If you’re like most organizations, it’s been a while since your last self-audit. A survey we conducted found that out of 102 IT admins and executives, 56 percent said their company hadn’t completed a self-audit in the past year.
That doesn’t mean they’re more confident they’ll never see an audit. Almost two-thirds said they believe software audits are becoming more prevalent. And a 2013 Express Metrix survey of 178 senior IT managers in North America about audit activity found that more than half had been audited in the last two years.
The most frequent auditors cited in the Express Metrix survey were Microsoft, Adobe, Autodesk, Oracle, and SAP, in that order. Does your organization license software from any of those publishers? Most companies use software from at least one, so you should be expecting an audit request in the mail soon, if it hasn’t come already.
While some might see IT asset management and other ongoing maintenance as a time waster, the true time drain is responding to a simple audit when you’re not ready. A prepared organization could potentially respond to a request in days, while those that are unprepared could spend months gathering the necessary information.
I got an audit letter — now what?
When you have a few PCs and servers, the effort to plan for an audit is minimal. But as your IT environment grows, to perhaps hundreds of thousands of end points, responding to an audit request can be labor intensive and expensive, particularly for unprepared organizations.
IT administrators basically have three options after receiving an audit letter:
1. Ignore the request. And hope it doesn’t resurface. It’s an option, but one that won’t end well for your organization when the auditor returns with less patience and an exacting eye to detail.
2. Hand over your raw data to the auditor. Permit the auditor to perform a compliance analysis for you. This option is better than doing nothing, but companies lose control over the interpretation of their data, and leave themselves at the mercy of the publisher’s auditing team.
3. Plan ahead, and prepare for the audit. Start by proactively managing your software estate, and reinforce your efforts with assistance from an organization that offers data collection, licensing expertise, and reconciliation services.
The third option is your best choice, of course. Many audits include a timeline for response, which can be as little as 30 days. Depending on the scope of the request, a well-prepared organization may be able to respond to an audit request in a few days, while unprepared organizations can take weeks or months to address the data collection and analysis requirements.
Let’s take a look at an example of a Microsoft audit request and how much time it takes the prepared and unprepared to complete:
The prepared customer might complete all of those tasks in a day. In the best-case scenario for an unprepared customer, it takes at least four weeks — 20 business days — to respond. In this scenario, the unprepared customer has already taken 20 times longer than the prepared customer.
In the worst case scenario, it could take the prepared customer four days to complete those tasks. The unprepared customer could spend up to 10 weeks responding to an audit, nearly 13 times longer than the prepared customer. IT administrators would be spending more than a tenth of their year responding to the audit.
Start your audit planning now
SHI advocates a focused, objective-based strategy that actively addresses your top risk or spend areas, and to create a risk mitigation strategy that passively addresses financial or process risk.
By developing ITAM strategies and practices ahead of time, organizations can reduce and sometimes completely do away with the fire drill an audit request so often sparks. Preparing for an audit allows IT administrators to respond to any request in days and focus their valuable time on fulfilling business objectives and improving IT.
If you have questions about how best to manage your IT assets in preparation for an audit, please contact your SHI Account Executive.