What to Expect when Expecting a Software Audit

Do you find yourself becoming easily agitated or frustrated? Are you feeling overwhelmed, like you are losing control or need to take control? Maybe you are having difficulty relaxing or quieting your mind. If you feel any or all of these symptoms, you may be experiencing stress as a result of an upcoming software audit.

Expect to be audited

A software audit isn’t personal; however, it is how software companies ensure that customers are paying for every license they have installed. Software audits can also generate revenue for software companies; therefore, auditors tend to target organizations that lack an understanding of their software licenses substantially more often than companies that understand and properly manage their software licenses.

Software audits used to be a rare event for an organization; however, some software companies are performing audits more frequently than in the past. In a report posted by cio.com, 58% of executives surveyed said they have been audited by Microsoft in the last 12 months. The report went on to say that audits from Microsoft have become more frequent in the past five years. “Most often we are seeing Microsoft approach customers via email to conduct a self-audit, but we also see the more invasive, third-party types of audit that will send a shiver down any CIO’s spine.”

It is no longer a question of ‘if’ you will face an audit, it is now a question of ‘when’. Organizations can avoid unexpected costs resulting from a software audit if they invest in tools that accurately report the software installations matched with their software entitlements. First, it is important to understand your software license agreement.

Expect the auditor to understand your software license agreement

A software license agreement can be very complex. One thing to expect from the auditor is that he/she has a thorough understanding of your software agreement. If you do not understand your agreement, you will have to rely on the findings of the auditor.

Endpoint software licenses agreements are not just a question of how many software installations you have versus how many you own, they are also about software entitlement. For example, a software license agreement might state that a license may allow a user to install the software on more than one device. This would be important information when calculating the software entitlement.

Software license agreements become more complex in the data center with software such as Oracle, Microsoft SQL, server virtualization, desktop virtualization, etc. These solutions often use per-processor licensing or multiplexing.

For example, a Licensing Server Quick Reference Guide for SQL Server 2008 R2 explains the license as follows: For any virtual OSE, you can calculate the number of Per Processor Licenses required for the SQL Server edition that you are licensing by dividing data point A (number of virtual processors supporting the virtual OSE) by data point B (# of cores [if hyperthreading is turned off] or threads [if hyperthreading is turned on] per physical processor). If the result is not a whole number, round up to the next whole number.

The complexity as shown above has opened the door for mistakes. An article by Computer Weekly claims “Along with economic pressure, the survey of 92 senior decision makers reported that technological changes such as virtualization have also driven the increase in audits. The complexity of those technologies makes it harder for companies to be sure they are using them properly.”

Once you have a good understanding of your software license agreement, you will be able to apply your software asset management tools more effectively

Expect to pay if you are not properly tracking your software licenses

It is important to invest in tools and resources to track software licenses, software deployments, and software entitlements. Accurate reporting of software licenses is critical to avoiding unexpected software license costs resulting from an audit. IT departments need to have the ability to do a self-audit internally or by a third party.

Software auditors are aware of organizations that are not using tools to manage software licenses, and those organizations tend to be targeted for an audit more often. One report states “Respondents whose organizations have implemented IT asset management (ITAM) tools report a 32% lower audit rate within the last two years than organizations with no such tools.”

Software companies are aware of the high cost required to perform a software audit, just as they are aware of the revenue that can be generated by the audit. In an article posted by Martin Thompson on the ITAM Review, he states “Because audits are very expensive, a vendor doesn’t undertake them lightly and if you have received a request for an audit it is no longer about the deterrent value of an audit, but because the vendor has decided that there is a strong chance that an audit of your company will bring in more money than it will cost to carry out the audit.”

Expect to pay retroactive maintenance fees for unlicensed software

If a software audit reveals you are using more licenses than you own, expect to pay retroactive maintenance for those licenses. That’s right, you won’t just pay the cost of the license, expect to pay more. Think of it as a penalty similar to paying your taxes after the deadline.

An article published in PC World states, “If a customer is found to be out of compliance, IBM asks them to buy the right licenses and pay two years of retroactive maintenance fees.”


To reduce the stress and costs that result from a software audit, I recommend the following:

  • Understand your Software License Agreements
  • Track software installations with Software Asset Management tools
  • Enable your IT Departments to do self-audits or contract with a third party that can do it for you on a regular basis.


When I was 10 years old, I had to walk half a mile to and from school every day with my two buddies. We often deviated from our path when returning home so we could cut through a small shopping center that consisted of a supermarket, a bank, and several small shops. I remember the bank more than anything because every Friday, there was a line of people waiting to deposit their paychecks. The line stretched out of the bank and down the sidewalk covering the length of three stores.

