How to prepare for (and avoid) a software audit

IT departments across the world are plagued by the looming threat of costly and time-consuming software audits. Clocking in at an average of 194.15 working hours (over a duration of 7.13 months) to resolve, it's no wonder that IT managers live in fear of a first notice.

Software audits can be launched by the software vendor itself, a watchdog organisation or a third party such as a public accounting firm, and will examine whether the company is using the software in compliance with all of the stated licensing terms.

If the company is found to be non-compliant with any one of its licensing agreements, it can face prohibitive fines, which has led some to suggest that audits are predominantly initiated by software vendors seeking extra sources of remuneration beyond the point of sale.

The exact nature of the proposed audit will vary depending upon which organisation launches it and what the scope of the audit is. For example, some audits may only target certain products, certain computers or specific time periods or locations.

In some cases, it may be possible to dodge the requirement for a full-scale formal audit, if the company can show that it is proactively addressing any issues and taking the required measures to ensure full compliance.

It may even be possible to avoid an audit altogether by implementing a strict and well-circulated software compliance plan. Even if that fails, doing so will lay the foundations for a relatively stress-free audit.

Here are CIO UK's tips for surviving a software audit, as well as minimising the chance that they will be initiated at all.


Additional reporting by Chloe Dobinson

Preparation

Preparation really is everything when it comes to anticipating a software audit. Make sure all of the relevant staff in the organisation have an understanding of all the regulatory compliance issues and the associated risks.

This can be demanding for employees, but collaboration with external counsels, advisory committees and in-house or external legal departments can increase understanding of any risks the business may face.

Circulating important documents such as the licensor's right to audit, regulatory restrictions and those concerning how confidentiality works will ensure the company does not unnecessarily expose any confidential information.


Liaise with legal

It's important to involve either in-house legal departments or external lawyers from the outset whenever the possibility of a software audit arises. If you do not have an in-house legal team or your legal team is not well-versed in software audits, your business must employ an external team with expertise in software compliance.

Don't think about leaving the audit solely in the hands of the IT department; a software audit is a legal process and should be recognised as such. Given this, attorneys should direct the process and be left to handle communication with the third party initiator of the audit.

This has the added benefit of circumventing the possibility of over-sharing confidential information with the investigators, which is a risk if the issue is left in less experienced hands.

Perform regular internal audits

Internal audits should ideally be conducted regularly, to ensure that a company is fully prepared in the case of a formal audit. This will raise any issues that may be problematic in terms of regulatory compliance or security, as well as helping to ensure that the organisation is familiar with auditing procedure.

An internal audit will take the form of a company-wide collaborative approach involving manual accounting and drawing on the SAM (Software Asset Management) and ITAM (IT Asset Management) programmes. Along with reviewing the licence terms and agreements and their use restrictions, the internal audit should also compare them against comprehensive usage data from across the enterprise. Together, this will provide an answer on whether the company is compliant or not.

In some cases, the software audit will end up solely being a self-audit. This is the most favourable outcome because it means that the company manages the process and makes important decisions about the timeframe and resources involved.
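The core of the internal audit described above is reconciling what is actually installed against what is licensed. The following is an added example, not code from the article or from any SAM/ITAM product: it de-duplicates a constructed per-device inventory, counts seats per product and edition, and classifies each as over-deployed (true-up exposure), unlicensed, shelfware or compliant. The product names, hosts and seat counts are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory, one record per discovered installation
# (a real run would pull this from the SAM/ITAM tooling).
INVENTORY = [
    {"host": "ws-001", "product": "AcmeCAD", "edition": "Pro"},
    {"host": "ws-002", "product": "AcmeCAD", "edition": "Pro"},
    {"host": "ws-003", "product": "AcmeCAD", "edition": "Pro"},
    {"host": "ws-003", "product": "AcmeCAD", "edition": "Pro"},  # host scanned twice
    {"host": "ws-004", "product": "AcmeCAD", "edition": "Std"},
    {"host": "srv-01", "product": "DataStore", "edition": "Ent"},
    {"host": "ws-005", "product": "ShadowTool", "edition": "Free"},
]

# Constructed entitlements: licensed seats per (product, edition).
ENTITLEMENTS = {
    ("AcmeCAD", "Pro"): 2,
    ("AcmeCAD", "Std"): 5,
    ("DataStore", "Ent"): 1,
}


@dataclass
class Finding:
    product: str
    edition: str
    installed: int
    licensed: int

    @property
    def status(self) -> str:
        if self.licensed == 0:
            return "UNLICENSED"     # no entitlement on file: highest audit risk
        if self.installed > self.licensed:
            return "OVER-DEPLOYED"  # true-up exposure
        if self.installed < self.licensed:
            return "SHELFWARE"      # paid-for seats not in use
        return "COMPLIANT"


def reconcile(inventory, entitlements):
    # De-duplicate on (host, product, edition) so a host scanned twice is one seat.
    seats = {(r["host"], r["product"], r["edition"]) for r in inventory}
    installed = Counter((p, e) for _h, p, e in seats)
    keys = set(installed) | set(entitlements)
    return sorted(
        (Finding(p, e, installed.get((p, e), 0), entitlements.get((p, e), 0))
         for p, e in keys),
        key=lambda f: (f.product, f.edition),
    )
```

Products that appear in the inventory with no entitlement at all are the ones to resolve first, since they are the findings an external auditor will price most aggressively.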

Form a response team

There should be a response team already formed and ready to be mobilised in the case of an audit. This team should be formed of one member of each of the stakeholder groups involved in a software audit.

Apart from members of senior management, this team should also include representatives from legal, finance and IT.

Having the right people in charge can help reduce the risk carried by audits, as well as ensuring the investigation runs as quickly and as smoothly as possible.


Negotiate

Throughout the auditing process, negotiation is critical at every stage and should be conducted through the legal team. To begin, a non-disclosure agreement must be secured that clearly outlines which information is necessary to the auditing process and which is not. This avoids the company disclosing to the auditing body any confidential information that is not strictly necessary.

Once the outcomes of the audit have been proposed by the third party, negotiation is again essential. Work with legal to push for more favourable outcomes, in agreement with the software company, for example by altering true-up costs, fines or simply the general contract terms.

Review previous audits

Any risk assessment should begin with a review of previous internal or formal audits.

Reviewing previous reports, data and statistics can help demonstrate the strengths and weaknesses of the findings. This can help you gain a better understanding of risk compliance and how it can be used for further assessments.

Throughout audits, everything should be recorded for posterity, meaning it can be used to inform the next audit and provide vital information like the time frame, costs, how effective the negotiating procedure was and so on.

Raise organisational awareness

Businesses should raise awareness through the use of workshops and training to provide information on what the auditing process is and how to ensure it all runs smoothly.

A programme that consists of onboarding, programme governance and risk assessments will educate individuals on the importance of compliance. This can help get team members involved, boost collaboration, increase communication and reduce overall costs.

Monitor devices

Mobile devices should be monitored as a way to mitigate potential fallout from a software audit.

Mobile devices such as laptops, PCs and smartphones allow users to access business information from anywhere, often without a secure connection.

There are a number of tools that can increase the security of the information exchanged between devices. This can help alert businesses to any security holes or weaknesses on staff devices, while also improving overall accountability.


Copyright © 2018 IDG Communications, Inc.
