How quickly can you respond to an audit request?

Sean Robinson, managing director of License Dashboard, gives some tips on how to deal with the prospect of a software audit

Handling a software audit can be a painful and expensive process, especially if none of the groundwork has been prepared in advance. Sadly however, that is the situation most firms find themselves in. With so many other priorities competing for your attention, ensuring you have a software licence management process in place in anticipation of an audit often never makes it further than the to do list. But it should. 

Being prepared for a software audit is more than just a lesson in pro activity; it will limit the disruption that the audit brings. Just as crucially however, by highlighting inefficiencies and over-spends on an on-going basis, the groundwork ahead of time will save the organisation significant sums on their software licensing all year round. 

With firms now facing a 65% chance of being audited, it really is more a question of when you are audited than if, so burying your head in the sand and assuming all will be fine is not a sensible strategy. But how disruptive can a software audit really be, and how much time does it take?

The simple fact is that responding to a vendor’s audit request causes disruption and expense: IT teams that are diverted away from their day jobs; tools that need to be purchased and/or deployed in a hurry; end users that might be restricted access to IT resources; legal representation that needs to be drafted in to negotiate with vendors… the list goes on. Far better then to address any exposure before an audit is on the horizon.

The knock at the door

When the audit request comes in, the vendor in question will give you a timescale in which to respond, sometimes as little as 30 days. You can often negotiate an extended timescale if you can demonstrate a willingness to be co-operative, but once the date is set, the countdown to judgement day begins.

The software vendor is expecting you to prove your compliance by preparing an Effective Licence Position (ELP). An ELP is produced by reconciling or matching two data sources; an inventory of your organisation’s software entitlements matched against an inventory of software deployments. It effectively matches up what you’re using with what you’re paying for. If you can provide the vendor with an up-to-date, detailed and most of all trustworthy ELP that proves you are 100% compliant, then they should leave you alone. In theory.

There are two issues with this theory, however.  First, no organisation ever has a completely ‘neutral’ licencing situation (i.e. zero under-licencing OR over-licencing) without putting effective SAM processes in place. Second, collating the two data sources and reconciling them is not as simple as it sounds, and the clock is ticking. Firstly you need to compile the data in a format that is usable, and then you need an efficient way of reconciling it.

Compiling licence data

Timescale: One day for the prepared; Four weeks or more for the unprepared.

As is common in most organisations, software is purchased through many routes over many years, so unless it has been centrally recorded, building a single view of exactly what has been purchased can be a real challenge. Compiling a centralised, up-to-date repository of all licences purchased to-date is job number one.

Searching for licences will inevitably involve a degree of manual labour (especially if you’re hunting down receipts); however, with the right tools a good proportion of it can be automated. One of the fastest ways to upload large amounts of data is to directly import what is commonly-referred to as ‘vendor consumption data’ – such as the Microsoft Licensing Statement (MLS). A second option would be the ability to input individual licences, completely with all the appropriate licence metrics, procurement information and links to proofs of purchase. With the appropriate tools, around 80% of the import process can be automated (i.e. by importing the MLS in a matter of minutes). Without automation, this same process can take days or even weeks.

Making sense of the licences

Timescale: A few hours for the prepared, up to four weeks for the unprepared.

The next challenge is understanding what the licences actually mean. It is one thing to know you have a Microsoft Office 2010 licence, but many organisations fail to realise that some licences also include rights to use other products, or come with additional entitlements (such as Client Access Licences). Since licences can vary wildly, it is critically important to understand what the terms of your particular licences mean. This is where specialist licence management tools and consultants come into their own. By combining licensing knowledge with a database that tracks and understands the various metrics that licences are comprised of (users, devices, processor cores, etc.), the right licence management tool can ensure that you form a good understanding of what your entitlements are.

Compiling software usage data

Timescale: One day for the prepared, up to two weeks for the unprepared.

Now that you know what your entitlements are, you need to know how much of these entitlements you are actually using. The most efficient way to achieve this is with software metering. The provision of software metering information is the responsibility of the audit solution. Some audit solutions (such as Microsoft SCCM and others) are able to track how many times applications are accessed. Where it is available, this information should be consulted to identify unused software applications. Where an application has not been used for, say, three months (or 90 days), there can be an argument to remove it from the machine (providing the licence is not one that is permanently tied to the machine and that this does not contravene the vendor’s licensing rules).

Regardless, keeping an eye on usage is good management practice in its own right and will definitely be useful at times where licence re-harvesting can help reduce expenditure on both new licences but also support and maintenance.

One common issue with many inventory / discovery tools is that the nomenclature they use to identify software installed on the network does not match the naming conventions used on licence entitlements. This can be a real headache for even experienced SAM professionals and can seriously delay the process of reconciling entitlements against usage.  To that end, licence management tools are designed to ‘normalise’ the data provided by inventory solutions and transform the technically-correct audit data into information that can be more readily used for the license management process.

Creating the ELP

Timescale: A few hours for the prepared, up to a month for the unprepared

Now comes the really hard part. Now that you know what your entitlements are and what software is being used, the next step is to compare the results of your software audit against the licence entitlements that have been collated. This is where the shortcomings of non-dedicated solutions like a spread sheet or even IT Asset Management solutions become clear.

Put simply, trying to reconcile licences against software usage manually is a mammoth task, likely to take months if not years to achieve. That is because licensing is inherently complex, with different licences having varying usage rights, upgrades and downgrades need to be applied in particular ways for different applications and versions, and some licences can cover more than one application or installation. Trying to juggle all of these different rules and rights is nigh-on impossible. The trick is using a dedicated solution that understands how software licences work so that it can handle these scenarios and apply licences ‘intelligently’.

Better to be prepared

As demonstrated above, there is no substitute for being prepared if you don’t want the next software audit to take over your life. If you try to do everything manually or use technologies like spread sheets that are simply not fit for purpose then you will waste time. For any organization with more than 200 PCs and servers on the network, automated tools are a must. The key to responding quickly to an audit request is to minimise the workload placed on staff or consultants by applying automated intelligence to as much of the process as possible.

What’s more, proactively preparing for an audit will also ensure that your organisation’s software spend is optimised and aligned to your software usage all year round. Our experience has found that organisations over spend on software by an average of 20% because they lose track of what they have already paid for, or fail to retire software when it is no longer used. That objective alone is worth the effort of being audit-ready all of the time.

Sean Robinson is managing director of License Dashboard.

Read more on Software-as-a-Service (SaaS) Applications