We’ve identified the five steps to examining your SAM program to determine its strength against auditors. Here they are:
1. Inspect Coverage.
If you are not covering the full environment, then you are likely exposed in some areas. For example, if you have your SAM tool deployed on only 70% of your environment, the other 30% of the population is putting you at risk. You must have accurate and comprehensive data that shows what you've deployed to reduce your financial risk, and much of that data comes from your SAM tool.
Understanding your inventory coverage is key to gathering quality data. To that end, ask yourself these questions:
How many machines do we have deployed in our environment?
Which operating system(s) does the tool cover?
Does it cover our Windows environment? Our Unix environment? Our Mac deployments?
Are the SAM tool endpoints reporting properly?
How can we validate our coverage?
What entitlement information can I gather from my supplier without signaling that you may be out of compliance?
We urge clients to look for other data points to identify the population. Maybe you can pull all your PC objects from Active Directory or some other directory service, and cross-reference it against your tool coverage to get a better understanding of your coverage.
2. Start Small.
Managing your software assets can sometimes feel overwhelming. Many SAM programs lose traction because of the vast amount of software in an organization, where there may be thousands of software titles, each with their own complexities and challenges.
We recommend that clients start by establishing a top ten list and address the major software spends in their environment. This will give you a good idea of where the biggest risks lie. After identifying your top 10 vendors, you need to build your SAM program with a focus on these 10 to start. You can start by answering the following questions:
What software titles are included in this vendor list?
Are they currently reported in our SAM tool?
Do we know the key internal contacts and stakeholders for these top ten vendors, so we can make sure we are covered?
Do we understand any contract overrides or commitments that the SAM tool is not going to report?
Can we accurately count and reconcile entitlements vs. deployments for these vendors?
The biggest area of weakness in a SAM program is user reporting, so it’s critical to become adept at this process. So, when clients get comfortable with the top ten list of vendors, they can expand the program to include their next biggest five or ten software suppliers and reduce as much risk as possible without becoming overwhelmed by the task.
3. Analyze Gaps.
Armed with the information gathered in the first two steps, it’s time to identify the SAM tool’s weaknesses and prevent the organization from taking the same risks repeatedly. The questions to ask your team are:
What metrics does the tool not collect? (E.g., maybe you need processors, or user counts, and these data points are not reporting into our tool.)
Do we need to supplement with other data sources?
Can our team fill in the gaps with other contextual information that might affect licensing?
This is where clients face the most significant challenges: discovering the missing or incomplete contract, entitlement data or purchasing records. In other words, understanding exactly where the landmines are. If you don’t attack these gaps in your SAM program, you forfeit the opportunity to improve the process and build a successful SAM program.
4. Deploy Adequate Resources.
As discussed, SAM tools do not count everything, and this results in millions of dollars in findings during an audit. To fully mitigate this risk, people and processes are essential, as illustrated in the following graphic.
Managing software compliance is a massive and unwieldy job, and it’s getting more difficult all the time. To meet this challenge you need people with highly specialized skill sets. Do they understand the current environment? How does the transition to the cloud to consider: how does that affect our tool’s ability to report? Does it track our cloud-based licenses? Just because much of your workload may be in the cloud does not mean you’re off the hook.
5. Practice Self-Audits to Test Your SAM Program.
We counsel clients to perform periodic self-audits on the top supplier software to prevent finding out for the first time that you’re out of compliance during a real audit. This practice will allow you to identify and address risk areas proactively. It can help you decide to purchase additional licenses ahead of time, so that when an auditor comes in, you’ve got your house in order. If you don’t have the internal resources to do this, you would do well to consider bringing in outside expertise, like a member of the ClearEdge compliance team.
If you start by taking these five steps, you'll be on your way to reducing as much risk as possible in your software estate and you can expand and get comfortable with your other vendors. For more information about SAM programs, please download this webinar, visit our website to see our robust content about common compliance “gotchas!” and audit defense, or contact your ClearEdge representative.
Rob Murphy is Manager of SAM and Compliance Services at ClearEdge Partners.