11MARCH 2012
Software License Compliance Audits – Processes For Organizations And Auditors Revealed
Written by Phara E. McLachlan

ITAK V7 I5

Vendor audits are on the rise and the future outlook is that they will continue to increase, especially as vendors realize that the return on investment in a customer compliance program brings back an average ten dollars for every dollar spent.  More focus will be placed on compliance from both the vendor and the end-user perspectives.

We’ve already seen an increase in government compliance regulation in the form of the Sarbanes-Oxley Act (SOX), the Graham-Leach-Bliley Act (GLBA), and the Health Information Portability and Accountability Act (HIPAA), all of which have some level of IT governance written into them.

So, with the increase in compliance activity that is going on in the business world, is there anything that you can do to avoid a license compliance event in the future?  Not really, short of not buying software to help run your business, but who can afford to do that?  Vendor compliance audits are fast becoming inevitable for mid- to large-sized companies.  A recent straw poll conducted by an IT asset management web site indicated that 78% of companies who responded had experienced a vendor audit within the last year (Poll was taken in July 2010), with 2.5 audits being the respondents average.  Some observations of the pollster are that for the vast majority of organizations, the question is not if you get audited, but how many times and that larger organizations get audited more often.

Reducing Impact

You may not be able to avoid a software license compliance audit, but you can start now to reduce the impact that an audit may have on your organization by implementing some best practices for software asset management (SAM). These practices can reduce some of the red flags that non-compliant companies reveal to those vendors who audit.

Software Asset Management Best Practices:

  1. Established policies and processes for how software is used, distributed and managed within the enterprise.
  2. A software discovery method/tool for determining what is installed and/or being used throughout the enterprise.
  3. A repository for storing software license data (contracts, purchase records, etc.).
  4. A periodically scheduled self-audit process rooted in the same methodologies used by vendor auditors that allow you to address any over and under licensing.The added benefit to this is cost control.
  5. Centralized procurement processes to eliminate the many ways that software (and other assets) can be over or under purchased.
  6. A goal to negotiate better software license agreements, rather than accepting the stock “boilerplate” contract that a vendor will offer.

License Compliance Red Flags:

  1. “If something smells fishy, it probably is.” The “smell test” concept is a universal concept that applies to license compliance.If something does not seem right to an account manager with a customer, it probably isn’t and should be looked into.
  2. Conflicting/Correcting statements such as “Last week I told you I thought we were using 500 licenses, but I found out that we are using only 350.”Why the difference?  What changed?  What method did you use to arrive at that count?  These are questions you should be prepared to answer if you make conflicting statements to a vendor account manager.
  3. Most end-users want the increased functionality that comes with using the most recent version of a software product.Unwillingness to upgrade to a more current version may come across as suspicious, as a validation of licenses in use usually accompanies an upgrade or purchase of upgrade licenses.
  4. There may be a perception among end-users that they can overcome a shortfall in licenses by changing the licensing model under which they are purchasing and may request to explore other licensing models.Most publishers will automatically desire an audit in this situation, as they have set metrics for determining the exchange of licenses from one model to another and will need to determine what is currently in use to accomplish this.
  5. Shifts upward in the employee base, with no accompanying purchase order are another red flag.The acquisition or merger of two companies often becomes public knowledge, as does any company growth.  Most companies like to toot their horn with this positive news and a good account manager will be on top of changes to their client base like this.  Usually, more employees translate to more licenses being required to use the software and the vendor will be expecting a dialogue to address this.

In the end, the more a vendor account manager knows about and is involved with your efforts to manage your software licenses, the better off you are. The idea behind this is that the more a software vendor knows about your internal compliance initiatives, the less likely they will be to initiate an unexpected audit of your contract, as the expense will be perceived as unnecessary!

By implementing these changes and addressing these issues, you can be much better prepared for the inevitable vendor audit.

