Your licence agreement obligations.

Most if not all licence agreements have a clause concerning the right to audit. It may also include a clause or clauses concerning who picks up the audit costs if the licensee is significantly or wilfully non-compliant. This could be a large figure if the vendor assigns the audit to a third party such as a Big 4 consultancy, whose fees could be thousands of pounds per week whilst the audit is unresolved.

The risk of non-compliance is rarely litigation, but the sanctions could include back-paying licence fees and support, being bounced into a large deal for unrelated services such as cloud, or a fine, including revocation of licence grants, which could stop parts of your business in its tracks.

Another thing to bear in mind is that the letter from the vendor serving notice of an audit is generally addressed to senior management, and the SAM team will be under immediate pressure to deliver.

Even if your audit results in presenting a compliant position, the cost of being audited can run into tens and even hundreds of thousands of pounds, especially if your IT is outsourced and your suppliers require a request for service and charge handsomely for the privilege.

The best form of defence for a vendor audit is to audit yourselves for the vendor products that you feel may put your organisation at most risk, before they audit you.

How do you do this?

Firstly, get a list of the vendor products installed on your IT estates. I would start with datacentre and public cloud and then desktop and networks, such as endpoint security and virtual desktop.

The next task is to categorise the vendors’ products by risk: High, Medium or Low, based on the value of the licences, your perceived risk of non-compliance and lastly the likelihood of an external audit. Another thing to bear in mind is that licence compliance is not just about the licence position, but also usage rights. For example, your organisation may have licences that are restricted to a certain application or subsidiary, or even a geographic territory.

Once you have identified your top five or ten risks, plan how you will audit these products to arrive at a risk position. This will include gathering and tabulating the licence entitlement, collecting inventory or deployment data to measure the licence consumption and reconciling the licence grant against the licence consumption to arrive at a position. To address usage rights such as business unit, application or territory, you should include columns in your spreadsheet for Organisation, Business Unit, Application and even hosting attributes such as on-prem, public cloud, virtualisation and containerisation.
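The reconciliation step above, as an added example that is not from the original post or from Asset Informatics: it matches constructed deployment rows against constructed entitlement rows, honouring the business-unit and territory restrictions the text describes, and reports per product how many grants were consumed, which installs nothing covers (under-licensed) and how many grants are left unused (over-licensed). The column names and matching rule are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: entitlements carry the usage restrictions
# the text mentions (business unit, territory); None means unrestricted.
ENTITLEMENTS = [
    {"product": "DB Enterprise", "qty": 3, "business_unit": "Retail", "territory": "UK"},
    {"product": "DB Enterprise", "qty": 2, "business_unit": None, "territory": None},
    {"product": "VDI Client", "qty": 4, "business_unit": None, "territory": "UK"},
]
DEPLOYMENTS = [  # constructed inventory rows, one per installed instance
    {"product": "DB Enterprise", "host": "db01", "business_unit": "Retail", "territory": "UK"},
    {"product": "DB Enterprise", "host": "db02", "business_unit": "Retail", "territory": "UK"},
    {"product": "DB Enterprise", "host": "db03", "business_unit": "Finance", "territory": "DE"},
    {"product": "DB Enterprise", "host": "db04", "business_unit": "Finance", "territory": "DE"},
    {"product": "DB Enterprise", "host": "db05", "business_unit": "Finance", "territory": "DE"},
    {"product": "VDI Client", "host": "vd01", "business_unit": "Retail", "territory": "UK"},
    {"product": "VDI Client", "host": "vd02", "business_unit": "Retail", "territory": "FR"},
]
RIGHTS = ("business_unit", "territory")  # usage-right columns to check


def covers(ent, dep):
    """An entitlement covers a deployment if every restriction is unset or matches."""
    return ent["product"] == dep["product"] and all(
        ent[r] is None or ent[r] == dep[r] for r in RIGHTS)


def reconcile(entitlements, deployments):
    """Return per-product position: consumed, uncovered (under) and surplus (over)."""
    pool = [dict(e, left=e["qty"]) for e in entitlements]
    # Consume the most restricted grants first so unrestricted ones are
    # kept for deployments that nothing else can cover (greedy matching).
    pool.sort(key=lambda e: -sum(e[r] is not None for r in RIGHTS))
    position = defaultdict(lambda: {"consumed": 0, "uncovered": [], "surplus": 0})
    for dep in deployments:
        pos = position[dep["product"]]
        grant = next((e for e in pool if e["left"] and covers(e, dep)), None)
        if grant is None:
            pos["uncovered"].append(dep["host"])  # under-licensed install
        else:
            grant["left"] -= 1
            pos["consumed"] += 1
    for e in pool:
        position[e["product"]]["surplus"] += e["left"]  # unused grants
    return dict(position)


if __name__ == "__main__":
    for product, pos in reconcile(ENTITLEMENTS, DEPLOYMENTS).items():
        print(product, pos)
```

On the constructed data the database product is both over- and under-licensed at once: a Retail/UK grant sits unused while a Finance/DE host has no cover, which is exactly the mixed position the next paragraph describes.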

Once you have arrived at a risk position, the likelihood is that your organisation will be over-licensed, under-licensed or possibly both.

To resolve under-licensing there are two actions you can perform: remediate over-deployed licences to get to a compliant position, or buy the licences you require to become compliant. It is better to buy licences in a controlled manner so that you actually get the licences you want rather than being “upsold” into spending orders of magnitude more on services that you don’t need or want.

If the internal audit uncovers over purchasing, you have options including surrendering unused licences to reduce the cost of ongoing support, subject to vendor policies such as repricing or matching support levels.

You can do this even if you do not have SAM or discovery tooling. We have a more detailed paper on vendor audit management, which you can have by emailing info@asset-informatics.com

If your need to address an external vendor audit is more pressing and you think you need help, please contact me immediately.

About the author: Wilson Cooper-Bigg is a software asset management and licensing subject matter expert with over thirty years of software licensing and IT management experience.

He has managed and successfully defended vendor audits and claims ranging from thousands to millions of pounds in value. This includes Government, Public Sector and private companies. Although this has covered many different vendors, Wilson is a specialist in complex Oracle licensing in both datacentre and public cloud.