About software audits
Most software applications are not free and all applications have some type of license; a legal agreement that defines, among other things, the terms and conditions by which an application can be used. A license grants a user the right to use an application (according to the terms and conditions) but it also gives the manufacturer the legal right to audit customers to verify that the licensing terms are being followed. There are different types of audits. For example, a License Review allows a customer to audit themselves and to purchase missing licenses at discounted prices or a Software Audit led by an auditor that requires the customer to purchase new licenses at non-discounted rates, pay years of back maintenance, and pay penalty fees if a deficiency is discovered. Audits can easily be underestimated by an organization, so we take each one seriously. Approaching every audit as a potential major event and following established procedures will help ensure that resources are sufficiently enlisted and due diligence is followed to deliver the best results for our campus.
Reducing audit risk
The primary way to reduce audit risk is to maintain compliance by only using the amount of software licenses to which you are entitled and using software within the license’s terms and conditions. There are certain conditions that may trigger an audit or increase the risk of audit. For example, a significant trigger is when a customer abruptly reduces their spending on software products.
Tip: Before reducing the amount of software licenses or the annual maintenance that you purchase from a vendor annually, which may lead to an audit, contact us. We can help you devise a plan and vendor communication strategy to minimize your audit risk.
Responding to a software audit or license review
If you receive a notification from a vendor about a software audit or license review, immediately notify the CU Boulder Software Asset Management (SAM) team at firstname.lastname@example.org, and do not respond to the notification. The SAM team will review the audit request and communicate with you and key stakeholders about next steps. Following this step will help protect the university from financial liability. In response to an audit notice, CU Boulder will follow the OIT Software Audit Response procedures.
Software audit response procedures
The SAM team will lead software audits and form an audit response team. A steering committee composed of a counsel attorney, OIT leaders, key stakeholders, and subject-matter experts may be organized to support the audit team with strategic decisions.
Communication around the audit will be coordinated by SAM to protect the university’s liability. In response to an audit notice, CU Boulder will follow the OIT Software Audit Response procedures below. If you are a part of the CU Boulder campus community and would like to review the full version of the Audit Response Procedures, please contact email@example.com.
Phase 1: Initial Audit Response Process
SAM will confirm the legitimacy of the audit request, execute tracking and control procedures and communication protocols, and determine the responsible party to lead the audit team.
Phase 2: Pre-Audit Activities
SAM will define the members of the Steering Committee and Audit Team, and respond to the audit notice. The response includes a request for the manufacturer to complete a Software Audit Review Questionnaire to document items including the timeline, scope, methodology, discovery tools, and balance calculation methods. The response also includes a request for related contracts, agreements, amendments, statements of work, and purchase records.
The Audit Team will review the completed questionnaire and requested documents to confirm the manufacturer’s right to audit based on the contract(s) and procurement records. Finally, the Audit Team will request a Non-Disclosure Agreement from the manufacturer.
Phase 3: Kick-off, Planning and Scoping
The Audit Team will meet with the manufacturer and agree to the audit ground rules, timeline, data collection, testing and counting methods, priorities, and change management. The Audit Team will create and share a project plan.
Phase 4: Data Collection
The Audit Team will review procurement records for alignment to the audit scope, the completeness of the data categories, the completeness of the data per data category, and compare this to university procurement records for accuracy. The Audit Team will review, test, and approve the data collection method proposed, and coordinate the data collection process. Regular reports will be provided to the Steering Committee, key stakeholders, and the manufacturer through the end of the audit activities.
Phase 5: Data Analysis
The Audit Team ensures that collected data inventory contains only information relevant to the audit scope and masks proprietary university information. The data inventory and entitlement data will be combined to create a license balance. Manufacturer requests received during the data analysis will be reviewed to ensure that the requests are consistent with the ground rules and agreed scope. Finally, the Audit Team will meet with the manufacturer to review and agree on the final license balance.
Phase 6: Negotiation
SAM will arrange a meeting between the campus negotiation team and the manufacturer to review the manufacturer’s discovery results, license balance, and compliance cost results. If necessary, the negotiation team will negotiate the results and remedies.
Phase 7: Audit Completion
SAM will request that the manufacturer deliver an official notice that the audit is closed, that CU Boulder is fully compliant and that the manufacturer will exclude the audit scope in future audits. The conclusion of the audit will be announced to all campus stakeholders.
Phase 8: Implementation
SAM will implement the negotiated results and ensure that all negotiated activities are completed.
Phase 9: Conclusion/Post-Audit
SAM will create a final report to be distributed to key stakeholders, finalize a Lessons Learned document and review it with key stakeholders, and store all documents generated during the audit.
If you're unsure of where to start, please email firstname.lastname@example.org. The SAM team is here to give you help and guidance with any audit concerns you may have.
Software manufacturers needing to direct all inquiries about license reviews and software audits should email email@example.com. Please note that for any audit request, CU Boulder will ask for the manufacturer to complete a Software Audit Review Questionnaire.