IT SEEMS AUDIT SEASON HAS STARTED EARLY ...
- The innocuous supply of current state to the vendor (or partner) to scope and price a new project or programme of work;
- A Vendor (or partner) who has been involved in one of your projects with access to your systems identifying and reporting a non-compliant situation;
- An aggrieved employee aware of compliance issues who has recently left the organisation with a grudge to bare;
- Failing to submit a required usage report;
- An unfortunate listing with the BSA as a result of failing another recent audit;
- Or perhaps just a naive and blissfully unaware employee contacting a vendor to ask for your own contracts or license information because "we don't have a copy".
"the account have known it was like this for years",
"it was the licensing sold to us", etc etc.
So - what to do:
- Be cautious and restrict the information you provide to your vendors (and partners) - vet it carefully before releasing data that might expose you to further scrutiny;
- Similarly, if you're letting the vendor gain access to your estate make sure they're only going to get what they need, and even go as far as to add contractual terms that ensure they only use the information they gain for a specific, permitted purpose, not to go back to the office and gleefully expose any failings they may have found;
- If you have an employee leave on disagreeable terms it would be prudent to delve into their area of ownership and review your license position - resolve any compliance issues as a priority, just in case;
- Always keep on top of your reporting obligations and ensure usage reports are delivered in full, and on time;
- And lastly, remind your teams that interaction with your vendors is not something that just happens, nor is it a mandate or the responsibility of all. Instead, it is a specific role for those who are appropriately experienced and are vendor savvy. All communication should traverse this one path to be vetted accordingly, and lets just say that any unauthorised 'open invite to audit' emails to a vendor should be subject to appropriate 'education' (and repeat offenders - reprimands).