The document discusses software license audits from the perspective of an audit firm. It provides insights into how software vendors select audit targets and conduct audits. Key points include: - Vendors prioritize audits of customers with indicators of high "reward", such as inconsistent purchasing patterns or organizational changes. - Customers receive a notification letter requesting a kick-off meeting to discuss the audit strategy and timeframe. - It is important for customers to understand their license agreements, assemble an audit team, and conduct an internal mini-audit to understand compliance status before the vendor audit.

1. Software
Licence Audits
Survive and Take
Advantage

2. For the past two years, I have sensed a gradual change of perception towards Enterprise Software Asset Management
(SAM) in the IT community – less so the traditional ‘how hard can counting computers and installations be’, and more
focus placed on keywords such as ‘compliance’, ‘licence optimisation’ and ‘cloud-readiness’.
Along with the change comes senior management support and investment. Many organisations have now built up
dedicated SAM teams, purchased shiny new tool sets or signed up Managed Service Agreements with their LARs or IT
Service Providers.
So all looks good and promising, except for one small problem – I am still seeing major audit exposures and large
unbudgeted pay-outs from companies who invested in SAM. Why?
Being part of a well established audit firm that has conducted licensing audits for more than 20 years, and having
worked with most of the top 10 software vendors' compliance programmes, I believe my answer to this question will be
interesting, and more importantly, useful to you and your organisation when your next “Audit Notification Letter” lands.
This will be the first time in the industry that a vendor-appointed audit firm shares audit insights and bullet-dodging
techniques. Some of the things you read may be already known, while others will be complete surprises – so please
buckle up and I hope enjoy the read.
Compliance will be rewarded.
Are you ready to comply?
Eric is the Director of Fisher IT Asset Consulting, with a team of 20 enthusiastic and highly experienced licence auditors and
consultants. Prior to his current role he managed a similar team at one of the “Big Four” audit firms and was responsible for the
launch of UK compliance programmes for a number of major software vendors.

3. Who we are
3
Fisher IT Asset Consulting (FIAC) are part of HW Fisher &
Company, a top 30 UK professional services firm founded in
1933. Collaboratively, our team of 20 contract and licensing
experts deliver Licence Compliance, Software Asset
Management (SAM) and IT Asset Management (ITAM)
services to organisations across all industries globally.
At its core, our portfolio of services is designed to assist
organisations to:
Gain total visibility of their IT asset ownership and liability
and understand how the assets are being utilised.
Identify and reduce risk of over-deploying software
licences to prevent vendor audit exposure and significant
penalty payments.
Optimise IT contracts and improve asset utilisation to
reduce overall cost of IT asset ownership.
Eric Chiu, Director
• Tel: +44 (0) 20 7554 3014
• Mob: +44 (0) 754 0123 970
• echiu@hwfisher.co.uk
Stuart Burns, Partner
• Tel: +44 (0)20 7380 4964
• sburns@hwfisher.co.uk
Rafi Saville
• Tel: +44 (0)20 7874 7967
• rsaville@hwfisher.co.uk

4. What will be covered in this Guide
The average settlement fee per audit
equates to 34% of a company’s
existing annual contract value with the
auditing vendor.
4
Facts
•Fundamental
knowledge of the
Licence Audit
business
Facts
•Fundamental
knowledge of the
Licence Audit
business
Survival
•What happens in
an audit and how
to watch your
every step
Survival
•What happens in
an audit and how
to watch your
every step
Take Advantage
•Why licence audit
can be good for
you and how to
reap the benefits
Take Advantage
•Why licence audit
can be good for
you and how to
reap the benefits
Free Assessment
•A high-value, no
cost independent
check of your
readiness
Free Assessment
•A high-value, no
cost independent
check of your
readiness

5. Facts
Fundamental knowledge of the Licence Audit business

6. Fact 1:
There is no escape
8 out the top 10, or 13 out of the top 20 software
vendors (by revenue) have active Licence
Compliance Audit Programmes globally to
safeguard licensing revenue
A recent IDC survey shows that 63% of the enterprises in North America and Europe
were audited by at least one software vendor for “licence compliance” in the past 12
months. Over one third of the survey respondents said that they paid more than
£200,000 for audit settlements and penalties.
Adobe, IBM, Microsoft, Oracle, SAP and Symantec are the vendors who initiate the
most audits. However, many more software vendors are relying on licence compliance
audits today as one of their key revenue contributors under a challenging economy.
If your organisation has never been audited before, you probably will receive one of
those notorious ‘Audit Notification Letters’ soon.
6

