A Guide to Backdoor Software License Compliance Audits

By NPI
June 29, 2022

Economic headwinds are putting pressure on most businesses in most industries – including tech companies. Even the largest IT suppliers are feeling the heat, including the likes of Apple and Microsoft, which are both warning of lower-than-expected financial performance in the coming weeks and months. For customers with large software estates from certain enterprise vendors (think Microsoft, Oracle, SAP, Adobe, IBM, Quest, for example), the effect is a bit of a double whammy. Not only are IT costs rising, but the risk of a software license compliance audit has also become significantly greater.

We’ve seen this play out before on different stages – sometimes the backdrop is a recession or market correction; other times it’s when a vendor is acquired, or the company is losing market share. Whatever the reason, whenever large software vendors are concerned about lagging profits, they tend to turn to a tried-and-true set of tactics. And one of those is to increase software license compliance audits.

An increase in audit activities allows software vendors to capture revenue. This happens either by charging the customer a penalty fee for any noncompliance discovered (which almost always happens), or by driving incremental purchases to head off penalty fees.

There are two major challenges in mitigating the risk of a software audit. The first is that the number of software license compliance audits is increasing, and NPI anticipates this trend will continue for the foreseeable future. The second is that not all audits look the same. Therefore, it’s critical for Procurement, ITAM and IT operations leaders to understand the difference between a front-door and a backdoor audit.

What is a Backdoor Software License Compliance Audit?

When a software vendor employs a “front-door” audit approach, the selected client receives a formal notice stating the vendor is invoking its contractual right to validate compliance by conducting a deployment review. There are several forms the front-door audit can take. Notification can include a third-party auditor assigned to carry out the objective analysis, or it can be performed by the software vendor’s own compliance team.

“Backdoor” audits don’t arrive via formal notification. The software vendor uses various techniques and points of entry to request deployment environment data outside of formal channels. Here are some of the watchwords associated with backdoor audits:

  • Environment Review
  • Certification
  • Deployment Profile
  • Measurement
  • Optimization Analysis

However it’s being termed, one thing is certain: you’re being audited.

To add to the challenge, the request for data typically comes from an account manager or a member of the service delivery or implementation support team, and is targeted at an associate-level member of the client’s IT operations team. The unfortunate outcome for the client is that their environment data is shared with no validation or optimization, usually leading to receipt of an unbudgeted true-up or settlement order form.

Establish Clear Rules of Engagement Before a Backdoor Software Audit Strikes

The first step in heading off the financial ramifications of a backdoor software license compliance audit is for Sourcing, ITAM, IT Finance and IT leadership to work together to craft clear Rules of Engagement (RoE). These will define communication protocols that will limit exposure and prevent IT operations from unnecessarily creating a budget impact. RoE should cover the following:

  • Educate IT leaders on the potential threat of a backdoor audit. Make certain they communicate to their teams that absolutely no environment data is to be shared with any partner unless reviewed and approved by the appropriate executive.
  • Ensure all requests for environment data are channeled to the appropriate internal point-of-contact (POC).
  • When a software vendor representative follows up, IT is to inform them the issue is being managed by the designated POC and all correspondence needs to be with that individual.

As software vendors seek to generate audit and compliance revenue to offset potential shortfalls, establishing clear Rules of Engagement (RoE) will help reduce the risk exposure for backdoor audits. But it will not eliminate the threat.

That takes us to the second step. Performing annual license position assessments for certain large software estates allows customers to identify and remediate compliance issues before a backdoor (or formal front-door) audit arrives. For enterprises, this level of software asset management hygiene is crucial to avoiding seven- and eight-figure noncompliance penalties.

Remember, now is the time to take action. A less hospitable business climate is a sure sign your company will be exposed to more software audit activity. Don’t be caught off guard!

If you have questions about how to determine and mitigate software audit risk, NPI can help. Contact us to learn more.
