Essential Principles and Best Practices For Your Software Vendor Audit Response Process
Watch the webinar recording now!
2023 is underway and we have already supported dozens of clients respond to software audits.
With so much audit activity happening early in the year, we’ve decided to hold a webinar about navigating a software audit in 2023 to help you be prepared should you receive a software audit notification.
For this webinar, Anglepoint’s software asset management experts take a mid-level dive into the ins-and-outs of software audits, and share some of our observations from past and ongoing client experiences to help guide you through the process.
Software audits do not have to be time-consuming and stressful. With our tips and tricks, you will feel more confident during your organization’s next software audit.
Here are a few points we cover in the webinar:
- Identifying and responding to a software vendor audit notification
- Building a software audit response process that is repeatable and involves all of the right stakeholders
- Anglepoint’s experiences and best practices from helping our clients navigate software audits
- And much more
If you have specific questions or concerns, please reach out to us at firstname.lastname@example.org.
Watch today and gain insight into how you can prepare to navigate a software audit in 2023.
We hope you enjoy the webinar!
For more information on audits, check out our e-book, Managing a Software License Compliance Audit.
Thanks a lot, Braden. Thanks everyone for attending. What we wanted to do is walk through some best practices and discuss the state of the software audit machine, if you will, in 2023. So the subtitle here is talking about how we really recommend taking a considered approach. You can look at this as not the best thing in the world, but potentially an opportunity if you have a proactive approach to working with your software providers.
There are some things that you can leverage as a result of some of these reviews and engagements that tend to happen.
All right, here we go. So my name’s Chris Hayes. I’m a lead consultant here, a senior lead consultant at Anglepoint. I have been with Anglepoint in our program transformation team for about five years. And prior to that I’ve been a practitioner, so I’ve got about 16 years of industry experience and I’ve worked for a couple of major multinational companies.
And that’s where I’ve really cut my teeth in terms of audits, so I’ve got the bruises and scars to show from engaging and really going back and forth with a lot of these software publishers.
Quick agenda for this webinar. Like Braden said, we really do encourage asking questions and making this a little bit more interactive. While we do have a number of participants, we won’t necessarily be able to go into too much detail, just because of confidentiality and going down a rabbit hole on one specific issue.
I do want to have everyone share their topics and ask questions so we can have a good discussion as part of this. That’s part of the intent of this. So what we’re going to be talking about is which publishers in the industry we’re seeing now across multiple industry verticals and multiple clients, if you will.
Which ones are auditing, which ones are more aggressive, what are we as industry experts seeing across our client base today? The second bit is identifying when you are being audited. That’s a slippery slope, but also a bit of a gray area, right? You have to get in front of it and understand that some of these innocuous requests for information might actually be an entrée into a formal kind of compliance check.
What happens when you’re notified of an audit, who’s going to receive that, what that looks like. We’ll talk a little bit more in detail about that. Like I mentioned up front, the importance of having a proactive response, a framework and a process that’s sustainable and repeatable, so that you have the same things that you do every single time; that’s going to position you for success here.
So I think this is one of the poll questions. Hold on a second. I’ll pull it over in a bit. Then some tips and tricks. So again, not full-on detailed scenarios, but best practices from a mid-level on how to drive the process and be a little bit more effective and achieve these positive outcomes instead of really just being set upon and being reactive in the process.
That’s where you’re going to maximize your chance of a positive result. And then a little bit on best practice, and like I’ve been mentioning, we do want to have some time for questions and answers.
Okay, so poll questions. I think, Braden, we can pop those up here. And I think we want to just use the chat, or there might be a poll response functionality. So let me pull this back over here. Okay, so first question here. When was the last time that you were audited as an organization, that your organization has been visited by one of these publishers?
So are you being audited right now? Is it zero to 12 months? 12 to 24 months? Is it 24 months or greater? Or not applicable for your situation. So fill that out, and I think Braden can look at the results there. So I’m going to have a sip of coffee while you fill that one out, and then we’ll go to the next one.
Oh, okay. So it looks like we have the results here, and hopefully everyone’s able to see this. Otherwise, I’m just talking about a blank box. This slideshow, hopefully, is working. The last time that your organization was audited, it looks like a pretty even split between some of the respondents that you are currently under audit,
or it’s been within the last year, the last calendar year, 12 months. So with, I believe, where do I see the total, we’ve got about 80 participants currently. That tracks, I think, based on our current client list that we’re working with. We see roughly 20 to 30% under current audit, or having at least been through an audit in the last 12 months.
So I’m not surprised with those results. There are a lot of factors, so we’ll get into some of the context around why that happens and why some of these auditors are a little bit more aggressive, and when that happens, what’s the context that kind of precipitates some of that activity.
But that kind of tracks with what I’m familiar with. Okay. So Braden, I’m going to close this, and then the next question, I think.
Question two. Does your organization currently, so not future plans, right now today, do you have a defined and well-documented process to respond to these audits? So when an information request comes in that looks a little fishy, or you get a full-on compliance notification, do you have a documented process that you follow?
Yes, no, or, we could, I don’t know.
Oh, that’s excellent. Okay, so tracking in at almost half of the participants, at your organizations you do either have a process that you’re familiar with or something that is well documented that is being followed. So like we’re going to talk about, that is best practice. That’s a minimum bar to entry, but you want to have that foundation.
