ISAM Blog | Expert Insights & Tips on Software Asset Management

Effective Software Audit Response:  The Plan

Written by Alan Bain | Aug 15, 2023 7:20:20 PM

 

The communication plan, the sitting audit response team, and leadership support.

The software license community continues to reel from vendor audits that are at once punitive and out of control. Unfortunately, it is within the software vendors’ right to audit a client’s use of their software. That sounds like a defeatist attitude. Are there things that clients can do to fight back, short of not returning the call? The Software Asset Management community too often has focused on things like Effective License Positions(ELP), discovery tools, and license optimization when it comes to audit response. But we are finding more and more that there is a single thing that can be done to improve your chances of minimizing audit findings: have a well-documented audit response policy. That plan should include a communication plan, a sitting audit response team, and leadership support to enforce the plan. What does that look like practically?

The Plan

A communication plan includes multiple levels of communication and starts with the contract. Contracts of any sort include documentation of notices, that is who should get the notice from a vendor or from a client. In the case of a software contract, this becomes even more important as this is the destination of the audit request. We have found a best practice is to note that communication goes to an email address that is actually a distribution list that includes procurement, IT, legal council, and management. These are easy to set up and could include one for your entire company or unique addresses depending on the software vendor. For instance, an address of IBM_Audit@newco.com might be a good address for IBM to send any kind of contractual notices to New Co.

The communication plan will also include what to do with that notice. A best practice is for the initial communication to be sent by legal counsel as soon as practical. It should be a simple communication that acknowledges receipt of the notice, a timeline that the vendor can expect the response, and the internal action items as a result. When the vendor gets a detailed communication, it answers their initial questions and provides the best next steps.

Finally, the communication plan should also specify what should stop, namely any kind of communication to the vendor, other than from the audit response team. We have seen many examples where a notice was received and sent not to an audit response team, but instead to the technician or software user who would provide the response anyway. But the result was that a non-vetted response was sent to the vendor resulting in needless confusion and added expense. Stopping vendor communication includes any talk of future sales. Nothing threatens a sales executive like a potential for a commission to be stopped.

The Team

In addition to a good and thorough communication plan, the audit response plan will include the policies and procedures for an audit response team. This team should be a permanent fixture with regular meetings, agendas, and responsibilities. First, the team should consist of those who can make decisions or provide needed information quickly. For most companies, this will include a team leader from the SAM team. Additionally, legal counsel must be included. This attorney must be well versed in software contracts, and the steps of a vendor audit. A procurement analyst who is familiar with the contracts and can identify the entitlement for the software vendor. Finally, an executive sponsor or champion should be included on the team. While they may not have much practical knowledge, they can represent the rest of the organization and provide a communication conduit. Others can join depending on the audit at hand or other responsibilities.

The audit response team can have other responsibilities aside from acting in the event of an actual audit. The team could test the accuracy of ELPs by reviewing each ELP, quarterly, against what is actually installed or running. The team could also run audit response drills by simulating what would happen in the event of an audit letter. The approach could be as elaborate as needed by the organization and could include real scripts and reviews. Finally, the team will ensure education and awareness about audits within the entire organization and will keep the audit on your schedule, not the vendor's.

Leadership Support

An executive sponsor or champion on the audit response team is a great start to gain leadership support. Further support is required for enforcement of the plan. For example, if vendor request does not follow the prescribed, contracted channels, who will communicate with the vendor that their request is not warranted. Leadership can also provide for discipline if the plan and SAM procedures are not followed. An executive sponsor may be one of the most important components of the audit response team.

Software vendor audits are a foregone conclusion. Everyone will be audited by multiple vendors annually. But ensuring a timely and valid response is now becoming more important because of the potential findings if an audit isn’t defended and executed correctly. Having an audit response team in place at all times is the best defense and a great way to get the audit off on the right foot with the vendor and with the selected auditor. A strong Audit Response Policy will do just that. The policy as outlined will combine a good communication plan along with staffing of an audit response team to ensure that the audit is addressed in a timely manner, by the correct people. An executive sponsor or champion will round out the policy and ensure its enforceability within the organization. It is within a vendor’s contracted rights to audit the use of its software licenses. But those rights don’t preclude the rights of the organization for a thorough and timely defense. The Audit Response Policy will ensure both by creating the organization and plan around addressing software vendor audits.