Bank Line

Waiting in a line for anything is not a pleasant experience, at least for most people. To solve the problem of long lines at the bank, somebody invented ‘direct deposit’ for paychecks while somebody else invented the ATM. I was amazed the first time I used a machine instead of a person to withdraw cash. Instant gratification is a feature that has no boundaries. In the world we live in today, people continue to invent methods to get faster results for their needs and desires. Just when you thought ‘next-day delivery’ was as good as it gets, someone figured out how to use drones to deliver your internet purchase within an hour.

Instant gratification is not only an expectation for consumers who wish to manage their bank accounts, make purchases, or watch movies online, it has also become an expectation for an organization’s IT Service Desk. Today’s IT customer is conditioned to expect instant answers to questions, problems, and desires.

It is no longer acceptable in the minds of most customers to be on hold listening to music that Shazam would not even be able to recognize. To meet the instant gratification challenge, IT support solutions need to build automated solutions to address their customer problems and requests.

I Can’t Login…

One of the most common reasons a user contacts the IT help desk is because they cannot access the network or a network application. The reason? They forgot their password.

On a Forrester blog post by Stephen Mann, he states that “2%-28% of tickets relate to passwords – the average is 6%”

When users forget their passwords to their online personal accounts, such as their bank account, they simply click ‘forgot password’ and answer a series of questions that eventually provides a way to unlock their account without any human interaction. The security measures taken to unlock the account usually includes an email or text which provides a code before the user is allowed to reset the password.

If your IT Service Desk does not automate password reset, then it is time to look for a new solution.

Build Automation for Request Fulfillment

IT requests can be divided into three areas

  • IT asset requests
  • Account requests
  • Software requests

IT Asset Requests

Most of your IT users have purchased something online. The experience they want when requesting something like an external hard drive, a phone, or a new laptop is what I call the ‘Amazon’ experience. Users expect the request process to be just like an online purchase.

For example, if your organization supports certain models of the iPhone and Samsung, then you should display the model number with specs, a picture, and details regarding the expected delivery of the device. When possible, a method to ‘expedite’ the item should be made available.

Don’t forget, the user should always be able to check the progress of any IT request. Provide updates to set expectations for delivery of the asset.

Account Requests

The IT Service Desk needs to have the ability to link account requests to the associated hardware request when necessary, so that the user doesn’t end up with a phone and no service.

Account requests to company applications or databases should be instant. For example, someone in a management position may request temporary permission to an HR database. Automation for this request should verify the person meets the employment level required, then instantly grant temporary permission to the HR database.

Software Requests

We all know what happens when we purchase an app from our smartphone’s application store. The application is immediately delivered to the phone.

  • Users request an app because they want to use it now, not later.

Automated application delivery needs to be instant, just like the user has come to expect. Unless an approval is required, IT Service Desk application requests need to contact the software delivery system and have that system immediately kick off the software distribution.

Automating the Approval Process

Automation for any request may need management approval. It is important that approvals can be done from any smartphone so that requests are not delayed. If an IT Service Desk requires the approver to login to a system versus approving something directly from email on their smartphone, then the automated process is not as ‘remote’ friendly as intended.


Today’s IT Service Desk (ITSM) solutions need to provide ‘instant gratification’ which is expected from their customers. Processes for incident resolution and request fulfillment should be automated for quick incident resolutions and request fulfillment with minimal human interaction, much like an ATM fulfills customer banking requests without human interaction.

-follow me on Twitter @marcelshaw

Thanks to Nicole Shaw for the Graphic

Four Areas to Start Integrating ITAM into IT Service Management (ITSM) – Part 2 of 2

As a child, I would often look at the toy section in my mother’s department store catalogs and I would imagine playing with the toys I would see in the pictures. As an adult, I still enjoy looking through a catalog; however, the toys have changed. Now I like to browse through electronics such as TVs, computer devices, and audio devices. With current technology, I can look at catalog items on my computer and, if I provide a credit card number, I can purchase an item directly from the catalog with the click of a button.

When consumers purchase an item directly from an internet site, a process is executed by the internet vendor. Usually, that process will authorize the purchase, verify the inventory, procure the item, provide information to a third party company for shipping and provide a status update via email to the customer.

During the first decade of the internet, companies became victims of their own success as they struggled to properly manage their inventory supplies. As integration between consumer internet sites and their inventory management systems improved, customer expectations were properly set.

