A very large organization (over 35,000 employees) is undergoing rapid expansion due to numerous mergers and acquisitions. They were using a command and control tool to manage Active Directory that lets them automate the creation of user objects and computer objects, including attributes such as usernames and passwords.
This organization uses the tool at scale in order to keep up with the pace of employees being hired, promoted, changing roles, and retiring. Aware that they would likely go out of compliance before their next audit, they had come up with a creative solution – each year, they bought enough licenses to true-up and then added 10%.
The Problem
466% – wha???
This strategy worked well until the publisher was bought by a private equity firm and became one of the most aggressive auditors in the field. In this case, an auditor showed up unexpectedly, asked for reports from the command and control system, and came back with a true-up number that was 466% more than the organization anticipated. That kind of budget shock would force the organization to lay off employees.
Why was there such a vast difference between what the organization had budgeted for and the number the auditor gave them? There are three reasons:
- The publisher’s license agreement cites a California law that allows them to claw back upwards of 5% of missed payments. The logic behind this is if the revenue had been invested, it could have earned at least 5%. It’s called the missed investment opportunity cost, and it compounds month-over-month.
- The auditor insisted on going all the way back to the beginning of the contract, which was three years before, and wanted to charge retroactively – 36 months of compound interest at 5%.
- On top of the licensing cost, the auditor also wanted to charge maintenance and support for each license, all the way back to the beginning of the contract.
The Solution
The devil (& the angel) is in the details.
We obtained the reporting scripts the auditor used to scan the corporate environment. Immediately we noticed that the date-created and date-retired details for user and computer accounts had not been captured. This meant that every user and computer object retired during the previous three years still appeared on the auditor's report. The result was an inflated count of licenses supposedly in active use by the organization.
Secondly, the auditor did not notice language in the agreement that guaranteed the organization would receive free maintenance and support for each new license purchased for a year. Because the publisher is giving away free maintenance, they are not missing revenue as defined by the California law.
Lastly, we created a timeline that graphically showed how many AD accounts were created and retired throughout the three-year agreement. It showed that the 10% growth estimate was accurate enough that the organization was not nearly as far out of compliance as the auditor claimed.
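The two reporting defects above (no created/retired dates, so every object ever seen is counted) and the created-versus-retired timeline can be reproduced with a few lines of analysis code. The following is an added example, not the auditor's script or the organization's tooling: it parses a constructed CSV export of AD accounts (real AD exposes whenCreated, but a retirement date is not a standard attribute, so it is assumed here to come from the provisioning tool's own records), contrasts the naive "count everything" total with the number of objects actually active on the audit date, and builds the per-year timeline.

```python
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO
from typing import Dict, List, Optional

# Constructed sample export: name,created,retired (empty retired = still active).
# The dates below are made up to illustrate a three-year contract window.
SAMPLE_EXPORT = """name,created,retired
u0001,2018-06-01,
u0002,2019-03-15,2020-02-01
u0003,2019-09-01,
ws0001,2020-01-10,2021-06-30
u0004,2020-11-05,
u0005,2021-04-01,2021-10-01
ws0002,2021-08-20,
"""

CONTRACT_START = date(2019, 1, 1)   # assumed start of the three-year agreement
AUDIT_DATE = date(2021, 12, 31)     # assumed date the auditor ran the report


@dataclass
class AdAccount:
    name: str
    created: date
    retired: Optional[date]  # None means the object is still active


def parse_export(text: str) -> List[AdAccount]:
    """Parse the CSV export into account records; an empty 'retired' cell means active."""
    accounts = []
    for row in csv.DictReader(StringIO(text)):
        retired = date.fromisoformat(row["retired"]) if row["retired"] else None
        accounts.append(AdAccount(row["name"], date.fromisoformat(row["created"]), retired))
    return accounts


def naive_count(accounts: List[AdAccount]) -> int:
    """What a script that ignores lifecycle dates effectively reports: every object ever seen."""
    return len(accounts)


def active_on(accounts: List[AdAccount], as_of: date) -> int:
    """Objects that existed on 'as_of' and had not yet been retired: the licensable count."""
    return sum(
        1 for a in accounts
        if a.created <= as_of and (a.retired is None or a.retired > as_of)
    )


def overstatement_pct(accounts: List[AdAccount], as_of: date) -> float:
    """How far the naive count overstates the active count, as a percentage."""
    active = active_on(accounts, as_of)
    return (naive_count(accounts) - active) / active * 100


def yearly_timeline(accounts: List[AdAccount], start: date, end: date) -> Dict[int, Dict[str, int]]:
    """Per calendar year: objects created, objects retired, and active count at year end."""
    timeline = {}
    for year in range(start.year, end.year + 1):
        y_start, y_end = date(year, 1, 1), date(year, 12, 31)
        timeline[year] = {
            "created": sum(1 for a in accounts if y_start <= a.created <= y_end),
            "retired": sum(1 for a in accounts if a.retired and y_start <= a.retired <= y_end),
            "active_at_year_end": active_on(accounts, y_end),
        }
    return timeline


ACCOUNTS = parse_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    print("naive count :", naive_count(ACCOUNTS))
    print("active count:", active_on(ACCOUNTS, AUDIT_DATE))
    print("overstated by %.1f%%" % overstatement_pct(ACCOUNTS, AUDIT_DATE))
    for year, row in yearly_timeline(ACCOUNTS, CONTRACT_START, AUDIT_DATE).items():
        print(year, row)
```

On the constructed data the naive count is 7 while only 4 objects are active on the audit date, a 75% overstatement; the same gap, at the scale of tens of thousands of accounts over three years, is what produces a wildly inflated true-up. The point for a reviewer of any audit script is that a license count is only meaningful at a point in time, so the query must carry both the creation and the retirement date of every object.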
After much Sturm und Drang, the publisher finally admitted their calculations were wrong, and the organization was not out of compliance by $850K. A new agreement was drafted, specifically limiting audits to once a year. In turn, the organization upped its license purchasing from 10% to 30% per year. And, they still get a year of free maintenance and support with each new license.
This is an example of how a good ITAM program can push back against predatory license audits: take the time to carefully examine every report the auditors use to calculate penalties, and be thoroughly conversant with the language in your contracts.
Thanks to the Pragmatic ITAM Method, the organization avoided an $850K penalty and didn’t have to lay off even one employee.