Software Licence Audits. Survive and Take Advantage

Transcription

1 Software Licence Audits Survive and Take Advantage

2 Compliance will be rewarded. Are you ready to comply? For the past two years, I have sensed a gradual change of perception towards Enterprise Software Asset Management (SAM) in the IT community less so the traditional how hard can counting computers and installations be, and more focus placed on keywords such as compliance, contract optimisation and cloud-readiness. Along with the change comes senior management support and investment. Many organisations have now built up dedicated SAM teams, purchased shiny new tool sets or signed up Managed Service Agreements with their LARs or IT Service Providers. So all looks good and promising, except for one small problem I am still seeing major audit exposures and large unbudgeted pay-outs from companies who invested in SAM. Why? Being part of a well established audit firm that has conducted licensing audits for more than 20 years, and having worked with most of the top 10 software vendors' compliance programmes, I believe my answer to this question will be interesting, and more importantly, useful to you and your organisation when your next Audit Notification Letter lands. This will be the first time in the industry that a vendor-appointed audit firm shares audit insights and bullet-dodging techniques. Some of the things you read may be already known, while others will be complete surprises so please buckle up and I hope you enjoy the read. Eric is the Director of Fisher IT Asset Consulting, with a team of 20 enthusiastic and highly experienced licence auditors and consultants. Prior to his current role he managed a similar team at one of the Big Four audit firms and was responsible for the launch of UK compliance programmes for a number of major software vendors.

3 Who we are Fisher IT Asset Consulting (FIAC) are part of HW Fisher & Company, a top 30 UK chartered accountancy firm founded in Collaboratively, our team of 20 contract and licensing experts deliver Licence Compliance, Software Asset Management (SAM) and IT Asset Management (ITAM) services to organisations across all industries globally. At its core, our portfolio of services is designed to assist organisations to: Gain total visibility of their IT asset ownership and liability and understand how the assets are being utilised. Identify and reduce risk of over-deploying software licences to prevent vendor audit exposure and significant penalty payments. Optimise IT contracts and improve asset utilisation to reduce overall cost of IT asset ownership. Eric Chiu, Director Tel: +44 (0) Mob: +44 (0) echiu@hwfisher.co.uk Stuart Burns, Partner Tel: +44 (0) sburns@hwfisher.co.uk Rafi Saville, Partner Tel: +44 (0) rsaville@hwfisher.co.uk 3

4 What will be covered in this Guide The average settlement fee per audit equates to 34% of a company s existing annual contract value with the auditing vendor. Facts Fundamental knowledge of the Licence Audit business Survival What happens in an audit and how to watch your every step Take Advantage Why licence audit can be good for you and how to reap the benefits Free Assessment A high-value, no cost independent check of your readiness 4

5 Facts Fundamental knowledge of the Licence Audit business

6 Fact 1: There is no escape 8 out the top 10, or 13 out of the top 20 software vendors (by revenue) have active Licence Compliance Audit Programmes globally to safeguard licensing revenue A recent IDC survey shows that 63% of the enterprises in North America and Europe were audited by at least one software vendor for licence compliance in the past 12 months. Over one third of the survey respondents said that they paid more than 200,000 for audit settlements and penalties. Adobe, IBM, Microsoft, Oracle, SAP and Symantec are the vendors who initiate the most audits. However, many more software vendors are relying on licence compliance audits today as one of their key revenue contributors under a challenging economy. If your organisation has never been audited before, you probably will receive one of those notorious Audit Notification Letters soon. 6

7 Fact 2: This is not about honesty The average settlement fee per audit equates to 34% of a company s existing annual contract value with the auditing vendor. This is not about whether your users are downloading cracks or keygens from the internet. The traditional whistle-blower-led anti-piracy raids can often be difficult to execute, costly and sometimes political for Software vendors, while generating a limited return. In comparison, checking on paying customers who may have been less than careful in reading contractual terms and obligations, or in controlling the usage of legitimate software, has proven to be a robust and sustainable revenue generating strategy. You might see yourself as an honest customer for spending 1 million a year buying Oracle or IBM licences and support annually. What your supplier sees, however, is a compliance opportunity estimated at 340,000, waiting to be recovered! 7

