Is the auditor always right? (Spoiler alert, the answer is no!)
Every larger company working with software from Microsoft, Oracle, IBM, etc. will be subjected to an audit eventually. Once every three years or so is common practice. Even being exposed to multiple audits at the same time is not uncommon.
The process of an audit is straightforward, and so is the defense strategy. You can find such strategies in the documentation of ITAMOrg and the study material offered at Van Haren Learning Solutions. There are, however, a few key problems I have with Publisher Audits:
- The auditor should be neutral, but experience makes me doubt that they are
- License metrics are complex, and can often be interpreted in multiple ways
- Publisher tools might have bugs or report false positives
Especially the combination of the points above can be a huge risk!
My experience is that, in case of doubt, the Auditor will reach out to the Publisher to verify how terms are to be interpreted. Not seldom this will result in an interpretation that brings the most financial advantage for the publisher. It is, therefore, best to make sure you are aware of the last Terms and Conditions you agreed upon. Metrics and software bundling change, but it helps a lot if you keep track of what conditions you have accepted, what software belongs to which suite, and so on. Dig up the last signed Contract and Terms from your Contract Management System and familiarize yourself with the metrics and the original bill of material. Know by heart how the terms apply to your landscape. Find flaws in the terms that work to your advantage!
Be aware of which reporting tools are accepted by the Publisher (usually their own) and what the flaws in their tools are. Reporting tools are to be current, and sometimes a Publisher also demands that the tool run on a Server with a current operating system. When the Publisher offers add-ons or alternative tools, consider that, when implementing these add-ons, you cannot play the ‘we did not know’ card anymore.
As mentioned, metrics are complex, and a publisher has a good (financial) reason to keep these complex. Some Publishers have a myriad of different rules which also change on a very regular basis. I therefore recommend making use of a License Management Service Provider (LSP). This is NOT your reseller, as they will earn a markup from your non-compliance as well as their consultancy. Though a lot of LSPs will claim they can help you with a lot of publisher audits, I do have my favorites per Publisher. Hire them in time, however, as auditors usually not only check the current state but will also look back, for instance, eighteen months. Coming prepared is better than a reactive response! When the audit letter is on the doormat, or even worse, the auditor is at the doorstep already, the damage usually is done, and it will be too late to correct or clean up!