Vendor audits are a fact of life and, if anything, the expectation for this year is that they will be increasing in frequency. As soon as someone in an organisation signs the 'EULA' (Enterprise Unlimited License Agreement) contract, opens the wrapping on a software box, breaks the seal on a disk, ticks the box confirming that T&Cs have been read or, in some cases, even just starts using the software, an implicit agreement to be audited at some point in the future has been made. Every software contract and/or terms and conditions page contains an audit clause.
According to a 2013 report published by KPMG, 90% of software vendors admitted that their compliance program is a source of revenue, with 10% using audits as a strategy to secure 10% of overall revenues. Over half of all vendors have confirmed audits help to secure 4% of their revenues and in about 59% of cases, vendor audit specialists are incentivised using sales commissions.
Since an audit typically cannot be avoided entirely, the question to consider is whether or not this is a bad thing. Users are nearly always alarmed at the prospect of being audited but in reality, vendor audits are not necessarily a negative occurrence. They can be used constructively, as an opportunity to potentially save money by getting a better understanding of actual usage and potential software overspend from excess licensing.
Imagine the scenario of a company that has seen rapid expansion over the last two years as a result of organic growth and M&A activities. In normal circumstances, keeping control over one organisation's license entitlement records, software purchases and software deployments, and generally ensuring people adhere to official SAM processes, is a full-time, complex task.
Now add in the complexity of having to integrate the newly acquired part of the business. Collecting license entitlements and transferring these across to the new entity, potentially without the support of a software asset management (SAM) tool to assist with software discovery and building a license repository, can make obtaining an accurate picture of whether or not the organisation is compliant difficult to achieve. This is typically where the 'troubles' start, and why using automated inventory technology to create a baseline of installed applications and then recording license entitlements within a single repository is essential.
The mere fact that an organisation has been acquired or been acquisitive will have placed it on a vendor's target list for an audit. Vendors know how to take advantage of 'low hanging fruit' and this is always a lucrative one. So rather than fret about the possibility of an audit, accept it is inevitable and use it as an opportunity to obtain an agreed entitlement baseline with a vendor. Ideally this should be done proactively, as part of an internal audit focusing on reconciling software usage against entitlement prior to the vendor's own assessment taking place.
Returning to the more positive aspects of vendor audits, they represent a way to test whether tools and processes are working efficiently. An organisation is rarely knowingly non-compliant, as that is illegal. However, the complexity of managing software licensing, procurement processes and license metrics contracts, whilst ensuring that day-to-day company operations are not affected, means that mistakes can and will happen.
The main benefit of approaching software auditing in a proactive and methodical way is the potential to make significant cost savings through having a more detailed understanding of precise utilisation requirements.
Just as an internal audit can highlight an under-licensing issue, it frequently highlights where an organisation is over-licensed or not taking advantage of the most cost-effective licensing schemes available to it. This is a surprisingly common scenario as risk-averse companies have traditionally opted for unlimited licensing agreements in the belief that it is better to 'play safe' because potential audit penalties will be greater. It's a bit like avoiding a customer satisfaction survey because the results won't be complimentary. Forewarned is forearmed, as they say.