For on-premise IT, vendors have been the “auditors” – policing customers to assure license compliance. In the cloud, vendor audits are no longer a necessity. Customers are free to consume (and spend) all they want, and are in a constant state of compliance because vendors are directly authorizing access rights. Responsibility – and the purpose – for audits have shifted 180 degrees. Without regular self-audits of cloud usage and without detailed usage data from vendors, many companies may find themselves overbuying and overspending.
For enterprise IT and sourcing professionals, the topic of software license audits is a hot button. Discourse and frustration are primarily focused on two points:
Enterprises have growing concern and frustration. It’s not uncommon for a company to undergo large-scale licensing audits from multiple vendors in the same year. Furthermore, a vendor’s audit findings are usually incorrect, and defending against them is costly and disruptive. At the end of the day, a true compliance position is usually achieved, but it’s a painful process.
But what about audit risks in the cloud? Do they even exist? What are they? How are they different from the risks associated with traditional on-premise audits? The answers to these questions may surprise you.
In the cloud, the risk and responsibility model for audits gets turned on its head. What was once the role of the vendor is now the role of the customer.
To understand how the cloud has impacted everything we know about audits, let’s first view audit risk and responsibility from an IT vendor’s perspective in an on-premise setting. Improper or under-licensing across a vendor’s customer base is a credible and significant threat to revenues. That threat has grown as customers’ IT ecosystems have evolved to become more tightly integrated and include more devices and users, and as IT spending and asset management have become more decentralized. Of course, every enterprise wants to abide by their licensing rights and obligations, and it is extremely rare to find intentional non-compliance. But vendors know that unintentional non compliance is common – especially when licensing rights are (in most cases, intentionally) complex.
Without audits, vendors have little visibility into the state of licensing compliance with a particular customer. While some vendors have taken a more predatory stance on licensing audits in the past year (mainly as a way to “motivate” customers to migrate to newer cloud offerings), vendors do have a right to enforce their licensing policies and to collect appropriate fees when customers are improperly licensed.
In the cloud, the risk and responsibility model gets turned on its head. For the most part, vendors have deep visibility into cloud usage and compliance. The risk of under-subscription is minimal because the vendor is directly authorizing usage rights. If a customer needs a seat/subscription, they pay the fee or they don’t access the vendor’s solution. There is no reason for vendors to conduct audits.
In a cloud scenario, lack of visibility into usage has shifted from the vendor to the customer. Therefore, the audit responsibility doesn’t lie with the vendor – it lies with the customer. In order to avoid overbuying and overspending, enterprises have to regularly audit usage to determine if spend and usage are aligned. There is certainly no risk for the vendor if the company is oversubscribed.
The issue of visibility is key here. Vendors are not motivated to provide their customers with detailed usage data and insights. In fact, the usage data that most cloud vendors provide to their customers is a 10,000-ft. view articulated through slick dashboards. The lack of granular detail makes it difficult for customers to accurately analyze functionality usage, license type usage, which subscriptions are idle, seasonal/ peak usage, etc.
To avoid overspending and overbuying, enterprises need to conduct regular self-audits of cloud usage with key vendors.
To avoid overspending and overbuying in the cloud, companies should self-audit cloud usage with key vendors and take the following steps: