The Quick & Dirty Software License Audit Checklist
There’s a good chance you landed here because you just received a notice that your company has been selected for a software license audit. If you’re like most IT directors and SAM/ITAM leads, you don’t have a playbook already in place to rely on to launch a successful audit defense strategy. Don’t panic! As an ITAM consultant and coach who saves companies millions of dollars in unnecessary penalties each year, I’m going to share a software license audit checklist that can save you time, money – and your mental health.
But First, Let's Talk About Software
Before you start perusing the software license audit checklist below, we need to talk about software for a minute.
We all know that software is duplicatable and easily abused. This fact frequently leads to disruptions and costly license penalties when it’s time for an audit. If you’re an IT director, ITAM team lead, or SAM manager, it’s your job to maximize the assets your company has purchased by always being on top of what’s being used in your computing environment.
Sounds easy, right? It’s not. But it’s doable. An essential tool I use with teams is what I call The Quick And Dirty Software License Audit Checklist.
The Quick and Dirty Software License Audit Checklist
Step 1: First, Establish If It Really Is An Audit
As soon as you receive an audit notice, especially if you weren’t expecting it, you need to determine if it is an actual audit. First, pull out your EA and look for the date your official audit is supposed to occur each year – and how many days in advance the publisher is obligated to notify you about it.
Every organization is required to participate in annual audits, but when a notification comes out of the blue, it may not be an actual audit.
Step 2: Work With IT, Finance, & Legal To Unearth “Gotchas”
You have an End User License Agreement (EULA) for each publisher. The EULA contains the definitions and descriptions around how a publisher’s software in your environment is licensed, how that usage is measured, and how it’s supposed to be used by your organization. And the EULA documents will tell you whether or not your Asset Managed Data Repository (MDR) is calculating your license position correctly.
This information is useful in two ways – first, it tells you whether you have a problem and can expect to face a penalty cost. Second, it tells you how a software auditor is supposed to calculate the license position. So, if the auditor comes up with an answer you weren’t expecting, you can push back and ask them why.
To avoid unexpected “gotchas,” you must answer these three questions:
- Is there a control issue? Is the software supposed to be used at one particular location, by one group of users, or by one specifically-named user?
- Is there a pass-through issue? Was the software purchased directly, or did it come in as part of another software package? If it came in as part of another software package, it’s a gotcha because you don’t have a license, as far as the publisher is concerned.
- Is there a missed-benefit issue? The Right-Of-Second-Use is a poorly understood and often missed opportunity to cut back your license counts. Some publishers will discount license costs based upon the type of CPU running their software. DEV and TEST environments sometimes, but not always, can be excluded from installation calculations.
The answers to the above are in your supporting documents – but you gotta get ’em and read ’em!
OK, now you’re ready for the next step in the Quick & Dirty Software License Audit Checklist:
Step 3: Control The Narrative
You’ve probably heard the adage, “Loose Lips Sink Ships.” In the software license world, nothing could be more accurate.
Software publishers and their auditors will try to get as much information out of your teammates as possible and use it against you. The minute you get the audit notification, get the word out to the rest of the group and let them know that if they receive a call or an email, only one person should talk to the publisher, the auditors, or their representatives – and that’s someone from the ITAM team.
Controlling the narrative reduces the risk of mistakes, unintended consequences, or assumptions that will cause more headaches and more penalties down the line.
And this is very important: get (in writing!) the exact scope of the audit and what information you are required to provide. Don’t let the auditor turn an initial data request into a fishing expedition – you don’t want them to start looking for C, D, and E when they say they want to look at A, B, and C.
Step 4: Don’t Be Afraid To Call In An Expert
While my quick and dirty software license audit checklist is helpful, remember that software publishers bring in third-party software auditors to help them conduct their investigations, and you have every right to bring in outside help too. A software audit can cost your organization millions of dollars in unbudgeted expenditures, and you need to put everything available to you into your audit defense strategy.
An ITAM coach (may I suggest yours truly?) will speed up the time it takes to get your ITAM program on its feet and make progress. An ITAM coach can also impart best-practice knowledge and experience to your existing team members, making them more valuable corporate resources after the coach’s work is done.
Finally, an ITAM coach can provide much-needed suggestions and advice during the audit and give you a software license audit defense strategy you can depend upon to help avoid costly mistakes.
Step Zero: Always be prepared!
Although Step Zero is at the end, it is the most critical step on this quick and dirty software license audit checklist. The best audit defense strategy starts before you receive an audit notification. You need a playbook that lays out who’s involved, who needs to be notified, and what steps to take. You need to ensure that your software is properly licensed when you install it and that your Asset MDR is giving you accurate reports.
You can’t build a good defense on the fly, so don’t wait until you need to rely on the data to know whether the data is trustworthy and accurate.