Don’t have time to read the whole article? Download Jeremy’s Quick & Dirty Software License Audit Checklist here.
But First, Let's Talk About Software
Before you start perusing the software license audit checklist below, we need to talk about software for a minute.
We all know that software is duplicatable and easily abused, and this fact frequently leads to disruptions and costly license penalties when it’s time for an audit. If you’re an IT director, ITAM team lead, or SAM manager, it’s your job to maximize the assets your company has purchased by always being on top of what’s being used in your computing environment.
Sounds easy, right? It’s not. But it’s doable. An essential tool I use with teams is what I call The Quick And Dirty Software License Audit Checklist. (Read it below or download it free by clicking here.)
The Quick and Dirty Software License Audit Checklist
As soon as you receive an audit notice, especially if you weren’t expecting it, you need to determine if it is an actual audit. You need to pull out your EA and find the date that your official audit should occur each year – and how many days in advance the publisher is obligated to notify you about it.
While every organization is required to participate in annual audits, when a notification comes out of the blue, it may not be an actual audit.
Once you have your EA in front of you, if you discover that the timing of the “audit” you’ve been notified about is not what was agreed to in your EA, your next step is to reach out to your VAR (Value-Add Reseller). Your VAR is obligated to communicate with the publisher on your behalf and push back if necessary.
Step 2: Work With IT, Finance, & Legal To Unearth “Gotchas”
Suppose you’ve determined that the notification is legit and you, indeed, are due for an audit. In that case, it’s time to loop in IT, Finance, and Legal to gather the documents you need to put together your audit defense strategy.
You have an End User License Agreement (EULA) for each publisher. The EULA contains the definitions and descriptions around how their software in your environment is licensed, how that usage is measured, and how it’s supposed to be used by your organization. And the EULA documents will tell you whether or not your Asset Managed Data Repository (MDR) is calculating your license position correctly.
This information is useful in two ways – first, it tells you whether you really have a problem and if you can expect to face a penalty cost. Second, it tells you how the software auditor is supposed to calculate the license position. So, if they come up with an answer you weren’t expecting, you can push back and ask them why.
Finance holds the underpinning documents and all purchase records in most organizations, and Legal holds the contracts. Finance tells you what you bought, and Legal tells you what you have a right to.
To avoid unexpected “gotchas,” you must answer these three questions:
- Is there a control issue? Is the software supposed to be used at one particular location, by one group of users, or by one specifically-named user?
- Is there a pass-through issue? Was the software purchased directly, or did it come in as part of another software package? If it came in as part of another software package, it’s a gotcha because you don’t have a license, as far as the publisher is concerned.
- Is there a missed-benefit issue? The Right-Of-Second-Use is a poorly understood but often missed opportunity to cut back your license counts. Some publishers will discount license costs based upon the type of CPU running their software. DEV and TEST environments sometimes, but not always, can be excluded from installation calculations.
The answers to the above are in your supporting documents – but you gotta get ’em and read ’em!
OK, now you’re ready for the next step in the Quick & Dirty Software License Audit Checklist:
Step 3: Control The Narrative
You’ve probably heard the adage, “Loose Lips Sink Ships.” In the software license world, nothing could be more accurate.
Software publishers and their auditors will try to get as much information out of your teammates as possible and use it against you. The minute you get the audit notification, get the word out to the rest of the group and let them know that if they receive a call or an email, only one person should talk to the publisher, the auditors, or their representatives – and that’s someone from the ITAM team.
Controlling the narrative reduces the risk of mistakes, unintended consequences, or assumptions that will cause more headaches and more penalties down the line.
And this is very important: get (in writing!) the exact scope of the audit and what information you are required to provide. Don’t let the auditor turn an initial data request into a fishing expedition – you don’t want them to start looking for C, D, and E when they say they want to look at A, B, and C.
Step 4: Don’t Be Afraid To Call In An Expert
While my quick and dirty software license audit checklist is helpful, remember that software publishers bring in third-party software auditors to help them conduct their investigations, and you have every right to do the same. A software audit can cost your organization millions of dollars in unbudgeted expenditures, and you need to put everything available to you into your audit defense strategy.
An ITAM coach (may I suggest yours truly?) will speed up the time it takes to get your ITAM program on its feet and make progress. An ITAM coach can also impart best-practice knowledge and experience to your existing team members, making them more valuable corporate resources after the coach’s work is done.
Finally, an ITAM coach can provide much-needed suggestions and advice during the audit and give you a software license audit defense strategy you can depend upon to help avoid costly mistakes.
Although Step Zero is at the end, it is the most critical step on this quick and dirty software license audit checklist. The best audit defense strategy starts before you receive an audit notification. You need a playbook that lays out who’s involved, who needs to be notified, and what steps to take. You need to ensure your software is properly licensed when you install it, and that your Asset MDR is giving you accurate reports.
You can’t build a good defense on the fly, so don’t wait until you need to rely on the data to know whether the data is trustworthy and accurate.
Like this Quick & Dirty Software License Audit Checklist? Feel free to subscribe to my blog, and I’ll periodically send you more helpful content – and case studies, too – to your inbox.