1. The ITAM Review US Conference 2017
Audit Defense: Plugging The Leaks
Chris Moffett, Global Software Asset Manager
Lisa Hellberg, Sr. Director, Global Supplier Asset Management
2. Introduction

TOPIC OF DISCUSSION: Many companies struggle with tools, "helpful" employees and even internal audit teams leaking what appears to be irrelevant information to outside auditors. Unfortunately, the auditors and sales teams are very adept at asking probing questions that are out of scope and often lead to unintended audit complications.

WHAT YOU WILL LEARN: In this session you will discover how to organize your company's audit response activities: who can discuss what information, what tools can be used, and how the auditors and sales teams can interact with your company while under audit.
3. Agenda
• Software Audit Pre-conditions
• What are we trying to avoid
• Prevent leaks
• Before the audit
• At audit commencement
• Upon audit completion
4. Audit Preconditions: Non-Negotiable

• All communication regarding the ongoing audit must be directed to “Your Company’s” audit response team
• Publisher/auditor representatives must not attempt to discuss environment, installation count, forecast, growth expectations, strategic direction or any other audit related data with other “Your Company” employees.
5. What Are We Trying To Avoid

• Unauthorized release of confidential information
• Prohibit gathering and communication that is out of scope
• Interactions between auditors and non audit team members
• Auditor/Company representatives probing for additional information
6. Prevent Leaks Before The Audit

Before the audit begins:
• Create an internal audit team and define their roles
• Establish a list of in scope information
• Understand and identify who your publisher/auditor representatives are
• Restrict and centralize all communications
• Train your internal staff to redirect all communications related to the audit.
7. Internal Audit Team

• Legal Counsel – Manage the legal terms and conditions
• Security – Help define and enforce the data elements that are captured and communicated
• Procurement – Manage the pricing and settlement activities
• ITAM/SAM – Manage the data gathering and compliance review process
8. What is considered in scope information

Only usage data based on contractually agreed upon license metrics should be included.
• Confirm which specific agreements are under review
• Identify what products and use rights apply
• Outline regions or locations under audit
• Agree on duration of product usage
• Establish license usage calculation methods
• Compile a list of eligible .exe values and installation paths
• Determine what environments require licenses (e.g. dev, test, prod)
• Establish data gathering process and tools
• Establish question and answer protocol
9. What should be considered out of scope

Data to avoid:
• Trial, evaluation and free installations
• Customer identifiable information
• Customer installed products where licenses are not provided by your company
• Orphaned .dll and other data left behind from uninstalls
• Incomplete installations
• Prior expired agreements
• Auditor access to event viewer logs
10. Publisher/Audit Company Representatives

Who should be considered a company representative we would want to avoid?
• Sales and Sales Support
• Tech Support Engineers
• Billing contacts
• Compliance/audit team
• Industry event or conference participants
• Software product reseller
11. Communication Types To Avoid

Below are a few examples of communication methods by the publisher/auditor company that non audit team employees may be exposed to and should avoid:
• Emails
• Phone and text conversations
• Social Media interactions (e.g. LinkedIn, Facebook)
• Industry event or conference participants
• On site visits
• Business Lunches
• Quarterly Business Reviews
12. Restrict Internal Staff Communications

Below are example scenarios of who might unknowingly communicate risky information:
• Operations/Support staff calling in for support of the product
• Product users looking for product roadmap and other information
• Accounts Payable working to pay an invoice
• Front desk/lobby staff being approached for onsite visits
• Engineers working to deploy the products
• Individuals working with evaluation and new product testing activities
• Marketing or channel sales collaborations/partnerships
• Employees requesting quotes for new product deployment
13. Prevent Leaks At Audit Commencement

• Enforce the in scope details agreed upon
• Code tools to only capture in scope data elements
• Require auditors to use a company provided laptop with no internet access and no USB write capabilities to review the data.
• Reclaim the laptop from the auditor at the end of each day
• Do not allow any data to be taken off site until analysis is completed
• Once analysis is completed, only allow summary ELP (Effective License Position) level data to be taken off site for compliance position creation
• Require auditor questions to be answered offline
• If auditor questions require screen share activities, schedule the review for the following day and train the impacted staff on how to respond
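As an added illustration of the "code tools to only capture in scope data elements" step, combining the in scope list (eligible .exe values and installation paths, licensed environments) with the out of scope list (trial/evaluation/free installs, orphaned .dll remnants, incomplete installations): this is example code written for this page, not a tool from the presenters, and the product names, paths and inventory rows are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed scope definition, agreed with the auditor before data gathering
# (hypothetical product names and paths, not values from the deck).
IN_SCOPE_EXES = {"acmeapp.exe", "acmesvc.exe"}
IN_SCOPE_PATH_PREFIXES = ("c:\\program files\\acme\\", "/opt/acme/")
LICENSED_ENVIRONMENTS = {"prod"}          # dev/test agreed as not requiring licenses
IN_SCOPE_FIELDS = ("hostname", "exe", "version", "environment")

@dataclass
class InventoryRecord:
    hostname: str
    exe: str
    path: str
    version: str
    environment: str
    install_state: str   # "complete", "incomplete" or "orphaned"
    license_type: str    # "full", "trial", "evaluation" or "free"

def is_in_scope(rec: InventoryRecord) -> bool:
    """Apply the agreed scope rules; anything failing them is never extracted."""
    if rec.exe.lower() not in IN_SCOPE_EXES:
        return False                      # not an eligible .exe value
    if not rec.path.lower().startswith(IN_SCOPE_PATH_PREFIXES):
        return False                      # outside the agreed installation paths
    if rec.environment not in LICENSED_ENVIRONMENTS:
        return False                      # environment does not require a license
    if rec.install_state != "complete":
        return False                      # orphaned .dll remnants, partial installs
    if rec.license_type != "full":
        return False                      # trial, evaluation and free installs
    return True

def extract_in_scope(records):
    """Keep only in-scope records and reduce each to the agreed data elements."""
    return [{f: getattr(r, f) for f in IN_SCOPE_FIELDS}
            for r in records if is_in_scope(r)]

# Constructed inventory export: only the first row should reach the auditor.
SAMPLE_INVENTORY = [
    InventoryRecord("prd-app-01", "AcmeApp.exe", "C:\\Program Files\\Acme\\AcmeApp.exe", "4.2", "prod", "complete", "full"),
    InventoryRecord("dev-app-07", "AcmeApp.exe", "C:\\Program Files\\Acme\\AcmeApp.exe", "4.2", "dev", "complete", "full"),
    InventoryRecord("prd-app-02", "AcmeApp.exe", "C:\\Users\\jdoe\\Downloads\\AcmeApp.exe", "4.3", "prod", "complete", "trial"),
    InventoryRecord("prd-app-03", "acmecore.dll", "C:\\Program Files\\Acme\\acmecore.dll", "4.1", "prod", "orphaned", "full"),
    InventoryRecord("prd-app-04", "AcmeSvc.exe", "C:\\Program Files\\Acme\\AcmeSvc.exe", "4.2", "prod", "incomplete", "full"),
]

if __name__ == "__main__":
    for row in extract_in_scope(SAMPLE_INVENTORY):
        print(row)
```

The reduction step also drops fields the auditor has no agreed need for (here the raw path and install state), so the extract contains nothing that would invite out of scope questions.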
14. Screen Share Best Practices

• Hide all information on the desktop
• Close all programs
• Navigate to in scope locations prior to starting the screen share
• Only answer questions with a yes or a no
15. Prevent Leaks Upon Audit Completion

• Reclaim and reformat the company provided laptop
• Confirm only summary ELP level data has been provided to the publisher
• Do not allow the auditor to retain a copy of the data used for ELP creation
16. Summary

Remember that all compliance reviews should have only one goal: determining the current compliance position. With that in mind, always:
• Proactively develop your compliance position prior to auditor
engagement
• Establish and enforce the audit scope
• Restrict non audit team communications
• PROTECT YOUR DATA