You want to know who is doing what to be more proactive and protect your organization against these potential risks. The 18% that said I don’t know, definitely reach out to your ITAM or software asset management department. Find that out. That is important to be able to start from a position of being organized with the activities.
Question three. On a scale from one to five, how confident are you in your organization’s ability to respond to a software vendor audit? Now, I would say this rating is also how confident are you that you would achieve a positive result. So from one being the least to five being, yep, we are great at this and we’ve done this a lot and we have very positive outcomes.
So one to five, what’s your confidence level at your organization being able to respond to these publisher challenges?
I appreciate this. I have built in coffee breaks for each of these voting times, so it’s good.
All right, so that looks like we’re tending positive. I think some of the respondents, maybe if that’s an overlay of, hey, I don’t really even know our process, we don’t have something documented, we’re setting up those standards, maybe you’re just starting out, for example. Looks like we have a few responses that are a little bit less confident.
The majority is somewhere in the middle, a little bit positive tending though. So from that three area to four, what that tells me is you’re confident in maybe a portion of the process or a portion of the capability, or maybe sometimes you do a good job, but maybe it’s not repeatable and standardized.
So it looks like there’s some opportunity there. And then we do have some portion of the attendees that say, great, I’m here for tips and tricks, but I have a good handle, I have a good sense at my organization of what’s going on, how we’re handling this.
And Braden, are there three questions or are there more in the poll?
That’s all of ’em. We’re all set.
Okay. Perfect. All right, appreciate everyone kind of filling in and giving us some further context and information. That’s something that we appreciate, kind of being able to tailor the conversation to where that’s going to make sense for the audience.
Publishers auditing in 2023. I would put five or six asterisks after that. This is including but not limited to. So these are the kind of typical publishers that we see. We are in the middle of multiple audits. We will not name names of these publishers, but these are a lot of them that we see are very active and we are currently managing, have managed within that first question, either currently ongoing or have seen within the last year or so.
Autodesk, Broadcom, Quest, Informatica, Microsoft. You do some of these, you can just rattle them off the tip of your tongue. You would say, okay, who am I going to assume are some of the most aggressive in the industry? All of these organizations have corporate-wide organized audit programs, compliance programs.
That means they have full-time staff dedicated to looking at compliance topics and compliance challenges. This is not a supplemental stream. This is a dedicated, managed department that goes after additional revenue by way of looking at compliance and looking at audits. So it’s very organized, it’s enterprise-wide, it’s very coordinated.
And for some of these, again, names will not be called out, but they are very aggressive in their approach. If you do get a review or you do get an audit from some of these companies, they will use every last tip and trick on their side, every kind of obscure contractual reference, the way they calculate your license consumption, et cetera.
And they’ll try and give you back penalties and interest, and so their approach is very aggressive. That’s the worst possible combination. You have something that’s enterprise-wide and very organized, and when they approach your organization, they will be quite aggressive. One other thing I would call out here is that some of these providers, especially in the area where they’ve got a little bit of legacy technology stack.
Let me go to the previous one. We’ll be auditing against their acquisitions. Again, not going to call anything out, but some of these organizations that acquire multiple organizations and amalgamate, what they’ll do is they’ll say, ah, product stack. We’re going to look at your existing contract, right?
That’s something where, if you are using some of these technologies that have been acquired lately, make sure you’re in a good position relative to compliance. They will review. So this is just a short list of what we’re seeing currently. There may be one that you’re involved in and you’re familiar with in the industry.
But these are the ones that are typically most aggressive in what we’ve seen in the last, let’s say, 12 to 18 months.
Yeah, Lucas, that’s a great question. I think Braden is coming back with that, so we can absolutely provide some information about what we’re seeing here in a list format, et cetera. Okay. Is this even an audit? What is going on here? This is going to bleed a little bit into how do we know what an audit is and what an audit isn’t.
Are we being notified? How do we manage this? Do we have to manage this? Having that process is going to help, but one of the things that we really advocate for in terms of best practices is identifying your key publishers, right? Let’s back up and say, okay, if we know that the following 10, 15 publishers as a collection are gonna be very aggressive and have an enterprise-coordinated approach to auditing and trying to get money, we’ll cover that off in a second.
Then you need to be prepared.
That just makes sense. You’ve got to have a plan in place and you need to understand, from a software asset management point of view, from a framework point of view, what you’re doing at your organization. Do you have some of these publishers?
Do you even know? So that first step would be to prioritize what you’re spending your money on in terms of software. What are your risky publishers and what are your strategic publishers? And do those mesh up, right? Are you spending a lot of money with a publisher that could be potentially ready to audit you?
If so, then you need to do your due diligence. You need to understand what is out there. So look at those. You can look at them through various lenses: by risk, by just spend, by both of them, by strategic importance to the business. That is a best practice, not only from audit response, but from software asset management.
You need to have that awareness of where your money is going so you can manage your risk. The second bit there would be a logical step, but you need to have a little bit more detail in terms of what are those contractual events with your key vendors. If you have a renewal that’s going to come up in December and every couple of years you’ve been audited by this publisher ahead of December, it would really make sense for your organization to have that proactive approach and understand that you have a trustworthy basis of data, right?
