While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
With software makers such as IBM promising customers a licensing compliance review at least once every two years, undergoing a software audit isn’t a question of if, but of when.
Robert Scott, managing partner of Scott & Scott, a Texas-based law firm specializing in software audits, says the risk of an audit is just as high for small and medium-sized enterprises as it is for large organizations.
When an audit letter arrives, the best defense is to be prepared. These tips can help IT managers ensure the audit process goes as smoothly and quickly as possible.
Whether the audit is conducted by a software publisher, a third-party agency or an association such as BSA | The Software Alliance or the Software & Information Industry Association (SIIA), most auditors seek the same information. They’ll ask where the software is deployed, how it’s configured, who’s using it and if they can see proof of purchase.
Establish a software asset management program and begin tracking this essential information now. Victoria Barber, a research director for Gartner’s IT Sourcing, Procurement and Asset Management Group, describes SAM in a 2015 report as “a framework and set of processes that allow organizations to strategically track and manage the financial, physical, licensing and contractual aspects of software assets throughout their lifecycle.”
Having detailed SAM information can stop an audit in its tracks, providing organizations with leverage for negotiating with an auditor and making them aware of licensing issues well before they’re subjected to an audit.
Keith Rupnik, director of education and IT for the International Association of Information Technology Asset Managers, points out that for smaller organizations, establishing a SAM program doesn’t have to be complex.
“It’s just record keeping — make certain that you have the appropriate documentation in the right places, be a bit methodical in how you install and uninstall software, and be aware of it,” he advises.
Rupnik recommends analyzing the data first to discover any instances of licensing shortfalls or overlicensing before sharing the records with an auditor.
Whether organizations hire an attorney or involve an in-house legal team, they’ll need legal advice before and during an audit. IT managers should enlist legal counsel to closely examine a licensing agreement with them to ensure they have a full understanding of their usage rights.
Legal counsel can also help negotiate the scope of an audit. For example, will the audit cover a particular program, location or users?
“You want the scope, you just don’t want to hand things over,” explains Scott.
In the same vein, Scott cautions organizations in an audit situation to guard data carefully and only share what is absolutely necessary.
“My experience tells me you should be very closely guarded in what you share and you should be skeptical about the publisher or the auditor’s intent, which transparently is to make money,” Scott says. “Just because they are acting nicely toward you doesn’t mean that are not going to use the information you provide to them against you.”
Rupnik agrees and advises against discussing relationships with resellers as well as past software and hardware purchases. “Think of it in the terms that you find in a court of law. Don’t say anything more than what has been asked of you.”
One mistake many organizations make at the end of an audit is failing to negotiate and make a counteroffer. But this one step could save a lot of money. Rupnik shares the example of an organization that was audited and found to owe $500,000. Through negotiations and supporting evidence in the form of proper documentation, the organization was able to decrease the penalty to $4,000.
The key here is to understand that an auditor may interpret data differently. That doesn’t mean IT managers can’t negotiate and make a counteroffer, especially if they have an IT asset management program in place and keep good records.
“An audit is a pain, it’s counterproductive and it doesn’t add anything to your top line but it can certainly hammer your bottom line,” says Rupnik. Start preparing now to save pain later when an auditor comes knocking.