For many users, software vendor audits can feel just like a good old hangover. With more than a decade of SAM consulting experience, we can say that the psychology of vendor audits is similar to the effect of hot pepper in the broth. First comes denial: “It’s not that hot…”; then come the soothing dips, with no solution; and finally the audio version of all the Kurosawa samurai films.
For obvious reasons, the right to review the legality of a given piece of software is stipulated in the end-user and volume license agreements of all software vendors; software is strictly licensed intellectual property, and the licensed entitlement can easily be exceeded without proper control.
Although all contracts contain a review clause, receiving an audit notice can be a shocking experience, since any review by an external organization is a process that is difficult to plan capacity for, can take several months and carries grave risks. A company needs mature SAM management to minimize the financial, legal and reputational threat posed by the audit. In addition, software legality reviews are, according to vendors’ admissions, a form of penalty, which is primarily to address deficiencies identified by the audit. If the audit reveals a shortfall, the user is required, as a “penalty”, to purchase the missing license or an equivalent. There is no need to discuss what a mandatory purchase means in terms of instant sales and unexpected expenses. At the same time, the conditions for this purchase can differ considerably. Users will also have to take into account the following “punishment” items:
- List price purchase (Microsoft, IBM)
- Charged maintenance fee and maintenance recovery fee (Oracle, IBM)
- Cost of the audit (in the case of a shortfall of more than 5% at Microsoft)
- Defining shortages based on full-capacity values and withdrawing the discount of sub-capacity licensing (IBM)
The most active auditing vendors are Autodesk, IBM, Microsoft, MicroFocus, Oracle and SAP. There are several types of audits for each vendor, which are more or less comparable to the following three levels:
- Self-declaration (mainly for SME clients)
- Review by a SAM partner
- Review by a vendor or a third-party independent organization
The most extensive is the type 3 audit, whose data collection and on-the-spot inspection take months; Autodesk, Oracle and SAP conduct it with their own audit teams, while other vendors work with independent third parties.
Special attention should be paid to audits carried out by the vendor’s partner, not the vendor. The Microsoft palette has long featured this type of review, which can extend to both SMEs and large companies. The legal basis for the audit in this form of review is not the audit clause of the vendor’s volume licensing agreement, but the contract between the vendor’s partner and the user, typically combining service and supply contract elements.
In our opinion, a review by a vendor partner can be considered professional if the partner has the appropriate SAM competence, is unbiased towards the user, and the review methodology is defined to collect and evaluate usage information only to the extent necessary to determine legitimate use of the software.
For example, it is difficult to fit into this framework a case where a vendor requests an audit partner that is also interested in the end-user’s previous software purchases and that now, at the expense of the end-user, conducts an information security review, obtaining confidential information to determine the legitimate use of the software, even though that information is not essential for the assessment and is also the business secret of the end-user.
The ITAM Review reported that in August 2019 IBM introduced an audit largely similar to Microsoft partner audits; the IASP (IBM Authorized SAM Partner Offering) program is a multi-year engagement with an audit firm that otherwise conducts level 3 IBM audits. During the contract, the partner assists the client in achieving and maintaining a compliant status; “in return”, the user does not have to fear a level 3 audit and can buy any deficiencies discovered at a discounted rate, without charges or other “punitive items” being applied.
However, the extent to which these benefits are commensurate with the fee payable to the partner, and the liability of the partner for the risk of an under- or over-licensed position resulting from its unprofessional conduct, is another issue. The IBM IASP program particularly targets users with large and rapidly changing IBM environments and operates on an “invite” basis. In the Hungarian market, companies with a multinational parent company are expected to be affected. The question of whether it is worth it is not expected to be decided at the level of the Hungarian member company, but the day-to-day tasks of cooperating with the IASP may become more tangible at the lower levels.