Draft Licence Compliance Report with Effective Licence Positions (ELP) for each software title that you licence and consume.
Some will share the same draft with the vendor at the same time, but most will ask for your comment, and if possible, your acceptance of the report’s ‘factual accuracy’ before doing so.
How to Survive
If you have done something wrong earlier in the process, whether by supplying outdated user information or including decommissioned servers in your self-declaration, this is your last chance to fix the issue. Once you have ‘accepted’ the report, it will be extremely difficult to reverse what you have said – even if what you have said does not reflect the reality. Therefore, it is vitally important that, at this stage, you:
Check the entire report thoroughly. Don’t just look at the summary ELPs; review the underlying datasets at least for the software titles that are in ‘red’ – identified as under-licensed.
Ask for clarification if you do not understand any part of the report entirely. It is the auditors obligation to explain how they arrive at their conclusions.
Involve the original person who supplied the auditor with raw data in the review process, to make sure the data has not been manipulated or interpreted incorrectly.
Try to remove any ‘assumptions’ the auditors made in the report due to lack of data from you, as most of these will not be in your favour. Supply them more data where possible.
Settlement Discussion
17
What happens
Any red or minus lines in the ComplianceReports indicates that you owe the vendormoney and you will be asked to pay up.
Depending on who the vendors are and thedegree of non-compliance, you may be askedto purchase the licences owed at full list pricewithout discount, paying back-maintenance andsometimes even the cost of the audit.
You will also be asked to clear the paymentwithin a given timeframe, usually at 4 or lessweeks upon audit completion. It is likely thatyour OPEX budget is not big enough to ‘takethe hit’, and conversations with CFOs asking forad-hoc cash are rarely pleasant.
How to Survive
If you are still on the path of DIY audit defence at this stage, below are some basics that you should know before joining the table alone:
Mitigating circumstances: strong and verifiable ‘excuses’ for accidental usage or mis-deployment may be considered as mitigating circumstances
Publisher goodwill: collaborating with the vendor’s compliance team, rather than being purposefully obstructive, is more likely to land you goodwill on some liability waivers.
Vendor Demand Matrix: like all negotiations this is about give and take. Vendor compliance teams want immediate revenue, increased future revenue and swift payment without upsetting you. Look at what you can afford and choose your tactic accordingly.
Immediate
revenue
Future
revenue
Time of
payment
Relationshi
p
Mitigating circumstances
Publisher’s Goodwill
Take AdvantageWhy licence audit can be
good for you and how to reap the benefits
18
Don’t forget the Green lines
You can’t really blame the auditors or vendors for not emphasising the ‘over-licensed’ positions –after all, it is not in their interest and no EULA has a ‘refund’ clause. Sure, there are sometimes goodreasons for why you have purchased more licences than needed – up-coming projects or buying abit more for the future and for the discount.However, if these licences became excess due to genuine reduction of requirement, you can savesignificantly and instantly by switching off their annual support & maintenance payment, usuallyworth around 20% of the full licence cost.You may also want to explore the used-software market, where there are increasing numbers ofbrokers paying cash to acquire unwanted perpetual licences from end-user organisations.
19
Most companies do not take action on the
green lines in a compliance report – these are
the over-licensed positions where you are
paying more licences than required.
Get up from where you fell down
20
The compliance reports issued by the auditors and vendors will always have limited scope;
nonetheless they are the next best thing you can have without major investment in your
Software Asset Management practice.
With this validated baseline, as long as you carefully track all new licence purchases and
deployment post audit, you will maintain good visibility over your licence position of the given
vendor.
Of course, such tracking is more difficult to say than do. However, before you get that board
approval on investments in SAM, this is still a very good ‘interim’ practice to keep your head
above water.
Don’t throw away your compliance report.
It is a perfect baseline for you to accurately
manage your licence positions going
forward, so harvest it.
Learn from the auditors
21
We are not talking about counting basic software users or installs here, we are talking about
understanding PVUs and RVUs for IBM, Core Factors for Oracle or one of the hundred types of
users for SAP, plus all restrictions hidden within those 30-page Enterprise Agreements.
Measuring the ownership and consumption levels for complex software licences are often
challenges to your LARs or even the vendors’ own sales teams. However, you have been given
unique access to the best solution because of the audit.
Ask the auditor how they calculate each number, because they will have to explain. Document
the process and keep a copy of their data collection instructions. Perform the same process
yourself in the future so that your SAM practice will be audit-proof.
It takes years of investment for the world’s
largest audit firms to find efficient methods to
measure licence compliance, and this is shared
with you during every audit.
Audit Readiness Assessment
A high-value, no cost independent check of your
readiness
22
Audit Readiness Assessment
23
What it is
A one-day independent assessment of your licence compliance readiness
Interviews, on-screen observations plus data and document reviews
Focus on ‘what you don’t know’
Same-day presentation of findings, with optional follow-up remote presentations at a later date.
Covered by NDA
What you get
Visibility of licence compliance risks and gaps that were previously unknown
Estimated financial exposure and saving opportunities
Ammunition for your SAM business case
Understanding the limitations of your existing discovery and SAM tools
A suggested plan of action, or a high-level requirement specification, should you wish to seek external support
www.fisherits.com @auditdefence24
FISHERITS EUROPE (HQ)
ACRE HOUSE, 11-15 WILLIAM ROAD, LONDON, NW1 3ER, UK
PHONE: +44 (020) 7388 7000EMAIL: [email protected] HOURS: MONDAY - FRIDAY, 9AM - 6PM (GMT)
GET IN TOUCH