Do you know your audit risk?
Author: Paul Stevens-Craig, Head of Audit Practice, Livingstone Group
When it comes to software audits, organisations typically keep a keen eye on the vendors that they spend the most money with. After all, if they’re audited by a tier one provider, the financial ramifications could be significant. Focusing on the bigger providers also makes a great deal of practical sense – SAM teams within organisations tend to be pretty lean, so it’s just not feasible for them to stay on top of all vendor relationships.
As logical as this approach sounds, it is leaving organisations exposed to a number of audit-related risks.
Here are some other factors to watch out for:
Big doesn’t always mean bad
The tier one vendors – IBM, Microsoft, Oracle and SAP – all have a pretty well-known modus operandi when it comes to auditing their customers’ software estates. It pays to be familiar with what they are – then you are in a better position to assess the likelihood of an audit.
For example, Microsoft is relatively relaxed about its customer deployments, so even if you’ve invested heavily in its applications, it might not be knocking on your door quite as vigorously as some of the others.
Other vendors – a good example here is Oracle – are hot on some applications, but less so on others. You can learn more about Oracle’s approach here.
Smaller vendors can pose greater risks
While companies might spend less with the smaller vendors, in some instances at least, the risk of an audit – and the associated penalties and back maintenance charges that come with them – can be much greater. Indeed, some mid-sized vendors are nothing short of aggressive when it comes to pursuing their audit strategies. They are known to tweak their T&Cs, making audits more likely, more complicated and – most importantly still – more expensive.
Each tier two vendor’s approach does of course depend on its business culture, but we have noticed a general trend; legacy deployments are more likely to come under scrutiny. Again, it pays to be up-to-speed on their individual policies and behaviour. That way you can get on the front foot.
It’s also important to check whether the software being used within your company is from vendors included on your approved list. Lines of business – marketing, finance, HR, or any other department – can go ‘rogue’, purchasing and using applications without the blessing of IT.
This leaves you at risk of being completely blindsided by an audit.
Triggers that make audits more likely
There are also a number of common triggers that could spur any vendor to ask to audit your estate.
One of the most common triggers is when an organisation terminates a maintenance agreement. Likewise, companies that simply renew a longstanding contract, with no tangible change to the number or composition of licenses, are increasingly attracting attention. It’s a similar story for companies undertaking digital transformation programmes. Whether they are virtualising their legacy solutions or migrating to the cloud, there’s always a possibility that they might have the wrong type of licenses in place.
Quite recently, we’ve spotted that companies which are investing in professional services from their software vendor could also be at a heightened risk. While the information these consultants gather should be kept confidential, there’s a suspicion that it’s seeping back to their colleagues in compliance.
Some of the more hostile vendors even offer the support team bounties if they can correctly identify a customer ripe for audit. There is also the possibility that the software will ‘phone home,’ alerting the vendor of any suspicious installs or activity. A breakdown in the working relationship between vendor and client can be another flash point. Perhaps an upgrade or cloud migration didn’t go as planned, or maybe the client was making unreasonable demands. Either way, an audit could soon follow.
Macro-economic factors are also at play. After the 2008 financial crisis, we saw publishers increase their focus on audits as a way to protect their revenue streams. We can probably expect history to repeat itself later this year, particularly as companies have been rapidly deploying software in order to keep operating during the lockdown. You can read more on that on my recent blog.
How to mitigate the risk
As I’ve set out, audits happen for many reasons, so it’s vital that businesses get proactive and recognise it’s not a case of if they’ll be audited, but when.
Look out for my upcoming blog covering the steps companies can take to achieve a perpetual state of ‘audit-readiness’, so when that letter does arrive, there’s no need to panic.
Alternatively, please listen to our recent webinar to hear more about these risks, as well as how to proactively prepare for an audit.
First Posted: June 9th, 2020 - Livingstone Group Blog