software licence audits - facts survival benefits

23
Software Licence Audits Survive and Take Advantage

Upload: eric-chiu

Post on 16-Aug-2015

446 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Software Licence Audits - Facts Survival Benefits

Software Licence AuditsSurvive and Take Advantage

Page 2: Software Licence Audits - Facts Survival Benefits

For the past two years, I have sensed a gradual change of perception towards Enterprise Software Asset Management

(SAM) in the IT community – less so the traditional ‘how hard can counting computers and installations be’, and more

focus placed on keywords such as ‘compliance’, ‘licence optimisation’ and ‘cloud-readiness’.

Along with the change comes senior management support and investment. Many organisations have now built up

dedicated SAM teams, purchased shiny new tool sets or signed up Managed Service Agreements with their LARs or IT

Service Providers.

So all looks good and promising, except for one small problem – I am still seeing major audit exposures and largeunbudgeted pay-outs from companies who invested in SAM. Why?

Being part of a well established audit firm that has conducted licensing audits for more than 20 years, and having

worked with most of the top 10 software vendors' compliance programmes, I believe my answer to this question will be

interesting, and more importantly, useful to you and your organisation when your next “Audit Notification Letter” lands.

This will be the first time in the industry that a vendor-appointed audit firm shares audit insights and bullet-dodging

techniques. Some of the things you read may be already known, while others will be complete surprises – so please

buckle up and I hope enjoy the read.

Compliance will be rewarded.

Are you ready to comply?

Eric is the Director of Fisher IT Asset Consulting, with a team of 20 enthusiastic and highly experienced licence auditors andconsultants. Prior to his current role he managed a similar team at one of the “Big Four” audit firms and was responsible for thelaunch of UK compliance programmes for a number of major software vendors.

Page 3: Software Licence Audits - Facts Survival Benefits

Who we are

3

Fisher IT Asset Consulting (FIAC) are part of HW Fisher & Company, a top 30 UK professional services firm founded in 1933. Collaboratively, our team of 20 contract and licensing experts deliver Licence Compliance, Software Asset Management (SAM) and IT Asset Management (ITAM) services to organisations across all industries globally.

At its core, our portfolio of services is designed to assist organisations to:

Gain total visibility of their IT asset ownership and liability and understand how the assets are being utilised.

Identify and reduce risk of over-deploying software licences to prevent vendor audit exposure and significant penalty payments.

Optimise IT contracts and improve asset utilisation to reduce overall cost of IT asset ownership.

Eric Chiu, Director

• Tel: +44 (0) 20 7554 3014

• Mob: +44 (0) 754 0123 970

[email protected]

Stuart Burns, Partner

• Tel: +44 (0)20 7380 4964

[email protected]

Rafi Saville

• Tel: +44 (0)20 7874 7967

[email protected]

Page 4: Software Licence Audits - Facts Survival Benefits

What will be covered in this Guide

The average settlement fee per auditequates to 34% of a company’sexisting annual contract value with theauditing vendor.

4

Facts

•Fundamental knowledge of the Licence Audit business

Facts

•Fundamental knowledge of the Licence Audit business

Survival

•What happens in an audit and how to watch your every step

Survival

•What happens in an audit and how to watch your every step

Take Advantage

•Why licence audit can be good for you and how to reap the benefits

Take Advantage

•Why licence audit can be good for you and how to reap the benefits

Free Assessment

•A high-value, no cost independent check of your readiness

Free Assessment

•A high-value, no cost independent check of your readiness

Page 5: Software Licence Audits - Facts Survival Benefits

FactsFundamental knowledge of the Licence Audit business

Page 6: Software Licence Audits - Facts Survival Benefits

Fact 1: There is no escape

8 out the top 10, or 13 out of the top 20 software vendors (by revenue) have active Licence Compliance Audit Programmes globally to safeguard licensing revenue

A recent IDC survey shows that 63% of the enterprises in North America and Europe were audited by at least one software vendor for “licence compliance” in the past 12 months. Over one third of the survey respondents said that they paid more than £200,000 for audit settlements and penalties.

Adobe, IBM, Microsoft, Oracle, SAP and Symantec are the vendors who initiate the most audits. However, many more software vendors are relying on licence compliance audits today as one of their key revenue contributors under a challenging economy.

If your organisation has never been audited before, you probably will receive one of those notorious ‘Audit Notification Letters’ soon.

