One of the best articles I have read on misconceptions end-users have on vendor audits. As the author says – The results of this survey may surprise you.
Four Misconceptions About Software Audits
by Debra Brandt
(link to original article at the end of the post, published here through WordPress Share)
Software audits are a fact of life. Even companies with their software licensing well in hand will likely undergo an audit at some point. It’s a stressful-and often anxiety-inducing aspect of doing business. The not-so-good news is that according to our 2013 Software Audit Industry Report, companies of just about every size are vulnerable to the dreaded software audit. After all, licensing terms change, new versions of software are released, technology platforms evolve; and let’s not forget the proliferation of mobile devices used in the business environment. Which of these factors play into the potential for a software audit? We’ve discovered some common misconceptions companies have about the probability of being audited and which vendors are doing the auditing. The results may surprise you.
Misconception 1: Only the Really Big Companies get Audited
It’s easy to see why this is a commonly held belief. It seems logical – big companies have more licenses to keep track of, and the revenue potential for ISVs is greater. Our findings show that yes, in 2013, companies with 25,000 or more employees were targeted at a much higher rate than companies of a smaller size. But the truth is, it’s not just the big companies that are fiercely targeted. Among companies audited in the past two years, most reported that they were audited within the last 12 months. This is particularly true among organizations with between 500 and 4,999 employees and among those with more than 25,000 employees, suggesting that companies falling within these size ranges were targeted at a much higher rate in 2013 than in 2012.
Misconception 2: My Company Will Probably Only Get Audited by Microsoft
While it’s true that more respondents said they had been audited by Microsoft than any other ISV, there’s one company whose audit risk was significantly underestimated: Autodesk. Among companies that were audited, nearly thirty percent were audited by Autodesk, yet only three percent of companies that hadn’t been audited believed Autodesk represented a risk. And another vendor, Attachmate, which reportedly audited seven percent of respondents, wasn’t even on the radar.
On the flip side, respondents largely over-estimated the probability of being audited by VMware. Only five percent of companies experienced an audit from the company within the last two years, while 18 percent of those surveyed expect that VMware would audit them.
Misconception 3: Understanding License Agreements Means it’s Easy to Maintain Compliance
Our findings indicate that an overwhelming number of respondents rate their own understanding of their organizations’ license agreements as “decent” or “very strong.” However, survey participants stated the most significant challenge related to maintaining compliance is understanding license agreements. In considering this, it’s clear that IT professionals aren’t burying their head in the sand; they know compliance is challenging, and are making a valiant effort to get their arms around the nuances and complexities of software licensing. But simply understanding license agreements isn’t enough.
The biggest barriers to compliance, among companies whether they’d been audited or not, are the complexity of IT environments and difficulty reconciling what’s installed with what’s used. While IT environments aren’t likely to become less complex, it would seem that if companies could close the gap between what’s installed and what’s being used, the compliance puzzle would be significantly easier to solve.
Additionally, our data suggests those who work at companies that haven’t been audited identify company-issued mobile devices, employee-owned mobile devices, and a mixed desktop environment make license compliance challenging. Yet those who work at companies that have been audited don’t rank those nearly as high on the “challenging” scale, suggesting that ISVs may not (yet) place a significant emphasis on these factors when performing audits.
Misconception 4: It’s Just a Matter of Time Before Our Company is Audited
Respondents at companies that have not been audited overwhelmingly believe that an audit is inevitable. While anecdotal data from ISVs suggests this may be true, data from our survey suggests that things can be done to minimize one’s risk. While the reasons for being targeted for an audit are, in some cases, anyone’s guess, the top reason respondents believe they were audited was because their license contracts were outdated. This would suggest that if companies remain diligent about evaluating and updating their license agreements with their top vendors on an annual basis, it would stand to reason that their audit risk would diminish somewhat.
Secondly, companies that had implemented software asset management tools were 32 percent less likely to be audited. While it would be foolish to assume there’s a cause-effect relationship between the presence of a tool and the likelihood of an audit, it stands to reason that 1) if your vendor is aware you’re making a good-faith effort to be compliant, they’re less likely to audit you, and 2) if you can produce a report showing a favorable license position upon receipt of an initial audit letter or inquiry, you may be able to stave off a full-blown audit. Remember: software vendors audit customers for one reason: to generate revenue. If they suspect you’re not likely to have a significant license shortfall, they may very well focus their efforts elsewhere.
What do you think about these misconceptions?