8 Fact 3: Many names for one goal SAM Engagement, True-up, Licence Optimisation, Baseline and many more no matter how the vendors call it, it is always an audit that will cost you money. Licence audit is costly for all software vendors whether they are using an internal team or working with independent audit firms to conduct the exercise. Yet we have never seen any software vendor that had a compliance programme and decided to switch it off every licence compliance programme that we know is selffunded and in most cases, highly profitable. This means that you, the customers, are footing the bill. Some vendors are generous enough to only demand for the licences owed plus back maintenance; others may even ask you to pay for the auditor s fee. 8

9 Fact 4: Can t outsource the challenge Whoever looks after licensing for you, whether it is a LAR, SAM service provider or SAM tool vendor, no one will guarantee your compliance or pay your audit bills As long as you still buy software under your company s name (an exception will be having no IT department and using an external provider to deliver IT as a Service), licence management remains your responsibility. Outside support can help you automate processes and improve the underlying data quality to make calculation of licensing positions easier and more accurate. However, it is ultimately your (the software licensee s) responsibility to make sure that you are consuming software licences in accordance with the agreed terms and levels you have with the software vendor. This is why there are many organisations providing Software Asset Management support and services, yet no one sells software licence compliance insurance. 9

10 Survival What happens in an audit and how to watch your every step

11 Audit Selection What happens Because licence audits are often costly to conduct and sometimes trigger emotional reactions from the customer, the last thing a software vendor wants is an audit that identifies no compliance issues (and subsequently, no revenue). Therefore, very rarely a software vendor will pick its audit targets randomly. To recover the maximum amount of revenue under a set compliance budget every year, most vendors use a combination of indicators to gauge the reward level of an audit candidate and prioritise their selections accordingly. The most common type of such indicators used are: Customer s purchase level with the vendor Organisational structure complexity Level of organisational change such as M&A activities Complexity of licensing model agreed Purchase pattern that does not reflect growth SAM maturity intelligence gathered from account team How to Survive Unfortunately many of the risk indicators used by vendors to select audit targets are often beyond your control. However, there are still two practical tips that can be useful to lower your rank on the target list: Maintain an open and transparent relationship with your account managers. Tell them why you are not renewing or buying licences, and tell them how you control and monitor the use of licences Negotiate yourself out of licensing metrics that are difficult to measure, especially when there is no licence consumption reporting mechanism built-in to the software. 11

12 The Notification Letter What happens You will receive a formal notification from your software vendor or their appointed auditors. This could come in as a letter or an addressing the contract signatory within your organisation, often requesting a kick-off meeting to discuss the audit strategy and expected timeframe of completion. It will often inform you that any additional licences purchased beyond the date of the letter will not be counted towards your licence ownership for the purpose of the audit. How to Survive The first thing you should do is to look for your licence agreements and the audit clause within. You should also notify the relevant stakeholders and assemble a team that can provide both resource and expertise during the audit process. At this point, if you are not confident of your compliance status, you should quickly arrange a mini-audit internally. If this is restricted by in-house expertise or resource level, it will be a good time to seek outside expert assistance. It is vitally important that you have a clear view of your compliance position before the vendor does it. This is not about trying to hide or delete over-used software because, even if you do, most auditors can still find them. However, most vendors are willing to give significant discounts for up-front settlement for the sake of saving their effort and cost of running an audit Ask Yourself Are you aware of all licence restrictions and obligations stated in the EULA? Can you measure software usage that is not licensed on user or install basis? Does your Discovery tool cover non-windows or test/dev servers? Is your compliance calculation based on words or validated facts? 12

13 Kick-off & Scoping What happens This is the initial meeting where you and the auditing software vendor, often with their appointed auditors, sit together and negotiate on the scope, approach and time line for the coming audit. Typically, the audit scope can be geographic, organisational or limited by product families. The auditors will outline the information they will need to gather to conduct the audit, and discuss the methods of collecting such information with you. How to Survive There are a number of important steps to safeguard your interest in the kickoff meeting: Ensure that the agreed scope only includes software licences under your direct ownership and management. Do not include subsidiaries or overseas entities unless they are covered by the same licence agreement that is owned and managed by you. Request for NDA to restrict the use of audit data from other purposes. Ask for a reasonable timeline you are not contractually bound to complete an audit within a set-timeframe, as long as its reasonable, so do ask for extra time if you are under-resourced or migrating your data centre. 13