If that publisher does try and audit you ahead of your big contractual renewal, like they have in the last couple of cycles, you’ll be ready for that, right? So that’s just an overlay to say, know what you’re spending your money on and be strategic, but also be prepared, right? You don’t want to be caught.
The key message here for a lot of these is being proactive and being prepared with your information ahead of time. Not being reactive and getting caught out and saying, ah, we’ve been audited the last two or three years by this publisher like clockwork, and it’s happening again, I can’t believe it. You want to make sure you’re prepared.
And just to talk about this point as well, on the left, the typical audit and what we’re talking about here. And actually this is the open secret in the industry. It’s not really about compliance. When these audits close, it’s going to be a payment, a settlement fee, a check cut from your organization to one of these publishers.
And they’re rarely, if ever, going to certify, ah, we hereby certify you are 100% compliant. They’ll say, oh, this audit is closed. This engagement is closed because you paid this money. So at the end of the day, it’s a lot less about compliance. It’s a lot more about some of these publishers shoring up their revenue streams, and it’s no coincidence that in 2023 there’s a potential wobble or downturn in the global economy.
We see more and more supplemental revenue streams, acquisitions of these companies. So in the industry as such, when you have challenges in the economy, we will see a corresponding spike in audit activity. Read into that as you will, but since there is a little bit of challenge in the economy, we’re absolutely seeing a lot of these publishers, especially, like I mentioned, the ones that have been acquired and incorporated.
They’re very aggressive currently. These are just a couple of examples of something that we would do internal analysis on: publisher prioritization. These are just mocked-up figures, but we see some publishers, and we see the renewal dates, we see coverage analysis, and we see relative risks.
So we would recommend you undertake something similar to this, if not identical, to say, okay, what’s our spend? What’s our renewal date? What are the priorities? What are potential risky publishers to orient yourself and say, okay, how are we going to manage our licenses even outside of compliance? How are we going to manage our licenses in a way that will add value to the organization?
Because outside the current, or the operative, asset life cycle of managing software assets, we view compliance as in the middle. You want to make sure that you’re always compliant and that deals with all of these challenges. What we also recommend doing, just as best practice in software asset management, is looking at how this distribution of your spend lines up.
And then you can do things like, okay, we want to look at the most risky. You see these in red up here, the most risky and most strategic publishers, as a way to really get ahead, be proactive with your compliance metrics. We have a question here. Are there metrics on the average cost of conducting an audit?
Yeah, there are some figures you can throw around there, but I think it’s unique to each organization. It’s really hard to say, oh, you get audited by this company, we guarantee you’re going to spend 20% of your annual spend on the audit. I think a lot of times it has to do with the individual scenario.
You could have a smaller spend with a smaller publisher that could be unbelievably nasty, or a larger spend with kind of an enterprise publisher that might not be that bad. So I think what you have to do is overlay that with what your certain position is with your organization.
So it’s really hard to say, yep, across the board 20%. I think the soft cost is what really kills an organization in an audit, right? Not doing business as usual and not being proactive in managing compliance. Basically, you’ve got to stop everything and just have the audit proceeding.
I think that’s the biggest challenge. So calculating those soft costs is more thumb in the air as well. Got a couple of questions here. One is about Snow coverage. So this was with a client who was using, I think, Snow License Manager. So it’s important to understand from your solution’s point of view what data you have available going into an audit.
And then something about trends about publishers. Oh, how about tactics? Yeah. So let’s talk about that a little bit later once we get into tips and tricks. That’s a great one. I love Vinny the publisher coming to visit, shake you down and try to get the audit settlement.
Okay. So audit notification.
You’re going to have a lot of different kinds of formats and forms here, right? So what you want to do is, again, understand, is this something that we need to be concerned about? Is this an actual audit or is it an informational request? Best practices here, before we talk about the formats: make sure you are communicating and educating the rest of the business.
Make sure that other functional areas in your organization who might not be involved in the day-to-day of software asset management understand and know, and are not going to share information unwittingly; then they understand that risk. But at the same time, what you want to do with your documented process, you need to be enabling all of these other potential stakeholders.
If there is a procurement analyst that might receive something, if there is someone from IT legal, if there is someone from the C-suite that doesn’t necessarily know or wouldn’t anticipate something, you need to have any potentially impacted departments understanding their role, right? So they know the right and wrong steps that they need to take.
Spoiler alert, the right step is always to come centrally to that software asset management team or that function to say, I just received this. They do that immediately, and then you can take that assessment and say, is this something we have to be concerned about? So sometimes you’ll get a phone call, sometimes you get an email, sometimes you’ll get a certified letter.
It could go to all of your various sites. It could come to headquarters; it could go to purchasing, these notifications.
It’s not always straightforward. And like this other point is saying, this can happen anywhere along your supply chain. It’s not always going to be very clean and apparent: oh, I’m the head of software asset management, therefore I’m guaranteed to get these notifications on my desk and then I can use them.
It’s going to be the opposite. It will be, such and such a system integrator is talking with your infrastructure folks and there’s a side conversation or an email. It’ll be your procurement analyst is looking at a renewal and they receive some kind of ominous or threatening email from your reseller or another organization or the publisher directly.
