When is an audit not an audit?

So, you’ve received your “invitation” to take part in a software audit. What lies ahead? If you were asked to describe what you thought would happen during an audit, what would be your response?

Which one do you think is closest to how some enterprise software vendors run their audits?

If I told you it wasn’t the first two options, would you be surprised?

The “audit” practices of some of the enterprise software vendors are little short of sharp practice.

A lot of audits happen without an auditor coming into contact with any of your systems. They don’t need to; they get you to do all the running. A little like the game of Hangman.

Armed with the information you supply in a self-assessment document, where you list the devices, the software running on them and the roles they perform, the auditor will ask you to run some scripts on some of the more interesting devices and roles (the ones that are known to be complex, problematic from a licensing perspective, or even, perhaps, the most lucrative?) and then return the output of those scripts to them for assessment. Once the data has been returned and an analysis has commenced, you may be asked to run further scripts or to answer what appear to be oblique questions, with little or no rationale given for them.

Then the day comes when the auditor arranges to visit you and “discuss” the findings.

The auditor will come armed with a final draft of the report and walk you through the findings. There will be no commercial or pricing information supplied in this document; it is simply a statement of findings which you are asked to agree with.

Once you agree with the findings, a final version of the document will be issued and you will be handed over to the “commercial resolution” team.

Because you have already agreed to the report findings and the report is considered final, there is no room for manoeuvre on the items which require licensing (your chance to do that was during the presentation of the draft findings). The only negotiation opportunities you have now are the commercial ones, and you will be negotiating from a poor position because the vendor now holds all the cards.

Welcome to the commercial resolution zone...

The commercial resolution is likely to follow a process similar to this

So, how did that feel to you? Fair? Equitable? Was it the ideal customer experience?

Do you feel the audit process was designed to benefit you or the vendor?

What if I told you that the number you agreed in the commercial negotiation was more than likely pre-defined by a regional sales manager who identified that your organisation hadn’t bought enough software last year or had reduced expected spend in the last few quarters?

Remember, we all have KPIs and targets to achieve, and software vendors are no different. If your organisation is on a sales region list and there is a number next to your name for “expected revenue” and you aren’t looking like buying… what would you do? Call in the auditors to shake the money tree, perhaps?

So, when is an audit not an audit? When it’s a charade with a pre-ordained outcome that benefits only one party and delivers no value whatsoever to the “valued” customer.

How do I know these activities are charades? Well, try asking for a certificate of completion or compliance after the audit resolution process has occurred. You will be waiting for a very, very long time.

One last thing...

In the majority of situations, at any time in the audit process, you can make it all go away by offering to move straight to commercial resolution. It will, more often than not, be accepted. That’s how important the empirical answer is to these organisations. You won’t get a certificate of compliance (but then when do you anyway?) but you will save yourself a lot of pain and effort in getting to the same endpoint, where you pay money for something you don’t need or want!

Head of SAM Practice at Version 1. I used to be technical, now I spend my time navigating the backwaters of EULAs and vendor contracts.