14 Managing Data Collection What happens The auditors will start the audit by gathering information after the kick-off meeting. The most common types of information gathering exercise include: Interviews: auditors talk to your staff and collect information verbally or through on-screen observations Self-declaration: you will be provided with a guided template to populate software usage information Request existing records: these can be any records that you already own from CMDB reports to HR records In-App reports: the auditors may ask you to generate built-in reports in some applications, such as user or connection reports. Execute scripts / tools: the auditors may ask you to run software they provide to scan your machines How to Survive The data collection process needs to be very carefully managed so that only relevant and requested data is submitted to the auditors. The most important tips on managing data collection include: Have your own project manager who understands the audit scope, to oversee data collection, so your techies won t give away more than necessary. Make sure you understand the rationale behind each data request don t be afraid to ask what do you need this for? or why are you running this script? Be extra-careful with what you declare if you are not sure, spend the time and effort to investigate, instead of giving a half-correct answer that will expose you into deeper scrutiny by the auditors later on. 14

15 Validating Draft Audit Reports What happens After the auditors finish collecting the required audit information, they will prepare a Draft Licence Compliance Report with Effective Licence Positions (ELP) for each software title that you licence and consume. Some will share the same draft with the vendor at the same time, but most will ask for your comment, and if possible, your acceptance of the report s factual accuracy before doing so. How to Survive If you have done something wrong earlier in the process, whether by supplying outdated user information or including decommissioned servers in your self-declaration, this is your last chance to fix the issue. Once you have accepted the report, it will be extremely difficult to reverse what you have said even if what you have said does not reflect the reality. Therefore, it is vitally important that, at this stage, you: Check the entire report thoroughly. Don t just look at the summary ELPs; review the underlying datasets at least for the software titles that are in red identified as underlicensed. Ask for clarification if you do not understand any part of the report entirely. It is the auditors obligation to explain how they arrive at their conclusions. Involve the original person who supplied the auditor with raw data in the review process, to make sure the data has not been manipulated or interpreted incorrectly. Try to remove any assumptions the auditors made in the report due to lack of data from you, as most of these will not be in your favour. Supply them more data where possible. 15

16 Settlement Negotiations What happens Any red or minus lines in the Compliance Reports indicates that you owe the vendor money and you will be asked to pay up. Depending on who the vendors are and the degree of non-compliance, you may be asked to purchase the licences owed at full list price without discount, paying backmaintenance and sometimes even the cost of the audit. You will also be asked to clear the payment within a given timeframe, usually at 4 or less weeks upon audit completion. It is likely that your OPEX budget is not big enough to take the hit, and conversations with CFOs asking for ad-hoc cash are rarely pleasant. How to Survive If you are still on the path of DIY audit defence at this stage, below are some basics that you should know before joining the table alone: Mitigating circumstances: strong and verifiable excuses for accidental usage or mis-deployment may be considered as mitigating circumstances Publisher goodwill: collaborating with the vendor s compliance team, rather than being purposefully obstructive, is more likely to land you goodwill on some liability waivers. Vendor Demand Matrix: like all negotiations this is about give and take. Vendor compliance teams want immediate revenue, increased future revenue and swift payment without upsetting you. Look at what you can afford and choose your tactic accordingly. Mitigating circumstances Immediate revenue Time of payment Future revenue Relationship Publisher s Goodwill 16

17 Take Advantage Why licence audit can be good for you and how to reap the benefits

18 Don t forget the Green lines Most companies do not take action on the green lines in a compliance report these are the over-licensed positions where you are paying more licences than required. You can t really blame the auditors or vendors for not emphasising the over-licensed positions after all, it is not in their interest and no EULA has a refund clause. Sure, there are sometimes good reasons for why you have purchased more licences than needed upcoming projects or buying a bit more for the future and for the discount. However, if these licences became excess due to genuine reduction of requirement, you can save significantly and instantly by switching off their annual support & maintenance payment, usually worth around 20% of the full licence cost. You may also want to explore the used-software market, where there are increasing numbers of brokers paying cash to acquire unwanted perpetual licences from end-user organisations. 18