It’s going to be at different points in the supply chain. So basically, the best practice is: make sure all of that is covered with communication and education internally, saying this stuff is risky and it’s going to happen. We have to prevent that risk. And in order to do that, here are some steps internal to the organization that we are going to take to enable you as a stakeholder.
When you get this notice, talk to us. Talk to the software asset management team. Process. So we’ll flip this one around. We’ll go on the left initially: establish a framework or response process, and then, not surprisingly, educate, understand your key stakeholders and have them buy into the process.
Have them support the process, from procurement and sourcing, so people who are purchasing licenses and managing entitlements, to your VMO or contract management staff. They would potentially be part of sourcing, or maybe you have those as separate functions. Application owners who are managing the installations, and sometimes that infrastructure; you could also talk to infrastructure management.
They will likely be part of the response in terms of collecting data before you provide that to the publisher. Tool or platform managers, so if you need to collect additional scan data or you have an entire platform that we’re interrogating or need to find out where this software is being consumed and where it’s deployed. And obviously, last but not least, IT legal; they should be involved in any kind of response process.
What I would say is you want to have this documented to a very clear degree, almost like a swim lane, to say, okay, this role does this first, then this role does this next, then this role does this, to make it really transparent and very clear for all these stakeholders what they’re going to do in the sequence of events.
That’s that first kind of point here in terms of best practice. Make sure the roles and responsibilities are very clear, and by having kind of that swim lane view, you can then visualize and make sure that you don’t have anything duplicated, because time is going to be of the essence in some of these steps,
and that you don’t have any potential gaps. Oh, I thought they were going to do it, oh, they said they were going to do it, well, you guys said no. You don’t want to have that, right? You want to have very clear responsibilities so you’re not dropping any of these key tasks. And then I keep on hammering on this point, but you really want to have this standardized every single time as soon as you get a notification.
Again, it’s not the end of the world, but you need to respond very quickly in that standardized way. And if you say everyone knows what they’re doing, it’s, hey guys, okay, everyone hands off the keyboards. We’ve received an audit notification. Go. And you say, yep, I’m doing this, legal is doing this, infrastructure’s doing this.
Every single time. Working that through and doing that in a standardized and repeatable way, you’re going to get better and better, and you’re going to have a higher degree of success. And just a shameless plug down here. Of course, as one of the leaders in software asset management and IT asset management in the industry, we have our own customized framework.
We’re happy to discuss; if you want to reach out, we’re happy to chat that through with you guys. Tips and tricks. So use your framework and your specific process.
If it’s ours, if it’s industry best practice, if it’s adaptive, if it’s internal, it doesn’t necessarily have to be ours, but you have to have a framework, right?
You have to have a repeatable process. Otherwise you’re running around like a chicken with your head cut off and you’re trying to coordinate all these activities. You’ve got a lesser degree of confidence and you’re going to have a greater chance of having potential risk here.
So first thing, verify that this is valid. Talk to IT legal. Hey, we got this email and it’s not really referencing a contract. I’m not sure if we have an end user license agreement with this publisher. They’re telling us they need data, they’re threatening us with fees. What is this? Or, if it’s more innocuous, hey, we want to help you understand your license consumption.
Can you please start sending us some information so we can help you with your contract renewal? No, you don’t have to. The long and the short of this: not every informational request, and that’s where this gray area comes in, has to be answered, if the publisher says, hey, pretty please give us data.
That’s the importance of that communication and education we talked about earlier, making sure other areas of the organization are aware that unless a publisher is invoking a specific term and condition, a specific audit clause within a legally binding contract between your organization and the publisher,
you don’t have to respond. Now, there might be a generic response that you say, hey, we’re declining to provide you information. Obviously this is kind of a slippery slope. You don’t want this to escalate. You don’t want to say, yeah, get lost, or be rude, or whatever, back to these publishers, or say, yeah, we’re not going to do anything without an audit notice.
They won’t absolutely turn that around and say, okay, great, here’s your formal audit notice. Great. You can answer these in a way that you avoid having that full-blown compliance check. So not everything that you receive from the publisher is a valid audit request. However, best practice is definitely to get that IT legal opinion, right?
Some of these are legal terms and conditions, and you don’t want to say, oh, I’m the head of SAM and software asset management, I’ve read a bunch of contracts, I’m really good here, I know to a legal degree of certainty. No, bring in IT legal for that legal degree of certainty; confer with them. So that’s the best practice.
Push the tempo. Oh, this one’s really good. So our audit response framework, and how we view this and how we respond to a lot of these requests, is based on the fact that we are being proactive in our software asset management or in our IT asset management; we’re using this a little bit interchangeably here.
If you’re executing proactive IT asset management, in other words, you know what you have and how you are managing it, and you are looking at standardized, repeatable processes, and you’ve got trustworthy information, there is no reason you can’t flip the script a little bit. So these publishers will be saying, ah, we need information.
