
Vendor Software License Audits

Updated: Jun 7

Software vendor audits are nothing new, but their frequency has risen over the last couple of years. Triggers include rapid technological change (cloud, AI, remote working), organizational events such as mergers and acquisitions or internal restructuring, reports of license misuse, or simply the organization appearing in the news (usually for bad reasons). Any of these may prompt a software vendor to start an audit, and the agreement often contains a clause that gives the vendor the right to do so. To many professionals it looks like just another audit of systems, applications, and processes, but in practice it is a different ball game. These audits are conducted by the software vendor or a designated third-party audit firm to compare the number of licenses your organization has purchased against the number currently installed on your computers. Ideally, an audit would highlight gaps by verifying compliance with the terms and conditions of the license agreement and recommend improvements. In practice, vendors use these audits to generate profit for their companies, and that profit can run into millions of dollars. Many vendors adopt unethical practices, interpreting licensing terms incorrectly and presenting exaggerated true-ups to settle the reported non-compliance.

If the organization is not well prepared to face such an audit, a huge financial, legal, or reputational risk is knocking at its door. Working on the compliance side, I had the chance to face such audits; luckily, I had great teams on my side, we defended our position successfully, and we thwarted their attempt to take a huge chunk of money from us. It is worth noting that most vendor auditors are actually salespeople with no formal education in audit or compliance, so they are never taught audit ethics. Their core objective is simply to make profit for their companies, ethically or unethically.

The following areas are truly important for being prepared to face these surprise audits:

  1. Never ignore their emails: Whenever a software vendor tries to contact you, reply promptly to their queries. Ignoring their approach may result in a formal audit or a legal letter, which will be painful for the organization.

  2. Determine if compliance is necessary: Check the contract to see whether you are legally obligated to submit to a software audit. Sometimes there is an option of an internal review instead of a full software audit, in which case you may be allowed to conduct the process internally using your own resources rather than having a third-party auditor conduct it. Either way, do not ignore the audit request, and respond to the vendor auditor in a professional manner.

  3. Scope: The audit scope must be clear. The organization should make sure the vendor clearly identifies the software products, legal entities, and locations being audited. The audit must be performed in accordance with the scope and procedure of the audit right granted to the auditor under the agreement.

  4. Begin creating your own ELP: Having your own Estimated Licensing Position (ELP) ready gives you a strong case against the auditor’s findings, which will most likely show an overly inflated compliance gap. Your ELP should compare your deployment data with your purchased licenses, within the scope of the audit.

  5. Agreement understanding: It is very important that the organization knows the contract terms, conditions, and penalties, and understands which licenses are being bought and how they will be used. A lack of understanding of the license agreements gives vendor auditors an edge and a free hand to attack the organization by claiming excessive true-ups and accusing it of unauthorized use of software. The organization must understand the licensing models and its own utilization strategy.

  6. Self-audit: Conduct a self-audit to get a heads-up on the approximate outcome of the vendor audit. Self-auditing should also be an integral part of any license management program and will do much to maintain compliance on an ongoing basis.

  7. Audit data: Data collected and provided during the audit should be based on the contractual agreement. Share data with care; any information that does not help the assessment should not be transferred. Auditors sometimes ask to run scripts in your IT environment; such requests should be aligned with the contractual terms.

  8. Audit reports: What I have mostly seen is that audit reports submitted by vendor auditors are not based on facts. Vendor auditors base their analysis on incorrect interpretations of the data and do not consider actual scenarios. The reason, as I have noted, is that most third-party auditors hired by vendors lack independence and are under vendor influence to submit a non-compliance report, since they are obviously paid by the vendor. Organizations need to make sure they have the right set of people who can challenge the report’s content. It is very important to ask for sufficient time to review the report and present counter-arguments. In my experience, I have seen many reports where the claimed true-up amount was in the millions but, after counter-analysis by the organization, was reduced to under 100k.

  9. Settlement and closure: The final stage of these audits concludes with the agreed true-up amount being paid by the organization. The organization needs to make sure that the payment settles the past dispute, that the vendor waives all rights, claims, and demands, and that the licensing shortfall is remedied for the future. If the organization has used software without appropriate licenses, the vendor may claim damages, but the organization should still challenge the extent of those claims to be on the safer side.

  10. Lessons learned: The organization should prepare a lessons-learned document after such an audit and make sure it is well prepared for future audits. There should be appropriate policies in place to guide end users on the use of licenses and to prohibit installation of unauthorized software; regular internal license audits to establish the current usage posture; a centralized inventory of software licenses; centralized purchasing of software with IT involvement; and a subject matter expert who reviews license agreements to understand the licensing model, confirms that it fulfils business needs, and ensures the business understands what is required to comply with the agreement.
