This post originally appeared on TxMQ.com
I shall assume those reading this are either really bored and in need of something to read, or people that are closely associated with software compliance. Thus most of you, dear readers, have likely been through a software audit.
I’m sorry for you.
Whether you are a compliance practitioner, a software vendor, or a company IT employee, no one enjoys software audits.
My company and I have helped many companies through this process. They are not painless. They are not easy. They are far from fun.
Yet, with good planning, they can be managed and handled far more simply than you might expect.
Part of my mission in my professional life is to help companies make this process as easy, simple, and painless as possible.
Let’s look at tax authority audits as a fairly valid analog to a software audit. While unavoidable at times, solid best practices and excellent documentation can dramatically minimize the pain.
To continue the audit theme, there are things we all know to do in our lives to ensure we comply with tax laws, including the preservation of documentation we will need in the event we are so audited.
With most licensed commercial software agreements, companies are usually required to generate and maintain regular (sometimes monthly, sometimes quarterly) reports of their software usage and deployment. Too often, we see companies unaware of this requirement. Simply keeping up with these reports forces upon companies a level of detail and tracking that will contribute to a smoother software audit.
When one receives an audit letter, nothing will make one feel better than knowing the necessary documentation is well in hand, and knowing the software deployment is within the legally licensed entitlement.
Business disruption
Easily, the most significant impact a software audit will have on a business is the disruption to the daily routine of all those dragged into the process. Our company is in the midst of helping a customer through one such audit now. In addition to our weekly calls with more than a dozen participants, there are countless other conferences and work efforts to gather information, review server logs, and reconcile data from disparate tools, all of which add to everyone’s already overburdened workload. (Most of the major software companies contract with third-party audit firms that have their own tool they like to use, in some cases doubling the work effort required to reconcile deployed vs. entitled software.)
Tax Returns
I know I do tend to keep coming back to this, but I trust by now you realize the relevance of this analogy. When we make a major purchase for our homes, receive a statement from an investment or bank, donate to charity, or any of countless other activities likely to have a tax impact, we have trained ourselves to log these things (or file them in a shoebox) so they are ready to provide to an accountant, or to reference as we file our own taxes each year. Software usage is no different.
Complications arise when there are loose controls in an organization around software use and deployment. At no time should individuals in a company be able to just pull down software to use without appropriately documented (and approved) requests. This is especially true in mid-market companies, where the formal tooling that larger firms may have to manage software usage might not be in place.
Commercial software deployments in companies tend to grow like a weed if left unchecked. Someone must be given ownership of this and understand the implications of unauthorized software usage.
KNOW the software usage lifecycle: plan for software acquisition and usage; acquire needed software, including contract negotiations; deploy software; manage your deployment and usage; and ultimately, retire software that is no longer needed.
Some basic software compliance rules:
KNOW your software contracts, and if you don’t already, NEGOTIATE at the time of purchase. You will never have more power over your partners and vendors than when they are trying to get you to make a purchase.
READ all the fine print. When in doubt, ask questions. An increasing amount of software today carries various types of licenses (usage-based, cloud-based, and the like), all of which increase the complexity of managing software deployments.
Would you go into a tax authority audit without representation? I certainly hope not! So too, do NOT go into a software audit without having your own partner representing your interest. That’s the role companies like TxMQ play.
Make sure the auditor KNOWS you have such representation. Nothing will make an auditor feel more confident than knowing you have a business partner/solution provider under contract to help ensure compliance, and a smooth audit process.
Software audits are inevitable. You will be audited. Only the timing is in question, and it will fall during a time most inconvenient for you.
If you are found to be out of compliance and a penalty purchase of additional licenses is required, NEGOTIATE. Never settle for the amount you are at first told you owe. All of the major software companies will negotiate settlements, especially if you lay out plans to ensure future best practice adoption.
Software compliance and best practices should be undertaken with the same rigor as security best practices. They can have similar implications for a company should they not be followed.
Recognize that a good software asset compliance practice can help ENSURE your software usage is RIGHT sized. Oftentimes, TxMQ finds software that is NO LONGER used or needed, and can negotiate its removal from the catalog of licensed products, resulting in real dollar savings.
Consider a Software Asset Management managed service, like one offered by my company. The cost is reasonable, and the payoff is the peace of mind in knowing trained professionals are ensuring compliance with your software contracts.
Chuck Fried is the President of TxMQ, Inc., an IT solutions provider with an ITSM practice that includes software asset management and audit support for mid-market and enterprise companies. Visit them at www.txmq.com or write Chuck at chuck@txmq.com.