Software Asset Management (SAM) professionals are used to audits. External vendor audits, ‘SAM/Compliance Engagements’ or visits from the likes of the Business Software Alliance (BSA) are part and parcel of a SAM professional’s life.
What SAM professionals are less used to is an audit of their function as part of the organisation’s internal audit strategy. Organisations typically set out their internal audit strategy at the start of the year, with business areas that are new, managing risk or managing finance.
With that said, here is how you can survive your SAM audit!
What is an ‘Internal Audit’?
This isn’t an audit focused on license compliance, but an audit that focuses on the effectiveness, efficiency and processes that surround your Software Asset Management (SAM) function. They’ll want to know about the journey the SAM function has been on, what it is responsible for and will review the documentation you have for SAM to see if it aligns with best practice.
Furthermore, the auditors will want to speak to key stakeholders within the SAM lifecycle to get their thoughts on the effectiveness of the SAM processes/documentation in place and also discuss examples of the processes being used.
It’s all well and good have an amazing process on paper, if it’s not being used in anger then it’s worthless.
What’s the process?
You can actually take a lot of your existing external vendor audit approaches and practices and tweak them for an internal audit. The only difference in this case is that the audit is unlikely to be reviewing a certain vendors compliance, but more looking at how your processes, policies, standards and ways of working matches up to a defined standard or maturity model.
It’s really important to understand the process from the outset, and understand what is expected of the SAM team.
Setting the scope
Like with all audits, all parties need to be clear and have an understanding on what the scope of the audit will include. There are a number of key questions to ask at this stage:
- What elements of Software Asset Management (SAM) are being reviewed?
- What are the expected outcomes of the internal audit?
- What standards or frameworks will the audit be based upon (ITIL, ISO standards, Microsoft’s SAM maturity model etc)?
- What data or documentation will be required?
- Time frames.
- Agreeing the relevant stakeholders that need to be involved
This all depends on the scope of the audit. If the whole SAM eco-system is under review, then the following stakeholders may need to be involved:
- SAM Team
- Director/C-Level sponsor
- ITSM representative
- Configuration Management representative
- Procurement representative
- Legal representative
- Data centre Manager
- IT Architecture Manager
- Change Manager
- Quality Assurance Manager
- Customer representative (they can provide feedback on how processes work from a business point of view!)
- 3rd parties weaved into your SAM solution
This shouldn’t be a challenge for the SAM team as they should have a central source for all of the approved documentation. If this isn’t the case, then the SAM team needs to gather all of the evidence they have for the processes, policies and standards they have implemented/are using so they can be reviewed by the auditor.
As mentioned before, if nothing is on paper, then this needs to be explained and will be an action (to document processes) added to the final report.
The audit itself involves a number of interviews with the stakeholders defined when scoping the audit – but the majority of the questions will be heading to the SAM team. They will ask questions about the current SAM maturity level, what SAM’s history is within the organisation and also what the plans are for the future (they may actually want to see a documented plan for 1, 3 and 5 years if your function is mature enough to be thinking that far ahead).
Questions about what works well, what needs improvement and what is currently being worked on will also be asked of the SAM team. This includes SAM related activities, but also other business or IT related activities that impact SAM.
The interviews with the other stakeholders may not happen with anyone from the SAM team present on the request of the auditors. This is so the SAM team doesn’t answer on behalf of other stakeholders or influence any opinions.
Once the interviews have been conducted with all parties and the auditors are satisfied, they will then also spend time reviewing the documentation provided (again, as agreed as part of the scope of the audit) which may also included data outputs from any SAM technologies, inventory sources or even examples that you’re managing your licenses effectively (electronically or physically, although in 2018 it should be electronic!).
It is not uncommon for the auditors to request more information if there are pieces of the puzzle missing. Don’t be too worried or concerned – but if you are then speak with the audit panel and the director/C-Level SAM sponsor to express your concerns.
The auditor will then pull all of their interview notes, documentation and data outputs together and build the audit report, suggested actions and suggested audit rating.
In the past, organisations or SAM professionals might have believed that they couldn’t challenge the findings set out by the auditor, but that is not the case at all. Some auditors even welcome having feedback or an open discussion into the findings as it allows both parties to clarify their point of view or provide further evidence to support each other’s arguments.
It is really important to challenge the audit report – if you disagree with some of the findings or statements, speak with the stakeholders involved, your Director or C-Level SAM sponsor and argue your case. Get them on your side, and if needs be, involve them in the discussions with the auditor to provide that extra bit of clout.
Don’t settle for the wrong audit findings or ratings, especially if it isn’t in your favour. Some organisations internal audit reports even go as high as the Board, so it is vital that the findings are accurate.
It will also list out a number of actions. Make sure they are realistic within your power to change and with a decent time-frame for you to perform said actions. More on that later.
Once you are happy with the report, the rating and the actions, it is time to close the audit and put a plan into place to actually rectify any risks and put a strategy in to place to complete the outstanding actions dictated by the audit.
Audit conclusion and follow-up actions
The internal audit should be used a springboard to make improvements to you SAM function. It will hopefully raise a different approach, processes or ways of working that you previously hadn’t considered, or it will flag areas that you need to take action in to mature your SAM function.
The actions are usually rated by severity so actions that require immediate attention will be listed as ‘high’ or ‘red’. The results may also be graded (1-10 for example), so you need to have an immediate plan in place to rectify the high rated actions. The plan must include time frames as mentioned before, so the SAM team needs to agree with the relevant timescale based on the amount of work.
For example, completely building and implementing a dedicated solution to mange software assets will take an awful lot more time than building a Software Procurement process for example. Depending on the results, a lack of process may be causing problems and a glaring risk/area of weakness, whereas having a solution to manage compliance, inventory assets, track usage and show risk, may not be a high risk due to other systems being in place – It’s all relative to your organisation and SAM function’s maturity.
Anyway, focus on the high priority actions as these actions will not only be high on the SAM teams list, but also on the director/C-Level sponsor for SAM as this may be deemed a high risk or failure point for not only the SAM function, but also the wider IT landscape.
It’s important to show the business that the SAM team has a plan to mitigate the biggest risks and a strategy for addressing the highest actions. Whilst they may be long-term, showing the baby steps or a firm plan will go a long way for the SAM team’s reputation and support from C-Level execs as they can see a plan for reacting to the audit report.
There may also be ‘quick wins’ that have a lower risk or action rating; if so, get them sorted out ASAP as that will also help you improve the SAM function and satisfy the audit committee. Any actions from the audit can be used as an opportunity to mature, improve and grow your awesome SAM function.
It’s important to remember that the purpose of the internal audit isn’t to point any fingers or blame the SAM team for something; it’s a platform for an external expert to look at your SAM function through a fresh set of eyes. They may see things you don’t, or suggest actions or processes that you may not have considered.
You can turn an internal audit into a real positive for your SAM function. Anything that helps you improve SAM within your organisation is a good thing!