Steps after the Letter Arrives

Once you’ve received the audit notification letter, the following steps should be taken to disseminate, cooperate, aggregate and mitigate for this and future audits:

  1. Disseminate – There are certain internal organizational entities that must be notified when a software audit is imminent, so as to give them time to prepare for it and assign a person to be a part of the audit response team.
  1. Legal – Whether it is internal or external, your legal department should be notified and given a copy of the audit notification letter. They are in the best position to counsel on what legal steps there may be to lessen the impact of the audit process.  Hopefully, they have experience in software licensing and can add that experience to the process.
  2. IT Management – IT management that is not aware of the audit, but ought to be notified may include senior management up to the CIO level. Systems and/or Network administrators may need to be notified if their systems will be impacted by the audit process.
  3. Senior Management – Depending on our corporate culture and how involved senior management wants to be, you may need to notify even the CEO of an upcoming audit.
  4. Purchasing – Both internal procurement staff and external software fulfillment agents need to be notified so that they can provide the relevant purchase data for proof of license ownership. The vendor will bring their own purchase data, but do not count on their data to be accurate.  It is quite possible that you may show information in your files that adds to what they will bring, as fulfillment agents do not always pass on the purchase information back to the vendor in a timely manner.
  1. Cooperate – Being cooperative throughout the audit process will make the process go more smoothly and have less impact on your time and business. Of course, that does not mean you should agree to everything the auditors ask of you, but you should weigh carefully your responses to reasonable requests and avoid an escalation of rhetoric based on an emotional response.  The auditors have a process to follow that may be flexible and it may not, depending on the vendor.  It’s more or less the same process they use for all of their customers.  Working cooperatively with them to accomplish the scope of their audit eliminates the red flag that is being thrown when unreasonable responses are the result of reasonable requests.
  1. Schedule audit date – There may be a requested audit date or range of dates in the notification letter, but these are still usually negotiable. Find a date that works best for you and offer it, or a range of alternatives, as a counter-proposal to the auditors.  At times, on-site audits are scheduled in the same geographic area to reduce travel costs and maximize the usage of time by the auditors and there may be less flexibility in a situation like that, so be prepared for this type of response to your counter-proposal.
  2. Be responsive to inquiries – Giving the same courtesy of a quick response to inquiries by the auditors that you would give to any of your customers can go a long way to building that level of trust you want during the audit process.
  3. Ask lots of questions – Knowing what is in store for you throughout the audit process helps to ease your own mind and can help to set up your expectations of what the final result will be of the audit. The auditors should provide some information about their process and scope, but be prepared to ask lots of questions to fill in any gaps you may feel are there.
  1. Aggregate – Having at hand all of the relevant information to prove your case is essential to your audit preparation activities.
  2. Collect purchase records – As mentioned, your purchase history is absolutely essential to proving what you’ve purchased and are entitled to use.
  3. Collect proofs of purchase – Any proofs of purchase you have (Certificates of Authenticity, purchase invoices, license certificates, etc.) need to be gathered in case they are asked for.
  4. Contract/software license agreement – Obtaining a copy of your contract and/or software license agreement puts you on even ground with the auditors, as the audit scope is always determined by the contract you have with the vendor. The contract is the audit baseline.
  1. Mitigate – Reducing the impact of the audit on your business operations as much as possible, as well as reducing the risk that future audits are going to negatively impact your business is the goal of mitigation.
  1. Self-audit – Conduct a self-audit to give yourself a heads up on what may be an approximate outcome of the audit. Self-auditing should also be an integral part of any license management program and will do much to maintain compliance on a go-forward basis.
  1. Audit Response Team – Assign an audit response team and a point of contact for the audit process. This person is responsible to acquire what the auditors need, for all communication, and to liaise between various parties within the company.
  1. Frontloading – Reduce the audit’s impact on your business through frontloading the audit process. This means that you do as much as possible before the auditors actually arrive on-site.  For instance, if there are documents to be provided, send them to the auditors and if there is data to be collected, collect it and send it to the auditors for processing.  Don’t wait until they arrive.  Through frontloading, your “opening meeting” could actually turn into a “closing meeting” because all of the work was done before the auditors arrived.

A Special Look at the Vendor/Auditor License Compliance Review Process

The License Compliance Review process of vendors and auditors is broken out into 5 phases. Due to the flexible nature of the review process, not all reviews will go through all phases and may actually skip certain phases. All reviews begin with the Identification/Investigation Phase. The potential review candidates then go through the Internal Notification Phase. The approved review candidates then go through the Customer Notification Phase. During the Customer Notification Phase, some audits may be dropped, while most others will transition either to the Audit Phase (an actual audit – either a self audit or an audit conducted by an independent auditor) or jump directly to the Settlement Phase. Each of these phases is described below in more detail.

