Tips to Get Ready for (or Possibly Avoid) Software Audits
Software compliance is a complex and interpretative process that if not done correctly and with forethought can cost organizations millions. Follow these guidelines to ensure the best possible outcome.
Mon, February 10, 2014
CIO — You've gotten your letter from the vendor. The audit is coming and you've got to balance what licenses you have on your systems versus what you're licensing contracts allow. The difference could cost your organization big money so you've got to get it right but systems are so displaced or complex or evolving so fast that it seems like a full time job.
Software compliance audits are always a headache, especially when it comes to time, resources and money. The best way to prepare for an audit, experts agree is to avoid it all together by implementing a software compliance plan.
Software compliance is a complex and interpretative process that if not done correctly and with forethought can cost organizations millions. How much money are we talking about? In a 2013 study performed by KPMG, a contract compliance services company, 52% of companies felt that their losses through unlicensed use of software amounted to more than 10% of their revenue. They can also take a long time. According to Christof Beaupoil, co-founder and president of Aspera Technologies Inc. a provider of software license management solutions, they can take up to 18 months.
In a report from Gartner on software audits, organizations surveyed said that they were audited by at least one vendor in the previous 12 months. This was up over 60 percent from the previous year. Now more than ever software vendors are auditing their clients, so much says the KPMG survey, which it has become part of the sales process. And the larger your organization the more at risk you are. "Why you ask?" Because there is more money on the table for the software vendors. Non-compliance is making them money so you've got to do what you can to limit your risk and that starts with implementing a software compliance program.
What is Software Compliance?
"In its simplest form," says Beaupoi, "compliance is the comparison of a company's software usage to the licenses it owns. If the company uses more software than its licenses cover, it is under-licensed and out of compliance with the licensing contract. If the company owns more licenses than needed to cover its usage, then it is over-licensed and can save millions of dollars, as is the case with global and very large organizations."
Common Mistakes and Non-Compliance Issues
- Many times in the rush to move forward an organization's business objectives, the licensed software and technologies gets used in ways not covered under the current licensing structure resulting in a non-compliance issue. This means that as your systems and the way your technology is being used evolves, so must your licensing structure.
- Depending on your licensing structure you could also have to deal with differentiating between installed software versus purchased software. This is what's known as a bucket level assessment; installed versus entitled.
- "Many times the root cause of non-compliance is administrator rights on local machines. This is something that companies need to take a long hard look at this topic," says Houghton.
- BYOD is another area that can cause companies to be non-compliant. According to Krysten M. McCabe, CISA, Director of ISACA, member of ISACA's Audit Committee and Finance Committee, and senior manager in the Assurance and Advisory Management Program at The Home Depot, BYOD broadens the scope of those who could cause the company to be non-compliant. "Communication with this broader audience is necessary to ensure they are well educated about the need for compliance and the requirements of compliance," says McCabe.