Software audits are like security incidents: they happen to everyone at some point. No one likes them. Colleagues have to prepare for an audit that requires a lot of effort under intense time pressure. And it is not uncommon for incorrect licensing to generate significant additional payments. Worse still: a failed software audit damages IT's reputation, as it can be interpreted as a sign of mismanagement.
When an external auditor from a software manufacturer announces an audit, panic is not unusual. Are we license compliant? Do we have all the necessary evidence for our license inventory? Are our license balance and processes correct? External auditors often demand comprehensive information within 30 days. Based on interviews with companies that have been audited several times, the following procedures have proven effective once a notification letter is received:
- Establish an audit response team: Companies that run the risk of being audited on a regular basis should define processes and responsibilities that stipulate precisely how to proceed after an audit notification. To this end, it is worth establishing an audit response team that acts as the single point of contact for the software vendor's external auditor.
- Establish a strategy: This begins with probably the most important question: should the audit be prevented, or should one pursue a more cooperative strategy to get it over with as quickly as possible? Alternatively, you can agree in advance on a tailored contract with the manufacturer that defines how software audits will be carried out. The latter is particularly useful if you want to spend more time preparing for the audit.
- Create an overview of contracts and obligations: What was signed and under what conditions? Does the manufacturer have specific audit clauses? Which general and enforceable terms and conditions were included? Was a framework agreement with individual clauses completed? Are contractual penalties for breach of contract already fixed in writing? It must be clear within the company what one is obligated to do and what rights one has. Audit clauses contained in general terms and conditions (GTC) are only permissible if they comply with copyright law and also take data protection and confidentiality into account.
- Check the audit letter word for word; it's worth it: In general, you are well advised to take a close look at the audit letter, word for word. Who is the sender? What exactly do they want to audit? If contractual rights are invoked, have them explained to you in writing. Often the letter only mentions consulting services, which can be rejected initially to gain more time.
If you are forced to act under time pressure in a software audit, you will usually not achieve optimal results. It is preferable to use software asset management so that all data, processes, and contracts can simply be pulled out of the drawer, ready to use. The critical aspects of a software audit usually cluster around three topics:
- Lack of license management processes
- Lack of centralized, structured knowledge about software assets, license models, and actual software usage
- Complexity of licensing requirements
To avoid this stress, the recommended approach is to introduce company-wide, process-oriented Software Asset Management (SAM) in five steps.
- Define goals: Do I "only" want to be reactively license-compliant, or do I want to proactively shape my software portfolio? With a reactive approach, everything basically remains the same; for each audit, the cleaning up and counting starts all over again.
- Define and set up the relevant SAM processes: This includes a complete record of the license inventory, the definition of the license management process, and integration into a change management process. The latter in particular is crucial to clarify who is actually allowed to select and order software and to approve the costs it incurs. This procedure is the basis for standardized workflows.
- Implement a software asset management tool: This project phase includes establishing connections to all the relevant technical data sources such as inventory, CMDB, and license metrics, as well as setting up mechanisms to ensure data quality.
- License management via an opening balance sheet: This includes evaluating existing contracts and license terms, and setting up software-supported workflows for automatic comparison and for license consolidation (reconciliation) per product or vendor.
- Ongoing operations: This final project stage serves as the starting point for continuous service improvement as recommended by the ITIL framework, and for extending the new processes and workflows to additional software products and vendors.
In any case, successful implementation requires seeing this change as a corporate task and ensuring its sustainability. Otherwise, the project will get stuck or "peter out" at some point. Use your accounting system as a guide. Central accounting for legally binding reporting to investors and the tax office is, after all, taken very seriously. License management is basically no different: it is accounting for IT.
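The reconciliation step of the opening balance sheet above, as an added illustration that is not from the original article or any particular SAM tool: entitlements from the contract overview are compared against inventory records to produce a license balance per product. The product names, metrics and records are constructed sample data; the code handles duplicate inventory rows, per-core versus per-device metrics, and products that were installed but never purchased.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str     # "per_device" or "per_core", as defined in the contract
    quantity: int   # purchased units of that metric


@dataclass(frozen=True)
class Installation:
    host: str
    product: str
    cores: int      # physical cores of the host, needed for per-core metrics


def license_position(entitlements, installations):
    """Return {product: {metric, entitled, consumed, balance}} per product.
    A negative balance is a shortfall an auditor would charge for."""
    metric, entitled, consumed = {}, defaultdict(int), defaultdict(int)
    for e in entitlements:
        # One product must not mix metrics; that is a contract-data error.
        if metric.setdefault(e.product, e.metric) != e.metric:
            raise ValueError(f"mixed license metrics for {e.product}")
        entitled[e.product] += e.quantity
    seen = set()
    for inst in installations:
        if (inst.host, inst.product) in seen:   # duplicate scan record
            continue
        seen.add((inst.host, inst.product))
        # No contract at all: count devices so the product still shows up.
        m = metric.setdefault(inst.product, "per_device")
        consumed[inst.product] += inst.cores if m == "per_core" else 1
    return {p: {"metric": metric[p], "entitled": entitled[p],
                "consumed": consumed[p], "balance": entitled[p] - consumed[p]}
            for p in sorted(metric)}


def shortfalls(position):
    """Products whose balance is negative, i.e. the audit findings to fix."""
    return [p for p, v in position.items() if v["balance"] < 0]


# Constructed sample data: two DBServer contracts, one OfficeSuite contract.
ENTITLEMENTS = [Entitlement("DBServer", "per_core", 16),
                Entitlement("DBServer", "per_core", 8),
                Entitlement("OfficeSuite", "per_device", 3)]
INVENTORY = [Installation("db01", "DBServer", 16),
             Installation("db02", "DBServer", 12),
             Installation("ws01", "OfficeSuite", 4),
             Installation("ws01", "OfficeSuite", 4),   # duplicate row
             Installation("ws02", "OfficeSuite", 4),
             Installation("ws03", "DesignTool", 8)]    # never purchased

if __name__ == "__main__":
    for product, row in license_position(ENTITLEMENTS, INVENTORY).items():
        print(product, row)
```

On the sample data, DBServer is 4 cores short, OfficeSuite has one spare device license, and DesignTool is flagged as deployed with no entitlement at all.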