7. Fact 2:
This is not about honesty
The average settlement fee per audit
equates to 34% of a company’s
existing annual contract value with the
auditing vendor.
7
This is not about whether your users are downloading cracks or ‘keygens’ from the
internet.
The traditional whistle-blower-led anti-piracy raids can often be difficult to execute,
costly and sometimes political for Software vendors, while generating a limited return.
In comparison, checking on paying customers who may have been less than careful in
reading contractual terms and obligations, or in controlling the usage of legitimate
software, has proven to be a robust and sustainable revenue generating strategy.
You might see yourself as an honest customer for spending £1 million a year buying
Oracle or IBM licences and support annually. What your supplier sees, however, is a
compliance opportunity estimated at £340,000, waiting to be ‘recovered’!

8. Fact 3:
Many names for one goal
‘SAM Engagement’, ‘True-up’, ‘Licence
Optimisation’, ‘Baseline’ and many more …
no matter how the vendors call it, it is
always an audit that will cost you money.
8
Licence audit is costly for all software vendors whether they are using an internal team
or working with independent audit firms to conduct the exercise.
Yet we have never seen any software vendor that had a compliance programme and
decided to ‘switch it off’ – every licence compliance programme that we know is ‘self-
funded’ and in most cases, highly profitable.
This means that you, the customers, are footing the bill. Some vendors are generous
enough to only demand for the licences owed plus back maintenance; others may
even ask you to pay for the auditor’s fee.

9. Fact 4:
Can’t outsource the challenge
Whoever ‘looks after’ licensing for you,
whether it is a LAR, SAM service provider or
SAM tool vendor, no one will guarantee
your compliance or pay your audit bills
9
As long as you still buy software under your company’s name (an exception will be
having no IT department and using an external provider to deliver IT as a Service),
licence management remains your responsibility.
Outside support can help you automate processes and improve the underlying data
quality to make calculation of licensing positions easier and more accurate. However,
it is ultimately your (the software licensee’s) responsibility to make sure that you are
consuming software licences in accordance with the agreed terms and levels you
have with the software vendor.
This is why there are many organisations providing Software Asset Management
support and services, yet no one sells ‘software licence compliance insurance’.

10. Survival
What happens in an audit and how to watch your every step

11. Audit Selection
11
What happens
Because licence audits are often costly to conduct and sometimes trigger
emotional reactions from the customer, the last thing a software vendor
wants is an audit that identifies no compliance issues (and subsequently,
no revenue).
Therefore, very rarely a software vendor will pick its audit targets randomly.
To ‘recover’ the maximum amount of revenue under a set compliance
budget every year, most vendors use a combination of indicators to
gauge the ‘reward level’ of an audit candidate and prioritise their
selections accordingly. The most common type of such indicators used
are:
How to Survive
Unfortunately many of the ‘risk indicators’
used by vendors to select audit targets are
often beyond your control. However, there
are still two practical tips that can be useful
to lower your rank on the target list:
Maintain an open and transparent
relationship with your account managers. Tell
them why you are not renewing or buying
licences, and tell them how you control and
monitor the use of licences
Negotiate yourself out of licensing metrics
that are difficult to measure, especially when
there is no licence consumption reporting
mechanism built-in to the software.
Customer’s
purchase level
with the
vendor
Organisational
structure
complexity
Level of
organisational
change such as
M&A activities
Complexity of
licensing
model agreed
Purchase
pattern that
does not
reflect growth
SAM maturity
intelligence
gathered from
account team

