The Top 7 Challenges in a Software Audit

IT leaders in large organizations are plagued by software audits and typically experience at least one every year. Maintaining software compliance is nearly impossible given the complexity of products and license metrics and an IT environment that never stops changing. To prepare for audits and optimize licensing, you need to understand the challenges, and the tactics publishers use to consistently drive compliance fees.


ClearEdge’s compliance team – composed of former professional software auditors – has distilled a list of the primary risks exploited by auditors, and how to avoid them. Here are the seven challenges that pose the greatest risk to our clients: (1) virtualization, (2) data collection and analysis errors, (3) environment designations, (4) indirect access and multiplexing, (5) extrapolated findings, (6) convoluted metrics & licensing changes, and (7) pirated licensing.


1. Virtualization


Virtualization cuts both ways: (a) it is easy to change the environment, since virtual machines can be created, moved, and resized in minutes, and (b) each software supplier has its own set of contractual rules restricting exactly those changes, so a routine operational change can silently alter what must be licensed.


What you can do: Your software asset management (SAM) program must be integral to the daily operations of the virtual environment. Whenever a decision is made about where to place a new virtual machine, or a virtual machine’s processing power is to be increased, the SAM team must be in the loop to check the licensing implications before the change is made. We also urge clients to demand clear contract language that covers how virtualized machines are licensed. Taking this action removes ambiguity that the publisher can otherwise exploit to maximize audit findings.


2. Data Collection & Analysis Errors


Errors in audit reports are common, so you cannot assume a report is accurate. Mistakes arise from erroneous assumptions about product rights and deployment, lack of context, and inexperienced auditors. These errors translate directly into high audit fees and penalties.


What you can do: You need to validate every finding in an audit report. Uncovering errors in audit findings instantly provides leverage over the publisher. Your SAM team must closely scrutinize all licensing gaps identified by the auditor, and if your organization lacks the expertise, we advise bringing in a third party to analyze and challenge the findings.


3. Environment Designations


Most publishers have different licensing rules for production, development/testing, disaster recovery, and failover environments. Production licenses are typically the most expensive. However, in an audit, it is not always easy to identify the correct environment designation, and auditors often decide that any unclear designation defaults to a production license. This inflates the findings whenever the client cannot document its entitlement to the cheaper non-production designation.


What you can do: Check your contract language to ensure that you have the right to deploy non-production licenses at a lower cost, and validate that your usage matches the conditions described in the contract. When your deployments meet the criteria for non-production licenses, you can push back on the publisher/auditor with this evidence. Clients are advised to document every environment designation, both to identify it clearly to the publisher AND to enforce usage and tracking internally.


4. Indirect Access & Multiplexing


Indirect access occurs when a system is accessed or queried through a third-party application, interface, gateway, middleware, or automated process (e.g., a bot or RPA). In these situations, a single user account in a system can represent hundreds of unseen users who need to be licensed. As a result, enormous compliance fees accrue for organizations that lack a defined process to monitor and limit user access and stay within the terms of their license agreements. Further, most SAM tools are unable to track indirect access.


What you can do: Indirect access reviews must be conducted regularly to see how users actually interact with your solution. If the internal SAM team lacks the expertise, we recommend using a third-party service to accurately assess your exposure. After identifying each use case and point of access, you will have to create new processes to minimize any interactions that affect compliance, or consider license model changes to proactively address this risk.


5. Extrapolated Findings


When an auditor’s software scans result in low inventory coverage (i.e., less than 95% of active installations), they sometimes extrapolate: they take the findings from one portion of your environment and assume that they apply to the rest. Results from extrapolation are often inaccurate, oversimplified and inflated. (For many software products, Active Directory is the source of extrapolation problems in an audit: stale computer objects inflate the population the auditor extrapolates over.)


What you can do: The auditor can provide you with a detailed list of the servers or licenses that they were unable to reach to check compliance. Manually verify whether these machines are actually in use and report your results to the auditor to avoid extrapolation. Without this information, it will be difficult to validate the accuracy of the audit findings. If an auditor does extrapolate, push back on the practice and identify a portion of your environment that does not match their “findings”. A proven discrepancy can invalidate the audit findings and create leverage over the publisher to reduce compliance fees. We counsel clients to keep their Active Directory clean and up to date, with decommissioned machines removed.
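As an added example (not part of the ClearEdge guide), the following Python script reconciles an auditor’s list of unreached hosts against an Active Directory computer export, so each host can be labelled before you answer the auditor. It assumes the export was produced with Get-ADComputer and saved as CSV with Name, Enabled and LastLogonDate columns, and uses a 90-day staleness threshold; the sample export and unreached list are constructed for illustration. It also computes scan coverage two ways, over every AD object and over active objects only, to show how stale objects drag the auditor’s coverage figure down and invite extrapolation.

```python
import csv
import io
from datetime import date, timedelta

# Assumption: hosts with no logon for this long are treated as stale.
# Pick a threshold that matches your own decommissioning policy.
STALE_AFTER = timedelta(days=90)

# Fixed reference date so the sample is reproducible.
TODAY = date(2024, 6, 1)

# Constructed sample: what an AD computer export looks like after
# Get-ADComputer -Filter * -Properties LastLogonDate |
#     Select Name,Enabled,LastLogonDate | Export-Csv
AD_EXPORT = """\
Name,Enabled,LastLogonDate
SQL-PROD-01,True,2024-05-28
SQL-PROD-02,True,2024-05-30
DEV-BUILD-07,True,2023-11-02
OLD-FILESRV,False,2022-01-15
WEB-DR-03,True,2024-05-29
"""

# Constructed sample: the list the auditor says their scanner could not reach.
UNREACHED = ["SQL-PROD-02", "DEV-BUILD-07", "OLD-FILESRV", "GHOST-HOST-99"]


def load_ad_export(text):
    """Parse the CSV export into {NAME: (enabled, last_logon_date_or_None)}."""
    ad = {}
    for row in csv.DictReader(io.StringIO(text)):
        enabled = row["Enabled"].strip().lower() == "true"
        last = row["LastLogonDate"].strip()
        last_logon = date.fromisoformat(last) if last else None
        ad[row["Name"].strip().upper()] = (enabled, last_logon)
    return ad


def is_active(enabled, last_logon, today):
    """An object counts as a live machine only if enabled and recently logged on."""
    return enabled and last_logon is not None and today - last_logon <= STALE_AFTER


def classify_unreached(unreached, ad, today):
    """Label each unreached host so you know what to do with it."""
    result = {}
    for host in unreached:
        key = host.strip().upper()
        if key not in ad:
            # Challenge the list: where did the auditor get this name?
            result[host] = "not in AD"
            continue
        enabled, last_logon = ad[key]
        if not enabled:
            # Decommissioned object: exclude it from the population.
            result[host] = "disabled"
        elif not is_active(enabled, last_logon, today):
            # Probably dead: clean it out of AD and exclude it.
            result[host] = "stale"
        else:
            # A real machine: inventory it yourself and report the result.
            result[host] = "active, unscanned"
    return result


def scan_coverage(unreached, ad, today):
    """Return (naive, corrected) coverage fractions.

    naive: every AD computer object counts as a licensable machine, which is
    how an extrapolating auditor tends to count; corrected: only active objects.
    """
    unreached_keys = {h.strip().upper() for h in unreached}
    naive_scanned = sum(1 for k in ad if k not in unreached_keys)
    active = [k for k, (en, ll) in ad.items() if is_active(en, ll, today)]
    active_scanned = sum(1 for k in active if k not in unreached_keys)
    return naive_scanned / len(ad), active_scanned / len(active)


if __name__ == "__main__":
    ad = load_ad_export(AD_EXPORT)
    for host, label in classify_unreached(UNREACHED, ad, TODAY).items():
        print(f"{host:15} {label}")
    naive, corrected = scan_coverage(UNREACHED, ad, TODAY)
    print(f"coverage over raw AD objects: {naive:.0%}; over active objects: {corrected:.0%}")
```

Only the hosts labelled “active, unscanned” need a manual inventory; the “stale”, “disabled” and “not in AD” entries are the evidence you hand back to the auditor to shrink the population they would otherwise extrapolate over.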


6. Convoluted Metrics & Licensing Changes


Every publisher has unique licensing rules and metrics, and they are constantly changing. Publishers complicate licensing to confuse customers, obfuscate deals and drive up audit revenue. Your organization is expected to keep track of these rules to ensure compliance.


What you can do: Make sure the SAM team is part of the contract review process and confirms that each license metric is clearly defined so it can be tracked accurately. One way to protect yourself against changing license rules is to refuse metric definitions that are incorporated into the contract by hyperlink. Publishers use them so they can update the linked page without notifying you, rendering you out of compliance overnight.


7. Pirated Licensing


The unauthorized use of software through duplication, unlicensed installation, or sharing of license keys across devices constitutes software piracy and violates copyright law. Pirated keys exist in most environments, sometimes downloaded by mistake by a user. Publishers will use pirated license findings as leverage over the buyer and threaten legal action unless the customer complies with the audit fees.


What you can do: The best way to combat piracy is to run regular scans of your environment using SAM tools or to conduct self-audits. If you find any pirated licensing before an audit is conducted, you can remove the software or purchase additional licenses from the publisher without any premiums being assigned. If you are audited and the publisher finds pirated licenses before you do, communicate to the publisher immediately that your organization takes piracy seriously, will remove any pirated licenses as quickly as possible, and will implement new processes around user permissions to prevent future piracy. We advise clients NOT to allow pirated licenses to distract them from validating the accuracy of the rest of the audit.


For more information on this subject, including what events trigger an audit and which suppliers are the most frequent auditors, download our guide titled The Top 7 Challenges in a Software Audit or contact your ClearEdge representative to discuss your organization’s audit readiness.


- This article is based on The Top 7 Challenges in a Software Audit guide, composed by the ClearEdge compliance team.