When I served in the Royal Air Force in the 1990s, every so often we had to undertake NBC (Nuclear, Biological and Chemical) training, the purpose of which was to ensure that we could continue to operate in full NBC gear should one of our country's enemies launch such an attack. One of the drills we were taught was the respirator "sniff test". That was a long time ago, and memory fades with time, but the basic premise was that you had to assess whether chemical or biological agents were still present by gently breaking the seal on your respirator and inhaling - the sniff test.
A fellow consultant asked me some time ago how I would conduct an "audit smell test", hence the story above. Her question, essentially, was: how do you check that an auditor's findings are correct? If you have read my earlier posts in this series on handling audits, you'll recall I said that the audit team should always include a licence consultant; whether that person is an internal resource or a third-party specialist is another matter, but this stage of the audit is where that person is key.
The first step, clearly, is to focus only on the products where the auditor has found a deficit. If they conclude that you are fully licensed for a product, the vendor will not question it; at least, not in my experience. To test an auditor's position where they believe there is a shortfall, there are three important elements:
Any effective licence position (ELP) worth its salt should include the background data used to inform that position. If it does not, challenge the auditor to provide it. Once you have it, check that the data they used matches what you supplied and that their interpretation of it matches your own. If either check highlights a difference, feed it back to the auditor and challenge them to justify the gap.
Assuming the background data checks out, or any differences have been resolved satisfactorily, the next step is to check that the auditor's ELP matches the one you prepared earlier, in best Blue Peter fashion ("here's one I made earlier"), before you supplied the auditor with any data. If the auditor's conclusions do not match yours, insist they supply details of the contractual clauses on which their conclusions are based; only the contract binds you, not a vendor's product literature. You'd be amazed at how often you get pointed to incorrect contracts, incorrect interpretations of a contractual clause, or, worst of all, a vendor's data sheet for the product concerned - I have experienced all of these in different audit defences.
The third step is to ensure the auditor has used all of the available licences that could apply, and has applied them optimally. Again, you'd be amazed at how often auditors misapply licences to deployments or ignore swathes of licences that could cover a given deployment or usage of the software. Lastly, make sure you can point to evidence that supports your belief that the auditor has made mistakes, and don't back down when challenged. In the case of a third-party audit, the auditor will not always accept your view, even with evidence, and will leave it to the vendor to make a call on it. If you can point to a correct interpretation of the correct contract, you will generally be in a good place.
Once these steps have been taken and you have agreed a draft position with the auditor, as far as possible, the ELP will generally be sent to the vendor for consideration. Once that has happened, it is unlikely that you will be able to get any further changes made, so it really is critical that you do everything you can to check you are happy with the position before it goes. You will then be in a better position to face the commercial negotiation with the vendor and reach a settlement that is acceptable to both sides. Obviously the best outcome for you is no deficit at all, but that rarely happens.
If you are about to be audited, or are in the middle of an audit, and require support from a company that has your best interests at heart, then contact us for help.