By Cyndi Tackett
We’ve all heard the anecdotal stories of disgruntled employees contacting the BSA to report software license compliance violations out of malicious intent, triggering a software audit. But many software audits are triggered by your own well-meaning employees trying to get their jobs done and help the business. In the past few weeks, I’ve heard many horror stories from companies about how their own employees unintentionally brought on software audits:
- An IT professional downloaded patches for a product no longer on maintenance. This caused a software audit that resulted in millions of dollars of back maintenance payments.
- An application user contacted vendor support for an edition of a product the company did not have rights to use. The support contact raised suspicion with the vendor resulting in a seven-figure unbudgeted audit expense to pay for the license compliance violations.
- An IT enterprise architect shared an architecture diagram with a vendor depicting more installations of a product than the company had purchased. This triggered a painful software license audit, but as it turned out, the drawing was incorrect. Although this did not result in an audit true-up finding, the company was caught on the back foot trying to defend itself and spent precious IT staff time in the process.
Software vendors have visibility into every aspect of their own organization that can alert them to potential license compliance issues. This includes support interactions, downloads from their websites, and customer engagement with their field personnel. This leaves companies in a very vulnerable position – your employees are engaging with software vendors every day. How can you protect yourself?
Here are 3 ways to help mitigate your software audit risk:
First, know your risk points or areas of potential under-buying. The best defense is a good offense. By knowing your actual license position for these key software vendors, you can proactively remediate potential threats. Have the software asset management (SAM) processes and tools in place to understand your license position at any point in time, with the goal to maintain continuous license compliance.
Second, put stringent vendor engagement policies and processes in place for your employees. Who can contact vendor support? What controls are in place to prevent upgrading or patching applications no longer on maintenance? What visibility do application owners have into the organization’s license position or software maintenance status? When should employees involve vendor management or procurement in conversations with the vendor? What topics are prohibited from discussion without vendor management involvement?
Third, set comprehensive guidelines with your vendors. Your vendors should be very aware that any commercial discussions must include IT procurement and/or vendor management personnel from your organization. Establish clear points of contact within your company for communication, approvals, and authorization. Establish rules for who within the company should be informed of all interactions with the vendor.
Certainly these shifts in culture are not easy, but they can pay off by reducing the risk of accidental audits triggered by your own talented teams.
For more information, please view our on-demand webinar: Top Tips for Surviving a Software Audit.