Phase 1: Identification/Investigation

The Director of License Management will review all non-compliance leads and assign those leads to be actively investigated based on available resources and the nature of the leads. Once an Audit Manager is assigned a customer compliance target to investigate, a case file is created and the investigation begins.

Using internal resources and external information, the Audit Manager compiles the information required to complete the Customer Review Packet. The packet contains four main analysis documents:

  1. Target Analysis Form – With three main sections that include purchase data, subjective indicators around asset management practices, and other external factors that may be known.
  2. Account Manager Questionnaire – Used to document issues from the perspective of the customer’s Account Manager.
  3. Purchase Reconciliation Form – Used to summarize all internal customer purchase data that must be obtained from the Account Manager.
  4. Contract Summary Form – Used to identify potential compliance issues that are specific to that customer contract. It is to include any amendments to the standard contract.

Once the information is complete, the Audit Manager makes an audit recommendation to the Director of License Management. In most cases, identified compliance issues must exist in the analysis when an audit is recommended. Submitting this recommendation (via e-mail) as part of the completed Target Analysis Form in the Customer Review Packet is the final task of the Identification/Investigation Phase. Typically, this phase should take no more than 2 weeks to complete.

Phase 2: Internal Notification

The Target Analysis Form is reviewed for completeness by the Director of License Management. An internal e-mail signifying the intent to audit this targeted customer is sent to the Sales Management team for the customer account, as well as other company executives, e.g., the VP of Business Operations, the EVP of WW Field Operations, the General Counsel, and the CFO. Provided no unexpected issues arise, the audit recommendation is approved. This portion of the Internal Notification phase takes approximately 2-4 days.

For those audit candidates where the recommendation is NOT to continue with an immediate audit, the target analysis is filed. The complete Customer Review Packet is stored in the Compliance Group department files. If a deferred audit is recommended, it is the Audit Manager’s responsibility to set up a calendar reminder.

For those candidates where the recommendation is to proceed with an audit and the decision is made to engage an independent auditor, the Director of License Management must first contact the independent auditor to obtain in writing that there are no potential conflicts of interest between the candidate and the auditing firm. If any arise, the Director of License Management contacts an alternate auditing firm. Once a potential auditing firm has been identified and cleared of any conflict of interest, the Internal Notification Phase is complete. Only in cases where there are conflicts of interest will this portion of the process take more than 1 week.

Once an audit has been approved, the Audit Manager is responsible to notify each regional sales VP and the VP finance. This notification should include the customer name and type of audit, and should be done via e-mail.

Phase 3: Customer Notification

The Audit Manager begins this phase by completing the Customer Notification Letter. This includes working with the sales team to identify the appropriate customer contact if this information is not already included in the Customer Review Packet. If the sales team does not have an appropriate contact, then contact information is pulled from Hoovers. In many cases it may take multiple customer contacts before the appropriate contact is identified which may delay the timing of the actual customer notification. The Audit Manager will contact the customer via telephone to inform them of the desired audit and to expect the written notification. The notification letter, on official letterhead, is then e-mailed to the customer. If the customer has not responded within a week, the Audit Manager follows up the e-mail notification with telephone contacts.

Based on the customer response, the Audit Manager may just clarify the notification contents and proceed to an onsite audit. Typically there is an escalation process that requires the License Management Services (LMS) management team to become involved in the notification. At this stage, the customer may agree to an audit, or propose either a self audit or a settlement offer. This first round of customer notification escalation should take no more than 1-2 weeks.

If an audit date is not agreed to within the initial 1-2 week notification period, the case will be escalated to the Director of License Management, who sends out an internal notification email to the VP of Business Operations, the General Counsel, and the EVP of WW Field Operations. Additional customer meetings are held and within the following 1-2 weeks, another determination is made as to how to proceed: audit, self audit, settlement or drop the case. (At this stage, a self audit is rarely a preferred option due to the customer’s resistance and the low likelihood of an accurate outcome.)