6

Page 7: Software Licence Audits - Facts Survival Benefits

Fact 2:This is not about honesty

The average settlement fee per audit equates to 34% of a company’s existing annual contract value with the auditing vendor.

7

This is not about whether your users are downloading cracks or ‘keygens’ from the internet.

The traditional whistle-blower-led anti-piracy raids can often be difficult to execute, costly and sometimes political for Software vendors, while generating a limited return.

In comparison, checking on paying customers who may have been less than careful in reading contractual terms and obligations, or in controlling the usage of legitimate software, has proven to be a robust and sustainable revenue generating strategy.

You might see yourself as an honest customer for spending £1 million a year buying Oracle or IBM licences and support annually. What your supplier sees, however, is a compliance opportunity estimated at £340,000, waiting to be ‘recovered’!

Page 8: Software Licence Audits - Facts Survival Benefits

Fact 3: Many names for one goal

‘SAM Engagement’, ‘True-up’, ‘Licence Optimisation’, ‘Baseline’ and many more … no matter how the vendors call it, it is always an audit that will cost you money.

8

Licence audit is costly for all software vendors whether they are using an internal team or working with independent audit firms to conduct the exercise.

Yet we have never seen any software vendor that had a compliance programme and decided to ‘switch it off’ – every licence compliance programme that we know is ‘self-funded’ and in most cases, highly profitable.

This means that you, the customers, are footing the bill. Some vendors are generous enough to only demand for the licences owed plus back maintenance; others may even ask you to pay for the auditor’s fee.

Page 9: Software Licence Audits - Facts Survival Benefits

Fact 4: Can’t outsource the challenge

Whoever ‘looks after’ licensing for you, whether it is a LAR, SAM service provider or SAM tool vendor, no one will guaranteeyour compliance or pay your audit bills

9

As long as you still buy software under your company’s name (an exception will be having no IT department and using an external provider to deliver IT as a Service), licence management remains your responsibility.

Outside support can help you automate processes and improve the underlying data quality to make calculation of licensing positions easier and more accurate. However, it is ultimately your (the software licensee’s) responsibility to make sure that you are consuming software licences in accordance with the agreed terms and levels you have with the software vendor.

This is why there are many organisations providing Software Asset Management support and services, yet no one sells ‘software licence compliance insurance’.

Page 10: Software Licence Audits - Facts Survival Benefits

SurvivalWhat happens in an audit and how to watch your every step

Page 11: Software Licence Audits - Facts Survival Benefits

Audit Selection

11

What happens

Because licence audits are often costly to conduct and sometimes triggeremotional reactions from the customer, the last thing a software vendorwants is an audit that identifies no compliance issues (and subsequently,no revenue).

Therefore, very rarely a software vendor will pick its audit targets randomly.To ‘recover’ the maximum amount of revenue under a set compliancebudget every year, most vendors use a combination of indicators togauge the ‘reward level’ of an audit candidate and prioritise theirselections accordingly. The most common type of such indicators usedare:

How to Survive

Unfortunately many of the ‘risk indicators’used by vendors to select audit targets areoften beyond your control. However, thereare still two practical tips that can be usefulto lower your rank on the target list:

Maintain an open and transparentrelationship with your account managers. Tellthem why you are not renewing or buyinglicences, and tell them how you control andmonitor the use of licences

Negotiate yourself out of licensing metricsthat are difficult to measure, especially whenthere is no licence consumption reportingmechanism built-in to the software.

Customer’s

purchase level

with the

vendor

Organisational

structure

complexity

Level of

organisational

change such as

M&A activities

Complexity of

licensing

model agreed

Purchase

pattern that

does not

reflect growth

SAM maturity

intelligence

gathered from

account team

Page 12: Software Licence Audits - Facts Survival Benefits

The Notification Letter

12

How to SurviveThe first thing you should do is to look for your licence agreements and the auditclause within. You should also notify the relevant stakeholders and assemble ateam that can provide both resource and expertise during the audit process.

At this point, if you are not confident of your compliance status, you shouldquickly arrange a mini-audit internally. If this is restricted by in-house expertise orresource level, it will be a good time to seek outside expert assistance.

It is vitally important that you have a clear view of your compliance positionbefore the vendor does it. This is not about trying to hide or delete over-usedsoftware – because, even if you do, most auditors can still find them.

