Are you a sitting duck? Are you ready to deal with inevitable vendor audits?

It’s tough out there for your software vendors – the cloud wars are heating up with Microsoft, Amazon and IBM (yes IBM – who had the biggest cloud revenue in Q4 2017) in the lead for now but watch out for Oracle (they’ll get IaaS off the ground eventually), Google Cloud Platform (a later arrival gaining momentum), and (of course) SAP, Salesforce, ServiceNow and new players.

It’s a fight to the death where revenue growth is everything and you, the hostage customer, must provide it.

There’s always the use of carrot strategies to convince you to make substantial, long term cloud commitments, but it is still proving very effective to spike the carrot with a stick – the ever-trustworthy audit stick.

Software audits will come in many thinly veiled guises – a SAM review, a Software Licence Review, help with Licence Optimisation, presales consultancy, “just having a look to see how we can help….”

But make no mistake, if it looks, smells and sounds like an audit, it’s an audit.

Your software vendors will want predictable things from an audit:

  • Create a substantial (or breathtaking) financial case against you
  • Extract a significant one-off payment (new Porsches don’t grow on trees)
  • Lock in ongoing annual revenue
  • Upsell product bundles you probably don’t really need
  • Convert your commitments from on-premises perpetual licences + maintenance to cloud-based subscriptions
  • Report you as cloud revenue
  • Seed the perfect conditions for the next audit

At ELS, we typically see three entry points with our customers for audit assistance:

  1. Strategic preparation – this is where customers can lock in the best long-term outcomes before any audit notices from software vendors.
    ELS will:

    1. Review your SAM maturity and entire software spend to provide a 30,000-foot view of your overall compliance risk, audit vulnerability and value realisation
    2. Provide a 3+ year SAM maturity, compliance management and contract renegotiation schedule
    3. Establish an audit management framework – governance, process and communications
  2. After the letter – this is where we become involved after you receive an audit notification letter but before you share any information with the vendor.
    ELS will:

    1. Instigate a rapid response audit management process which includes governance, data verification and negotiation strategy
  3. Saving the furniture – this is where we assist customers in distress – wherein they provide data to the vendor in good faith, outside of a managed process and… the vendor slams them with an eye-watering invoice.
    ELS will:

    1. Typically find that a thorough review of the entitlements, Effective Licence Position and audit report will support a robust challenge to the audit findings
    2. Provide a negotiation strategy, independent review of any vendor offers and management support

The auditing departments of the major software vendors may tell you that they operate entirely independently from sales and are simply ensuring customer compliance with their easily understood licencing rules.

In reality, auditing teams are a wing of the sales organisation.

“Random” software vendor audits are triggered by three greed-powered forces:

  1. The vendor has detected new opportunities to expand their revenue base in your organisation, from:
    1. Mergers and acquisitions
    2. New datacentre and hardware commissioning
    3. Implementation of server, client or application virtualisation
    4. New projects
    5. New C-level executives
  2. The vendor has detected that their current revenue base in your organisation is shrinking, from:
    1. Decommissioning of legacy systems
    2. Reduction in user base or server footprint
    3. Reduction in maintenance payments
    4. Introduction of third-party support for legacy software investments
    5. Competitor entry
    6. Future acquisition of licences or implementation projects cancelled
  3. The vendor has detected that their revenue base in your sector is not hitting targets – and you will be required to cough up more, despite still being a good customer.
    This could be caused by:

    1. Global economic conditions – e.g. the Global Financial Crisis
    2. A downturn in your geography
    3. A downturn in your industry

A software compliance audit is no place for excuses.

Some of the potent licencing problems which will be leveraged by your auditor are also the most common – some typical areas are outlined below:

  1. Virtualisation – this is a favourite technique to vastly amplify the licenceable estate base for server, client and application footprints.

Oracle and VMware simply do not mix.

Be very careful about even using Oracle’s server virtualisation platform (Oracle Virtual Machine) as it must be configured very specifically.

And while Oracle nominally recognise IBM LPAR partitioning, documentation on what specifically is acceptable is not forthcoming.

IBM will recognise VMware but the rules around Sub Capacity (Virtual Machines licencing) versus Full Capacity (base host licencing) along with the number of hosts to be licenced are complex, tied up with IBM’s Licence Management Tool (ILMT), and are notoriously difficult to interpret.

  2. Multiplexing – also known as indirect access, is a favourite feeding ground for SAP and others. This is triggered when a customer is liable for additional licence costs for users or devices who can potentially access upstream systems via third-party applications – e.g. users of Salesforce can potentially access data that was originally held in SAP.

