See your organization through the eyes of your publisher
In previous blogs of this series I covered (unintended) license violations and sorting out the associated software administration. But there is another way to avoid unexpected penalties or back payments: ensuring the software vendors don’t come knocking on your door for an audit. For this to happen, it is crucial to see your organization through the eyes of the publisher.
Ideally, you have continuous insight into your software spend. You have an overview of your complex landscape of licenses, subscriptions and contracts and know exactly what is used, by whom and how data moves through your organization. Software is ultimately a major capital asset for your organization. In short, if there is an audit, you will be prepared and have nothing to hide. Bring on the audit, right? In all honesty, no. Ideally you just want to avoid the audit. It takes a lot of time (and therefore money), it involves a lot of paperwork, there will be questions from the security department and often all kinds of people walk through your office. A lot of hassle that nobody wants.
Not even the software vendor. Only when there is reasonable doubt about your compliance position and a possible license violation will the software vendor proceed to an audit. Yet it is increasingly common: various studies show that the number of software audits has been increasing for years. With vendors such as Oracle, SAP and Microsoft, it is often just part of the business model and the approach of the sales team: for them, an audit is a tool to keep sales going and to facilitate new conversations.
The eyes of the software publisher
As SAM manager, you can avoid an audit by determining your own risk profile. See your organization through the eyes of the software publisher and ask yourself: does the publisher have reason to doubt my compliance status? What signals do I send? The bottom line is that you should let the supplier know that everything is fine with you and there is nothing to be gained. Organizations that have no idea what signals they send are often called a "sitting duck": they wait, as it were, defenseless until they are suddenly surprised by an audit, often from multiple vendors simultaneously. Without realizing it, they were a sitting duck and vendors had long had them in their sights. Mapping these signals - the sitting duck analysis - is, just like the administrative component, part of your software asset management strategy.
Communication towards software publisher
Communication with the software publisher is perhaps the most important. Whether it is a call from the salesperson or an email to the helpdesk, any form of communication with the publisher sends signals. It is important to create the right dialogue. Show that you are in control and be aware of which signals can suggest that you are not. Statements that are too hard and firm, such as a CIO who shamelessly says that everything is under control, are suspicious. It is better to talk in absolute numbers or in margins that are not too large. It sounds more believable if you indicate that 203 of the 210 servers are fully in control, while you are working on the last few percent, instead of 'everything'. A proactive stance in the dialogue also helps: you stay in control by sending your software administration to the publisher (if it is correct, of course) and sometimes asking for validation.
Purchasing, coverage and external IT specialists
Your purchasing behavior is tracked by your largest software publishers by default and it is an important indicator for a possible audit. There are several red flags that are easy for a vendor to recognize: think of the purchase of products associated with other products, which do not have the same number of licenses (upgrade licenses without basic licenses), or products that require assistive technology for which the license is missing.
The way your organization appears in the media also plays a role. Think of coverage of acquisitions or growth of the company. It can all indicate a decreased compliance position and thereby attract the attention of the publisher. Acquisitions especially are a major trigger, because software licenses are usually not a priority.
Also, be aware of external consultants who run around in your organization on behalf of a software vendor. It's obviously not as if they are spies, but an informal conversation with a consultant or a customer evaluation may contain indications of compliance issues. And this can always reach the audit department, which obviously uses this information. Generally, the analyses determine whether you will appear on the audit list, but your account manager often has a decisive role in the go / no-go decision.
Let them know there is nothing to get
Setting up a software administration and implementing software asset management is a long-term process. Especially if you come from a position where there is barely any insight into licenses, agreements and costs, it may take years before you are fully compliant. If you are audited before then, you're still screwed, even though you're on the right track. What a shame! From the beginning, focus not only on the administrative and physical part of license management, but also look at the signals from your organization. Do an analysis and see your organization through the eyes of your publisher. Eventually you want the publisher to think one thing: there is nothing to get here.
This article is also published in Dutch on Computable.nl.