Do you know your audit risk? Part 2

In my previous blog, I looked at the some of the most common triggers that will spur a supplier into asking to audit your IT estate. These varied from the differing ‘personality’ traits of various publishers, to global economic forces. These factors – and many more – all have a bearing on the likelihood of an audit request arriving on your desk, so pose a risk to your organization.

Here, I’ll go one step further, providing ITAM teams some advice on how to mitigate against these risks.

Get familiar with your contracts

This may sound like an obvious place to start but, often, organizations will sign up to a contract without proper scrutiny of the terms, particularly, how they will apply in the medium- to long-term.

What was right for your company when you signed a multi-year license agreement, might not be right now or, indeed, in the future. Perhaps you have accelerated your migration to the cloud to ensure your workforce to remain operational during the lockdown; does your contract facilitate this? There’s a good chance it won’t.

Of course, you also need to bear in mind that vendor-issued contracts can be ambiguous and opaque. While your inventory may match your licensing entitlement, there are countless other pitfalls that could impact your ability to prove compliance. For example, we often encounter restrictions around named users, territory, usage by third-parties. There are even bigger pitfalls around cloud-based and virtual deployments, around product changes and use rights, in relation to upgrades and in hardware and software transitioning, where both are running in parallel for a period of time.

If your contract clauses feel like they’re open to interpretation, then we have two pieces of advice.

First of all, seek independent help from experts with deep knowledge in the contracts issued by the vendor(s) that pose the greatest risk to your operations. They will advise you on each suppliers’ modus operandi, so you go into the process with your eyes wide open. Secondly, always assume the worst. Vendors use audits as a way to protect their revenue streams, so you can be sure they will try to extract as much value as they can.


Gather proof

To defend an audit, you will need to provide evidence that your license grant and usage matches the terms set our in your contract. If you can’t provide this information, it will be like a red rag to a bull to your supplier, as they will presume you are non-compliant.

Vendors will often ask you to deploy an approved reporting tool during the audit, so they can get the information they require first hand, but our advice is don’t wait for this – it’s too late in the process. Ensure you can proactively supply the data to satisfy the audit. This will help you stay in control of the situation, will provide constant reassurance that you are compliant, and will also give you rich intelligence about your usage, helping you mitigate risk, identify efficiency savings and optimize your estate.


Collaborate with other departments

A vendor audit is not – and should never be – the sole responsibility of the ITAM team. Prepare for audit with the help of other key stakeholders. These could be IT buyers or lines of business managers, who must understand the licensing implications of their purchasing decisions. Likewise, the working group should include C-Level, procurement, finance and legal personnel. It takes a team effort to navigate through an audit, and it is critical that all these stakeholders are aware of the process, and collectively understand what is required and the desired outcome.


Develop a mitigation plan

Publishers are likely to be kinder to non-compliant organizations if they have a mitigation plan in place that illustrates how they will return to a state of compliance. Set out how you intend to remove or redeploy software that’s in use, and how you will deal with services associated with people who have since left your company or changed roles.

Your mitigation plan should also set out your future usage plans. If the supplier can see you are committed to invest with them in their long-term, they may soften their stance.


Know your audit rights

Again, check your contracts to ascertain whether your vendor has the right to review your estate and to what extent. In other words, find out which products and divisions of your organization are included in the scope. Don’t presume they can audit everything. It’s also perfectly reasonable to ask to postpone, after all, you could be managing another audit, maintaining business as usual activities or working on key business critical initiatives. Overall, a project and resource plan will need to be put in place and agreed with the vendor before an audit commences, as audit activities will impact the business and the personnel involved.

Find out what information the publisher wants and ensure that, by providing it, you are not in breach of GDPR or any other regulations or security policies. Check also the terms of your NDA with the vendor to ensure it is fit for purpose. Some of their data requests may be unreasonable or not required.

Subject to compliance with all applicable regulations and security policies, the vendor may deploy a tool in order to collect information. The outputs or reporting produced by such tools will need to be thoroughly checked for accuracy before they are sent to the vendor. More importantly, they should be analyzed to ensure they only report back on deployments that are within the scope of the of the audit.

It is key that any risks areas are thoroughly understood and mutually agreed before signing off the audit report and before proceeding with commercial negotiations to resolve non-compliance. Furthermore, any future requirements should be taken into consideration, as these may leverage negotiations.

These are just some of the ways an organization can ensure that – when the inevitable audit happens – they are prepared, and that the whole process is as painless as possible. For more information about how to proactively prepare for an audit, please listen to our recent webinar.

About the Author

Author: Paul Stevens-Craig, Head of Audit Practice

Paul is our Head of Audit Practice and has worked closely with many of our clients and partners delivering strategic business outcomes. He leads our highly experienced and qualified consultancy team, creating a centre of excellence.

Paul provides customers with expertise and advisory services with reference to IT Asset Management and IT/Digital Transformation initiatives. Having worked in the IT Industry for over 25 years, he has had roles in senior management and software & license consultancy for companies such as Oracle, Hitachi Consulting and PricewaterhouseCoopers (PwC).

Since leaving Oracle in 2005, Paul primarily focused on complex vendors such as Oracle, SAP and IBM, providing advisory services such as process and contract management, licensing, optimisation and risk mitigation for many UK and Global companies, across different industries within the private and public sector.