In those cases where little progress is made towards reaching an audit agreement, the LMS management may elect to terminate the audit process. As with all audit terminations, all customer correspondence and background information is filed in the case file. The Director of License Management sends out an internal notification email to the VP of Business Operations, the General Counsel, and the Sales Management team for the customer account.

Phase 4: Audit

The Audit Phase can take one of two forms: an on-site audit or a customer self-audit. Either format has the same goal – to collect enough data regarding what product is installed and how it is managed to enable the software company to make an informed decision as to the extent to which the customer may or may not be in compliance with their license agreement. Both versions follow the same high level approach, and both may take up to 6-10 weeks to complete. The key difference is in who performs certain audit tasks.

On-site Audit – Once the customer has agreed to the audit, the Audit Manager or the independent auditing firm may proceed with the review.  The auditor then contacts the customer to schedule an opening meeting to introduce the team and review process, establish review objectives and scope, and review the customer’s contractual responsibilities.  This should take no more than 2-3 weeks to accomplish.  On a high level, the objectives of each review will include:

  1. Educating the customer on their obligations and responsibilities under the contract.This will include highlighting those issues that have been identified in the Customer Review Packet and addressing specific licensing questions posed by the customer.
  2. Reviewing the customer’s SAM procedures and providing recommendations when needed.
  3. Obtaining and analyzing the customer’s purchase and license usage data.

The scope of the review is verified with the customer and all parent and subsidiary companies under the contract (that are within scope) are documented with how they relate to the IT environment being tested.

The process for determining the customer’s license usage has two main parts – gathering customer technical data and reconciling the customer’s purchases:

  1. Collect information about the customer’s IT environment and how the software company’s products are deployed within it.
  2. Obtain certification on the completeness of the IT environment being tested as documented from the IT Director or above.
  3. Review the customer’s Software Policy (if applicable) and, if not applicable, emphasize the relevance of having one.
  4. If the customer utilizes a third-party SAM application within their IT environment, review the results of any reporting they can provide.This can provide an additional benchmark for the customer’s license usage.  Unless the customer’s results can be validated completely, continue with the established routine process.
  5. Review discovery tool and its functions with the customer.Have them run the tool and retrieve the data, providing you with the data in an acceptable format and through an acceptable medium.
  6. Analyze data and review with customer, asking appropriate questions that will assist both parties in coming to an acceptable count of product licenses currently being used/deployed.
  7. Meet with the customer purchasing representative and have them provide you with all purchasing data they have that falls within the scope of the review.
  8. Reconcile the software company’s purchase data with what the customer provided, noting variances and reasons.
  9. Input both the technical data and the purchasing data into a findings sheet that compares the customer’s usage with their purchases and identifies any variances.

The customer review will end with a closing meeting where all relevant participants in the review are required attendees. The review facts and findings will be presented and the customer will sign off on the findings sheet that the findings are accurate and they are in agreement. If the findings indicate the customer must make a purchase, then the customer will also agree to make the purchase. This may also complete the settlement phase of the audit process.

The software company will monitor incoming orders to verify the receipt of any required purchase order as per the review findings.

Within 2-3 days following the audit, the independent auditor provides verbal preliminary feedback to the Audit Manager.  The actual written Audit Report is sent to the Audit Manager within 10 days from the end of the audit.

The Audit Report is reviewed by the LMS management team to determine if the audit is complete and if the customer appears to be compliant.  This review can take 2-3 days.  The next step depends on the customer:

  • If the customer appears compliant, then the audit is closed.The Audit Manager files all case documentation: the Customer Review Packet, the Customer Notification Letter, the Audit Report, and any other customer correspondence, including all copies of purchase data.   The Director of License Management sends an internal notification email to the VP of Business Operations, the General Counsel, the EVP of WW Field Operations, and the Sales Management team for the customer account detailing the results of the audit.
  • If the customer appears to NOT be compliant, then the audit proceeds to the settlement phase.

If needed, further review may be determined to be necessary at the discretion of the LMS management team.  At some point, the audit will be determined to be complete, or as complete as it ever will be and a decision will be made to proceed to the settlement phase or to close the audit.

