Recently, we've witnessed a marked up-tick in the number of audit letters and new audit requests being sent out to our clients. Our conservative estimate is that requests are up by 40 percent when compared to pre-pandemic levels and they aren't lowering any time soon.
The overlapping reasons why we're seeing an increase in audit activity
Why audit requests are spiking
The pandemic tipped global markets into recession and the aftermath of this is still sending shockwaves across the globe. Software and cloud service providers will be thinking long and hard about how to protect their revenue streams. Audit penalties, together with back payments for unlicensed usage, are proven ways to bolster their balance sheets.
To drive customers to the cloud
Many of the traditional vendors, which made their names developing on-premise software, are still grappling with ways to migrate their customers to the cloud. This is necessary if they are to stave off competition from the new generation of cloud-based service providers and remain viable in what’s become a cloud-first industry. An increasingly common tactic during audits is for vendors to (at least, in part) overlook non-compliance if the customer commits to new cloud contracts. The sooner the vendor can get customers to shift from on-prem to the cloud, the better it is for their revenue flows.
The likelihood of non-compliance is high
There’s also a suspicion that vendors are seeking to audit companies now because they know there’s a high likelihood that they are not compliant. When workplaces shut their doors last March, businesses were forced to deploy new services and technologies, often lured by free offers and without the involvement of IT or procurement. In the rush, there is a very real risk that contracts were not adequately reviewed and that usage does not match entitlement.
Vendor nuances at play
While the increase in audit activity has been across the board, there are of course differences between how each vendor or service provider is currently tackling inspections. Here are some of the most noteworthy changes in behavior:
Oracle using third parties to widen audit reach
Oracle has always placed great focus on audits, but it has doubled down on this activity over the last few months. In particular, Oracle has increased its use of Oracle Partners to perform audits of its behalf, targeting small to medium companies, presumably to help scale its efforts. Oracle does not pay these partners to conduct this activity. Instead, partners can generate revenues by reselling licenses to the end user organization to resolve non-compliance once the audit is complete. This creates a conflict of interest that is not likely to sit well with businesses.
Micro Focus contracts require close scrutiny
Another provider which has upped the ante is Micro Focus, which is taking a much more active approach to auditing its customers. Like Oracle, it is making use of external auditors to help with the process, but unlike Oracle, these external auditors are typically the ‘Big Four’, most frequently PwC. The good news is that its model is unlikely to create the same type of conflict of interest as seen with Oracle (unless, of course, the same company acts as your financial auditors, when things do become complicated).
Micro Focus is, however, using changes in its contracting terms to its advantage with reference to acquisitions. An organization which may have legacy contacts with HPE, might have been asked to agree to updated T&Cs with Micro Focus. These T&Cs can be long and complex, yet the process of agreeing to them requires little more than a click of the mouse, so it is important that no corners are cut when reviewing the paperwork. Standard Micro Focus contracts allow third parties to undertake audits and can even provide the vendor with audit rights that were never included in the original contracts.
IBM focusing on IBM Authorised SAM Provider (IASP)
IBM is continuing its audit activity and we are seeing more activity in smaller customers than before. Audits are still being performed by KPMG and Deloitte. We are still seeing significant issues with sub capacity conditions not being met, and IBM are responding by pushing larger customers into the IASP program. We are expecting to see higher non-compliance on sub capacity as Windows Server 2008, vSphere 6.0, Oracle Linux 6 and other technologies become ineligible.
SAP following the enhanced audits route
Another change of note is from SAP. It seems to be broadening its focus by undertaking more and more enhanced audits, scrutinizing deployments of its growing stable of cloud-based solutions, including SuccessFactors, Business Objects and HANA, not forgetting Indirect Access, which is a key focal point during the enhanced audit.
Five ways to ready your organization for increased audit activity
It’s a reasonable expectation that vendors will become even more focused on audits in the forthcoming months. As such, it is important that organizations understand how to prepare for this frenzy. Here are five ways to get ready:
Ask for a deferral.Even Oracle, which has the strongest track record of sending out audit letters, will consider a deferral. It is perfectly reasonable to ask for a delay if your organization has other mission-critical or time-sensitive priorities making it difficult to free resources in order to manage complex audit procedures. The important thing is to follow an audit timeframe that suits your business, not the vendor.
Go direct.Ask your vendor to conduct the audit itself, rather than appoint a third party. This solves issues associated with conflicts of interest and tends to make the process both smoother and simpler. Even if your contract dictates a third-party auditor can be used, vendors can be swayed, particularly if the customer is large or planning to expand usage.
Know your audit scope.With plenty of M&A activity in the software and cloud industry, it is imperative that you are fully up-to-speed on any changes to your contract terms as what you signed up for originally may no longer stand. Furthermore, understanding the scope will help you identify when a vendor is trying to overstep the mark, by asking to investigate deployments outside of the contract.
- Develop a strategy.
Create and introduce a repeatable process that you can follow each and every time you receive an audit request, something that you can expect with increased frequency from here forward. You can read more about developing a proactive strategy in order to achieve a permanent state of audit readiness here.
- Do not be lured by the cloud.
Most businesses now recognize there are advantages to moving from on-prem to cloud-based solutions, but don’t be rushed into the decision by a vendor which is using your state of non-compliance as a means to win more business. Assess your cloud needs on your own terms and then, and only then, engage with the vendor about a new licensing agreement.
For more detail on how to prepare yourself for a Software Vendor Audit, as well as understanding the best practices for how to respond to an audit letter, click below to access our eGuide for Software Vendor Audits.
More from Livingstone