19 Get up from where you fell down Don t throw away your compliance report. It is a perfect baseline for you to accurately manage your licence positions going forward, so harvest it. The compliance reports issued by the auditors and vendors will always have limited scope; nonetheless they are the next best thing you can have without major investment in your Software Asset Management practice. With this validated baseline, as long as you carefully track all new licence purchases and deployment post audit, you will maintain good visibility over your licence position of the given vendor. Of course, such tracking is more difficult to say than do. However, before you get that board approval on investments in SAM, this is still a very good interim practice to keep your head above water. 19

20 Learn from the auditors It takes years of investment for the world s largest audit firms to find efficient methods to measure licence compliance, and this is shared with you during every audit. We are not talking about counting basic software users or installs here, we are talking about understanding PVUs and RVUs for IBM, Core Factors for Oracle or one of the hundred types of users for SAP, plus all restrictions hidden within those 30-page Enterprise Agreements. Measuring the ownership and consumption levels for complex software licences are often challenges to your LARs or even the vendors own sales teams. However, you have been given unique access to the best solution because of the audit. Ask the auditor how they calculate each number, because they will have to explain. Document the process and keep a copy of their data collection instructions. Perform the same process yourself in the future so that your SAM practice will be audit-proof. 20

21 Audit Readiness Assessment A high-value, no cost independent check of your readiness

22 Audit Readiness Assessment What it is A one-day independent assessment of your licence compliance readiness Interviews, on-screen observations plus data and document reviews Focus on what you don t know Same-day presentation of findings, with optional follow-up remote presentations at a later date. Covered by NDA What you get Visibility of licence compliance risks and gaps that were previously unknown Estimated financial exposure and saving opportunities Ammunition for your SAM business case Understanding the limitations of your existing discovery and SAM tools A suggested plan of action, or a highlevel requirement specification, should you wish to seek external support Find out more at or licensing@hwfisher.co.uk to book an appointment. 22

23 HW Fisher & Company Business advisers - A medium-sized firm of chartered accountants based in London and Watford. Related companies and specialist divisions: Fisher Corporate Plc Corporate finance and business strategy FisherE@se Limited Online accounting and back-office services Fisher Forensic Litigation support, forensic accounting, licensing and royalty auditing FIAC (Fisher IT Asset Consulting) Software and Hardware Asset Management, contract and supplier review, licence and audit defence Kingfisher Collections Royalty administration and collections services for IP owners Fisher Partners Business recovery, reconstruction and insolvency Services HW Fisher & Company Limited Advisers to small businesses and start-ups Stackhouse Fisher Limited Specialist insurance services Eos Wealth Management Ltd Intelligent wealth management and financial services VAT Assist Limited UK VAT representative HW Fisher & Company and HW Fisher & Company Limited are registered to carry out audit work in the UK and in Ireland. A list of the names of the partners of HW Fisher & Company is open to inspection at our offices. Fisher Forensic, Fisher Okkersen, Fisher Partners, Fisher IT Asset Consulting, FIAC and Kingfisher Collections are trading names of specialist divisions of HW Fisher & Company, Chartered Accountants. HW Fisher & Company Limited, Fisher Corporate Plc, Fishere@seLimited, Fisher Forensic Limited, VAT Assist Limited, Eos Wealth Management Limited and Stackhouse Fisher Limited, are related companies of HW Fisher & Company, Chartered Accountants. HW Fisher & Company, HW Fisher & Company Limited are not authorised under the Financial Services and Markets Act 2000 but are regulated by the Institute of Chartered Accountants in England and Wales for a range of investment business activities. They can provide these investment services only if they are an incidental part of the professional services they have been engaged to provide. Fisher Corporate Plc is authorised and regulated by the Financial Conduct Authority under reference Eos Wealth Management Ltd is authorised and regulated by the Financial Conduct Authority under reference Stackhouse Fisher Limited is an Appointed Representative of Stackhouse Poland Limited who are authorised and regulated by the Financial Conduct Authority under reference HW Fisher & Company is a member of the Leading Edge Alliance, an alliance of major independently owned accounting and consulting firms that share an entrepreneurial spirit and a drive to be the premier providers of professional services in their chosen markets. If you would like to subscribe / unsubscribe to our publications, please info@hwfisher.co.uk HW Fisher & Company All rights reserved. London office Watford office Acre House Acre House William Road 3-5 Hyde Road London Watford NW1 3ER WD17 4WP United Kingdom United Kingdom T+44 (0) T+44 (0) F+44 (0) F+44 (0) E advice@hwfisher.co.uk

