Software Asset Management: Are You Audit Ready?


If one of your software vendors announced it was conducting an audit of your license usage tomorrow, how confident would you be?

Our experience is that most companies would be at least a little anxious. Software licensing terms are notoriously complex, and areas of potential non-compliance can be cryptic and even counterintuitive. At any given time, numerous employees potentially touch software and may not fully understand the specific entitlements and obligations related to its use. And non-compliance claims are frequently in the tens of millions of dollars or higher, often significantly exceeding the actual value of the purchased software.

Software compliance can be a significant risk area for many companies. And software audits are used as an indirect sales engine to induce companies to purchase more software.

During the first part of 2020, ISG saw software audit activity decrease significantly as software publishers apparently recognized the negative optics of squeezing their customers at a time of COVID-induced distress. However, by the second half of the year, audit activity was ramping back up to pre-COVID levels. We expect this to continue.

Most frequently, audits are initiated when software publishers see a likelihood of uncovering non-compliance with a particular customer and when normal revenue growth appears unlikely with that customer. Audits are most common when a customer:

  • Hasn’t acquired new licenses for some time and hasn’t communicated a roadmap for future license growth
  • Has a heterogeneous and decentralized technology environment
  • Is making significant changes in IT operations, such as outsourcing
  • Is in the midst of M&A activity

How confident would you be if you were audited?

While some companies still attempt to manage software assets via spreadsheets, many have purchased software asset management (SAM) tools and still find themselves unable to produce an accurate view of utilization vs. entitlements. Even companies that have implemented leading SAM tools like Flexera, SNOW, Aspera, ServiceNow and others still struggle. Often at the heart of this is a lack of strong data governance, improper implementation of auto-discovery or a lack of awareness of critical blind spots that exist in every tool. When we work with an enterprise, we are able to quickly gain a relatively accurate impression of whether or not they have SAM under control. Experienced software publishers’ client account directors can do the same; when they sense that there’s “blood in the water,” they act accordingly.

Data management is key to managing software

SAM data falls into two buckets: entitlement data and utilization data. It is all very well to have great record keeping of your license contracts and purchases, but without a solid understanding of consumption, you may not know whether you are getting value from the software or be prepared to defend against a compliance claim. If you know how all your software is being utilized but don’t keep track of your entitlement data, you likely don’t know whether you are at risk for non-compliance, or, even worse, purchasing more licenses than you need.

Software vendors construct licensing models that are convoluted, complex and change frequently. This is not an accident. While buyers likely want to extract maximum value and utilization from their software, sellers are focused on extracting maximum revenue from license growth. The onus is on the customer to keep SAM tools current with ever-changing license models and manage any custom license models they may have negotiated.

SAM data is great when it shows how many active or available instances have been discovered in your environment, but the data must also accurately link each instance to a specific entitlement, whether it is part of a product bundle, a named user license, a concurrent user license, an active database record license, or a divisional or enterprise metric, such as total revenue or FTE equivalent.

This can become even more challenging when you consider cloud deployments and try to match your entitlements and utilization across multiple SaaS, PaaS and IaaS ecosystems. For example, how does IT know whether it is contractually entitled to redeploy on-premises licenses into a private IaaS cloud? Your software vendor will certainly use any uncertainty in your entitlement data or utilization data as leverage.

SAM needs to be an organizational priority

Too often, organizations fall into the trap of implementing SAM in response to a particularly painful software compliance audit. Plenty of focus and attention is given to SAM for the next year or two, and the organization works hard to update the data and risk controls. After a couple of years, with no further compliance issues and no audit noise, the company loses focus and stops valuing the SAM expertise, dilutes responsibility or accountability for SAM data, and inevitably the SAM function slips quietly into obscurity. It is only a matter of time before a software vendor discovers an organization’s ineffective SAM function, and – when the time is right – triggers a compliance audit.

Note that software vendors communicate with each other. If one software vendor discovers an ineffective SAM function, you can bet other software vendors will know about it in short order.

As counterintuitive as it may be, a top-notch SAM function is largely invisible. There will be no compliance problems, license wastage or value leakage in your software fleet. SAM should be a strategic priority (not a tactical reaction). It should be grounded in a cloud-based SAM tool with rich data structures, reliable functionality and up-to-date license intelligence. It should be supported by robust organizational processes and accountabilities and linked to entitlement and utilization data in near-real time. Whether you operate a centralized or decentralized SAM model, your success will depend on the expertise of the people accountable for the SAM data and their ability to interpret license entitlement models in the context of how the software is utilized.

With an effective SAM function, you should extract maximum value from your software licenses and likely never feel the pain of a software compliance audit. Even if you do, you will be able to take charge and face it with confidence.


About the authors

Dave Goodman


Dave Goodman is ISG’s cloud subject matter expert and thought leader with a focus on enterprise infrastructures, business service management, cloud solutions and services. Dave oversees the strategy and definition of cloud consulting services and meets with CxOs to understand pain points in adopting cloud and advise on strategic decisions. He is a solution visionary experienced in defining future technology roadmaps, communicating strategy and business value to customers, corporate executive management, and technical teams.
Bill Huber


Signature traits: Big picture systems thinker and sourcing expert. Transformation and cost optimization-focused. Pragmatic and experienced.

Bill works with the world’s leading companies to identify, implement, and accelerate improved capabilities and better ways of working, and to align and optimize the network of strategic suppliers and partners. These efforts have driven hundreds of millions in savings for his clients.

Recent projects include helping major manufacturers and healthcare companies to implement broad cost optimization strategies, assisting utilities and medical device companies with their SAP strategies, assisting a leading fashion brand with its IT transformation, eCommerce, and SAP implementation, and working with a global cruise line on negotiation of its reservation and loyalty platform. Prior projects include:

  • Leading several global ITO and BPO projects for the leading cereal and snack food company
  • Infrastructure outsourcing for a leading regional US Bank
  • Implementation of an IT capabilities facility for a low-cost carrier

Prior to his current position, Bill led ISG’s software advisory practice, led ISG’s healthcare vertical, co-led ISG’s BPO practice and was a director in ISG’s strategy practice.