I received an email the other day that caused me to wince. Here is a portion of that email. As it happens, they (an end-user organization) have an Adobe Renewal/True Up coming up. Executive Management thinks that they will count titles, and then write a small check. No muss, no fuss. The field manager of the environment thinks the exposure could be 6 or 7 figures.
Does this sound familiar to you? Are organizations stashing money into software vendor audit accounts versus implementing ITAM that will reduce costs and risk associated with these audits?
I have two primary thoughts about vendor audits. As I’ve previously written, I used to manage software vendor audit programs (and work with BSA member vendors), so I have some definitive thoughts.
- Yes, you do need to have a process for responding to software vendor audits – However, that process needs to be different from the one that I increasingly see within organizations. Over the years, I have seen more organizations ‘stash away’ dollars for when the vendor comes knocking on their door. Some of these organizations find it easier to pay the vendor to go away. While it is hard to argue with wanting to get them to leave, is the money you are spending in this way getting you any real value in return? When the vendor leaves with your six- or seven-figure check, don’t you think they are simply going to come back again for more? This isn’t the homeless puppy coming to you for food – this is a pit bull that is going to eat far more – and perhaps tell his friends that the pickings are good. For those organizations that only want to pay for what they are using, the best process is defensive. Once the audit letter arrives, the organization should have a process for reacting to and responding to that request. For instance, who internally needs to be notified of the audit? Who is authorized to respond to the vendor and ensure internal alignment on how and when (and with what) to respond? Who determines and agrees to the scope of the audit? Who is authorized to share information with the vendor – and what information? Who is authorized to resolve the claim – and negotiate a close to the audit?
- No, you should not simply write a check to make the vendor go away. Gartner recently published data that showed, among other things, that 75% of all vendor audit reports contained some kind of error. Since it is the vendor who is preparing those reports and is in the business of selling licenses, one has to presume the error is going to be in the interest of the vendor. Now, I am not saying that vendors intentionally introduce these errors; however, given that 68% of all organizations are expected to receive at least one audit request this year, the benefits will accrue to the vendor. I can’t imagine any finance chief or CEO wanting to pay more for something than they should. Let me cite two examples I recently came across when working with a company undergoing a vendor audit. I will leave the names out for now:
- The company being audited has acquired several smaller entities over the past several years. The vendor supplies entitlement information to the organization. Later on, it finds additional entitlement information for those smaller entities and sends that to the organization via email.
- Once the final audit report is received, the additional entitlement information for those smaller entities is missing from the final report.
Was this a simple mistake by the vendor, or should the organization have verified that the additional entitlement records were in fact included in the final report? While the responsibility should be on both, the absence of that data clearly benefits the vendor.
What is the moral of this story? Yes, every organization needs to have a process for responding to vendor audit inquiries. However, at the same time, they also need to have a robust process for ensuring they are getting maximum value from their existing IT assets while minimizing risks. Yes, this means implementing processes, but only those processes that will ensure your software estate is efficient, legal, and meets the needs of the business.
1E has a host of solutions to help any organization get more value from existing IT assets and help you reduce risk. To learn more, please visit us at https://www.1e.com.