Vendor audits are on the rise in 2021; here’s how to prepare

Over the last three or so months, Livingstone Group has witnessed a marked up-tick in the number of audit letters and new audit requests being sent out to our clients. Our conservative estimate is that requests are up by 40 percent when compared to pre-pandemic levels.

While worrying for ITAM professionals and the organizations they work for, this news should not come as a tremendous surprise. Indeed, it is something we predicted might happen in our previous blog of May 2020.

There are several overlapping reasons why we’re seeing this increase in audit activity right now.

 

Why audit requests are spiking
 

  • Revenue protection

The pandemic has tipped global markets into recession and there’s no obvious path to recovery. Software and cloud service providers will be thinking long and hard about how to protect their revenue streams. Audit penalties, together with back payments for unlicensed usage, are proven ways to bolster their balance sheets.

  • To drive customers to the cloud

Many of the traditional vendors, which made their names developing on-premise software, are still grappling with ways to migrate their customers to the cloud. This is necessary if they are to stave off competition from the new generation of cloud-based service providers and remain viable in what’s become a cloud-first industry. An increasingly common tactic during audits is for vendors to (at least, in part) overlook non-compliance if the customer commits to new cloud contracts. The sooner the vendor can get customers to shift from on-prem to the cloud, the better it is for their revenue flows.

  • The likelihood of non-compliance is high

There’s also a suspicion that vendors are seeking to audit companies now because they know there’s a high likelihood that they are not compliant. When workplaces shut their doors last March, businesses were forced to deploy new services and technologies, often lured by free offers and without the involvement of IT or procurement. In the rush, there is a very real risk that contracts were not adequately reviewed and that usage does not match entitlement.

 

Vendor nuances at play

While the increase in audit activity has been across the board, there are of course differences between how each vendor or service provider is currently tackling inspections. Here are some of the most noteworthy changes in behavior:

  • Oracle using third parties to widen audit reach

Oracle has always placed great focus on audits (you can read more about its modus operandi here) but it has doubled down on this activity over the last few months. In particular, Oracle has increased its use of Oracle Partners to perform audits of its behalf, targeting small to medium companies, presumably to help scale its efforts. Oracle does not pay these partners to conduct this activity. Instead, partners can generate revenues by reselling licenses to the end user organization to resolve non-compliance once the audit is complete. This creates a conflict of interest that is not likely to sit well with businesses.

  • Micro Focus contracts require close scrutiny

Another provider which has upped the ante is Micro Focus, which is taking a much more active approach to auditing its customers. Like Oracle, it is making use of external auditors to help with the process, but unlike Oracle, these external auditors are typically the ‘Big Four’, most frequently PwC. The good news is that its model is unlikely to create the same type of conflict of interest as seen with Oracle (unless, of course, the same company acts as your financial auditors, when things do become complicated).

Micro Focus is, however, using changes in its contracting terms to its advantage with reference to acquisitions. An organization which may have legacy contacts with HPE, might have been asked to agree to updated T&Cs with Micro Focus. These T&Cs can be long and complex, yet the process of agreeing to them requires little more than a click of the mouse, so it is important that no corners are cut when reviewing the paperwork. Standard Micro Focus contracts allow third parties to undertake audits and can even provide the vendor with audit rights that were never included in the original contracts.

  • IBM focusing on accelerating cloud adoption

IBM is also upping its audit activity, but its motivations appear to be purely cloud-based. In our view, it is currently using non-compliance as leverage to get customers to move to as-a-Service consumption models, which will have a more positive impact on its own balance sheet in the long-term. In essence, IBM audits have become part of its sales teams’ arsenals, but also using the ‘Big Four’ such as Deloitte and KPMG.

  • SAP following the enhanced audits route

Another change of note is from SAP. It seems to be broadening its focus by undertaking more and more enhanced audits, scrutinizing deployments of its growing stable of cloud-based solutions, including SuccessFactors, Business Objects and HANA, not forgetting Indirect Access, which is a key focal point during the enhanced audit.

 

Five ways to ready your organization for increased audit activity

It’s a reasonable expectation that vendors will become even more focused on audits in the forthcoming months. As such, it is important that organizations understand how to prepare for this frenzy. Here are five ways to get ready:

  1. Ask for a deferral. Even Oracle, which has the strongest track record of sending out audit letters, will consider a deferral. It is perfectly reasonable to ask for a delay if your organization has other mission-critical or time-sensitive priorities making it difficult to free resources in order to manage complex audit procedures. This is particularly the case for organizations operating in the frontline of the pandemic, for example, public sector, pharma, logistics or retail, but it is an option available to all companies. The important thing is to follow an audit timeframe that suits your business, not the vendor.
  1. Go direct. Ask your vendor to conduct the audit itself, rather than appoint a third party. This solves issues associated with conflicts of interest and tends to make the process both smoother and simpler. Even if your contract dictates a third-party auditor can be used, vendors can be swayed, particularly if the customer is large or planning to expand usage.
  1. Know your audit scope. With plenty of M&A activity in the software and cloud industry, it is imperative that you are fully up-to-speed on any changes to your contract terms as what you signed up for originally may no longer stand. Furthermore, understanding the scope will help you identify when a vendor is trying to overstep the mark, by asking to investigate deployments outside of the contract.
  1. Develop a strategy. Create and introduce a repeatable process that you can follow each and every time you receive an audit request, something that you can expect with increased frequency from here forward. You can read more about developing a proactive strategy in order to achieve a permanent state of audit readiness here.
  1. Do not be lured by the cloud. Most businesses now recognize there are advantages to moving from on-prem to cloud-based solutions, but don’t be rushed into the decision by a vendor which is using your state of non-compliance as a means to win more business. Assess your cloud needs on your own terms and then, and only then, engage with the vendor about a new licensing agreement.

 

For more information on how to defend against and mitigate the impact of vendor audits, please take a look at our dedicated webpages.

 

About the Author

Paul Stevens-Craig, Head of Audit Practice

Paul is our Head of Audit Practice and has worked closely with many of our clients and partners delivering strategic business outcomes. He leads our highly experienced and qualified consultancy team, creating a centre of excellence.

Paul provides customers with expertise and advisory services with reference to IT Asset Management and IT/Digital Transformation initiatives. Having worked in the IT Industry for over 25 years, he has had roles in senior management and software & license consultancy for companies such as Oracle, Hitachi Consulting and PricewaterhouseCoopers (PwC).

Since leaving Oracle in 2005, Paul primarily focused on complex vendors such as Oracle, SAP and IBM, providing advisory services such as process and contract management, licensing, optimisation and risk mitigation for many UK and Global companies, across different industries within the private and public sector.

Related Services

Alternate Text
Audit Defense Support

Software & Cloud Optimization

Alternate Text
Negotiation & Benchmarking

Software & Cloud Optimization

Alternate Text
Strategic Licensing Reviews

Software & Cloud Optimization

Alternate Text
Audit Risk Assessment

Trustworthy Data

Alternate Text
Data & Insights

Trustworthy Data

Alternate Text
Tier Two Vendors

Mega Vendors

Alternate Text
IBM

Mega Vendors

Alternate Text
SAP

Mega Vendors

Alternate Text
Microsoft

Mega Vendors

Alternate Text
Oracle

Mega Vendors