24 Software Licence Audits Survive and Take Advantage

25 Compliance will be rewarded. Are you ready to comply? For the past two years, I have sensed a gradual change of perception towards Enterprise Software Asset Management (SAM) in the IT community less so the traditional how hard can counting computers and installations be, and more focus placed on keywords such as compliance, contract optimisation and cloud-readiness. Along with the change comes senior management support and investment. Many organisations have now built up dedicated SAM teams, purchased shiny new tool sets or signed up Managed Service Agreements with their LARs or IT Service Providers. So all looks good and promising, except for one small problem I am still seeing major audit exposures and large unbudgeted pay-outs from companies who invested in SAM. Why? Being part of a well established audit firm that has conducted licensing audits for more than 20 years, and having worked with most of the top 10 software vendors' compliance programmes, I believe my answer to this question will be interesting, and more importantly, useful to you and your organisation when your next Audit Notification Letter lands. This will be the first time in the industry that a vendor-appointed audit firm shares audit insights and bullet-dodging techniques. Some of the things you read may be already known, while others will be complete surprises so please buckle up and I hope you enjoy the read. Eric is the Director of Fisher IT Asset Consulting, with a team of 20 enthusiastic and highly experienced licence auditors and consultants. Prior to his current role he managed a similar team at one of the Big Four audit firms and was responsible for the launch of UK compliance programmes for a number of major software vendors.

26 Who we are Fisher IT Asset Consulting (FIAC) are part of HW Fisher & Company, a top 30 UK chartered accountancy firm founded in Collaboratively, our team of 20 contract and licensing experts deliver Licence Compliance, Software Asset Management (SAM) and IT Asset Management (ITAM) services to organisations across all industries globally. At its core, our portfolio of services is designed to assist organisations to: Gain total visibility of their IT asset ownership and liability and understand how the assets are being utilised. Identify and reduce risk of over-deploying software licences to prevent vendor audit exposure and significant penalty payments. Optimise IT contracts and improve asset utilisation to reduce overall cost of IT asset ownership. Eric Chiu, Director Tel: +44 (0) Mob: +44 (0) echiu@hwfisher.co.uk Stuart Burns, Partner Tel: +44 (0) sburns@hwfisher.co.uk Rafi Saville, Partner Tel: +44 (0) rsaville@hwfisher.co.uk 3

27 What will be covered in this Guide The average settlement fee per audit equates to 34% of a company s existing annual contract value with the auditing vendor. Facts Fundamental knowledge of the Licence Audit business Survival What happens in an audit and how to watch your every step Take Advantage Why licence audit can be good for you and how to reap the benefits Free Assessment A high-value, no cost independent check of your readiness 4

28 Facts Fundamental knowledge of the Licence Audit business

29 Fact 1: There is no escape 8 out the top 10, or 13 out of the top 20 software vendors (by revenue) have active Licence Compliance Audit Programmes globally to safeguard licensing revenue A recent IDC survey shows that 63% of the enterprises in North America and Europe were audited by at least one software vendor for licence compliance in the past 12 months. Over one third of the survey respondents said that they paid more than 200,000 for audit settlements and penalties. Adobe, IBM, Microsoft, Oracle, SAP and Symantec are the vendors who initiate the most audits. However, many more software vendors are relying on licence compliance audits today as one of their key revenue contributors under a challenging economy. If your organisation has never been audited before, you probably will receive one of those notorious Audit Notification Letters soon. 6

30 Fact 2: This is not about honesty The average settlement fee per audit equates to 34% of a company s existing annual contract value with the auditing vendor. This is not about whether your users are downloading cracks or keygens from the internet. The traditional whistle-blower-led anti-piracy raids can often be difficult to execute, costly and sometimes political for Software vendors, while generating a limited return. In comparison, checking on paying customers who may have been less than careful in reading contractual terms and obligations, or in controlling the usage of legitimate software, has proven to be a robust and sustainable revenue generating strategy. You might see yourself as an honest customer for spending 1 million a year buying Oracle or IBM licences and support annually. What your supplier sees, however, is a compliance opportunity estimated at 340,000, waiting to be recovered! 7