Here’s this audit. We’re ready to look at this. We’re going to assess these penalties. We’re going to do this. Depending on if it’s directly with the publisher or they’re working with a third-party organization to do some data collection, such as your KPMGs or Deloittes of the world, there is no reason you can’t flip that around, because the publisher
will be on the back foot a little bit. They’re looking to put you as an organization on the back foot and say, we need this information, we need this. And if it’s already good to go, if, hey, we’ve been doing license balances, we’ve been doing ELPs or effective license positions every year or every six months or every quarter, or whatever your cadence is based on that publisher’s strategic prioritization,
you say, look, I’ve got the results right here. It doesn’t mean you’re going to share information, but as soon as they ask for information, it’s good. You’ve vetted it, you’ve validated it, you’re in the driver’s seat. What I would also say here, as a best practice or tip and trick, is control all the written record.
You schedule all the meeting invites, you take the meeting minutes, you take down the actions, and you follow up and you hold the publisher and their third-party representative, so KPMG or Deloitte, to account to that higher standard and say, look, we were looking for this data. You guys didn’t provide it to us.
We asked for the list of entitlements and contracts that are going to be the basis for this audit. You haven’t sent that to us yet.
It’s going to really discombobulate and flip that script, right?
If you’ve got the information, you can be proactive; leverage that to be proactive, go quickly through this review.
The publishers are used to organizations saying, I don’t have information, I don’t know who to talk to, just being all disorganized, and they’re pushing the tempo. If you’re pushing the tempo, it’s going to throw them off. It’ll flip around that script. Never use external scripts for data collection or discovering inventory.
So a lot of times what’s going to happen is, in terms of them pushing the tempo, the publisher will say, oh, no problem. Data collection is really simple. Just run this command, give us the results. Yeah, it’s going to be a CSV file. You won’t be able to interpret it. Don’t worry.
Or even worse, there’s that other level of obfuscation in the third-party data collectors, right? Oh, yeah, work with KPMG. They’re going to get us the data. We, as the publisher, we’re going to look at your licenses and entitlements and your contracts. We’re going to put everything together at the end. Work with KPMG, and it’ll be super easy. And KPMG will say, just as an example here, right?
KPMG will say, we’ve got these five scripts and this questionnaire to fill out. Here you go. No problem. Yeah, don’t worry about what’s in it. Absolutely you need to worry about what’s in it, right? Never just run a script and hand over information to an external party, right? So if there are any folks here from IT security or info security, they’re probably biting their pencil right now; they’re probably thinking, what in the heck?
No, you can’t even, for security reasons, disclose internal information to a third party; that should be the least of your concerns here. That’s actually one tip and trick. You can say, look, this is an IT security policy. We will not disclose confidential information without understanding what this is.
So the way you would flip this around for the publisher is to say, great, what is this script doing? At a minimum, you would want your IT security people to understand what this is doing and what data it’s providing.
Because usually what the publishers will do is they’ll say, okay, we need this much information for actual license compliance, but we’re going to ask for this much, and if we get this much, this additional information out here,
they can use it to make additional claims and look for more money and try and get you into more kind of compliance-related issues. So the long and the short of this one is always, you want to be disclosing information that you understand and that is just limited to what is being asked for. You can say, ah, what does this script do?
What five data points do you need? Great. We have an internal solution to provide you these five data points.
Then that puts it back on the publisher to say, that they want more than the five data points to get more money and look for more compliance issues.
They won’t be able to say that, right? If this is really about compliance, they’re asking for five data points, you’re going to give them the five data points, just not with an external script, then they don’t have an answer there, right?
That’s that plan of attack. Always maintain control and review anything that goes out, right? So if the scenario is, hey, we have to use that script, but IT security says it’s okay, at a bare minimum you want to make darn sure you understand what’s being disclosed before it goes out there.
Not, hey, here’s the keys to the kingdom. Here’s all this data. We don’t really know what’s in it. That’s bad news bears. Clarify the scope of the engagement ahead of time, before any data collection happens. This goes with communication and education. This goes with your process. So obviously if there’s another party who’s already shared information, that’s a little bit different scenario.
It’s a little bit more damage control. You don’t want that. You want to be proactive and you want the software asset management team to be controlling that full process. And if you control that process and you’re executing through on your framework, one of the things that you really want to make sure to do is clarify.
You want to clarify the contractual scope, the date scope, right? Is it a contract from 30 years ago? Is it five contracts? Is it 300 contracts? Is it everything? Try and obviously limit that scope as much as possible. But those are the clarifying questions that likely you want to ask as soon as you get the audit notification.
Oh, okay. I see you’re invoking an audit clause.
Can you, Mr. and Mrs. Publisher, can you please tell me what contract this is from and what specific term or condition you are referencing? That will be some initial homework for the publisher to do upfront while you, if you don’t have that information, while you’re scrambling internally to collect your information, understand your compliance position.
So you want to say, what contract is this? What’s the scope? What are the transactions, what is the date range, et cetera. And this is before you start collecting any information, right? If they’re saying, we actually are invoking a right to audit, we are going to audit. You can’t challenge this. You can’t do anything with it legal, okay?
We have to be audited. The next thing is we need to understand that scope. It can’t be, here’s your script. Oh, here’s your data back. Then they can start expanding the scope. Oh, we were just going to look at this product line, but very interesting. This other product line, we want to see some information about it.
It’s opening that door, so limit that scope as much as possible upfront. Someone else is saying publishers are becoming very creative here and they’re not doing an audit. Oh, it’s license review or softer message. Absolutely.
