In the first post in this series, we considered the dreaded audit letter and how you should respond to it.  To recap, the main points of the audit process covered so far were assembling your audit team, designating a contact point and understanding the scope of the audit the vendor wishes to undertake.  In the response letter, you should request proof of the right to audit, if not already given, insist on a non-disclosure agreement and, if you have one, use a business reason to delay the audit until a time it suits you better.  Remember, most vendor audit clauses will include "not unnecessarily impacting on your business".

In the audit letter, the vendor will generally try to tie you to a kick off meeting or call, along with their chosen audit partner (if they have one), to talk through the process of the audit - i.e. what data they want to collect, how they want to collect it, the timeline they want to work to and what they expect you to do.  Bear in mind that, even in the case of a formal licence review, they will most likely come across as your friendly uncle trying to offer you some advice on life.

If, as I would hope, you have used the tips we have included so far, then you should be in a pretty good place come the kick off call.  If you haven't yet got all of the answers you wanted when you responded to the audit letter, this is the time to get them.  Remember that the vendor (and, to a certain extent, the audit partner) is probably counting on you being cowed by the whole process and that you need to show them who is in charge - yes, they may well have a legal right to audit your usage of their software, per the contract you agreed to, but the audit clause certainly won't have too much detail beyond that.  Will it compel you to use certain tools to provide data outputs?  No.  Will it compel you to give them any data they ask for?  No.  Will it compel you to provide that data to a certain timeline?  No.  These are the sorts of questions to bear in mind during the kick off meeting.

A few pointers:

1. Ask for, and ensure you receive before the audit commences, a copy of the licence entitlement that the vendor plans to audit you against.  This is a perfectly reasonable request, though you do occasionally find some vendors are reluctant to comply.  Stick to your guns; if the vendor wants to audit you, what they are auditing should be clearly understood by both parties.
2. Be very clear about what tools you have available and agree tool sets to provide data for each product in the scope of the audit.  For example, if you have a user metric on a product, and you restrict access to it via Active Directory, you could use an AD report to evidence the number of users who have access.
3. Agree what data you will supply in advance and stick to it.  You will often find that, in the case of an audit partner, you will be sent a spreadsheet to complete.  These are, typically, fishing expeditions for the vendor to glean as much info as possible about your IT environment, which they could well use for their own sales and marketing practices.
4. Agree a reasonable project timeline and don't let the vendor / audit partner push you into something that isn't going to work for you.  Don't be pushed into an audit process that either doesn't give you time to validate your data or drags on far longer than is necessary.  Timelines obviously depend on scope so understanding that is key.
5. If you're feeling a bit cheeky, question the independence of the 3rd party conducting the audit.  If, as is often the case, it is one of the big four, do you know all of their business interests?  Can you be certain there is no conflict?  The other point to bear in mind is that auditors are paid to conduct these reviews, so it is in their interests to find some revenue for their client.

These should all set you in good stead to comply with the audit and start working with auditor.  In the next post in this series, we will look at the audit process itself, some of the things to look out for while it is ongoing, and some of the things not to do.  In the meantime, if you require any support with a software vendor audit, please contact us for a free consultation.