Jun 06 2014

How to Prepare for a Software Audit

Taking the right steps beforehand can greatly ease the pain as auditors loom.

A software audit is a daunting situation for any organization – one that creates demands and stress on IT staff and threatens costly penalties for noncompliance with licensing agreements.

The first step to take after being notified of a software audit is to contact the vendor to determine the scope of the audit. Depending on the answer, it may be possible to proactively address any shortfalls and circumvent the audit entirely. For example, the scope of the audit may include only certain products, a subset of users’ computers, defined time periods or specific locations.

Organizations must clearly understand the type of software audit that is being requested, and which organization is conducting the audit — the vendor, a watchdog association or a third party (usually a public accounting firm).

If BSA | The Business Software Alliance or the Software and Information Industry Association is conducting the proceedings, for example, a formal contractual audit may not be required. The review might instead call for a self-audit, in which the software vendor requires the business to create a comprehensive list of the software it uses, along with details about versions, users and hardware. The results of the self-audit determine whether it will be extended into a formal audit.

Once an organization has been contacted about an audit, it should engage an attorney as soon as possible. This should be either an in-house legal team that is well-versed in software compliance or an external firm that specializes in software compliance.

The organization’s IT team or procurement specialists should not handle software audits. An audit is a legal proceeding and should be treated as such. Attorneys with experience in software audits know what to say, as well as what should remain unsaid. What’s more, software licenses are complex and require specialists.

For example, an IT specialist appointed to head a software audit response team may unwittingly divulge information in a misguided attempt to help. But an attorney will know when silence is in the best interest of the organization.

When the going gets tough, software audit attorneys can provide essential help. With their knowledge of software vendors and the intricacies of licensing agreements, they are in the best position to negotiate the most favorable terms or arrange for license true-ups (in which the software vendor agrees to forgo fines if the organization purchases an adequate number of software licenses). An attorney also can help if the process moves toward mediation or arbitration instead of litigation.

The Importance of an Internal Audit

It is equally critical to begin an internal software and physical audit as soon as notice arrives of an impending vendor audit. While this should be done routinely, it takes on new significance when an audit is on the horizon.

The internal audit should combine a manual accounting, with representatives from all areas of the company, and a reconciliation of the company’s software asset management (SAM) system with its IT asset management (ITAM) program. The audit should compare entitlement, deployment and usage data and review license terms, calculation methods and use restrictions. All of this data should be reconciled to confirm compliance or noncompliance.

An internal audit also should include a physical audit of all active, inactive, stored and remote hardware — everything from desktop and notebook PCs to servers, repositories, backup systems and mobile devices. By mapping the hardware to the software in question, the organization will have a much better idea of where it stands.
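As an added illustration of the reconciliation and hardware-mapping steps described above (example code, not from the article or from CDW), the following Python script reconciles a constructed set of entitlement records, SAM deployment findings and ITAM hardware records. It assumes a simple per-install license metric (per-user or per-core metrics would need their own calculation); the product names, hostnames and counts are made up, and `recoverable_installs` is a hypothetical helper that counts installs on inactive or stored hardware which, subject to the license terms, could be retired before a true-up.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample data (not from the article).
# ENTITLEMENTS: licenses purchased per product, assuming a per-install metric.
ENTITLEMENTS = {"OfficeSuite": 40, "CADPro": 5, "DBEngine": 2}

# HARDWARE: the ITAM record of every device and its lifecycle status.
HARDWARE = {
    "ws-001": "active", "ws-002": "active", "lt-010": "remote",
    "lt-011": "inactive", "srv-01": "active", "srv-02": "stored",
}

# DEPLOYMENTS: (hostname, product) pairs reported by the SAM discovery tool.
# ws-099 is deliberately absent from HARDWARE, and ShadowTool has no entitlement.
DEPLOYMENTS = [
    ("ws-001", "OfficeSuite"), ("ws-002", "OfficeSuite"),
    ("lt-010", "OfficeSuite"), ("lt-011", "OfficeSuite"),
    ("ws-001", "CADPro"), ("ws-002", "CADPro"), ("lt-010", "CADPro"),
    ("lt-011", "CADPro"), ("srv-02", "CADPro"), ("ws-099", "CADPro"),
    ("srv-01", "DBEngine"), ("srv-02", "DBEngine"), ("ws-099", "DBEngine"),
    ("ws-002", "ShadowTool"),
]


@dataclass
class ProductPosition:
    """Entitlement versus deployment for one product."""
    product: str
    entitled: int
    deployed: int
    by_status: dict      # install count per hardware status ("unmapped" if unknown)
    unmapped_hosts: list  # hosts with installs that ITAM does not know about

    @property
    def shortfall(self) -> int:
        return max(self.deployed - self.entitled, 0)

    @property
    def surplus(self) -> int:
        return max(self.entitled - self.deployed, 0)


def reconcile(entitlements, deployments, hardware):
    """Map every install to a hardware record and compare against entitlements.

    Products that appear in deployments but not in entitlements are included
    with an entitlement of zero, so unlicensed software is never silently skipped.
    """
    installs = defaultdict(list)
    for host, product in deployments:
        installs[product].append(host)

    positions = {}
    for product in sorted(set(entitlements) | set(installs)):
        hosts = installs.get(product, [])
        by_status = Counter(hardware.get(h, "unmapped") for h in hosts)
        unmapped = sorted(h for h in hosts if h not in hardware)
        positions[product] = ProductPosition(
            product, entitlements.get(product, 0), len(hosts), dict(by_status), unmapped
        )
    return positions


def recoverable_installs(position) -> int:
    """Installs on inactive or stored hardware (hypothetical helper).

    Retiring these may close a shortfall, but only if the license terms do not
    count installs on powered-off or stored devices.
    """
    return position.by_status.get("inactive", 0) + position.by_status.get("stored", 0)


def report(positions) -> str:
    lines = []
    for p in positions.values():
        state = f"SHORTFALL {p.shortfall}" if p.shortfall else f"OK (surplus {p.surplus})"
        lines.append(f"{p.product:<12} entitled={p.entitled:>3} deployed={p.deployed:>3}  {state}")
        if p.unmapped_hosts:
            lines.append(f"    installs on hosts missing from ITAM: {', '.join(p.unmapped_hosts)}")
        if recoverable_installs(p):
            lines.append(f"    installs on inactive/stored hardware: {recoverable_installs(p)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(ENTITLEMENTS, DEPLOYMENTS, HARDWARE)))
```

The two findings worth acting on before an auditor sees the data are the hosts missing from ITAM (the inventory, not the licensing, is incomplete) and the products with zero entitlement; a shortfall that is smaller than the count of installs on inactive or stored hardware is a candidate for cleanup rather than a purchase.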

Next, create an audit response team, with one person appointed as the point of contact for the audit process. The software audit team should include senior management and representatives from the legal, IT and finance departments.

Finally, negotiate the type of audit that the vendor will conduct, if possible:

  • Self-audit: This type of audit is performed by the business itself, as directed by the software vendor or trade association. It is generally considered the most favorable option, because the company controls the process, the timing and the resources involved. Self-audit can be part of the pre-audit negotiation with the software vendor.

  • Formal audit: This can be performed by the software vendor, a trade association or a third-party accounting firm. Sometimes, a formal audit requires that a vendor enter the workplace to access computer systems and verify compliance status. It’s best to avoid this type of formal audit, which can be expensive and time-consuming, and over which the organization has little or no control.

Want to learn more? Check out CDW’s white paper, “How to Survive a Software Audit.”
