The Auditor’s perspective
My friend Martin at the ITAM Review scored quite a coup when he asked a former software auditor to sit for an interview.
It’s a really meaty article, with some great information from the point of view of the often mysterious third party in the ITAM triangle (by which I mean the software manufacturer, as opposed to an end user or channel partner).
But I do disagree passionately with him about his response to the first question Martin asked. The ex-auditor commented:
A colleague of mine once insisted that reconciliation is just one component of SAM and that an effective asset management program includes other equally important factors. The logic is sound, but I have always felt that being able to accurately reconcile software installations against entitlement is the cornerstone of any SAM process. And in my experience, even the best organized IT department does not always put a strong focus on being prepared for a vendor audit.
My personal view, as an end-user sitting inside an IT Department, is that our SAM processes should be geared to meet the service-management needs of the business, and as such audit-readiness should be as integral to the IT Department as ensuring a server is maintained or that projects and programmes are tracked and managed effectively.
Too many of us in the industry like to present SAM as something unique and special, with particular and extraordinary risks attached to getting it wrong.
It isn’t.
I would propose instead that SAM is often the largest unmanaged risk that a company faces.
If you think of a hierarchy of risks, a company will manage the existential risks first (the ones that will put it out of business if it gets them wrong) and then move on to risks that will reduce profitability, either directly (eg by incurring a fine) or indirectly (eg a reputational risk).
SAM is not really an existential risk, although in an extreme case it could be, for instance if a fine or an unbudgeted license purchase tipped the company over the edge into bankruptcy.
This is a major reason why IT Departments – even the best ones – are often not so hot on managing SAM, and why, if you want IT Managers to sit up and take note, you should focus first on the SAM-related risks that are existential in nature.
The only truly existential risk relating to SAM is data security – that is, the right enjoyed by software manufacturers to enter a company’s premises and audit its IT systems. The risk here is that the software manufacturer will have access to company confidential data.
In reality, it’s a fairly remote risk, particularly as there will frequently exist pre-signed confidentiality agreements with any vendor critical enough to need access to production systems during an audit (eg Oracle) – and if there is no pre-signed confidentiality agreement then this is certainly something that can and should be negotiated during preparations for an audit.
But it is interesting that when I am outlining the risks of SAM to IT managers it is the data security risk that makes them blanch – not the financial risk of unbudgeted software purchases, not the legal risk of breach of contract, nor the remote but real risk of a criminal prosecution. What really gets IT managers motivated to take SAM seriously is the data-security risk posed by an audit, because they know data security is an existential risk for most large firms.
Don’t believe me? Did you know that if you are regulated by the FSA (Financial Services Authority) that they can just shut you down if they are concerned there has been a data breach? Did you also know that if one piece of client confidential data is released by a finance or insurance firm that the firm must then inform ALL of its clients that sensitive data may have been leaked? What a GREAT way to lose clients!
No wonder IT Managers start taking you seriously when you mention the two dreadful words: Data Security!