The majority of us involved with Software Asset Management will have experienced a license audit at some point in our careers. Read this article to find out what you can be doing to ensure you are 'audit ready' and why it is so important.
How to be prepared for a license audit
Software vendors can initiate an audit at any time. (It is always good to check that your contract has a clause which gives the vendor the right to audit, so that this can be clarified early if required.) However, there are certain times when an audit notification letter is more likely to be received, for example, if you have a renewal coming up in a year's time or you have made any major changes in the quantities of licenses you have just renewed.
Let's discuss why it is so important to ensure you are 'audit ready'.
Audits can be very resource intensive if you are not organised and do not have data readily available to share.
Audits can also cause disruption to IT projects and planned work, along with the general day-to-day work of people involved, if a large amount of data needs to be collected and time needs to be spent investigating to ensure any questions the auditor asks are answered accurately.
This increases costs, as the resources involved must spend a lot of time and effort on the exercise; if proper planning takes place in advance, this can be cut down significantly. If you have a renewal due and the audit activities take longer than expected, you will also have less time and resource to focus on the renewal conversations.
Why you need to read through contracts
Even though effective software asset management is key to making sure you are ready for an audit (discussed in more detail below), in my opinion it is equally important to understand what the audit conditions are for each of your contracts with the software vendors. Reading through the contracts carefully and understanding the full implications of non-compliance is critical as it allows you to plan and budget for unexpected costs.
For example, some vendors will include terms that state not only must you make additional purchases and cover back maintenance, but if non-compliance has been identified over a certain threshold, you must also cover all the costs of the audit. This can become expensive very quickly, especially if the vendor is using a third-party auditor with high rates.
Note that any resolution of over-deployment identified in an audit scenario is usually at list price with no discount applied, which also leads to costs being higher than a standard purchase.
It is often useful to go back to previous audits and examine what went well and what could have been improved on. Learning from previous experiences can make it easier for you to manage future audits, as you know what to expect and how to properly plan the activities.
Check how many licenses you are entitled to
Two of the most important aspects of ensuring you are prepared in the event of an audit are knowing how many licenses you are entitled to and what you are currently using or have deployed. To achieve this effectively, it is key to keep not only a centralised register of software license entitlements that covers the whole company, but also an organised repository of current contracts and terms and how these map to the entitlements held.
Software license agreements can be complex and also vary significantly across vendors, products and customers, which means it can be difficult to understand the impact of certain terms/rules.
It is also crucial that you aim to produce an accurate and complete report or 'Effective License Position' for all of your software assets on a regular basis. These reports should be produced to an audit standard (based on audit methodology) to minimise risk and include a careful review of license terms to highlight if there are any special terms or potential grey areas that your team depends upon.
For example, are you familiar with the terms relating to standby (Disaster Recovery) licensing for the particular vendor or product? Is your definition of a Non-Production instance the same as the particular vendor's definition?
The reports should include as much detail as possible, including specific versions of software installed, and any assumptions or key context of note should be clearly documented.
Do your vendors require additional reports?
Certain vendors may have additional requirements of their customers. For example, IBM require customers to retain a minimum of 2 years of ILMT reports (contiguous quarterly audit snapshots) or similar reports from an approved sub-capacity tool and, as of the new Passport Advantage terms released in February 2023, to also produce an annual baseline report of all IBM software deployment, which should be available upon request.
Not only do the ILMT reports need to be retained, but they also need to be validated to ensure they are accurate. It is important to have a good understanding of specific vendor requirements such as these so that you can ensure you have the correct data to hand.
By completing the above actions, you have a very good chance of highlighting any potential non-compliance early on and can start to investigate the cause. Based on my personal experience, it is very rare that any non-compliance found is deliberate, and it is much more likely that it was an accidental over-deployment of licenses, which is either not required and can be removed or is identified to be for real business need and the licenses can then be procured.
Outside of an audit scenario, any additional licenses that are required can be built into existing negotiations with the vendor based on the type of contract you have with them. Another aspect to consider when it comes to accidental over-deployments is training/knowledge sharing.
Education, education, education
If you proactively educate your employees/colleagues on the importance of software license compliance and effective management, there is less chance of over-deployments occurring, as people will be aware of the impact of their actions and perform the relevant due diligence before installing a new piece of software on a machine or granting access to additional users.
With the complexity of software license agreements and ever-changing licensing rules, it is always useful to have experts to turn to for advice and support. Here at Livingstone, we have many years of audit support experience, in which we have assisted our existing clients in navigating license audits and offered advice on the best way to handle any outcome.
About the author:
Alicia Ijaz
Managing Consultant
Alicia has been at Livingstone for over 3 years and her experience is mainly specific to IBM licensing. She also has knowledge of other vendors including Red Hat and VMware. Before Livingstone, she worked for Deloitte where she became the UK lead for IBM audits.