If one of your software vendors announced it was conducting an audit of your license usage tomorrow, how confident would you be?
Our experience is that most companies would be at least a little anxious. Software licensing terms are notoriously complex, and areas of potential noncompliance can be cryptic and even counterintuitive. At any given time, numerous employees potentially touch software and may not fully understand the specific entitlements and obligations related to its use. And non-compliance claims are frequently in the tens of millions of dollars or higher, often significantly exceeding the actual value of the purchased software.
Software compliance can be a significant risk area for many companies. And software audits are used as an indirect sales engine to induce companies to purchase more software.
During the first part of 2020, ISG saw software audit activity decrease significantly as software publishers apparently recognized the negative optics of squeezing their customers at a time of COVID-induced distress. However, by the second half of the year, audit activity was ramping back up to pre-COVID levels. We expect this to continue.
Most frequently, audits are initiated when software publishers see a likelihood of uncovering non-compliance with a particular customer and when normal revenue growth appears unlikely with that customer. Audits are most common when a customer:
- Hasn’t acquired new licenses for some time and hasn’t communicated a roadmap for future license growth
- Has a heterogenous and decentralized technology environment
- Is making significant changes in IT operations, such as outsourcing
- Is in the midst of M&A activity
How confident would you be if you were audited?
While some companies still attempt to manage software assets via spreadsheets, many have purchased software audit management (SAM) tools and still find themselves unable to produce an accurate view of utilization vs. entitlements. Even companies that have implemented leading SAM tools like Flexera, SNOW, Aspera, ServiceNow and others still struggle. Often at the heart of this is a lack of strong data governance, improper implementation of auto-discovery or a lack of awareness of critical blind spots that exist in every tool. When we work with an enterprise, we are able to quickly gain a relatively accurate impression of whether or not they have SAM under control. Experienced software publisher’s client account directors can do the same; when they sense that there’s “blood in the water,” they act accordingly.
Data management is key to managing software
SAM data falls into two buckets: entitlement data and utilization data. It is all very well to have great record keeping of your license contracts and purchases, but without a solid understanding of consumption, you may not know whether you are getting value from the software or be prepared to defend against a compliance claim. If you know how all your software is being utilized but don’t keep track of your entitlement data, you likely don’t know whether you are at risk for non-compliance, or, even worse, purchasing more licenses than you need.
Software vendors construct licensing models that are convoluted, complex and change frequently. This is not an accident. While buyers likely want to extract maximum value and utilization from their software, sellers are focused on extracting maximum revenue from license growth. The onus is on the customer to keep SAM tools current with ever-changing license models and manage any custom license models they may have negotiated.
SAM data is great when it shows how many instances of an active or available instance have been discovered in your environment, but data also must be able to accurately link each instance to a specific entitlement, whether it is part of a product bundle, a named user license, a concurrent user license, an active database record license, or a divisional or enterprise metric, such as total revenue or FTE equivalent.
This can become even more challenging when you consider cloud deployments and try to match your entitlements and utilization across multiple SaaS, PaaS and IaaS ecosystems. For example, how does IT know whether it is contractually entitled to redeploy on-premises licenses into a private IaaS cloud? Your software vendor will certainly use any uncertainty in your entitlement data or utilization data as leverage.
SAM needs to be an organizational priority
Too often, organizations fall into the trap of implementing SAM in response to a particularly painful software compliance audit. Plenty of focus and attention is given to SAM for the next year or two, and the organization works hard to update the data and risk controls. After a couple of years, with no further compliance issues and no audit noise, the company loses focus and stops valuing the SAM expertise, dilutes responsibility or accountability for SAM data, and inevitably the SAM function slips quietly into obscurity. It is only a matter of time before a software vendor discovers an organization’s ineffective SAM function, and – when the time is right – triggers a compliance audit.
Note that software vendors communicate with each other. If one software vendor discovers an ineffective SAM function, you can bet other software vendors will know about it in short order.
As counterintuitive as it may be, a top-notch SAM function is largely invisible. There will be no compliance problems, license wastage or value leakage in your software fleet. SAM should be a strategic priority (not a tactical reaction). It should be grounded in a cloud-based SAM tool with rich data structures, reliable functionality and up-to-date license intelligence. It should be supported by robust organizational processes and accountabilities and linked to entitlement and utilization data in near-real time. Whether you operate a centralized or decentralized SAM model, your success will depend on the expertise of the people accountable for the SAM data and their ability to interpret license entitlement models in the context of how the software is utilized.
With an effective SAM function, you should extract maximum value from your software licenses and likely never feel the pain of a software compliance audit. Even if you do, you will be able to take charge and face it with confidence.