Chris Hayes, Senior Lead Consultant at Anglepoint, illuminates the state of software license auditing in 2023: which publishers are auditing, which ones are more aggressive, and what we, as industry experts, are seeing across our client base today.
There are a thousand things to consider when it comes to software license audits: who is most likely to audit you, what your process is when an audit lands, and how you can learn from the experience to prevent future costly events. In this blog we explore the state of software license audits today and share tips and tricks for making sure you are prepared for whatever audits come your way, including how to turn your relationship with audits into a proactive one and how to build a response framework that is sustainable and repeatable. Our new ebook, Managing a Software License Compliance Audit, has more information on navigating software compliance audits.
Understanding the aggressiveness of audits in 2023
The world of software license audits is changing, and these days they’re more aggressive than ever for several reasons.
Autodesk, Broadcom, Quest, Informatica, Microsoft. These are just a few of the big names in audits and these software publishers have implemented corporate-wide, organized software audit programs as part of their compliance initiatives. They have dedicated staff and departments solely focused on audit activities, aiming to generate additional revenue through licensing compliance. Their approach is highly organized, coordinated, and aggressive.
When facing an audit from these publishers, it is crucial to be prepared for their aggressive tactics. They may employ various strategies, including leveraging obscure contractual references and complex calculations of license consumption to impose penalties and accrued interest on your organization. The combination of their enterprise-wide approach and aggressive tactics can make software license audits particularly challenging to navigate.
If you do get a review or an audit from some of these companies, they will use every tip and trick to their advantage. In addition to their primary software products, some software publishers have expanded their product offerings through acquisitions. This means that if your organization is using technologies that have been recently acquired, you might face software license audits specifically targeting those legacy products. Publishers will thoroughly review your existing contracts and assess your compliance in relation to the acquired technologies. It is vital to ensure your organization is in a strong position regarding compliance for such products and understands all implications of the previous contractual relationship(s) with the software publisher.
Before an audit lands
Identify your key software publishers
The first step in successfully navigating software license audits is to identify the publishers who are most likely to conduct aggressive audits. Start by assessing which publishers are known for their enterprise-wide, coordinated approach to auditing and are actively seeking additional revenue via compliance measures. Consider factors such as their past audit activities, reputation, and industry trends. Which are your risky publishers and which are your strategic publishers? Are you spending a lot of money with a publisher that could potentially be ready to audit you?
By prioritizing your IT spending and identifying your risky and strategic publishers, you can better prepare for potential audits.
We recommend you undertake an analysis to consider:
- What’s our IT spend?
- What’s our renewal date?
- What are the priorities?
- Which publishers are potentially risky, and how are we going to manage their licenses even outside of a compliance event?
- How are we going to manage our licenses in a way that will add value to the organization?
Put a plan in place
Once you have identified your key publishers, it’s essential to have a well-defined plan in place to manage software license audits. Start by ensuring you have a robust software asset management framework and a clear understanding of your organization’s software usage and license consumption. Conduct due diligence on your publishers to understand their audit practices and requirements.
You can look at publishers through various lenses: by risk, by spend, by both, or by their strategic importance to the business. That is a best practice not only for responding to a software publisher audit but also from a software asset management perspective.
By proactively managing your software assets, you can minimize compliance risks and be better prepared for audits.
Understand contractual events
To stay ahead of potential audits, it’s crucial to have a detailed understanding of your contractual obligations with key vendors. Pay attention to contract renewal dates, especially if previous audits have occurred around those periods. For example, if you have a software contract renewal coming up in December and every couple of years this publisher has audited you ahead of December, it makes sense for your organization to take a proactive approach and make sure you have a trustworthy basis of data ahead of the renewal date.
By being proactive and having accurate and trustworthy data at your fingertips, you can confidently respond to audits and avoid surprises. Being prepared in advance will enable you to negotiate from a position of strength and mitigate risks effectively.
Understand the real purpose of audits
It’s important to understand that the ultimate goal of software license audits is often centered around financial settlements rather than software license compliance. Publishers are keen on securing additional revenue streams, especially during challenging economic times. We’re seeing this trend very clearly.
Recognizing this reality will help you approach audits with a clear understanding of the publisher’s motivations. Focus on managing your software licenses proactively and effectively to add value to your organization while ensuring compliance.
When the audit notification comes
Educate your stakeholders on what to do
Audits can arrive in various formats, such as phone calls, emails, or certified letters, and can occur at any point in your supply chain. Educating stakeholders across different departments such as procurement and IT legal about the software audit response protocol is crucial. Ensure that everyone knows to report audit notifications to your central software asset management team as soon as they are received.
By establishing clear communication and education, you can prevent the inadvertent sharing of sensitive information and enable all potentially impacted departments to understand their role(s) in the process. Remember, the standardized response should involve stakeholders reaching out to the software asset management team immediately upon receiving a notification.
Establish clear roles and responsibilities
To streamline the audit response process, define clear roles and responsibilities for each stakeholder. Establish a documented framework that outlines the sequence of events and ensures no tasks are duplicated or overlooked. Time is of the essence, so having a standardized and repeatable approach is essential. Whether you develop your own framework or adopt industry best practices, make sure it is tailored to your organization’s needs and allows for efficient coordination among stakeholders. The key is that it operates the same way. Every single time.
The script should be very clear for all involved stakeholders. For example, if procurement receives an audit notification they can say, “We’ve received an audit notification. I will notify my SAM team. I’m doing X. Legal is doing Y, infrastructure’s doing Z.”
Of course, as one of the leaders in the software asset management and ITAM industry, we have our own customized framework. We are happy to help you design your own that’s built on industry best practice. But whether it’s ours or not, a repeatable framework is essential.
Verify that the software license audit is valid
Not all software audit notifications are legitimate. Take the time to verify the validity of each request. Engage with your IT legal team to assess whether the request aligns with any contractual obligations or audit clauses. If the request is informal or lacks proper contractual documentation, you can politely decline to respond. Educating your organization about these nuances will help stakeholders distinguish between valid audits and informational requests.
For example, you do not have to respond to a publisher’s request for data that is merely intended to help with a contract renewal.
That is the importance of communication and education: making sure other areas of the organization are aware that unless a publisher is invoking a specific term and condition or a specific audit clause within a legally binding contract between your organization and the publisher, there is no legal requirement to share any data.
If it is just an informational request, you can politely decline.
Differentiate audits from soft audit requests
Software publishers may employ creative tactics, such as soft-audit requests, to gather information without explicitly invoking a formal audit clause in a contract. Be aware of these tactics and ensure that the engagement’s purpose and scope are clearly defined. Effective communication, education, and awareness are crucial to navigate these scenarios successfully.
By implementing proactive IT asset management best practices, you can be one step ahead in audits. Maintain accurate records of your software licenses, regularly reconcile your license balances, and develop effective license positions (ELPs) based on your publisher prioritization. When software auditors request information, you can confidently provide validated and vetted data, putting your organization in the driver’s seat. Flipping the script allows you to respond to auditors proactively and showcase your management of license compliance.
It doesn’t mean you’re going to share information, but as soon as they ask for information, you are good to go. You’ve vetted it, you validated it, and you are in the driver’s seat.
Control the written record
When it comes to software audits, maintaining a clear and accurate written record is vital. You can really get the upper hand in this area and take charge of the process by scheduling all meeting invites, capturing detailed meeting minutes, and documenting all action items. By doing so, you can hold the publisher and their third-party representatives accountable for meeting the agreed-upon standards. If the publisher fails to provide the requested data or doesn’t follow through on an agreed action, you can refer to the documented records to address the issue.
The publishers are used to organizations saying, “I don’t have that information. I don’t know who to talk to.” If you’re pushing the tempo, it can turn the tables in your favor and flip this relationship around. You will be the organization holding the software publisher’s team to a higher standard.
Avoid external scripts for data collection
Software publishers will often suggest running external scripts or using third-party data collectors to facilitate data collection. Exercise caution in such cases: never run a script or share confidential information without fully understanding its purpose and implications, including what the script collects, the privileges it needs to run, and where its output is sent. Consult your IT security or information security teams to assess the script’s impact on your organization’s security policies and protocols. No data should be shared with an external party without a thorough internal review by the IT Security and ITAM teams.
Proactively control information disclosure
To maintain control and limit compliance risks, disclose only the information that is explicitly requested by the software publisher. If the publisher or auditor provides a script or questionnaire, review it thoroughly and ensure it aligns with your organization’s policies. Consider providing the requested data points using your internal solutions rather than relying on external scripts. By controlling the disclosure of information, you prevent the publisher from expanding the scope of the audit and making additional claims.
What publishers will often do is say, “Okay, we need only this much information for actual license compliance, but we’re going to ask for more to see what we can get.”
They can use this extra information to make additional claims. The long and the short of it is that you want to disclose only information that you understand and can control, limited to what is being explicitly asked for.
Clarify the scope of the audit
Before initiating any data collection, it’s crucial to clarify the scope of the audit. Request specific details such as the contractual scope, date range, relevant transactions, and product lines to be audited. Is it a contract from 30 years ago? Is it five contracts? Is it 300 contracts? Is it everything? Obviously try to limit that scope as much as possible.
Understanding these parameters upfront allows you to focus your efforts and mitigate the potential for additional claims or expanded scope later in the process. Promptly seek clarification from the publisher if any information is missing or unclear. Again, ensure this agreement is captured in the written record of meetings.
Execute a confidentiality agreement
To protect your organization’s interests, consider negotiating the contract and executing a confidentiality agreement with the publisher or auditor. Work with your legal and vendor management teams to include preferred terms and conditions that safeguard your rights and ensure transparency. While this agreement may not always guarantee complete compliance from the publisher, it can provide additional legal standing and improve your audit position.
Take a stepwise approach to entitlement baselining
Entitlement baselining involves understanding your organization’s legal rights to use the publisher’s software. Take a systematic and stepwise approach to this process. Begin by identifying the contractual scope and any associated limitations. Ask the publisher for specific contract references, date ranges, transaction details, and legal entity names associated with the audit. Is it a specific contract? Is it a specific product line?
This approach helps you gain clarity and prevents the publisher from counting incomplete or inaccurate license information against your organization.
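The two practices described above, building an effective license position from your own entitlement and inventory data (scoped to the product lines actually under audit) and then disclosing only the fields the publisher explicitly asked for, can be illustrated with a small reconciliation script. The following is an added example, not part of this post and not Anglepoint’s framework or tooling; the publisher, product, host and contract names are constructed placeholders, and the data records stand in for whatever your internal SAM tool or CMDB exports.

```python
"""Constructed example: build an effective license position (ELP) from
internal entitlement and inventory records, restricted to the audited scope,
and emit only the explicitly requested fields for disclosure."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    publisher: str
    product: str
    metric: str      # license metric, e.g. "per-device" or "per-core"
    quantity: int
    contract: str    # internal contract reference; not disclosed by default


@dataclass(frozen=True)
class Deployment:
    publisher: str
    product: str
    metric: str
    quantity: int    # 1 per installed device, or core count for per-core products
    hostname: str    # internal detail; not disclosed by default


# Constructed sample data: every name below is a placeholder, not a real publisher or contract.
ENTITLEMENTS = [
    Entitlement("ExamplePublisher", "DesignSuite", "per-device", 6, "CONTRACT-001"),
    Entitlement("ExamplePublisher", "DesignSuite", "per-device", 4, "CONTRACT-002"),
    Entitlement("ExamplePublisher", "DataMover", "per-core", 64, "CONTRACT-001"),
    Entitlement("ExamplePublisher", "LegacyTool", "per-device", 5, "CONTRACT-000"),
]
DEPLOYMENTS = (
    [Deployment("ExamplePublisher", "DesignSuite", "per-device", 1, f"ws-{i:02d}") for i in range(12)]
    + [
        Deployment("ExamplePublisher", "DataMover", "per-core", 16, "db-01"),
        Deployment("ExamplePublisher", "DataMover", "per-core", 32, "db-02"),
        # Deployed with no matching entitlement: exactly the kind of surprise to find before the auditor does.
        Deployment("ExamplePublisher", "RenderNode", "per-device", 1, "rn-01"),
        Deployment("ExamplePublisher", "RenderNode", "per-device", 1, "rn-02"),
    ]
)


def effective_license_position(entitlements, deployments, publisher, scope_products=None):
    """Map (product, metric) -> (entitled, deployed, delta) for one publisher.

    A negative delta is a shortfall. scope_products limits the position to the
    product lines the audit actually covers; None means every product seen."""
    def in_scope(rec):
        return rec.publisher == publisher and (scope_products is None or rec.product in scope_products)

    entitled, deployed = defaultdict(int), defaultdict(int)
    for e in entitlements:
        if in_scope(e):
            entitled[(e.product, e.metric)] += e.quantity
    for d in deployments:
        if in_scope(d):
            deployed[(d.product, d.metric)] += d.quantity
    keys = set(entitled) | set(deployed)   # deployed-but-unentitled products must surface too
    return {k: (entitled[k], deployed[k], entitled[k] - deployed[k]) for k in sorted(keys)}


def shortfalls(elp):
    """Products whose deployed count exceeds entitlement: the items an auditor would claim."""
    return {k: -v[2] for k, v in elp.items() if v[2] < 0}


def disclosure_report(elp, requested_fields=("product", "metric", "deployed")):
    """Flatten the position into rows containing only the requested fields.

    Contract references and hostnames are never part of the report, and entitlement
    totals appear only when explicitly requested."""
    allowed = {"product", "metric", "entitled", "deployed"}
    unknown = set(requested_fields) - allowed
    if unknown:
        raise ValueError(f"unsupported fields requested: {sorted(unknown)}")
    rows = []
    for (product, metric), (ent, dep, _) in elp.items():
        full = {"product": product, "metric": metric, "entitled": ent, "deployed": dep}
        rows.append({f: full[f] for f in requested_fields})
    return rows


if __name__ == "__main__":
    elp = effective_license_position(ENTITLEMENTS, DEPLOYMENTS, "ExamplePublisher")
    for key, position in elp.items():
        print(key, position)
    print("shortfalls:", shortfalls(elp))
    print("disclosure rows:", disclosure_report(elp))
```

The scope parameter is the point of the "clarify the scope" step: running the position for only the product lines named in the audit letter keeps unrelated products (here LegacyTool) out of the conversation, while the full run is what your own team reviews internally so that gaps such as RenderNode are known before any data leaves the organization.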
Get help from the experts
If you need further assistance or want to explore this topic in more detail, don’t hesitate to reach out to us at Anglepoint or refer to our eBook on managing license audits.
Remember, an audit should not only provide clarity on your software license compliance position but also offer an opportunity to optimize your license management practices.
Much of our team is made up of former auditors with years of experience on both ends of the software audit process, having worked in the compliance teams for Microsoft, IBM, Oracle, and others. We know all the tricks of these publishers, and any framework we develop with you will have this knowledge baked in. This includes information on how to communicate, how to respond, templatized instructions, how to work with these providers, and some strategic tactics on what works, what doesn’t, and how to get under their skin.
If you don’t have clarity on one of your strategic publishers and an audit results from it, make sure you baseline your entitlements and carry that forward in your internal process: understand your license consumption, and put processes and procedures in place.
Learn more in our ebook Managing a Software License Compliance Audit.