Companies that did not address inventory integration issues often missed shipping deadlines which caused items to arrive late. This caused a lot of stress for the consumer purchasing for the holidays, birthdays, or anniversaries. As a result, many companies lost credibility with their customers which opened the door for their competitors.

IT departments in many organizations are creating self-service portals with catalog items containing IT assets that employees need to do their jobs. For example, phones, laptops, tablets and software licenses are often available through online automated employee request portals. ITSM tools, including processes and catalog services, are often used to build employee self-service portals. Much like consumer internet sites, inventory management plays an important role when fulfilling employee requests for IT assets.

Request Management

Although Request Management is not an official ITIL term, it is a term used by many ITSM vendors. Basically, the term Request Management includes at least two ITILv3 definitions:

  • Request Fulfilment
    • (Service Operation) The process responsible for managing the lifecycle of all service requests.
  • Service Catalog
    • (Service Design) A database or structured document with information about all live IT services, including those available for deployment. The Service Catalogue is the only part of the service portfolio published to customers, and is used to support the sale and delivery of IT services. The Service Catalogue includes information about deliverables, prices, contact points, ordering and request processes. See Contract Portfolio.

Published on the ITSM Review, Peter Hubbard stated:

“Request Fulfilment is one of the most useful, yet underrated, areas within IT Service Management. Request Fulfilment provides a channel for users to request and receive standard services for which a predefined approval and qualification process exists. It simply ensures that each request doesn’t have to ‘reinvent the wheel’. A request model is a way of predefining the steps that should be taken to handle a process.”

Request Fulfilment processes, along with Service Catalog, are becoming more recognized as a way to cut IT costs. Although there are some differences between ITIL definitions and some analyst’s definition of a Service Catalog, ITSM vendors and their customers are learning they can provide most IT requests through the Service Catalog, including requests for hardware devices.

When adding IT assets to your Service Catalog using an automated request fulfilment process, ITAM integration should be integrated into the process so that assets can be tracked.

As an example, let’s look at a request for a laptop. Laptops offered by an organization can be added to the Service Catalog. The portal used to make a request for an item can be built much like a site the customer (employee) would use if purchasing a personal laptop from an online vendor. Below is an example of how you might want to build your ITSM process:

Laptop Process

Much like making any online purchase, an approval process would need to be included. For example, a request for a laptop would need to be approved by the manager whose department will be charged.

Laptop Process 1

Upon approval, the process would need to check current inventory in the ITAM database to verify whether or not a laptop is available.


The ITAM database should contain a lifecycle attribute for all its inventory. Laptops that are not in use would be set to ‘available’ for procurement. This information would be passed to the ITSM request fulfillment process via a connector or an API. If a laptop is available, the process would then reassign the available laptop to the customer who made the request. The lifecycle of the laptop would then be updated to show it has been assigned and no longer ‘available’.



If a laptop is not available, the process should reassign the request to the purchasing department so that a purchase order for a laptop is issued to the vendor. A status update should then be sent to the customer who initiated the request to set proper expectations for delivery.

Laptop Process 4

Additional assets such as software licenses or user accounts might be required for an asset that is requested. These dependent assets should be added to the request fulfilment process. For example, if you know a laptop will require a software license for Microsoft Office, you should build that software asset request into the laptop request process. If the ITAM database manages software license information, have the process check for available licenses, then assign the software license to the customer requesting the laptop.

Laptop 5

Unlike hardware, software can be assigned even though licenses are not available; however, the process should notify the purchasing department so that the license can be purchased. Losing track of your installed software licenses can be costly if, during a software audit, it is found that you do not own enough licenses.

Lifecycle Management

  • Suggestion: Initiate changes to the ITAM lifecycle attributes from ITSM processes.


ITAM solutions manage the lifecycle of an asset. ITSM processes should be used to change the lifecycle of an asset in the ITAM database. For example, if a customer opens an incident due to a problem with his/her laptop, the analyst may initiate a process to request a replacement laptop for the customer. The problem laptop would then be given back to IT so that it can be fixed, replaced, or retired. To accurately track the problem laptop as it goes from the customer to back to IT, update the lifecycle state from the incident that was initially created to report the problem.


Today, integration can be built between ITAM and ITSM solutions through processes, connectors, and APIs. In the future, we will probably see more of a development platform approach for integrating ITAM into ITSM. This is a topic I hope to cover in an upcoming blog.

There is no doubt that ITAM is relevant to effective IT service management. Companies that do not have an ITAM strategy alongside their ITSM strategy will spend more money over time than those companies who have integrated ITAM into their ITSM solutions.

-follow me on Twitter @marcelshaw