Scott Parkin, LANDesk Software: Proactive Preparation Simplifies Software Audits

June 2010 by Scott Parkin, LANDesk Software

Scott Parkin is the IT Service Management Product Manager at LANDesk. Software audits are a fact of life for the modern enterprise. While nothing can stop a vendor from auditing, there are a number of things IT managers can do to prepare for the possibility of an audit by shifting from a defensive to a negotiating posture.

Fair Is Fair

Like everyone else, software vendors should be properly compensated for the use of their products. It is the auditor’s duty to ensure the vendor is properly paid for each legal use of its software. While some audits are random, the majority are triggered by a credible report of violation. In such instances, auditors often begin the audit process with a bad taste in their mouth, as they are already suspicious of the licensee’s reporting practices.

There are only two reasons businesses fear an audit:

1. They are in violation and they know it.

2. They are unsure if they have committed a violation or not.

Be Prepared for a Software Audit

If a company is in violation and knows it, there is nothing to be done except brace for the consequences and prepare to write a potentially sizable check. However, if you are unsure whether or not you have violated software license agreements, there are several steps involving research, program setup and simple discipline that can help ensure your data is fresh and accurate.

Take Control of the Process

Given that knowledge is power and chance favors the prepared, there are six pragmatic projects you can implement to give you the knowledge you need to change the tone of an audit.

1. Create an asset repository: The most critical tool required for effective audit readiness is an asset repository specifically structured to support software licenses, contracts and other reference data. Proper utilization of such a tool will provide a single reference point for everything you need.

2. Know what you have: Understand what software titles and versions you actually own, and in what quantities — and gather the documentation to prove it. This should involve a financial paper trail with evidence of payment for original purchase, upgrades and software assurance contracts. Without the financial receipt, you will be unable to prove ownership to an auditor. Unfortunately, there are no easy answers to this process. You have the data, but it may be buried in your financial system or combined with other purchases or agreements in a form better served for cost accounting than software license management. You need to spend the time, effort, and pain to dig that data out — or simply pay the costs of purchasing the software again.

3. Know your paperwork: Document the usage terms and conditions for each license, and understand that each purchase may have unique elements. Software agreements can vary — especially bulk or enterprise agreements — and you need to know exactly what you are committed to, and how that agreement translates into software usage entitlements. Some agreements permit a title to be installed on several computers, but only consume one entitlement (right to use the software). Capturing that data with each purchased license and storing it in your asset repository will enable you to allocate software from the most efficient license pool to meet the specific need.

4. Know what software you are currently using: Accurately document what software is installed on your computers and virtual machines. Remember that installation constitutes use under the vast majority of licenses; compare the number of discovered instances with owned instances to determine basic compliance. If you are using enterprise agreements, the discovered number is your True-Up number (a process to align your EA with the number of total licenses you’ve added in the previous 12 months). Many organizations forget that software installed on a VM or an inactive computer may still be consuming a license (depending on your specific license terms and conditions). If you track the entitlement in addition to the discovery, you will never be caught by surprise, and you can manage accordingly.

5. Assign ownership: Implement an entitlement program to administratively assign the right to use managed software titles on specific devices. Compare entitlements (right to use) with discovery (fact of use) and police the exceptions. Perform this reconciliation activity on a regular basis and keep records as part of internal audits. Ultimately, this is the most important single project you can implement — and it is also the least commonly implemented program. Most organizations rely on discovery to tell them what they have, but without an administrative entitlement, there is no way to know exactly which installs are rogue, and thus, no way to police the policy exception.

6. Implement a request program: Create a software request program tied to your entitlement program to ensure that you only deploy software that you legally own — and aggressively police exceptions to that program. Make sure your software request and usage policies are documented and acknowledged by your users. People tend to resist a request program at first. However, if you aggressively remove unauthorized installs, they will learn to use a front-door request system very quickly. When authorized requests are handled by a consistent, repeatable process that ensures the repository is updated, identifying and policing rogues becomes easy.
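As an added illustration (not from the article or from LANDesk's own tooling), here is the reconciliation that projects 4 and 5 describe, in Python: discovery (fact of use) is compared with entitlement (right to use) to flag rogue installs, idle entitlements that could be reclaimed, and the per-title True-Up shortfall against what the paper trail says you own. Device names, titles and entitlement ids are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article). A discovery tool reports what is
# installed per device; the asset repository holds the administratively assigned
# entitlements and the count of entitlements actually purchased.
DISCOVERED = [            # (device, title) as reported by discovery; VM installs count too
    ("WS-001", "OfficeSuite"), ("WS-002", "OfficeSuite"), ("VM-010", "OfficeSuite"),
    ("WS-003", "CADTool"), ("LT-003", "CADTool"), ("WS-004", "CADTool"),
]
ENTITLEMENTS = [          # (device, title, entitlement id); one id may cover several devices
    ("WS-001", "OfficeSuite", "OS-E1"), ("WS-002", "OfficeSuite", "OS-E2"),
    ("WS-005", "OfficeSuite", "OS-E3"),                                 # assigned, not installed
    ("WS-003", "CADTool", "CAD-E1"), ("LT-003", "CADTool", "CAD-E1"),   # desktop + laptop share one
]
OWNED = {"OfficeSuite": 3, "CADTool": 1}   # entitlements purchased, per the financial paper trail


def reconcile(discovered, entitlements, owned):
    """Compare discovery (fact of use) with entitlements (right to use).

    Returns rogue installs, entitlements assigned but unused, and a per-title
    True-Up view: entitlements consumed (assigned ids backing an install, plus
    one per rogue install) against entitlements owned.
    """
    entitled = {(dev, title): eid for dev, title, eid in entitlements}
    installed = set(discovered)
    rogue = sorted(k for k in installed if k not in entitled)
    unused = sorted((dev, title, eid) for (dev, title), eid in entitled.items()
                    if (dev, title) not in installed)
    in_use = defaultdict(set)          # title -> entitlement ids backing at least one install
    for key in installed & set(entitled):
        in_use[key[1]].add(entitled[key])
    rogue_count = defaultdict(int)
    for _, title in rogue:
        rogue_count[title] += 1
    titles = set(owned) | {t for _, t in installed}
    trueup = {}
    for title in sorted(titles):
        consumed = len(in_use[title]) + rogue_count[title]
        trueup[title] = {"consumed": consumed, "owned": owned.get(title, 0),
                         "shortfall": max(0, consumed - owned.get(title, 0))}
    return rogue, unused, trueup


if __name__ == "__main__":
    rogue, unused, trueup = reconcile(DISCOVERED, ENTITLEMENTS, OWNED)
    print("Rogue installs (remove or entitle):", rogue)
    print("Entitlements assigned but idle (reclaim):", unused)
    for title, row in trueup.items():
        print(title, row)
```

In the sample, OfficeSuite shows no shortfall only because the idle OS-E3 entitlement can be reassigned to cover the rogue VM install; CADTool is one entitlement short and would surface in a True-Up.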

Implementing these six projects provides several key benefits.

First, by breaking the large task into projects, you can enlist the aid of multiple teams with specific and limited responsibilities. Let each team do what it does best, while the software asset manager brings the pieces together, increasing the overall value.

Second, by creating a standards-driven request system fed by (and feeding back to) license, entitlement, and discovery data, your data stays consistently fresh. This enables ad-hoc analysis at any time: when an auditor calls, you can provide not only factual data about what you have, where it is installed, and how it resolves against your licenses, but also methodological proof that you will stay compliant in the long term. The final key is to follow through and maintain discipline; otherwise your repository will become stale and you will slowly lose the gains associated with a structured request and entitlement system.

If you proactively implement and maintain these basic processes, you will be able to drive software purchases and maintenance agreements based on justifiable fact, not supposition — and you will have the key facts at hand needed to demonstrate compliance to an auditor.
