Three ways your organisation can reduce software compliance risks


Many firms fail to comply with their software agreements and as a result pay unbudgeted audit fees. We look at what steps you can take to be proactive.

Cloud, social and mobile mean that today’s enterprise applications are being implemented and used in ways beyond those anticipated by legacy license agreements. Datacentre consolidation, shared services and international expansion could break restricted use rights.

Outsourcing can also exceed limitations on third-party use. Extranets, portals, and integrated application architectures make the division between direct and indirect users harder to define. Virtualisation, multiple core processors and multiple threads complicate CPU and server-based license schemes.

The drop in new license revenues has also led software companies to audit more often. These audits would often happen only when someone blew the whistle on suspicious licensing practices, whereas nowadays software vendors tend to audit as part of standard business practice.

Indeed, businesses can be audited many times a year across their portfolio of software. And it’s possible each audit could result in liabilities running into the millions. But organisations can take steps to mitigate this risk throughout license acquisition, during the software asset management (SAM) process, and in response to a provider audit.

1 – Focus on the license agreement

Risks during auditing can be decreased by targeting important areas of the license agreement. If different licensing models are available, the business should choose an arrangement that, beyond offering a cost-effective solution, permits confidence in compliance. A per-user or per-device licensing system may not be suitable for an environment with inadequate desktop configuration and asset management.

Organisations should keep license agreements as flexible and wide-ranging as possible, avoiding separate pools of licenses and using approaches like “exchange rights”, where unused licenses of one product can be exchanged for licenses required for another piece of software.

There should also be reasonable limitations on audit rights to prevent the audit being too intrusive and to offer even-handed resolutions for inadvertent non-compliance. Organisations need to have adequate notice and be able to delay audits in mitigating circumstances.

Organisations should be able to review software asset management processes with their software provider. Establishing that SAM practices are vigorous should mean that an auditor may not have to perform an intrusive, time-consuming audit.

2 – Shift to ongoing compliance

Once an organisation has established an agreement that avoids infringement and protects the business from the worst excesses of an audit, the focus can move on to ongoing operational compliance, applying a robust approach to SAM. A best practice is establishing license compliance and centralised tracking as a fundamental competence within IT.

The compliance team should be included in any license purchasing and involved in the enterprise change management process to detect any unexpected licensing effects. The team should also carry out recurring data verification audits to corroborate the output of any automated discovery tools and confirm enterprise license entitlements.

Most organisations now understand that Excel and manual methods are no longer adequate. SAM is presently perceived as a required core function in IT service management, and it’s offered as a component in the vast majority of ITSM toolsets. There are additionally standalone SAM tools, some of which are acknowledged by large software vendors as alternatives to their own license management software.

3 – Manage the audit and define processes

When an organisation is audited, a common error is to accept the process and results. Rather, the business ought to plan effectively for the audit, stay engaged with the audit and prepare to discuss the outcome.

When notified, the business should look again at the license agreement to comprehend the premise under which the audit was demanded. Older agreements may not have anticipated audits or may considerably constrain the audit scope and/or resolutions for non-compliance.

The business should coordinate with the auditor to comprehend the planned range and method, as well as verifying the license agreements and entitlements that will be used as the basis for the audit.

The auditor may base their investigation on standard licensing terms (rather than any negotiated agreement) or be ignorant of particular entitlements, such as those allocated after an acquisition.

Having comprehended the planned audit method, the organisation should self-audit to assess compliance and isolate risks. Entitlement information may be amassed from consolidated databases, purchase orders, license keys or certificates, or invoices.

Once the audit has commenced, the business and auditor should both define the audit process. Audits should promptly end if non-compliance is not shown within a certain timeframe.

There should be a single point of contact during the audit process to address internal problem resolution and allow for suitable responses.

The business should also insist on a draft report from the auditor to tackle inconsistencies in data. This needs to be done before costs are examined.

An initial settlement demand is a starting point for negotiations, especially when non-compliance was unintentional. Counter-offers may be based on maintaining future compliance rather than backdated compensation.

If your business can argue a fair position, the software vendor may consider the offer so as to meet personal bonus deadlines or reporting of revenue. Many enterprises are now engaging the assistance of expert SAM consulting partners to help them implement the type of activities described above, as they either do not have the expertise available within their own team or the expertise they have is unable to scale to the requirements. If in doubt, find a SAM expert to help. You’ll almost certainly save many times the cost through better optimisation of your software assets and the mitigation of liability that would otherwise be uncovered by a publisher audit.

The unavoidable

Organisations can no longer avoid audits if they have a large portfolio of software on their estates. But by arranging licensing agreements correctly, reducing compliance doubt through strong SAM procedures, and actively involving the vendor during software audits, businesses can mitigate the risks and subsequent possible costs from these measures.

Phil is the Products & Services Director at Crayon and has been an integral part of the Senior Management team for over 10 years, having joined the business in 2005. With over 20 years of ITAM experience, Phil is credited with being the original architect of the Crayon SAM-iQ platform.