12. The Notification Letter
12
How to Survive
The first thing you should do is to look for your licence agreements and the audit
clause within. You should also notify the relevant stakeholders and assemble a
team that can provide both resource and expertise during the audit process.
At this point, if you are not confident of your compliance status, you should
quickly arrange a mini-audit internally. If this is restricted by in-house expertise or
resource level, it will be a good time to seek outside expert assistance.
It is vitally important that you have a clear view of your compliance position
before the vendor does it. This is not about trying to hide or delete over-used
software – because, even if you do, most auditors can still find them.
However, most vendors are willing to give significant discounts for up-front
settlement for the sake of saving their effort and cost of running an audit
What happens
You will receive a formal notification
from your software vendor or their
appointed auditors.
This could come in as a letter or an
e-mail addressing the contract
signatory within your organisation,
often requesting a ‘kick-off’ meeting
to discuss the audit strategy and
expected timeframe of completion.
It will often inform you that any
additional licences purchased
beyond the date of the letter will not
be counted towards your licence
ownership for the purpose of the
audit. Ask
Yourself
Are you aware of all licence restrictions and obligations stated in the EULA?
Can you measure software usage that is not licensed on user or install basis?
Does your Discovery tool cover non-Windows or test/dev servers?
Is your compliance calculation based on words or validated facts?

13. Kick-off & Scoping
13
How to Survive
There are a number of important steps to safeguard your interest in the kick-
off meeting:
Ensure that the agreed scope only includes software licences under your
direct ownership and management. Do not include subsidiaries or
overseas entities unless they are covered by the same licence agreement
that is owned and managed by you.
Request for NDA to restrict the use of audit data from other purposes.
Ask for a reasonable timeline – you are not contractually bound to
complete an audit within a set-timeframe, as long as its ‘reasonable’, so
do ask for extra time if you are under-resourced or migrating your data
centre.
What happens
This is the initial meeting where you and
the auditing software vendor, often with
their appointed auditors, sit together
and negotiate on the scope, approach
and time line for the coming audit.
Typically, the audit scope can be
geographic, organisational or limited by
product families.
The auditors will outline the information
they will need to gather to conduct the
audit, and discuss the methods of
collecting such information with you.

14. Managing Data Collection
14
How to Survive
The data collection process needs to be very carefully
managed so that only relevant and requested data is
submitted to the auditors. The most important tips on
managing data collection include:
Have your own project manager who understands
the audit scope, to oversee data collection, so your
‘techies’ won’t give away more than necessary.
Make sure you understand the rationale behind
each data request – don’t be afraid to ask ‘what do
you need this for?’ or ‘why are you running this
script?’
Be extra-careful with what you declare – if you are
not sure, spend the time and effort to investigate,
instead of giving a ‘half-correct’ answer that will
expose you into deeper scrutiny by the auditors later
on.
What happens
The auditors will start the audit by gathering information
after the kick-off meeting. The most common types of
information gathering exercise include:
Interviews: auditors talk to your staff and collect
information verbally or through on-screen observations
Self-declaration: you will be provided with a guided
template to populate software usage information
Request existing records: these can be any records that
you already own from CMDB reports to HR records
In-App reports: the auditors may ask you to generate
built-in reports in some applications, such as user or
connection reports.
Execute scripts / tools: the auditors may ask you to run
software they provide to scan your machines

15. Validating Draft Audit Reports
15
How to Survive
If you have done something wrong earlier in the process, whether by supplying outdated
user information or including decommissioned servers in your self-declaration, this is your
last chance to fix the issue. Once you have ‘accepted’ the report, it will be extremely
difficult to reverse what you have said – even if what you have said does not reflect the
reality. Therefore, it is vitally important that, at this stage, you:
Check the entire report thoroughly. Don’t just look at the summary ELPs; review the
underlying datasets at least for the software titles that are in ‘red’ – identified as under-
licensed.
Ask for clarification if you do not understand any part of the report entirely. It is the
auditors obligation to explain how they arrive at their conclusions.
Involve the original person who supplied the auditor with raw data in the review
process, to make sure the data has not been manipulated or interpreted incorrectly.
Try to remove any ‘assumptions’ the auditors made in the report due to lack of data
from you, as most of these will not be in your favour. Supply them more data where
possible.
What happens
After the auditors finish
collecting the required audit
information, they will
prepare a Draft Licence
Compliance Report with
Effective Licence Positions
(ELP) for each software title
that you licence and
consume.
Some will share the same
draft with the vendor at the
same time, but most will ask
for your comment, and if
possible, your acceptance
of the report’s ‘factual
accuracy’ before doing so.