31 Fact 3: Many names for one goal SAM Engagement, True-up, Licence Optimisation, Baseline and many more no matter how the vendors call it, it is always an audit that will cost you money. Licence audit is costly for all software vendors whether they are using an internal team or working with independent audit firms to conduct the exercise. Yet we have never seen any software vendor that had a compliance programme and decided to switch it off every licence compliance programme that we know is selffunded and in most cases, highly profitable. This means that you, the customers, are footing the bill. Some vendors are generous enough to only demand for the licences owed plus back maintenance; others may even ask you to pay for the auditor s fee. 8

32 Fact 4: Can t outsource the challenge Whoever looks after licensing for you, whether it is a LAR, SAM service provider or SAM tool vendor, no one will guarantee your compliance or pay your audit bills As long as you still buy software under your company s name (an exception will be having no IT department and using an external provider to deliver IT as a Service), licence management remains your responsibility. Outside support can help you automate processes and improve the underlying data quality to make calculation of licensing positions easier and more accurate. However, it is ultimately your (the software licensee s) responsibility to make sure that you are consuming software licences in accordance with the agreed terms and levels you have with the software vendor. This is why there are many organisations providing Software Asset Management support and services, yet no one sells software licence compliance insurance. 9

33 Survival What happens in an audit and how to watch your every step

34 Audit Selection What happens Because licence audits are often costly to conduct and sometimes trigger emotional reactions from the customer, the last thing a software vendor wants is an audit that identifies no compliance issues (and subsequently, no revenue). Therefore, very rarely a software vendor will pick its audit targets randomly. To recover the maximum amount of revenue under a set compliance budget every year, most vendors use a combination of indicators to gauge the reward level of an audit candidate and prioritise their selections accordingly. The most common type of such indicators used are: Customer s purchase level with the vendor Organisational structure complexity Level of organisational change such as M&A activities Complexity of licensing model agreed Purchase pattern that does not reflect growth SAM maturity intelligence gathered from account team How to Survive Unfortunately many of the risk indicators used by vendors to select audit targets are often beyond your control. However, there are still two practical tips that can be useful to lower your rank on the target list: Maintain an open and transparent relationship with your account managers. Tell them why you are not renewing or buying licences, and tell them how you control and monitor the use of licences Negotiate yourself out of licensing metrics that are difficult to measure, especially when there is no licence consumption reporting mechanism built-in to the software. 11

35 The Notification Letter What happens You will receive a formal notification from your software vendor or their appointed auditors. This could come in as a letter or an addressing the contract signatory within your organisation, often requesting a kick-off meeting to discuss the audit strategy and expected timeframe of completion. It will often inform you that any additional licences purchased beyond the date of the letter will not be counted towards your licence ownership for the purpose of the audit. How to Survive The first thing you should do is to look for your licence agreements and the audit clause within. You should also notify the relevant stakeholders and assemble a team that can provide both resource and expertise during the audit process. At this point, if you are not confident of your compliance status, you should quickly arrange a mini-audit internally. If this is restricted by in-house expertise or resource level, it will be a good time to seek outside expert assistance. It is vitally important that you have a clear view of your compliance position before the vendor does it. This is not about trying to hide or delete over-used software because, even if you do, most auditors can still find them. However, most vendors are willing to give significant discounts for up-front settlement for the sake of saving their effort and cost of running an audit Ask Yourself Are you aware of all licence restrictions and obligations stated in the EULA? Can you measure software usage that is not licensed on user or install basis? Does your Discovery tool cover non-windows or test/dev servers? Is your compliance calculation based on words or validated facts? 12

36 Kick-off & Scoping What happens This is the initial meeting where you and the auditing software vendor, often with their appointed auditors, sit together and negotiate on the scope, approach and time line for the coming audit. Typically, the audit scope can be geographic, organisational or limited by product families. The auditors will outline the information they will need to gather to conduct the audit, and discuss the methods of collecting such information with you. How to Survive There are a number of important steps to safeguard your interest in the kickoff meeting: Ensure that the agreed scope only includes software licences under your direct ownership and management. Do not include subsidiaries or overseas entities unless they are covered by the same licence agreement that is owned and managed by you. Request for NDA to restrict the use of audit data from other purposes. Ask for a reasonable timeline you are not contractually bound to complete an audit within a set-timeframe, as long as its reasonable, so do ask for extra time if you are under-resourced or migrating your data centre. 13