That’s a really good call out and really good point. When you have these soft audit-type requests, not a formal audit.
They’ll be very creative. I’ve seen “software asset management engagement”; it is going to use nominally positive language. So you have the opportunity to right-size your contract. Let’s just look at these key data points. All of that goes with communication, education, right? Being aware that the software publishers have seen this a little bit, they’ve been responded to, they understand, as much as we’re all getting some best practice and, very much appreciate, we’ve got almost 80 people on the line understanding some of these tips and tricks.
You better believe that these software publishers are doing something similar. Ah, when we audit, this tactic hasn’t been too effective. Oh, let’s come up with something else. Or, they’re iterating their process too. So it’s always a continuous education process.
So in recommended best practices, before we get into a little bit of Q&A to close out, first is execute a confidentiality agreement. So what you can do here is try to put a couple preferred terms and conditions in. You’ll have varying degrees of success, right? So I’m not going to say this is your silver bullet and it’s always going to work, but this is a typical response and a best practice response to come back to the publisher to say:
Look, you want this information. You want to engage with an audit. We demand a few things. We demand total confidentiality. We demand transparency in all calculations that are done. You can put a few other requirements in. You can actually work with both IT legal and your VMO, your vendor management organization, to talk about what those preferred terms would be in responding to the software publisher.
If the software publisher is that desperate for data right up front, they may agree to some of those terms in providing that information, so it should not just be a standard NDA. You can see if you can put some additional terms in there to improve your legal standing in the audit. Take a stepwise approach to baselining your entitlement.
So for those of you who might just be starting out or are not quite familiar with some of the terminology, your license entitlement is the legal right that your organization has to consume, deploy, and install the publisher’s software.
You’re granted entitlement, right against a contractual relationship.
So when we say entitlement baselining, that means understanding all of your proofs of purchase and right to use the publisher’s software. And what we’re saying here is you want to take a very stepwise approach, and that starts with understanding that contractual scope and limitation. So is that everything you’ve ever purchased, ever?
Is that the last 10 years? Is it a specific contract? Is it a specific product line? Again, best practice is to try and limit that as much as possible to limit your risk, but be very deliberate and step-wise and ask, and don’t be afraid to ask that information of the publisher. And if they say it’s everything, everywhere?
Okay, that doesn’t help. You need to come back and say, look, if you want data, Mr. and Mrs. Publisher, you need to tell us where we need to be looking. What contract is this? What entitlement is this? If you can, try and flip that around and say, okay, you want to audit this, fine. You want some information?
You tell us what contract are you looking at? What date range are you looking at? What transactions are you looking at? What legal entity names are you looking at? So for those organizations that are very complex or are distributed or multinational, that’s one thing that you want to make very sure of upfront: Mr. and Mrs. Publisher, what legal entity names are you using and what have you queried in your database to come up with our entitlement baseline? Oh, chances are they’re not internal, they’re just an external party. They might be missing names, and what that means is they are missing licenses. They are counting something that’s incomplete and they’re going to try and penalize you for it.
So take a very stepwise approach and don’t let the publisher push that on you. License consumption and deployment recognition should follow the entitlement baseline. This is 100% opposite of how the publishers want it. Oh, run our scripts, collect the data, then we’ll do something on the back end and then, oh, you’ll see a big bill.
Right? That’s how they want it to proceed. Easy. No, no fuss from their side. No, no due diligence. They’re just going to go away and do some calculations, not tell you what it is. Give you a big bill. We want to set you up in the opposite scenario whereby, you’re forcing them to be very transparent and tell you what they’re calculating.
All the assumptions, all the details involved with that. First, that confidentiality agreement, you want to push that to them, have that entitlement baseline done in a very step-wise and controlled fashion. But then this third bit about license consumption. This is what you’re comparing to what you own; what you’re using versus what you own is the crux of the issue.
What you’re using is the license consumption, either installed, deployed, consumed somehow. So how you’re using that software, how you’re calculating that and how you’re finding that data. Again, the publisher’s going to say, run the script, send us this. Immediately, what you can do is you can try and flip that around and say, look, we don’t know what products we’re even talking about here, so how can we possibly go out and run your script or do discovery or whatever. A medium kind of compromise,
it’s not best case, is at least to understand that scope: okay, we’re looking at these two product lines instead of everything that you’ve provided ever. That’s a little bit harder to collect. The publisher will often say, yeah, we don’t trust you. We think that you’re just looking at your entitlement to understand what consumption you need to look at to match it up, and you can flip that around to say, look, if this is really about compliance, again, that previous point that the publishers are after money, that’s the open secret, to say, look, if you’re really interested in compliance, then we need to do this in a logical way. We need to understand what transactions are here and help match that up.
And then you flip that around and say, actually, Mr. and Mrs. Publisher, that helps us go quicker. That helps you have the correct information. That means you don’t have to go back and look at new entitlements. You don’t have to reclassify anything. We don’t have to redo this exercise. We can do it once. It’ll be quick. Why wouldn’t you wanna do it that way?
Kind of start asking those naughty questions back to the publisher and that’ll put them a bit on the back foot, because they’re not going to come out and say, yeah, at the end of the day, it’s not really about compliance, it’s about us getting more money and it’s easier for us to get more money if you just send us a bunch of data and we send you a bill.