16. Settlement Negotiations
16
How to Survive
If you are still on the path of DIY audit defence
at this stage, below are some basics that you
should know before joining the table alone:
Mitigating circumstances: strong and
verifiable ‘excuses’ for accidental usage or
mis-deployment may be considered as
mitigating circumstances
Publisher goodwill: collaborating with the
vendor’s compliance team, rather than
being purposefully obstructive, is more likely
to land you goodwill on some liability waivers.
Vendor Demand Matrix: like all negotiations
this is about give and take. Vendor
compliance teams want immediate revenue,
increased future revenue and swift payment
without upsetting you. Look at what you can
afford and choose your tactic accordingly.
What happens
Any red or minus lines in the Compliance
Reports indicates that you owe the vendor
money and you will be asked to pay up.
Depending on who the vendors are and
the degree of non-compliance, you may
be asked to purchase the licences owed at
full list price without discount, paying back-
maintenance and sometimes even the
cost of the audit.
You will also be asked to clear the payment
within a given timeframe, usually at 4 or less
weeks upon audit completion. It is likely
that your OPEX budget is not big enough to
‘take the hit’, and conversations with CFOs
asking for ad-hoc cash are rarely pleasant.
Immediate
revenue
Immediate
revenue
Future
revenue
Future
revenue
Time of
payment
Time of
payment
RelationshipRelationship
Mitigating circumstancesMitigating circumstances
Publisher’s GoodwillPublisher’s Goodwill

17. Take Advantage
Why licence audit can be good for you and how to reap the benefits

18. Don’t forget the Green lines
Most companies do not take action on the
green lines in a compliance report – these
are the over-licensed positions where you
are paying more licences than required.
You can’t really blame the auditors or vendors for not emphasising the ‘over-licensed’
positions – after all, it is not in their interest and no EULA has a ‘refund’ clause. Sure, there are
sometimes good reasons for why you have purchased more licences than needed – up-
coming projects or buying a bit more for the future and for the discount.
However, if these licences became excess due to genuine reduction of requirement, you
can save significantly and instantly by switching off their annual support & maintenance
payment, usually worth around 20% of the full licence cost.
You may also want to explore the used-software market, where there are increasing
numbers of brokers paying cash to acquire unwanted perpetual licences from end-user
organisations. 18

19. Get up from where you fell down
Don’t throw away your compliance report.
It is a perfect baseline for you to accurately
manage your licence positions going
forward, so harvest it.
19
The compliance reports issued by the auditors and vendors will always have limited scope;
nonetheless they are the next best thing you can have without major investment in your
Software Asset Management practice.
With this validated baseline, as long as you carefully track all new licence purchases and
deployment post audit, you will maintain good visibility over your licence position of the
given vendor.
Of course, such tracking is more difficult to say then do. However, before you get that board
approval on investments in SAM, this is still a very good ‘interim’ practice to keep your head
above water.

20. Learn from the auditors
It takes years of investment for the world’s
largest audit firms to find efficient methods
to measure licence compliance, and this is
shared with you during every audit.
20
We are not talking about counting basic software users or installs here, we are talking about
understanding PVUs and RVUs for IBM, Core Factors for Oracle or one of the hundred types
of users for SAP, plus all restrictions hidden within those 30-page Enterprise Agreements.
Measuring the ownership and consumption levels for complex software licences are often
challenges to your LARs or even the vendors’ own sales teams. However, you have been
given unique access to the best solution because of the audit.
Ask the auditor how they calculate each number, because they will have to explain.
Document the process and keep a copy of their data collection instructions. Perform the
same process yourself in the future so that your SAM practice will be audit-proof.

21. Audit Readiness Assessment
A high-value, no cost independent check of your readiness

22. Audit Readiness Assessment
22
What it is
A one-day independent assessment of
your licence compliance readiness
Interviews, on-screen observations plus
data and document reviews
Focus on ‘what you don’t know’
Same-day presentation of findings, with
optional follow-up remote
presentations at a later date.
Covered by NDA
What you get
Visibility of licence compliance risks
and gaps that were previously
unknown
Estimated financial exposure and
saving opportunities
Ammunition for your SAM business case
Understanding the limitations of your
existing discovery and SAM tools
A suggested plan of action, or a high-
level requirement specification, should
you wish to seek external support
Find out more at www.hwfisher.co.uk/fiac or e-mail licensing@hwfisher.co.uk to book an appointment.