37 Managing Data Collection What happens The auditors will start the audit by gathering information after the kick-off meeting. The most common types of information gathering exercise include: Interviews: auditors talk to your staff and collect information verbally or through on-screen observations Self-declaration: you will be provided with a guided template to populate software usage information Request existing records: these can be any records that you already own from CMDB reports to HR records In-App reports: the auditors may ask you to generate built-in reports in some applications, such as user or connection reports. Execute scripts / tools: the auditors may ask you to run software they provide to scan your machines How to Survive The data collection process needs to be very carefully managed so that only relevant and requested data is submitted to the auditors. The most important tips on managing data collection include: Have your own project manager who understands the audit scope, to oversee data collection, so your techies won t give away more than necessary. Make sure you understand the rationale behind each data request don t be afraid to ask what do you need this for? or why are you running this script? Be extra-careful with what you declare if you are not sure, spend the time and effort to investigate, instead of giving a half-correct answer that will expose you into deeper scrutiny by the auditors later on. 14

38 Validating Draft Audit Reports What happens After the auditors finish collecting the required audit information, they will prepare a Draft Licence Compliance Report with Effective Licence Positions (ELP) for each software title that you licence and consume. Some will share the same draft with the vendor at the same time, but most will ask for your comment, and if possible, your acceptance of the report s factual accuracy before doing so. How to Survive If you have done something wrong earlier in the process, whether by supplying outdated user information or including decommissioned servers in your self-declaration, this is your last chance to fix the issue. Once you have accepted the report, it will be extremely difficult to reverse what you have said even if what you have said does not reflect the reality. Therefore, it is vitally important that, at this stage, you: Check the entire report thoroughly. Don t just look at the summary ELPs; review the underlying datasets at least for the software titles that are in red identified as underlicensed. Ask for clarification if you do not understand any part of the report entirely. It is the auditors obligation to explain how they arrive at their conclusions. Involve the original person who supplied the auditor with raw data in the review process, to make sure the data has not been manipulated or interpreted incorrectly. Try to remove any assumptions the auditors made in the report due to lack of data from you, as most of these will not be in your favour. Supply them more data where possible. 15

39 Settlement Negotiations What happens Any red or minus lines in the Compliance Reports indicates that you owe the vendor money and you will be asked to pay up. Depending on who the vendors are and the degree of non-compliance, you may be asked to purchase the licences owed at full list price without discount, paying backmaintenance and sometimes even the cost of the audit. You will also be asked to clear the payment within a given timeframe, usually at 4 or less weeks upon audit completion. It is likely that your OPEX budget is not big enough to take the hit, and conversations with CFOs asking for ad-hoc cash are rarely pleasant. How to Survive If you are still on the path of DIY audit defence at this stage, below are some basics that you should know before joining the table alone: Mitigating circumstances: strong and verifiable excuses for accidental usage or mis-deployment may be considered as mitigating circumstances Publisher goodwill: collaborating with the vendor s compliance team, rather than being purposefully obstructive, is more likely to land you goodwill on some liability waivers. Vendor Demand Matrix: like all negotiations this is about give and take. Vendor compliance teams want immediate revenue, increased future revenue and swift payment without upsetting you. Look at what you can afford and choose your tactic accordingly. Mitigating circumstances Immediate revenue Time of payment Future revenue Relationship Publisher s Goodwill 16

40 Take Advantage Why licence audit can be good for you and how to reap the benefits

41 Don t forget the Green lines Most companies do not take action on the green lines in a compliance report these are the over-licensed positions where you are paying more licences than required. You can t really blame the auditors or vendors for not emphasising the over-licensed positions after all, it is not in their interest and no EULA has a refund clause. Sure, there are sometimes good reasons for why you have purchased more licences than needed upcoming projects or buying a bit more for the future and for the discount. However, if these licences became excess due to genuine reduction of requirement, you can save significantly and instantly by switching off their annual support & maintenance payment, usually worth around 20% of the full licence cost. You may also want to explore the used-software market, where there are increasing numbers of brokers paying cash to acquire unwanted perpetual licences from end-user organisations. 18