Customer Self-Audit – Once a self-audit has been agreed to by both parties, the customer must identify an employee to act as the Customer’s Audit Coordinator.  The Audit Manager schedules the audit and e-mails a Self Audit Package to the Customer’s Audit Coordinator.  An opening meeting is scheduled with the Customer’s Audit Coordinator to review the process, establish the review objectives and scope, review the customer’s contractual responsibilities and answer any customer questions about the Self Audit Package.   The customer then agrees to a timeframe to complete the gathering and analysis of data to conclude the review.  This portion of the Self Audit process may take between 2-4 weeks, depending upon the knowledge and expertise of the Customer’s Audit Coordinator, the overall level of cooperation and the institutional knowledge of their company’s compliance practices.

The actual Self Audit then takes place.  The Customer Audit Coordinator completes the relevant portions of the Self Audit Package and e-mails it back to the Audit Manager for review.

The Self Audit Package is first reviewed by the Audit Manager to determine if the Self Audit is complete.  If it is, then it is evaluated to determine if the customer appears to be compliant.  These should take 2-3 days.  The next step depends on the customer:

  • If the audit is complete AND the customer appears compliant, then the audit is closed.The Audit Manager files all case documentation: the Target Analysis Form, the Customer Notification Letter, the Work Plan, the Self Audit Package, and any other customer correspondence.   The Senior Director of Anti-Piracy sends the internal notification email is to the VP of Business Operations, the General Counsel, the EVP of WW Field Operations, and the Sales Management team for the customer account.
  • If the audit is complete AND the customer appears to NOT be compliant, then the audit proceeds to the settlement phase.
  • If the audit is NOT complete, then a follow-on Self Audit must take place.

Before a follow-on Self Audit takes place, the Director of License Management sends out an internal notification email to the VP of Business Operations, the General Counsel, the EVP of WW Field Operations, and the Sales Management team for the customer account.

The Audit Manager then contacts the Customer’s Audit Coordinator to explain the necessity for a follow-on Self Audit.  This should take no more than 2 weeks to set up.

The follow-on Self Audit may take between 1-3 days, depending on the nature of the additional information being collected.  The Customer Audit Coordinator obtains the additional information to complete the Self Audit Package and e-mails it back to the Audit Manager.

The Self Audit Package is again reviewed by the Audit Manager to determine if the audit is complete.  If it is, then it is evaluated to determine if the customer appears to be compliant.  This review should take 1-2 days.   If the follow-on Self Audit is still not complete, additional self audits are not undertaken.   Instead, if additional information is still needed, a full onsite audit is performed.

Phase 5: Settlement

Using the information collected during the audit, the Audit Manager creates/reviews the Customer Review Findings Sheet.  The findings sheet covers any costs/fees to be paid, specifies the quantities of software licenses the customer will own, and compares what they own to what they are using, noting any license variances that they will need to purchase.  All findings are then finalized and sent for LMS management team approval.   This should take 1-3 days.

The findings are reviewed and approved by the Director of License Management and then sent to the VP of Business Operations and the Sales Management team for the customer account for their review.  Any issues are resolved and the final proposal is ready to be presented to the customer within 5 days.

The Audit Manager presents the Customer Review Findings Sheet to the customer.  If the customer does not accept the terms within a week, the settlement is escalated to the Director of License Management.   If the settlement is still not resolved after an additional 2-3 weeks, it is then escalated to the General Counsel, the VP of Business Operations and the EVP of WW Field Operations.  If no settlement is reached after an additional 1-2 weeks, a decision must be made on whether to proceed with litigation or to drop the case.

Throughout the settlement process, once the customer has signed and sent back the original Customer Review Findings Sheet, which is legally binding, the audit will be considered closed.  The originals are filed in the case file, and the software company will monitor incoming orders to verify the receipt of any required purchase order as per the review findings.  Any corresponding Purchase Orders or settlement payments are booked and should be received within 4 weeks.  All correspondence and audit materials are filed in the case file and the Director of License Management sends out an internal notification email to the VP of Business Operations, the General Counsel, the EVP of WW Field Operations, and the Sales Management team for the customer account, notifying them of the completion of the audit process.

