Updated: Aug 17, 2020
In a recent ClearEdge survey, 56% of our clients received three or more software audit requests within the past year, and 24% reported two or more requests for the same timeframe. Unless there’s a big spend event on the horizon, your supplier is highly motivated (and entitled) to audit you.
Based on my experience as a former software auditor, I can personally guarantee that you will be found out of compliance during an audit, for a whole host of reasons. This means you’re almost certainly guaranteed unbudgeted spending in audit and legal fees, an angry boss, bad PR and sleepless nights, not necessarily in that order.
Why is effective software asset management so challenging? Because there are so many pieces to the SAM puzzle: tools, governance, personnel, processes, policies, budget, executive support, and technology that is becoming ever more complex to track. Some people think of SAM tools as the “easy button” to maintain compliance, but they’re mistaken. People fail audits all the time with SAM tools in place, because the other pieces of the puzzle are not in place. Let’s look at the people, processes and technology involved in a good SAM program.
1. Best practices start with a trained eye on the software contracts and agreements. These have become a nightmare for SAM professionals with the advent of cloud computing, as suppliers sell solutions directly into the business units, bypassing IT and procurement. But the contracts must be inspected, especially these clauses:
Audit terms – what are the obligations, risks, fines, pricing and timelines?
Change in control – what happens if you’re acquired or divested?
Cloud – if you move to the cloud, can you take these licenses with you?
Commitments – are there commitments to growth, or restrictions?
Embedded URLs – what happens when the reference terms change?
Flexibility – if the product fails, or you downsize, can you revisit these terms and commitments?
Geographic restrictions – what are the ramifications if the data center is moved, or if offshore resources are using workstations?
License changes – what happens if the supplier or product is acquired?
Practicality – what are you required to track and report on? Who’s responsible for what?
2. Metering tools provide the ability to track, day by day, what you’re using versus what you’ve purchased. They collect information on who’s logging in, what’s in use, and what’s not in use. This is useful to know when you’re doing true-ups or renewals, but it’s important to remember that auditors do not care what’s being used. You are responsible for the number of licenses deployed, not just those being used.
3. Consistent processes and controls are key for buying, deploying, using, tracking, maintaining and retiring software. This means, for example, that software should not be purchased with a credit card by someone in a business unit – these licenses will not be tracked properly and will put your company at risk.
4. Identify the areas or gaps that your SAM tools don’t measure and supplement them. SAM tools cannot count everything, because the metrics used by suppliers are constantly evolving and there is no foolproof way to keep up. Further, the tools are simply not designed to count direct vs. indirect usage, and a lot of other data such as number of terabytes, sockets, accounts, unique users, page views, concurrent users, days in use, country of use, environment (test, development, production), and so on. You must manually supplement these categories with other tools and processes to protect the organization.
5. Cloud computing means lower costs up front and easier deployment, but that’s just the tip of the iceberg. What lies beneath the surface of this purchasing model are many of the same compliance issues that come with purchased on-premises software AND the additional need to understand who’s responsible for tracking licenses, consumption, upgrades, security, decommissioning, and a dozen other tasks – you or the cloud provider?
We recommend that SAM practitioners establish an audit response plan to define who in the organization is going to do what when an audit occurs. This plan will include the SAM team, the IT team, the legal team, and purchasing. We also recommend that once an audit is completed, you scrutinize and validate the audit reports for accuracy. In many cases, the findings and charges are incorrect – they include assumptions, interpretations and just plain calculation mistakes.
Other best practices include KPIs, scoping (tier 1, tier 2, tier 3), a complete SAM toolset (to handle entitlements, contracts, discovery, reconciliation, etc.), conducting a mock audit, hardware asset management (to cross-check estate completeness, decommissioning, etc.), centralized purchasing, and a routine for checking license availability.
To be sure, this is a tall order, and many SAM programs are woefully underfunded. It’s difficult to prove savings achieved and demonstrate ROI, but equally difficult to overstate their importance. To help clients address compliance challenges, assess their organization’s audit readiness, and mitigate the financial risks involved here, we’ve come up with a SAM Maturity Model.
Jared Frehner is a Manager of Compliance Services at ClearEdge, and a former KPMG manager, where he served as primary leader on IBM software audits.
This blog post was inspired by the SAM Best Practices webinar. You can access the full recording of this webinar below. For a deeper dive, we urge you to sign up for our online certification program or contact a ClearEdge representative.