Make sure you’re going through and holding them to that standard and use that confidentiality agreement to do that. But also do not send them any of that consumption data until you have agreed on that entitlement baseline. They will push very hard to have this be different. One of the things that you can do is hold that information in escrow.
Say, look, we are going to zip this up and we’re going to have an encryption key. Here’s the file. We’ve done our work, we’ve collected this information. Now we’re not going to send you that key to re-encrypt this data so we can look at the consumption information until we have an entitlement baseline.
That way there’s zero argumentation on the publisher’s side. Hey, you collect that data. Yeah, we’ve done it. It’s sitting here, but we’re not going to talk about any of this until we have our entitlement baseline done. They hate that, but that’s a good tip and trick there.
Looks like we have another comment here from Mallory.
So our company is made up of a group and additional international organizations. So occasionally they’re licensing centrally, sometimes not. Ah, when you are clarifying scope. Yes. Very much, I think you’re on the right track there, Mallory. You’re saying that you’re pushing to clarify that contractual scope.
One of the ways that you can do that is what I mentioned with understanding the legal entities involved. So if the publisher is going to ask for information, and they can disclose some things. There’s no onus on you to disclose anything that’s not being asked if you understand between the lines there, right?
So if you say they’re talking about a global scope and they say what about these entities?
And you’ll have to say, okay, if you want us to, similar to this path, you want us to collect information. We need to understand what contracts and what legal entities. And they’ll say we want to see the following five international entities and you got 30, right?
You say, oh, okay, you’re asking for these five. Here are the names of these five. Meanwhile there are 25 they’re not looking at, so I think that’s a decent approach. You focus in on that contractual scope and you want to clarify that upfront, and if their understanding, the publisher’s understanding, is not complete and correct, there’s no onus on your organization to disclose that.
Now, the flip side, and if they say we want to understand your international organization and it’s your holding company centrally, however that’s legally set up and all of your affiliates and subsidiaries. Because that’s an audit scenario, you have to disclose that, right?
You can’t withhold information and say, we know that we’ve got 30 and we’re only going to give you five. If the publisher proactively says, we want information for these five, what I’m saying is, you’re not going to volunteer. Oh yeah. What about these other ones you didn’t ask about? This is the scenario where you provide only what’s being asked, and then it might come back and say, are there any more?
Okay, then you’ve got to truthfully answer. But if they’re not aware and they’re saying, oh, we want information for these five, great. They get information for those five.
And yeah, if they’re not forthcoming with that data, that’s that hard sticking point. And I think that’s your best option is scoping down to the contracts of what they’re auditing and then that’s going to limit your scope on data you have to provide.
That’s a good question though. That’s a good comment.
And then last but not least, don’t rush. You can own the tempo, you can be proactive, you can set yourself up for success by understanding what you’re consuming and what your entitlement basis is. You’re doing your effective license positions or your ELP for your strategic publishers on a regular basis.
So you’re ready to say, I know where we are. I know that we have extra licenses or I know that all of our product lines are good except for this one. And we have a small issue here. We’re going to steer away from that, how to manage the proceeding.
Excuse me. But don’t be forced into confirming anything before you’re ready.
Hey, we confirm this. It’s going to be back and forth until we are satisfied and we both formally agree that this is entitlement baseline. Full stop.
Otherwise it’s, hey, provided some data, go back and forth. We saw an email. This isn’t official, and a giant bill, right? You want to make sure you’re formally confirming. That goes back with the principle of, if this is not just about money, why don’t we want to confirm this? Kind of push that narrative with the publisher. Don’t do that until you’re ready to, because at the end of the day, the publisher’s not able to send a bill or anything unless they have that data and that analysis, right?
They depend on you, the organization that they’re licensing to, as a key part in this process. Now, not to say you can flip that to an extreme and be very successful if you just don’t give them any information. Eventually that’s going to escalate, right? If there’s something that’s severe enough or a large enough potential compliance issue, some of these publisher organizations will say, great.
We’re going to serve you with the court papers. We will talk about this in a court of law. That’s not where you want to be either. Where you do want to be here is not being forced into confirming, not being rushed into confirming until you’re ready.
And it’s a little bit to close out on our audit response framework before we do question and answers. So I mentioned we have an industry best practice framework that we’ve informed over several, way too many to comment on, audits and audit proceedings over decades of collected experience.
A lot of the folks at Anglepoint, if you’re not familiar with our organization, are former auditors. So having worked for the compliance organizations in IBM, Oracle, Microsoft, et cetera, we know all of the tips and tricks that these publishers will try to leverage against you, and we bake them into our audit response framework.
So included with that are how to communicate, what to respond, templatized instructions, how to work with these providers, some strategic tactics on what works, what doesn’t really, how to get under their skin and flip the script, a little bit more detail than what we’ve talked about just at a mid-level today.
Principles and process. So the very specific process, steps to take, you can obviously adapt those internally to your organization to have that best chance of success. Application of this framework. So how would you look at current audits or historical things to think, okay, how could we have improved that outcome, how do we implement this?