However, most vendors are willing to give significant discounts for up-frontsettlement for the sake of saving their effort and cost of running an audit

What happens

You will receive a formal notificationfrom your software vendor or theirappointed auditors.

This could come in as a letter or ane-mail addressing the contractsignatory within your organisation,often requesting a ‘kick-off’ meetingto discuss the audit strategy andexpected timeframe of completion.

It will often inform you that anyadditional licences purchasedbeyond the date of the letter will notbe counted towards your licenceownership for the purpose of theaudit. Ask

Yourself

Are you aware of all licence restrictions and obligations stated in the EULA?

Can you measure software usage that is not licensed on user or install basis?

Does your Discovery tool cover non-Windows or test/dev servers?

Is your compliance calculation based on words or validated facts?

Page 13: Software Licence Audits - Facts Survival Benefits

Kick-off & Scoping

13

How to Survive

There are a number of important steps to safeguard your interest in the kick-off meeting:

Ensure that the agreed scope only includes software licences under your direct ownership and management. Do not include subsidiaries or overseas entities unless they are covered by the same licence agreement that is owned and managed by you.

Request for NDA to restrict the use of audit data from other purposes.

Ask for a reasonable timeline – you are not contractually bound to complete an audit within a set-timeframe, as long as its ‘reasonable’, so do ask for extra time if you are under-resourced or migrating your data centre.

What happens

This is the initial meeting where you andthe auditing software vendor, often withtheir appointed auditors, sit togetherand negotiate on the scope, approachand time line for the coming audit.

Typically, the audit scope can begeographic, organisational or limited byproduct families.

The auditors will outline the informationthey will need to gather to conduct theaudit, and discuss the methods ofcollecting such information with you.

Page 14: Software Licence Audits - Facts Survival Benefits

Managing Data Collection

14

How to Survive

The data collection process needs to be very carefully managed so that only relevant and requested data is submitted to the auditors. The most important tips on managing data collection include:

Have your own project manager who understands the audit scope, to oversee data collection, so your ‘techies’ won’t give away more than necessary.

Make sure you understand the rationale behind each data request – don’t be afraid to ask ‘what do you need this for?’ or ‘why are you running this script?’

Be extra-careful with what you declare – if you are not sure, spend the time and effort to investigate, instead of giving a ‘half-correct’ answer that will expose you into deeper scrutiny by the auditors later on.

What happens

The auditors will start the audit by gathering information after the kick-off meeting. The most common types of information gathering exercise include:

Interviews: auditors talk to your staff and collect information verbally or through on-screen observations

Self-declaration: you will be provided with a guided template to populate software usage information

Request existing records: these can be any records that you already own from CMDB reports to HR records

In-App reports: the auditors may ask you to generate built-in reports in some applications, such as user or connection reports.

Execute scripts / tools: the auditors may ask you to run software they provide to scan your machines

Page 15: Software Licence Audits - Facts Survival Benefits

Validating Draft Audit Reports

15

How to Survive

If you have done something wrong earlier in the process, whether by supplying outdated user information or including decommissioned servers in your self-declaration, this is your last chance to fix the issue. Once you have ‘accepted’ the report, it will be extremely difficult to reverse what you have said – even if what you have said does not reflect the reality. Therefore, it is vitally important that, at this stage, you:

Check the entire report thoroughly. Don’t just look at the summary ELPs; review the underlying datasets at least for the software titles that are in ‘red’ – identified as under-licensed.

Ask for clarification if you do not understand any part of the report entirely. It is the auditors obligation to explain how they arrive at their conclusions.

Involve the original person who supplied the auditor with raw data in the review process, to make sure the data has not been manipulated or interpreted incorrectly.

Try to remove any ‘assumptions’ the auditors made in the report due to lack of data from you, as most of these will not be in your favour. Supply them more data where possible.

What happens

After the auditors finish collecting the required audit information, they will prepare a Draft Licence Compliance Report with Effective Licence Positions (ELP) for each software title that you licence and consume.

Some will share the same draft with the vendor at the same time, but most will ask for your comment, and if possible, your acceptance of the report’s ‘factual accuracy’ before doing so.

Page 16: Software Licence Audits - Facts Survival Benefits

Settlement Negotiations

16

How to Survive

If you are still on the path of DIY audit defence at this stage, below are some basics that you should know before joining the table alone:

Mitigating circumstances: strong and verifiable ‘excuses’ for accidental usage or mis-deployment may be considered as mitigating circumstances

Publisher goodwill: collaborating with the vendor’s compliance team, rather than being purposefully obstructive, is more likely to land you goodwill on some liability waivers.

