Are you a sitting duck? Are you ready to deal with inevitable vendor audits?

It’s tough out there for your software vendors – the cloud wars are heating up with Microsoft, Amazon and IBM (yes IBM – who had the biggest cloud revenue in Q4 2017) in the lead for now but watch out for Oracle (they’ll get IaaS off the ground eventually), Google Cloud Platform (a later arrival gaining momentum), and (of course) SAP, Salesforce, ServiceNow and new players.

It’s a fight to the death where revenue growth is everything and you, the hostage customer, must provide it. There’s always the use of carrot strategies to convince you to make substantial, long-term cloud commitments, but it is still proving very effective to spike the carrot with a stick – the ever-trustworthy audit stick. Software audits will come in many thinly veiled guises – a SAM review, a Software Licence Review, help with Licence Optimisation, presales consultancy, “just having a look to see how we can help….” But make no mistake, if it looks, smells and sounds like an audit, it’s an audit.

Your software vendors will want predictable things from an audit:

  • Create a substantial (or breathtaking) financial case against you
  • Extract a significant one-off payment (new Porsches don’t grow on trees)
  • Lock in ongoing annual revenue
  • Upsell product bundles you probably don’t really need
  • Convert your commitments from on-premises perpetual licences + maintenance to cloud based subscriptions
  • Report you as cloud revenue
  • Seed the perfect conditions for the next audit

At ELS, we typically see three entry points with our customers for audit assistance:

  1. Strategic preparation – this is where customers can lock in the best long-term outcomes before any audit notices from software vendors. We:
    1. review your SAM maturity and entire software spend to provide a 30,000-foot view of your overall compliance risk, audit vulnerability and value realisation
    2. provide a 3+ year SAM maturity, compliance management and contract renegotiation schedule
    3. establish an audit management framework – governance, process and communications
  2. After the letter – this is where we can get involved after you have received an audit notification letter but before any information has been shared with the vendor. We:
    1. instigate a rapid response audit management process which includes governance, data verification and negotiation strategy
  3. Saving the furniture – this is where we assist customers in distress – wherein they have, in good faith, provided data to the vendor outside of a managed process and… been slammed with an eye-watering invoice. We:
    1. typically find that the audit findings can be robustly challenged with a thorough review of the entitlements, Effective Licence Position and audit report
    2. provide a negotiation strategy, independent review of any vendor offers and management support

You may be told that the auditing departments of the major software vendors operate entirely independently from sales and are simply ensuring customer compliance with their easily understood licencing rules. In reality, auditing teams are a wing of the sales organisation. “Random” software vendor audits will be triggered by three greed-powered forces:

  1. The vendor has detected new opportunities to expand their revenue base in your organisation
    1. Mergers and acquisitions
    2. New datacentre and hardware commissioning
    3. Implementation of server, client or application virtualisation
    4. New projects
    5. New C-level executives
  2. The vendor has detected that their current revenue base in your organisation is shrinking
    1. Decommissioning of legacy systems
    2. Reduction in user base or server footprint
    3. Reduction in maintenance payments
    4. Introduction of third party support for legacy software investments
    5. Competitor entry
    6. Future acquisition of licences or implementation projects cancelled
  3. The vendor has detected that their revenue base in your sector is not hitting targets – and you will be required to cough up more despite still being a good customer. This could be caused by:
    1. Global economic conditions – e.g. the Global Financial Crisis
    2. A downturn in your geography
    3. A downturn in your industry

A software compliance audit is no place for excuses. Some of the potent licencing problems which will be leveraged by your auditor are also the most common – some typical areas are outlined below:

  1. Virtualisation – this is a favourite technique to vastly amplify the licenceable estate base for server, client and application footprints.

Oracle and VMware simply do not mix. Be very careful about even using Oracle’s server virtualisation platform (Oracle Virtual Machine) as it must be configured very specifically. And while Oracle nominally recognise IBM LPAR partitioning, documentation on what specifically is acceptable is not forthcoming.

IBM will recognise VMware but the rules around Sub Capacity (Virtual Machines licencing) versus Full Capacity (base host licencing) along with the number of hosts to be licenced are complex, tied up with IBM’s Licence Management Tool (ILMT) and are notoriously difficult to interpret.

  2. Multiplexing – also known as indirect access, this is a favourite feeding ground for SAP and others. It is triggered when a customer is held liable for additional licence costs for users or devices who can potentially access upstream systems via third party applications – e.g. users of Salesforce can potentially access data that was originally held in SAP.

