Software Audit Management: Are You Ready?

By Jim Hussey


September 23, 2021


A great deal has been written on the subject of how to manage a software audit. You can find easy-to-follow, multi-step software audit management programs that align neatly with a logical workflow – all claiming to lead followers towards a successful conclusion with minimal findings and penalties levied. The issue, of course, is those are merely claims – not real-world outcomes. In many respects, these white papers and process flows should be labeled and filed under “fiction.” In reality, the actual outcome rarely leaves a company unscathed.

So, why is there such a disconnect when it comes to effectively managing a software audit? Given the intricacies of enterprise software vendors and the complexity of large-scale software deployments, why do we turn to a pre-set methodology of A leads to B leads to C leads to a successful outcome? Shouldn’t we know better?

Countering the Emotional Aspect of a Software Audit

Software audits are emotion-driven events. They inevitably shine a bright light on internal (in)competencies across several important process areas. Each of these process areas is led by a team that will likely be threatened by what a software audit uncovers, leading to internal dynamics that put forward a dysfunctional view of the environment.

The emotional dynamics of a software audit typically work to the benefit of the auditor, not the customer being audited. Auditors are well-trained to sniff out dysfunction, which typically leads to the unveiling of noncompliance within the customer’s environment, and they’re also adept at taking advantage of any conflicting information the customer provides.

As 2021 has been a very busy year for audits with no sign of slowing, procurement, IT and software asset management professionals should consider the following activities to help the team understand how to best respond to an audit long before the notice is received.

First, Conduct an Internal License Position Assessment Annually on Your Top Three Software Vendors (By Spend)

Even if your organization has a SAM platform deployed and a team of SAM analysts, engaging an expert to perform a license position assessment (LPA) in your environment is a powerful risk management best practice. Consider this a scrimmage or pre-season game to prepare you for a real software audit – it will allow you to determine (and correct!) your weak spots without having any real exposure.

By conducting an LPA, you get to see how an auditor interprets your deployment, which will likely be very different than how a traditional SAM analyst would interpret it. You will also be able to see where deployment process breakdowns occur and where opportunities to optimize user-based license metrics exist. It will also give you an idea of how your internal teams react to the detailed analysis and exposure of their contribution to gaps between license entitlements and license deployments. Almost 100% of the process gaps that lead to compliance issues are unintentional, and a proactive approach to sussing them out will benefit the organization operationally and, at audit time, financially.

Second, Prioritize License Management Education as Part of Software Audit Readiness

Everyone is busy! That goes without saying. And it’s impossible for those on point to deploy software to be fully up to date and abreast of all the requirements, restrictions, and rights associated with all major software deployments – especially since they change over time. This is why focus-narrowing is critical. Pick those on-premise software estates that carry the most significant exposure in the event of an audit and educate your teams through ongoing communications – the usual suspects are Microsoft, SAP, Oracle and IBM.

Note – internal knowledge gaps are common, and that’s understandable given the complexity of large software estates. Enlisting outside licensing specialists is one way to effectively bridge these gaps and increase your organization’s overall software audit readiness.

Third, Determine Rules of Engagement for ALL Interactions with Software Vendors That Are Prone to Audit

Communications with any software vendor representative – sales, implementation, service desk, etc. – can trigger a software audit. Many times, it begins with an innocent request or offer to optimize, and suddenly there’s a true-up bill or an audit notification.

It’s important to clarify rules of engagement for each role in your enterprise that could have an interaction with a software vendor. Understand who is permitted to communicate and who’s not, what can and cannot be shared, how requests should be escalated, etc. Be clear and detailed.

Remember, Software Audit Management Starts Before an Audit is Formalized

Software audit readiness and defense starts long before an audit notification is received – and so does the software audit management process. Despite the availability of linear, textbook processes, software audit management must be – above all else – pragmatic and flexible. Establishing the foundations above prior to any formal audit activity will give organizations a better chance to be prepared and present a comprehensive, coordinated front when called upon.