Frequently Asked Questions

What is the License Management Services Program?  The purpose of the License Management Services (LMS) program is to assist customers in obtaining the goal of legal licensing throughout their enterprise IT environment.  While we are concerned about contract compliance, this will be an educational process that will provide customers with the ability to assess themselves on an ongoing basis and provide them a methodology for maintaining contract compliance going forward.  Customers will also establish a baseline for license ownership and usage that will allow them to look back to that point to know what products are owned and deployed in their environment.

The LMS Program is a global program that encompasses all Enterprise and Master License customers.

Who will perform the work?  The review will be conducted by members of the LMS team of Business Objects.  It is possible that involvement by a third-party organization will be utilized for on-site work, but the review would still be overseen by internal team members.

Who will be involved from my organization?  Because of the many components of most enterprise customers’ IT environments, and the breadth of any compliance review, involvement in the review may require input from any of the following: CIO, IT director(s), Business Unit IT Managers, Network/Systems Administrators, Purchasing Manager, Contract Administrator, and employee users of products.

What will be reviewed?  The LMS team will seek to determine your compliance with the terms of your contract and to understand your internal controls over software asset management (SAM) as it relates to the purchase/usage of software.  For a more detailed overview of the process, please refer to the above process narrative.

How long does a typical review take?  Since all organizations are different, the amount of time a review will take depends on many things.  The size of the organization; the complexity of their IT environment and the deployment within that environment; the availability and cooperation level of key players; the on-site versus remote approach; these all play into the length of the review.

Most on-site reviews will not take more than 5 business days to complete, but may last longer or even significantly shorter.  The length a remote review can take is difficult to determine, due to variances in time between correspondences.

It should also be noted, that from the time of notification to the customer until the final closure of the review, the process may take from 6-10 weeks.

What can I do to prepare once I’m notified of an upcoming review?  You can prepare by collecting as much information as possible prior to the review, including purchasing data, usage data, IT environment information, etc.

You can also contact the software company or the independent auditor when you have questions, so as to mitigate as many issues as possible prior to the review.

What if I am not legally licensed?  Are there penalties for non-compliance?  The contract states:

Section 9.8:  If, as a result of Licensor’s audit, it is determined that Licensee owes Licensor additional fees, then Licensee shall bear the reasonable cost of Licensor’s audit and pay all past-due fees in accordance with the terms of this Agreement.

If the review shows that you are not in compliance with your contract, the software company asks that you purchase the required number of licenses shown as the variance on the findings sheet and all associated Maintenance fees back to the last co-term date or a reasonable alternative date.

What benefits can my organization receive from a compliance review?  The License Compliance Program is designed to be an educational experience for the customer.  The review process can provide a forum where product licensing questions can be addressed and SAM principles and best practices will be reviewed.  It can also provide an alternative feedback channel for the customer.

Because of this process, you will have better insight into your usage of software assets.  In today’s Sarbanes-Oxley environment, this kind of information and the internal controls around it can be immensely beneficial.  The process will also help IT management establish a pattern of software legitimacy within the organization as a whole.

How can I know that results of the review are accurate?  The compliance review process is designed to engage the customer in all aspects.  From the outset, the customer is an integral part of the review process.  All aspects of the review will involve someone from the customer’s organization and be as transparent as possible.  All license usage data will be drawn directly from the customer’s IT environment as well.

At the conclusion of the review, the customer will recognize the accuracy of the results because they will see how those results were arrived at, having been engaged throughout the entire process.

How will results be communicated?  During the closing meeting, the final results of the review will be presented to and discussed with the customer.

The results would be sent to the customer prior to the closing conference call of a remotely conducted review or self audit.

Contributed by:

Phara E. McLachlan

Chief Executive Officer

Phara is the Chief Executive Officer of Animus Solutions, has over 20 years of strategy and operations, technology and consulting experience in Americas, Asia and Europe. Phara founded Animus with a passion for assisting organizations reduce costs and manage risks while enhancing revenues and growth by optimizing their people, technology and business operations.

Phara specializes in IT and software asset management, organization and change, process improvement, customer and user experience.

More recently, Phara and her talented team have been advising clients with virtualization, customer experience strategies, and working with clients on managing and maintaining compliance on their IT and software assets.