Audits - And What To Look Out For

IT SEEMS AUDIT SEASON HAS STARTED EARLY ...

Revenue outlook must be a concern for a number of large, global corporates going by the number of audits we're aware of already this year - typically they seem to favour the mid to late part of the calendar.

And lets face it, an audit is the last thing you need when you're just getting back to those major initiatives that need focus. Of course often its that very focus that leads to compliance issues - lacking the necessary oversight and controls in your IT landscape its not uncommon for BAU changes to cause a world of difficulty - a simple server refresh that introduces more cores, a change in access permissions that broadens the user base, or perhaps just plain old virtualisation. ​

So what might target your organisation for attention by those loathed 'License Review Teams' waiting out there?

Well the answer is, more than you might think.

Typically something has got you to the top of the list. It can of course be within a common cycle such as at a contract renewal period, or an untimely prompt by one of those independent organisations whose entire income is through specialised and aggressive audits, but if not, what might cause it - and how might you prevent it?

First, consider the common triggers:

1. The innocuous supply of current state to the vendor (or partner) to scope and price a new project or programme of work;
2. A Vendor (or partner) who has been involved in one of your projects with access to your systems identifying  and reporting a non-compliant situation;
3. An aggrieved employee aware of compliance issues who has recently left the organisation with a grudge to bare;
4. Failing to submit a required usage report;
5. An unfortunate listing with the BSA as a result of failing another recent audit;
6. ​Or perhaps just a naive and blissfully unaware employee contacting a vendor to ask for your own contracts or license information because "we don't have a copy".

If any of the above have you a little worried look for the most telling signal from your vendors of an impending audit - the unexpected communication that your "account team is going through some changes", which is simply a calculated, preemptive move to extricate any history and/or advocacy you might otherwise have had - prepare and get ready! 

all of those "but" arguments will get you nowhere - "but we had an agreement",
"the account have known it was like this for years",
​"it was the licensing sold to us", etc etc.

Alternatively, if you're feeling comfortable that you're not under any imminent threat its still a good idea to take stock and review your position against the common triggers. The best defense is without doubt a robust and competent software licensing function within your organisation that maintains the necessary level of control (and has the added benefit of warding off those vendors who would rather take on an easier, less capable target).

When it comes to licensing and compliance its good practice to not treat your vendors like 'trusted partners' - keep in mind who they're actually working for, and who's paying their salaries.

So - what to do:

• Be cautious and restrict the information you provide to your vendors (and partners) - vet it carefully before releasing data that might expose you to further scrutiny;
• Similarly, if you're letting the vendor gain access to your estate make sure they're only going to get what they need, and even go as far as to add contractual terms that ensure they only use the information they gain for a specific, permitted purpose, not to go back to the office and gleefully expose any failings they may have found;
• If you have an employee leave on disagreeable terms it would be prudent to delve into their area of ownership and review your license position - resolve any compliance issues as a priority, just in case;
• Always keep on top of your reporting obligations and ensure usage reports are delivered in full, and on time;
• And lastly, remind your teams that interaction with your vendors is not something that just happens, nor is it a mandate or the responsibility of all. Instead, it is a specific role for those who are appropriately experienced and are vendor savvy. All communication should traverse this one path to be vetted accordingly, and lets just say that any unauthorised 'open invite to audit' emails to a vendor should be subject to appropriate  'education'  (and repeat offenders - reprimands).

Concerns? if you need any help, we're just a phone call away.