I wasn't really planning to write anything about software licence audits but it occurred to me, as it does from time to time, that vendor audits are probably one of the biggest concerns for your average software asset manager, particularly in the data centre. And given that one of the services Cortex Consulting offers is audit defence, potential clients have every right to see what they'd get for their money, right? As far as the contents of this series of posts go, I'm not going to talk about the causes of audits, at least not yet, nor how to use effective SAM to be prepared for them. I'm just going to assume that an audit letter has dropped on to the doormat and you're not ready for it.
A typical audit letter, depending on the vendor in question, will run along the following lines.
Dear (insert random name the vendor has on their records somewhere),
We have selected your organisation for a licence review, in accordance with the terms of contract reference XXXXX. We have chosen (insert name of "independent" 3rd party here) to conduct the audit on our behalf.
They will then, generally, either reproduce or draw your attention to the contractual clause which governs their right to audit, give a brief overview of the audit steps and try to tie you down to a kick off call with the vendor and auditor at some point in the next couple of weeks. So what should be your initial response? Well...nothing. At least, not until you have done the following things:
- Assemble your audit team - hopefully, you've got a process. If not, put one together today. Your audit project team should include representatives of the following areas - legal, procurement / commercial, IT asset management, technical delivery, architecture, a link to senior management, a link to the business (especially if they might have to pay the bill), a project manager (if it's a big enough audit to require managing as a project) and someone who understands the technology and contracts against which you are being audited, i.e. a licensing specialist. This latter can be an internal person or perhaps an external consultant.
- Designate one person from that team to be the point of contact with the auditor so there is no communication with them about which you are unaware. This can be anyone, though it will usually be someone with a commercial or asset management background, as long as it is agreed that everything goes through them.
- Understand the audit scope - there are lots of important questions to be answered here. To which contracts did the letter refer? What products are covered by those contracts? Does the contract have an audit clause? What business units are involved?
Once you've completed these steps, you can respond to the letter. The key point to remember here is that you should not allow the timelines or scope to be driven by the vendor or auditor.
- Clarify the scope - if you're not sure, based on the contents of the audit letter, ask. Not all audit letters are clear on the contracts the vendor intends to conduct it against and very few are clear on the organisation they are actually addressing. Make sure you get the answers you want.
- Ask for proof - something that is often overlooked. It is not unreasonable to ask the vendor to supply contractual evidence of their right to audit, if they haven't already done so in the letter.
- Insist on a non-disclosure agreement - many vendors will try to rely on the standard confidentiality clauses you will generally find in a master business agreement. Don't allow them to - insist on an NDA that is specific to the audit process and make sure your legal team have approved it. You should also ensure you have one in place with the auditor, if the vendor is going to use one.
- If you have a business reason for delaying the audit, use it - most vendor audit clauses will include some version of the phrase "the audit shall not unreasonably interfere with customer's business operations". A retailer I supported successfully delayed audit data collection during a Christmas change freeze. December was, far and away, their busiest month with more revenue generated that month than the other 11 combined. The vendor, grudgingly, accepted the delay. I say "grudgingly" because it had taken them the previous 5 months or so to get through my stonewalling on the contract and NDA.
Make sure that you get an acceptable response from the vendor before you agree to the kick off call. Nothing that you are asking for above would be considered unreasonable and it's important that you show that you are in charge of the process, rather than the vendor. In the next post in this series, I'll look at the kick off call and getting what you want before the audit commences. In the meantime, if your organisation is subject to a software licence audit, please do get in touch so we can support you through it.