Software audits are like tax audits. They can make even honest people sweat. And like tax audits, the software variety are being done more often.
A flat economy and slow sales are driving software companies to squeeze extra revenue from their customers by increasing the frequency with which they request audits. As recent coverage on the Wall Street Journal's website reports, Microsoft "has been checking up on its customers' software usage more vigorously than ever." The same article stated that customers of Oracle and SAP were feeling the same squeeze.
IT analyst firm Gartner concurs. According to a 2010 survey, software audits are on the rise. Six of every 10 respondents said their companies had been audited by at least one vendor in the past 12 months, up from 54 percent in 2009 and 30 to 35 percent in the prior three years. The top four audit-happy vendors were IBM (41%), Adobe (40%), Microsoft (35%), and Oracle (19%). Word on Forbes' blog is that this is a smart way for software companies to seek out new business opportunities.
But it isn't only savvy software companies spurring the flurry of audits. Unhappy employees lured by the prospect of earning a major monetary reward or a whistle-blowing fee paid out by organizations such as the Business Software Alliance may be turning their employers in for sloppy and haphazard recordkeeping. After all, the BSA considers use of software that can't be directly tied to a specific license to be a form of corporate piracy.
Media coverage of a major "bust" can lead to a company's loss of reputation, major operational disruption around the audit period, and unfavorable client-vendor relationships. Plus, if your company can't manage basic software licensing in the relatively straightforward world of client/server environments, what are the chances it'll be able to keep up with the even more complex structure of licensing in a cloud-based world?
The Five Stages of SAM
The antidote to these corporate irritants is to put in place a strategy for software asset management (SAM), in order to bring your software licensing into compliance. Achieving SAM depends on smart management decisions and on getting teams from across your organisation involved.
In this article we lay out the five essential factors required for SAM.
1. Assign a corporate executive to sponsor the work and set clear responsibility and accountability for SAM.
Ensure every activity has an owner who will see that it is actually carried out. There's no bigger waste of time and effort than trying to run SAM in silos without a corporate sponsor. SAM involves the procurement and contract management, service management, and IT infrastructure teams. We recommend that each team focus on one element of the process: capturing entitlements, performing cost center allocations, and handling installations. To ensure clear communication across divisions, each team needs a process owner who can participate in the development of efficient policies and procedures.
2. Identify your software entitlement.
Cull through all enterprise contracts and agreements to calculate the number of licenses you're entitled to as well as associated upgrade and downgrade rights for your applications. Likewise, prepare to do a comprehensive inventory of software orders, maintenance contracts, boxed software, and license keys. After all, there's nothing worse than going through a frantic audit and finding out afterwards that you had the licenses required and really didn't need to pay a "true-up" fee to the software company. (We've never heard of post-audit refunds.) Once the SAM structure is in place, all licensing-related information henceforth needs to filter through the change control process. That means declaring that no procurement of new licenses will occur without prior consultation of the entitlement levels.
3. Start counting up your software deployments.
Deploy a discovery toolset to ferret out the number of application installations in your organisation. This process will help you uncover license shortfalls by comparing the number of installations to your entitlement. Most discovery toolsets on the market offer add-on benefits, such as identification of PCs out of compliance with corporate computing policies and logs of software usage that can help you identify what applications actually are being used and which ones aren't. Also, the software companies providing these toolsets offer licensing helpdesk and advisory services at a relatively low cost that can help buffer your company against audits.
I have a couple of caveats. The first concerns whose audit tools you use. As an attorney who specializes in intellectual property recently pointed out, audit tools owned and made available by the company requesting the audit can "sometimes present an inaccurate picture of a company's actual...product deployments." The example provided: a CAD program that indicates "numerous installations" of an expensive application, whereas in reality the programs in use are free viewers that are irrelevant to the outcome of the audit.
Also, if your company runs virtualization software, make sure your toolset can accurately measure application utilization and put in place checkpoints to prevent over-use.
4. Ensure correct usage of your licenses.
Make sure that your deployed applications are used within the terms and conditions set by the vendor, which are easily retrievable from vendor websites. Ideally, you might consider collating those into a user guide for the "owners" of your SAM strategy and for your knowledge manager. They in turn may disseminate it to individuals, such as the IT personnel handling application virtualization, as needed.
5. Schedule regular internal audits and reconciliations.
There's nothing more effective than a looming quarterly audit report for the CIO to ensure that license compliance initiatives make progress. In the largest organizations, license "mop-up" activities usually happen in one go and irregularly at that. Internal audits should, of course, examine progress made against last quarter in terms of license compliance. The same reporting activity should also gauge progress of processes put in place to ensure that entitlement is known, license installation processes are secured, and licenses are being harvested on asset returns.
At the beginning of a SAM initiative, you'll uncover many gaps. By articulating a prioritisation strategy that targets the riskiest areas first (such as software from the vendors listed above) and tracking it with key performance indicators, you'll soon have SAM in check. Examples of KPIs include:
- the percentage of software accounted for, in order to measure progress made in the management of software;
- the percentage of software changes approved by the change advisory board, in order to measure progress made in controlling new software deployments; and
- the percentage of unauthorised software identified and uninstalled within a set deadline, in order to measure progress made in enforcing software security policies.
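The reconciliation described in steps 2 and 3 (entitlement versus discovered installations, with the free-viewer caveat applied) and the three KPIs above, as an added example that is not from the original article or any discovery toolset; the entitlement table, discovery rows and change counts are all constructed, and the KPI definitions are one reasonable interpretation of the list above:

```python
# Added example: minimal licence reconciliation plus KPI calculation.
# All data here is constructed for illustration.
from collections import Counter

# Constructed entitlement table: product -> licences purchased per contracts.
ENTITLEMENT = {"CAD Pro": 25, "Office Suite": 200, "DB Server": 4}

# Constructed discovery output, one row per (host, product, edition),
# in the shape a discovery toolset might report it.
DISCOVERED = [
    ("ws001", "CAD Pro", "full"), ("ws002", "CAD Pro", "full"),
    ("ws003", "CAD Pro", "viewer"), ("ws004", "CAD Pro", "viewer"),
    ("ws001", "Office Suite", "full"), ("ws002", "Office Suite", "full"),
    ("srv01", "DB Server", "full"), ("srv02", "DB Server", "full"),
    ("srv03", "DB Server", "full"), ("srv04", "DB Server", "full"),
    ("srv05", "DB Server", "full"),
    ("ws003", "TorrentTool", "full"),  # no entitlement record at all
]

# Editions that consume no licence; counting them inflates the audit picture
# (the "free viewer" problem described above).
NON_LICENSED_EDITIONS = {"viewer", "trial"}


def reconcile(entitlement, discovered):
    """Return ({product: (installed, entitled, shortfall)}, unauthorised products)."""
    installs = Counter(p for _, p, e in discovered if e not in NON_LICENSED_EDITIONS)
    report = {}
    for product, entitled in entitlement.items():
        installed = installs.get(product, 0)
        report[product] = (installed, entitled, max(0, installed - entitled))
    # Anything discovered that has no entitlement record is unauthorised.
    unauthorised = sorted(p for p in installs if p not in entitlement)
    return report, unauthorised


def kpis(report, unauthorised, approved_changes, total_changes, removed_on_time):
    """Percentages for: software accounted for (has an entitlement record),
    changes approved by the CAB, unauthorised software removed by the deadline."""
    tracked = len(report)
    accounted = 100.0 * tracked / (tracked + len(unauthorised))
    approved = 100.0 * approved_changes / total_changes if total_changes else 100.0
    removed = 100.0 * removed_on_time / len(unauthorised) if unauthorised else 100.0
    return round(accounted, 1), round(approved, 1), round(removed, 1)


if __name__ == "__main__":
    rep, unauth = reconcile(ENTITLEMENT, DISCOVERED)
    print(rep, unauth, kpis(rep, unauth, approved_changes=8, total_changes=10, removed_on_time=1))
```

With the constructed data, the two CAD viewer installs are not counted, DB Server shows a shortfall of one licence, and TorrentTool is flagged as unauthorised.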
The Look of Success
You'll know your organization has achieved steady state with software compliance when software specialists from various software vendors discontinue their requests for regular compliance reviews. That's no time to relax, however. Compliance "bliss" takes ongoing effort. The goal should be to embed SAM into your organisation for good by adopting security policies and educating users at all levels on compliance.
When you've moved beyond SAM fire-fighting mode, then you can look at gaining understanding of vendors' audit processes and consider sending SAM owners to certification courses based on the recently released ISO/IEC 19770-1 SAM Standard. Those efforts gain you points with vendors and can go far in encouraging them to look elsewhere for software audit revenues.