42 Get up from where you fell down Don t throw away your compliance report. It is a perfect baseline for you to accurately manage your licence positions going forward, so harvest it. The compliance reports issued by the auditors and vendors will always have limited scope; nonetheless they are the next best thing you can have without major investment in your Software Asset Management practice. With this validated baseline, as long as you carefully track all new licence purchases and deployment post audit, you will maintain good visibility over your licence position of the given vendor. Of course, such tracking is more difficult to say than do. However, before you get that board approval on investments in SAM, this is still a very good interim practice to keep your head above water. 19

43 Learn from the auditors It takes years of investment for the world s largest audit firms to find efficient methods to measure licence compliance, and this is shared with you during every audit. We are not talking about counting basic software users or installs here, we are talking about understanding PVUs and RVUs for IBM, Core Factors for Oracle or one of the hundred types of users for SAP, plus all restrictions hidden within those 30-page Enterprise Agreements. Measuring the ownership and consumption levels for complex software licences are often challenges to your LARs or even the vendors own sales teams. However, you have been given unique access to the best solution because of the audit. Ask the auditor how they calculate each number, because they will have to explain. Document the process and keep a copy of their data collection instructions. Perform the same process yourself in the future so that your SAM practice will be audit-proof. 20

44 Audit Readiness Assessment A high-value, no cost independent check of your readiness

45 Audit Readiness Assessment What it is A one-day independent assessment of your licence compliance readiness Interviews, on-screen observations plus data and document reviews Focus on what you don t know Same-day presentation of findings, with optional follow-up remote presentations at a later date. Covered by NDA What you get Visibility of licence compliance risks and gaps that were previously unknown Estimated financial exposure and saving opportunities Ammunition for your SAM business case Understanding the limitations of your existing discovery and SAM tools A suggested plan of action, or a highlevel requirement specification, should you wish to seek external support Find out more at or licensing@hwfisher.co.uk to book an appointment. 22

46 HW Fisher & Company Business advisers - A medium-sized firm of chartered accountants based in London and Watford. Related companies and specialist divisions: Fisher Corporate Plc Corporate finance and business strategy FisherE@se Limited Online accounting and back-office services Fisher Forensic Litigation support, forensic accounting, licensing and royalty auditing FIAC (Fisher IT Asset Consulting) Software and Hardware Asset Management, contract and supplier review, licence and audit defence Kingfisher Collections Royalty administration and collections services for IP owners Fisher Partners Business recovery, reconstruction and insolvency Services HW Fisher & Company Limited Advisers to small businesses and start-ups Stackhouse Fisher Limited Specialist insurance services Eos Wealth Management Ltd Intelligent wealth management and financial services VAT Assist Limited UK VAT representative HW Fisher & Company and HW Fisher & Company Limited are registered to carry out audit work in the UK and in Ireland. A list of the names of the partners of HW Fisher & Company is open to inspection at our offices. Fisher Forensic, Fisher Okkersen, Fisher Partners, Fisher IT Asset Consulting, FIAC and Kingfisher Collections are trading names of specialist divisions of HW Fisher & Company, Chartered Accountants. HW Fisher & Company Limited, Fisher Corporate Plc, Fishere@seLimited, Fisher Forensic Limited, VAT Assist Limited, Eos Wealth Management Limited and Stackhouse Fisher Limited, are related companies of HW Fisher & Company, Chartered Accountants. HW Fisher & Company, HW Fisher & Company Limited are not authorised under the Financial Services and Markets Act 2000 but are regulated by the Institute of Chartered Accountants in England and Wales for a range of investment business activities. They can provide these investment services only if they are an incidental part of the professional services they have been engaged to provide. Fisher Corporate Plc is authorised and regulated by the Financial Conduct Authority under reference Eos Wealth Management Ltd is authorised and regulated by the Financial Conduct Authority under reference Stackhouse Fisher Limited is an Appointed Representative of Stackhouse Poland Limited who are authorised and regulated by the Financial Conduct Authority under reference HW Fisher & Company is a member of the Leading Edge Alliance, an alliance of major independently owned accounting and consulting firms that share an entrepreneurial spirit and a drive to be the premier providers of professional services in their chosen markets. If you would like to subscribe / unsubscribe to our publications, please info@hwfisher.co.uk HW Fisher & Company All rights reserved. London office Watford office Acre House Acre House William Road 3-5 Hyde Road London Watford NW1 3ER WD17 4WP United Kingdom United Kingdom T+44 (0) T+44 (0) F+44 (0) F+44 (0) E advice@hwfisher.co.uk