In2SAM Audit Defence_ITAM Review Amsterdam April 2016
1. Nico Blokland & Sean van Koutrik
In2SAM
ITAM Review Audit Defence Workshop, Amsterdam, April 12th, 2016
2. Who are we?
Nico Blokland
• IT&SAM evangelist, expert, coach, mentor, trainer, consultant, …
• Dutch representative at the WG21 for ISO 19770-x
• Husband and father
• Co-owner at In2SAM

Sean van Koutrik
• IT&SAM evangelist, expert, mentor, trainer, consultant, …
• Agile coach and practitioner
• Husband and pilot
• Co-owner at In2SAM
3. What’s In2SAM?
Our name says it all: We Are In2SAM
• Based in the Netherlands – acting globally
• Distinction:
– Independent from vendors
– Includes Legal and Agile approaches
– ISO 19770-x
• We bring solid and future-ready solutions to our customers. More than a century of IT&SAM experience.
• Four pillars:
– Processes
– Standards
– Contracts
– Agility
• Best-in-class tooling partners
SERVICE PORTFOLIO
• Audit support
• Contract analysis service
• Pre-audit assessment
• SAM maturity assessment
• SAM transition projects
• SAM or LM service
• IT&SAM consultancy
• In2SAM Academy
Get your voucher for the Audit Monitor certification course at In2SAM
4. What’s up?
• How to prepare for an audit
• Who to prepare
• Your goals
• The vendor’s audit goals
5. Who is acting?
An Audit Protocol should be in place to guard your organization’s procedures and rights.
The different levels that (should) act during an audit:
• Level 1 – appointed by senior management: Audit Monitor, Legal
• Level 2 – appointed by the Audit Monitor: IT (application owners, architects); Procurement (contract manager)
• Level 3 – appointed by team managers: IT (system managers, network managers, database administrators); Procurement (buyer, administrator)
6. Level 1
• Audit Monitor
– Appointed by senior management
– Sufficient mandate, derived from the Audit Protocol
• Audit Monitor’s goal:
– Protect the organization’s rights
– Monitor the audit process
– Protect the organization’s interest
– Use the organization’s potential
Attention for: Data and Privacy, Security, Commercial, Data protection
• Legal
– Mandate derived from role
• Legal’s goal:
– Protect the organization’s rights
– Monitor legislation
– Protect the organization’s interest
– Make use of the organization’s potential
Software Auditor’s goal: disrupt your audit protocol, ‘ignore’ laws and regulation, protect the software creator’s interest
Solution: Ensure the Audit Monitor is in charge (planning and communication)
7. Level 2
• Who: IT management, team leaders, application owners, contract/vendor managers and architects
• Goal: Deliver resources for providing the required data and information
• Audit Monitor’s goal:
– Not all data is available ad hoc
– Not all data can be made available to the auditor, due to legal restrictions
– Check legality, accuracy and availability
• Software Auditor’s goal: get in direct contact with this group, push on planning & delivery, ‘legal or not’
Solution: All requests via a single point of contact (Audit Monitor).
Never ever, ever ever, ever ever ever allow direct communication with the auditor (unless supervised by the Audit Monitor)
Attention for: Data and Privacy, Security, Commercial, Data protection
8. Level 3
• Who: system/network managers/operators, purchasers/buyers, administrators, database administrators (DBAs)
• Goal: Actual delivery of the required data from systems using discovery, scripts, descriptions, drawings
• Audit Monitor’s goal: Prevent producing data without a legal basis; gather only effective, checked and accurate data; put it in a secure, network-isolated environment
• Software Auditor’s goal: Get as much data and extra information as possible to get the best license proposition towards you – from their perspective and interest!!
Solution: Communicate the protocol; ensure all communication and any data is delivered via the SPoC – the Audit Monitor
Attention for: Data and Privacy, Security, Commercial, Data protection
9. The Audit Monitor
• Single point of contact (SPoC) between auditor and organization;
• Can be delegated in large organisations;
• Controls, informs and manages all internally involved employees;
• Informs and discusses the organization’s attitude towards the auditor with management and the legal department;
• Final check on delivering requested data;
• Supervision of all software auditor meetings (preferably in a dedicated ‘green room’);
• Checks with the Legal department on the legality of the data requests;
• Checks the auditor’s scripts with the security officer and system manager(s);
• Checks the auditor’s references/credibility;
• Arranges meetings, admittance and technical facilities (availability).
The Audit Monitor cannot be responsible for the actual outcome of the audit
Make sure the protocol is followed
10. Recap
Get all internal actors in line with the company goals;
Clearly communicate the audit protocol to the auditor and the software creator/publisher/vendor;
Don’t be pressured in time by the auditor: your organization’s schedule sets the speed;
Keep distance, be formal (no first-name basis);
Communicate that your local laws apply in all cases;
Analyse your (software) contracts (effectiveness/harmfulness);
When in Europe: look at the second-hand market to “pre-repair” breaches.
Most important: Prevent audits by having a solid License administration / SAM process (internal or external)
12. What’s done?
• Are you prepared for an audit?
• Who to prepare?
• Your goals clear?
• The vendor’s audit goals gone?
13. ITAM Review Audit Defence Workshop, Amsterdam, April 12th, 2016
P.S. for your helicopter pilot license, contact:
15. Workshop Audit Defense: how to effectively react to an audit announcement
16. Workshop Audit monitor
• Introduction
• Starting point
• Case: audit announcement/warning
– Work out: (15 minutes)
• Meeh’s Response to auditor DuL / software creator Microsoft (in bullets)
• Internal organization
• Desired outcome
– Gathering data: How and when is it accurate (15-20 minutes) (Belarc)
• Software
• Entitlement
– Discuss some outcomes (10-15 minutes)
Remember: Laws & legislation, data issues, communication, organization
19. Tips
• Check and follow your internal audit protocol
• Install an audit monitor
• Communicate your audit protocol and SPOC to the Software Creator or Auditor
• Check:
– Data protection
– Privacy Laws
– Security
– Commercial data
• NDA with auditor
• Check and install a SAM process.
23. Audit Protocol
Example content of an audit protocol:
1. Authority mapping of the organization (senior management, legal, etc.)
2. NDA, certification levels of auditor(s)
3. Security rules
4. Admittance rules to high-security environments
5. Applicable laws
6. Commercial protection
7. Data protection
8. Data/process flow from announcement until closure of an audit