In the IT Asset Management (ITAM), Software Asset Management (SAM), and Software Licensing industries, vendor audits will always be a significant challenge. The phrase “audit ready” gets thrown around a lot when discussing how to prepare for and manage these audits. But what does it really mean to be ready for a vendor audit?
One effective way to identify risks before the vendor does is by conducting an internal audit or review. This practice, which I believe more organizations should adopt, helps manage and address the biggest compliance and financial risks.
Why Conduct an Internal Review?
Some organizations might feel confident that their processes are solid and don’t see the need for an internal review or audit. If that’s the case—great! An internal review of your compliance, usage, and risks should then be quick and easy.
However, regularly reviewing your position internally ensures that your organization stays in control of its assets, usage, and potential risks, giving you peace of mind when facing an external audit.
What Is an Internal Review?
An internal review or audit is an assessment of the risks, compliance, and spending associated with a specific software vendor. This process, usually carried out by the SAM or Licensing teams, helps the organization gain full visibility into what software is being used, where, and how. It also flags any potential risks related to the vendor.
Additionally, an internal review can help the SAM team generate an updated and optimized Effective License Position (ELP).
Some organizations even conduct these internal audits with the same rigor and processes an external auditor would use. There’s nothing wrong with that approach, and some businesses even involve their internal audit teams to strengthen the review process.
Where Should You Start?
Begin by using your SAM solution or inventory tool to identify the vendor with the most significant risks. These risks could be compliance-related or financial. Alternatively, you might start with a vendor whose company-wide agreement is up for renewal soon.
Prioritizing risks is key. For example, conducting an internal review of WinZip won’t have the same impact as a review of SQL Server, since WinZip is highly unlikely to audit customers.
It’s wise to focus on Tier 1 vendors like IBM, Oracle, SAP, Microsoft, and Adobe, as these are often the software products in which the organization has invested the most. Vendors like Attachmate, Autodesk, EMC, and HP should also be considered, though at a slightly lower priority.
Steps to Kick Off the Review Process
Once you’ve identified the vendors or applications you want to review, you can begin the internal review process. The first rule: you need to trust your data. Poor or inaccurate data will lead to poor results, wasting your organization’s time and resources.
Here’s a high-level overview of the process:
- Identify software installations: Use your SAM or inventory tool to locate the installs, and the users or servers on which the software is installed.
- Gather license documentation: Collect the complete license, contract, and terms of use documentation for the software. Ensure you have the entire license history, including relevant upgrade licenses and a clear upgrade path.
- Remove unused licenses: For any instances with little or no usage, remove the license and software from the relevant devices. Think of software assets like elastic—if they’re not in use, they should snap right back to the SAM team.
- Verify sporadic users: Identify users with periodic or infrequent usage. You can either contact them directly to check if they still need the software or ask their manager or budget holder if the application is still necessary.
- Track changes and compliance: Whether you use a software solution or spreadsheets, record the changes in compliance and cost avoidance throughout the internal review. Keeping a record is also essential for governance.
- Purchase additional licenses if needed: If you find a compliance gap, contact the vendor or License Account Reseller (LAR) to purchase more licenses. If you’ve created a “license pool,” you’ll be able to proactively handle future software requests.
- Compile a report: At the end of the review, prepare a report detailing the findings, lessons learned, and the process followed. This documentation is valuable for highlighting the importance of SAM and serves as a benchmark for future internal reviews.
Regular Reviews Help Your Bottom Line
By conducting regular internal reviews and maintaining a clear view of your license position, you’ll save money and avoid unnecessary expenses. You’ll also be well-prepared for vendor audits, meaning no more panic buying, resource drains, or large fines when an audit letter arrives.
Additionally, by reclaiming unused software licenses, you can create a license pool to quickly respond to future software requests. This not only supports end-users more efficiently but also demonstrates that SAM is a business enabler, helping the organization run smoothly.