Great. This is all good in theory, how you actually do this. And there’s more. So if you’re interested in that, certainly get in touch with us. And then finally, happy to connect with any and all of you on LinkedIn. I’m out there. I think my information is here. You can also get in touch with Anglepoint directly.
And then just to call out. We are going to publish an eBook about managing license audits as well. How to be more proactive and guarantee that highest chance of a successful outcome. Let’s see what Lucas is saying here. So he’s saying, if you have organizations under audit, then you can exempt them yet potentially. I think that depends on the terms and conditions and the audit clause itself. So some of the audit clauses in contracts that are active will say every X, Y, Z term, right? Every 12 months we can review, every 24 months.
That’s definitely something to check and confirm with legal.
And you can also do a sequential audit.
I like that strategy as well. That’s going to be a long time of collecting that data. It could drag it out in smaller pieces. I agree. And depending on the organization, that’s also a good call out, Lucas. Some of these organizations have similar challenges on their side, right? So if you’re dealing with a large multinational corporation publisher, right? These big household names, not going to name names, but if you’re dealing with an organization like that, they have the same challenges in collecting and coordinating information that your organization does. Oh, we have to talk to our subsidiary in Italy.
Okay, that’s the publisher organization pit from Italy, or maybe the publisher’s headquarters is in the US and they’re looking at information from Japan and they’ve got to coordinate. They will have the same challenges. So procedurally, that could muddy the waters to your advantage, let’s say it that way.
And yeah, having too long of a period often hampers their ability to be very effective, let’s put it that way. Allure, you are very welcome. It’s always good to share some tips and tricks and impart knowledge and arm everyone in the industry so that you’re not just reactive and really having a headache here.
We, as software asset management practitioners, we can get a lot more proactive and we can really have a good outcome, a positive outcome for your organization, leveraging a lot of this information. I think that’s what I’d say before we get into Q&A as well.
View this, and I mentioned this briefly, view it as an opportunity.
If you don’t have clarity on one of your strategic publishers and you have this audit as a result, make sure you are baselining your entitlements and you take that forward, understanding your license consumption, putting in place some processes and procedures, or if you’ve not talked to these areas of your organization before, use it as an opportunity to loop them in and understand how you’re managing those licenses to set yourself up for success coming out of this compliance review.
’Cause what you don’t want to have happen is you have a nasty, maybe painful compliance review. And then you don’t get any benefit, right? The benefit should definitely be at least a clear understanding of your position and where you are, being able to leverage that moving forward. Oh, and Lucas is putting in some further information here.
Development environments, yes, there are usually clauses or terms and conditions where the licensing may be not required or may be fundamentally different. Also, cold, warm or hot, cold standby environments. Sometimes they’re free, depending on the publisher. Passive versus active instances, sometimes with VDI information, what you can or can’t run on servers. Other than to say, get into the details on license consumption.
Understand your terms and conditions to a very technical level, and understand what that means, right?
If you have a question, reach out. Reach out to your infrastructure folks. Reach out to your licensing expert folks. Reach out to your software asset management SMEs to say, okay, what does this mean?
Reach out to legal. Get a good understanding and a grip on what the implications of those terms and conditions are, then you’ll be able to design processes to run and maintain. If you’re saying, looks like we’re not licensed here and potentially we need a license, but at a different factor, we need maybe one to every four instances of standby implementation of this software.
You’ve got to understand that in the contract, you don’t want to be caught out. Where you don’t want to be is on the receiving end and in the audit, the publisher’s saying, Ah, term and condition number four out of 300 you didn’t satisfy and therefore, you want to know that upfront.
Absolutely. And yeah, depending on how you are managing the environment, we’re going a little bit far afield here. If you’ve got proactive IT asset management, so you’ve got good CI information and you’re managing your assets in a CMDB, you can utilize your naming conventions to your advantage. What Lucas, I think, is implying is unless you have very clear naming conventions, it’s going to be hard for them as an external to tell, ah, this is a disaster recovery environment.
This is backup, this is active, this is passive. That’s some ways you can steer things to your advantage if it’s not already apparent from the data. That’s another reason why you don’t just want to turn over data without understanding what’s in it, right? Never just run that script and give them the data.
You want to know what you are disclosing, in other words, what they can hold against you. Really good comments though, Lucas. Thanks for that.
Any other questions? We have this question and answer facility here, so go ahead and type. If you’ve got any further, I think we have a couple minutes left.
What I would mention as well definitely, get in touch with us. If you have follow on questions or you want to have a discussion with us or get deeper on any of these topics, feel free to reach out.
So Braden, I’m not seeing any others coming through right now. I will turn it back to you then.
Excellent. Thank you. Thank you so much, Chris. Thanks everyone for attending today. We hope you found it valuable. Yeah. Just before we close out, just want to remind you, we will be sending the recording, that’ll happen tomorrow or Friday. We’ll also be sharing some other resources. Like we mentioned, we’re coming out with a new eBook.
We’re going to share that with all of you as well. So just keep your eyes out for that. Chris said, if you do have more detailed questions or anything that you want to learn more about from what you talked about, we’re happy to talk about those things. If you reach out to us, you can email us info angle point.com or you can schedule a 30-minute call with us at the link there.
So really appreciate it. Hope you have a great rest of your day. Yep. Thanks everyone. Have a good day. Bye.