How to Mitigate Software Compliance RisksBy Guest Author | Posted 2015-07-14 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Audits used to be done because of whistleblowers or suspicious licensing behaviors. Now, most software providers do audits as part of their business practices.
Managing the Audit
In the almost-inevitable case that the enterprise is audited, a common mistake is to passively accept the audit process and simply wait for the results. Instead, the enterprise should prepare actively for the audit, remain engaged during the process and be prepared to negotiate the outcome.
Upon notification, the enterprise should refamiliarize itself with the agreement to understand the basis under which the audit was requested. Older agreements, if not superseded, may not contemplate audits or may dramatically limit the audit scope and/or remedies for noncompliance.
The organization should coordinate with the auditor to understand the intended scope and approach, as well as confirming the license agreements and entitlements that will be used as the baseline for the audit. The auditor may be basing its plans on standard licensing terms (rather than any negotiated agreement) or be unaware of certain entitlements, such as those assigned following an acquisition.
Other frequent sources of error include product name changes, software functionality repackaging or license updates provided as part of annual maintenance.
Having understood the proposed audit approach, the enterprise should self-audit to evaluate compliance and identify risks. Entitlement data may be collected from centralized databases, purchase orders, license certificates and keys, or invoices—even emails.
Deployment and usage data should be collected so that actual software utilization is understood, and the data reconciled to confirm compliance—or otherwise. Depending on the result of the internal audit, proactive notification to the provider and remediation under enterprise purchasing terms and discounts may be appropriate.
Define Audit Procedures
When the audit starts, the enterprise should work with the auditor to define audit procedures. Audit duration should be established up front, with the audit ending if noncompliance is not demonstrated within that timeframe.
In addition, communication channels should be instituted, with a single point of contact appointed for the audit process. This contact person acts as the gatekeeper between the auditor and the enterprise, and manages communications and messaging, coordinates internal issue resolution and enables timely responses.
The enterprise also should make clear that it requires a draft of the auditors’ report to address data discrepancies. It is imperative to address potential issues before cost implications are discussed.
The company should closely review the auditor’s findings. Since the audit team may not be familiar with the enterprise environment or custom licensing terms, it is possible that there will be errors or incorrect assumptions. The enterprise must provide clear feedback to the auditor and ensure that the feedback is addressed in subsequent report iterations.
The enterprise should treat the initial settlement demand as a negotiation starting point. If noncompliance was inadvertent and reasonable, a possible counteroffer might be based on achieving and maintaining future compliance rather than backdated compensation, retributory list pricing or other punitive costs.
If the enterprise can establish a reasonable and fair position and demonstrate the adverse relationship implications for any larger resolution, it may lead the software provider to consider the value of a “bird in the hand” in order to, for example, meet revenue reporting or personal bonus deadlines.
For enterprises with a substantial software portfolio, software audits are now practically unavoidable. However, by actively structuring licensing agreements appropriately, minimizing compliance uncertainty through robust SAM processes, and vigorously engaging with the provider during software audits, enterprises can mitigate the risks and resultant potential costs from these events.
Jonathan Shaw, Ph.D., is a principal of Pace Harmon, an optimization and outsourcing advisory firm. He has more than 12 years of experience negotiating and implementing outsourced IT and telecommunications services.