How to prepare for an IT vendor's software license audit

One of the most frustrating tasks for an IT leader is to prepare for a vendor audit. Here's how to make it more bearable.

In today's environment, it's commonplace for software companies to audit customers' compliance with license contract terms. In a survey that industry analyst firm Gartner conducted, more than 61 percent of the respondents said they experienced at least one software audit in the past 12 months. Constellation Research reported a 32-percentage-point gain in software audits since Q1 2008. IT asset managers have to ensure that their organizations are always ready to face an IT vendor's audit. However, one of the most frustrating tasks is to prepare for a vendor audit. Why?

Preparing for a vendor audit is a nightmare

In an ideal world, IT asset managers would prepare for vendor audits by using their IT asset management (ITAM) systems or their IT operations systems (such as Microsoft System Center Configuration Manager or HP OpenView). They would run reports in these systems that detail every product they have licensed and installed. Then, managers would use this data to determine whether they are in compliance, need to buy additional licenses, or need to uninstall unused software to become compliant. However, things are never that easy. Why? There are two key reasons:

  • Purchased versus installed: If you've been working with a vendor like Adobe, as an example, many of your employees may have purchased the Adobe Creative Suite, Master Suite or Design Suite. Other users may have installed individual products such as Photoshop or Illustrator. This means your ITAM systems and your operational systems are no longer speaking the same language. Your asset management system thinks you have Creative Suite, Master Suite, Design Suite, Photoshop and Illustrator from Adobe, but your operational system can only see Photoshop and Illustrator. So how do you compare what you purchased to what you have installed or are using?
  • Vendor and product discrepancies: Your ITAM system says that you purchased Dreamweaver, made by the vendor Macromedia (since acquired by Adobe), but your operational system, which extracts much of its information about the software directly from the software's executable files, says that the Dreamweaver product is from Adobe. In addition, your ITAM system tells you that a few Illustrator licenses are from the vendor Adobe, some from the vendor Adobe Inc. and some more from Adobe Corp. Such discrepancies make it almost impossible to get accurate information from the systems without a lot of manual reconciliation.

Actual cost of true-up

If you determine that you are no longer in compliance, you now have to figure out the lowest cost of true-ups that will ensure compliance while meeting your business requirements. Unfortunately, most companies overpay for true-ups because they are missing the following information:

  • Compatibility information - If you're spending money to acquire new licenses, you might as well make sure the software is forward compatible with your other IT system plans such as Windows 7.
  • Suite information - If the software in question can be purchased as a part of a suite, you want to know which licensing alternatives will achieve compliance at the lowest possible cost.
  • Support information - Why would you spend money truing up on a software version whose support is due to expire soon? Purchase the latest versions instead and budget for that as a part of the true-up plan.

Vendor audit preparation as easy as 1-2-3

The fastest way to prepare for an IT audit is to first prepare your systems to give you the information you need to clearly understand your state of compliance with license contracts. You can't get this information from your systems unless you can address the inconsistency and gaps in the data. For example, your purchasing systems describe an IT asset in one way, planning systems describe the same asset in another way, and IT inventory and configuration management tools in yet another. In addition, these systems don't have external market information such as support lifecycles, vendor information, licensing details, hardware specifications, etc.

To solve the problem, the first step is to normalize the data in these systems against a reference catalog: use it to update and correct vendor names, make product names consistent, and align version information. Then, you can use the same reference catalog to enrich the data in these systems by adding the missing market information, including support information, license details, compatibility information, and more.

The result is that the data from your various IT systems now speaks the common language of IT. It now contains a set of correct and complete information, which you can either use as-is or load back into your IT operational or reporting systems. With the data normalized, you can now pull a report that quickly shows how compliant you are with the license contract and if not, determine the least expensive way to become compliant while keeping your business and technical plans in sight. Software audits will no longer be painful; instead you will find yourself ready to engage in a conversation with the vendor on license compliance anywhere, anytime.
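The normalize-then-compare step described above, sketched as an added example (not code from the article or from BDNA). The alias table, suite definition, host names and quantities are constructed for illustration; a real reference catalog would supply them.

```python
from collections import Counter, defaultdict

# Constructed reference catalog (illustrative only, not Technopedia data).
VENDOR_ALIASES = {"adobe": "Adobe", "adobe inc.": "Adobe",
                  "adobe corp.": "Adobe", "macromedia": "Adobe"}
SUITES = {("Adobe", "Creative Suite"): {"Photoshop", "Illustrator", "Dreamweaver"}}

def normalize(vendor, product):
    """Map a raw vendor string to its canonical name; tidy the product name."""
    canon = VENDOR_ALIASES.get(vendor.strip().lower(), vendor.strip())
    return canon, product.strip().title()

def entitlements(purchases):
    """Sum purchased quantities per normalized (vendor, product)."""
    owned = Counter()
    for vendor, product, qty in purchases:
        owned[normalize(vendor, product)] += qty
    return owned

def shortfall(purchases, installs):
    """Return {(vendor, product): missing licenses} after suite allocation."""
    owned = entitlements(purchases)
    per_host = defaultdict(set)
    for host, vendor, product in installs:
        per_host[host].add(normalize(vendor, product))
    missing = Counter()
    # Hosts with the most installed components get suite licenses first.
    for host in sorted(per_host, key=lambda h: -len(per_host[h])):
        needed = set(per_host[host])
        for suite, members in SUITES.items():
            covered = {p for p in needed if p[0] == suite[0] and p[1] in members}
            if len(covered) > 1 and owned[suite] > 0:
                owned[suite] -= 1      # one suite license covers its components
                needed -= covered
        for item in needed:
            if owned[item] > 0:
                owned[item] -= 1       # consume an individual license
            else:
                missing[item] += 1     # installed without entitlement
    return dict(missing)

# Constructed sample data: ITAM purchase records and operational inventory.
PURCHASES = [("Adobe Inc.", "Creative Suite", 1), ("Adobe Corp.", "illustrator", 1),
             ("MacroMedia", "Dreamweaver", 1), ("Adobe", "Photoshop", 1)]
INSTALLS = [("ws01", "Adobe", "Photoshop"), ("ws01", "Adobe", "Illustrator"),
            ("ws01", "Adobe", "Dreamweaver"), ("ws02", "Adobe", "Illustrator"),
            ("ws03", "Adobe", "Dreamweaver"), ("ws04", "Adobe", "Dreamweaver"),
            ("ws05", "Adobe", "Photoshop")]
```

Without the alias step, the Dreamweaver license recorded under Macromedia would never match the installs reported under Adobe, and the gap would be overstated.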

Walker White is the chief technology officer of BDNA Corporation, creators of Technopedia, the world's largest IT reference catalog, with more than 450,000 hardware and software products listed from over 11,000 vendors.

Marco Parillo

Of course, you add compliance costs to the TCO for all non-free software, right?


Nice introduction to ITAM from Walker. When preparing for IT Audits it is also important to focus on where your risk is highest, not just on what is easiest to inventory and match entitlement to. A company's greatest risk is actually on the server side because the costs of getting it wrong here can be 10s or 100s of times more expensive than for desktop. It is further compounded by the rules around virtualisation that are inconsistent across vendors. You need to have an accurate inventory of what is deployed and on what platforms, only then can you match against what you are entitled to run. My 1-2-3-4 steps would be: 1. What's deployed (inventory) 2. Gather license metrics 3. Match to entitlement 4. Act on the gaps


When it comes to SAM (software asset management) too many vendors haven't cottoned on that they need to be consistent so platforms like Snow, Centennial, Frontrange, Tivoli LCM or what-have-you pick up software consistently and correctly, making the whole process less painful for all concerned. Versioning, vendor naming and component detection really throw out some anomalies that can be difficult to trace. IT managers purchasing SAM solutions frequently think that once it's bought and fed with your licence entitlements a scan or report is all that's needed but the reality is that until the software vendors act more consistently, SAM solutions providers are fighting an uphill battle to make the lives of IT departments easier and audits 100% accurate. It's not all bad though - great leaps forward in this arena have been seen over the last few years. SAM isn't as painful as it was, but it is still more painful than it needs to be.