Third party access claims range from the reasonable (20 users access a data entry screen using a common login via a custom web page – the 20 users should all have the appropriate level of licence) to the preposterous (every user or device that can potentially access a quantum of data that was once held in an upstream system must have a full licence).

  3. Editions and access levels – has the correct edition been deployed (or activated) and/or have users been given (or are using) the correct access levels?

Edition greyness can be exacerbated by confusing media availability (a single media bundle is provided for all editions) and feature activation (a higher edition could be activated by a seemingly benign system administration feature).

In many cases, the difference between different user levels is very poorly defined with a requirement for a higher-level user account triggered by users themselves inadvertently accessing specific functionality.

  4. Non-production licencing – are you really correctly licenced for your dev/test, pre-prod, fail-over and DR environments?

Are you clear on what licences these scenarios require?

What happens if you use a test environment de facto for production in some circumstances?

What happens if you activate DR… for a short or longer period of time?

The answers are nuanced and very different between vendors e.g. Oracle database versus Microsoft SQL Server.

  5. Runtime licences – are you compliant with the usage rules for bundled technology licences?

A typical example in this space is the use of a runtime Oracle licence with SAP ECC – wherein the customer pays an additional levy on top of the software acquisition and maintenance price, in order to have the right to run an unlimited number of Oracle database servers to underpin ECC application instances.

All good – until someone breaches the runtime restrictions, in which case Oracle may present the customer with a bill for every core which can potentially access Oracle RDBMS software. This can be very expen$ive.

The following framework audit management process will co-ordinate your resources, manage your risk and take control from your software vendor.

  1. Respond to any audit notification in a timely manner.

    Be respectful, formal and clear.

This should be an acknowledgement and initial engagement – do not start sharing any data yet!

  2. Mobilise your team and get governance in place.

Engage and inform your key business stakeholders and customers, procurement professionals, IT operations, Project Management Office, IT security, legal and communications.

Appoint an overall co-ordinator, a business owner and single points of contact between your organisation and the vendor audit team.

Freeze any new investments in software products from the auditing vendor.

  3. Verify your contracts and audit rights.

Gather all your past and current contracts and associated documents with the vendor.

Get very clear about your contractual rights and audit obligations.

  4. Get an NDA in place with the vendor and any organisation assisting them with the audit.

This will protect your organisation from potential further exposure from additional risks – e.g. potential exposure from other software vendors.

Be very insistent on this – the audit will not proceed until this is in place.

  5. Clarify the scope and approach with the vendor.

The scope should encompass vendors, organisations, products, geographies, environments, etc.

The approach should detail what data sets the vendor requests and the extraction method – e.g. passive dumps from existing repositories or active execution of vendor scripts.

  6. Verify your entitlements.

Demand a full entitlements statement from the vendor.

Correlate this with your internal records (Proofs of Entitlements, procurement, contracts, etc.) and assertively deal with any discrepancies that are not in your interests.

  7. Verify your inventory data and estimate your ELP and compliance.

Undertake an internal exercise to extract the requested data.

Understand any gaps and anomalies and calculate an Effective Licence Position (ELP) and review any compliance risks.

  8. Understand your level of value realisation for your current spend and decide what you may require in the future.

This will be very useful in the negotiation stage – what if you could viably walk away from your current maintenance or subscription payments at the next contract renewal?

What if you are very clear on how a competitor can fulfill your future requirements?

  9. Provide [the bare minimum] data to the vendor.

After you complete steps 1 to 8 above to your satisfaction, provide the requested inventory data.

Expect your vendor to come back with an aggressive claim.

Make no mistake, that was the agenda from day one.

You are in a strong position to deal with this bad cop because you have done your homework.

Also expect the good cop to make an appearance – offering to dull the pain if you sign up for a new long-term commitment.

Examine these proposals carefully, in light of what you have established in step 8.

Be ready to counter offer and hold your ground.

Ensure you get the artefacts you need with the contractual finalisation.

Are the contracts and new bills of material clear?

Is this a set up for the next audit?

Insist on a clear statement of entitlements and a Deed of Settlement.

  1. Transition the changes and lessons learned.

Don’t forget this step.

Configure new entitlements into SAM and configuration management systems.

Build the lessons learned into core ITSM and ITAM processes – you don’t want the same issues to pull you up again, do you?

ELS lives and breathes this stuff – contact us today for an initial, no obligations discussion.

Phone: +61 407 728 623