Vendor Demand Matrix: like all negotiations this is about give and take. Vendor compliance teams want immediate revenue, increased future revenue and swift payment without upsetting you. Look at what you can afford and choose your tactic accordingly.

What happens

Any red or minus lines in the Compliance Reports indicates that you owe the vendor money and you will be asked to pay up.

Depending on who the vendors are and the degree of non-compliance, you may be asked to purchase the licences owed at full list price without discount, paying back-maintenance and sometimes even the cost of the audit.

You will also be asked to clear the payment within a given timeframe, usually at 4 or less weeks upon audit completion. It is likely that your OPEX budget is not big enough to ‘take the hit’, and conversations with CFOs asking for ad-hoc cash are rarely pleasant.

Immediate revenue

Immediate revenue

Future revenueFuture

revenue

Time of paymentTime of

paymentRelationshipRelationship

Mitigating circumstancesMitigating circumstances

Publisher’s GoodwillPublisher’s Goodwill

Page 17: Software Licence Audits - Facts Survival Benefits

Take AdvantageWhy licence audit can be good for you and how to reap the benefits

Page 18: Software Licence Audits - Facts Survival Benefits

Don’t forget the Green lines

Most companies do not take action on thegreen lines in a compliance report – theseare the over-licensed positions where youare paying more licences than required.

You can’t really blame the auditors or vendors for not emphasising the ‘over-licensed’ positions – after all, it is not in their interest and no EULA has a ‘refund’ clause. Sure, there are sometimes good reasons for why you have purchased more licences than needed – up-coming projects or buying a bit more for the future and for the discount.

However, if these licences became excess due to genuine reduction of requirement, you can save significantly and instantly by switching off their annual support & maintenance payment, usually worth around 20% of the full licence cost.

You may also want to explore the used-software market, where there are increasing numbers of brokers paying cash to acquire unwanted perpetual licences from end-user organisations. 18

Page 19: Software Licence Audits - Facts Survival Benefits

Get up from where you fell down

Don’t throw away your compliance report.It is a perfect baseline for you to accuratelymanage your licence positions goingforward, so harvest it.

19

The compliance reports issued by the auditors and vendors will always have limited scope; nonetheless they are the next best thing you can have without major investment in your Software Asset Management practice.

With this validated baseline, as long as you carefully track all new licence purchases and deployment post audit, you will maintain good visibility over your licence position of the given vendor.

Of course, such tracking is more difficult to say then do. However, before you get that board approval on investments in SAM, this is still a very good ‘interim’ practice to keep your head above water.

Page 20: Software Licence Audits - Facts Survival Benefits

Learn from the auditors

It takes years of investment for the world’slargest audit firms to find efficient methodsto measure licence compliance, and this isshared with you during every audit.

20

We are not talking about counting basic software users or installs here, we are talking about understanding PVUs and RVUs for IBM, Core Factors for Oracle or one of the hundred types of users for SAP, plus all restrictions hidden within those 30-page Enterprise Agreements.

Measuring the ownership and consumption levels for complex software licences are often challenges to your LARs or even the vendors’ own sales teams. However, you have been given unique access to the best solution because of the audit.

Ask the auditor how they calculate each number, because they will have to explain. Document the process and keep a copy of their data collection instructions. Perform the same process yourself in the future so that your SAM practice will be audit-proof.

Page 21: Software Licence Audits - Facts Survival Benefits

Audit Readiness AssessmentA high-value, no cost independent check of your readiness

Page 22: Software Licence Audits - Facts Survival Benefits

Audit Readiness Assessment

22

What it is

A one-day independent assessment of your licence compliance readiness

Interviews, on-screen observations plus data and document reviews

Focus on ‘what you don’t know’

Same-day presentation of findings, with optional follow-up remote presentations at a later date.

Covered by NDA

What you get

Visibility of licence compliance risks and gaps that were previously unknown

Estimated financial exposure and saving opportunities

Ammunition for your SAM business case

Understanding the limitations of your existing discovery and SAM tools

A suggested plan of action, or a high-level requirement specification, should you wish to seek external support

Find out more at www.hwfisher.co.uk/fiac or e-mail [email protected] to book an appointment.

Page 23: Software Licence Audits - Facts Survival Benefits