Third party access claims range from the reasonable (20 users access a data entry screen using a common login via a custom web page – the 20 users should all have the appropriate level of licence) to the preposterous (every user or device that can potentially access a quantum of data that was once held in an upstream system must have a full licence).

  3. Editions and access levels – has the correct edition been deployed (or activated) and/or have users been given (or are using) the correct access levels?

Edition greyness can be exacerbated by confusing media availability (a single media bundle is provided for all editions) and feature activation (a higher edition could be activated by a seemingly benign system administration feature).

In many cases, the difference between different user levels is very poorly defined with a requirement for a higher-level user account triggered by users themselves inadvertently accessing specific functionality.

  4. Non-production licencing – are you really correctly licenced for your dev/test, pre-prod, failover and DR environments?

Are you clear on what licences are required for these scenarios? What happens if a test environment is used de facto for production in some circumstances? What happens if DR is activated… for a short or longer period of time? The answers are nuanced and very different between vendors e.g. Oracle database versus Microsoft SQL Server.

  5. Runtime licences – are you compliant with the usage rules for bundled technology licences?

A typical example in this space is the use of a runtime Oracle licence with SAP ECC – wherein the customer pays an additional levy on top of the software acquisition and maintenance price in order to have the right to run an unlimited number of Oracle database servers to underpin ECC application instances. All good – until the runtime restrictions are breached, in which case the customer can be presented with a bill from Oracle for every core which can potentially access Oracle RDBMS software. This can be very expen$ive.

A framework audit management process is outlined below which will co-ordinate your resources, manage your risk and take control away from your software vendor.

  1. Respond to any audit notification in a timely manner. Be respectful, formal and clear.

This should be an acknowledgement and initial engagement – do not start sharing any data yet!

  2. Mobilise your team and get governance in place.

Engage and inform your key business stakeholders and customers, procurement professionals, IT operations, Project Management Office, IT security, legal and communications.

Appoint an overall co-ordinator, a business owner and single points of contact between your organisation and the vendor audit team.

Freeze any new investments in software products from the auditing vendor.

  3. Verify your contracts and audit rights.

Gather all your past and current contracts and associated documents with the vendor. Get very clear about your contractual rights and audit obligations.

  4. Get an NDA in place with the vendor and any organisation assisting them with the audit.

This will protect your organisation from potential further exposure to additional risks – e.g. potential exposure to other software vendors. Be very insistent on this – the audit should not proceed until this is in place.

  5. Clarify the scope and approach with the vendor.

The scope should encompass vendors, organisations, products, geographies, environments, etc.

The approach should detail what data sets are being requested and how they will be extracted – e.g. passive dumps from existing repositories or active execution of vendor scripts.

  6. Verify your entitlements.

Demand a full entitlements statement from the vendor. Correlate this with your internal records (Proofs of Entitlements, procurement, contracts, etc.) and assertively deal with any discrepancies that are not in your interests.

  7. Verify your inventory data and estimate your ELP and compliance.

Undertake an internal exercise to extract the requested data. Understand any gaps and anomalies and calculate an Effective Licence Position (ELP) and review any compliance risks.

  8. Understand your level of value realisation for your current spend and decide what you may require in the future.

This will be very useful in the negotiation stage – what if you could viably walk away from your current maintenance or subscription payments at the next contract renewal? What if you are very clear on how your future requirements can be fulfilled by a competitor?

  9. Provide [the bare minimum] data to the vendor.

Once steps 1 to 8 above are complete to your satisfaction, provide the inventory data that has been requested.

Expect your vendor to come back with an aggressive claim. Make no mistake, that was the agenda from day one. You are in a strong position to deal with this bad cop because you have done your homework – so be prepared to stand your ground.

Also expect the good cop to make an appearance – offering to dull the pain if you sign up for a new long-term commitment. Examine these proposals carefully in light of what you have established in step 8. Be prepared to counter-offer and hold your ground.

Ensure you get the artefacts you need with the contractual finalisation. Are the contracts and new bills of material clear? Are you being set up for the next audit? Insist on a clear statement of entitlements and a Deed of Settlement.

  10. Transition the changes and lessons learned.

This is so often forgotten. New entitlements should be configured into SAM and configuration management systems. Lessons learned should be built into core ITSM and ITAM processes – you don’t want to get pulled up on the same issues again do you?

ELS lives and breathes this stuff – contact us today for an initial, no obligations discussion.

Email:        Phone: +61 407 728 623
