Eliminating Software Audit Anxiety with Continuous Confidence from Opscompass


Software audits are anxiety-inducing. Before an audit notice comes, there is the anxiety of wondering if you are in compliance, or if something has drifted into problem territory. During an audit, there is anxiety with each probing question, data request, and demand for architecture details. You are not quite sure if responding a certain way is giving in to the vendor’s well-laid trap, or if it is justified. After the audit, there is anxiety wondering whether the vendor took advantage of your inexperience, and if you paid too much.

For more than 25 years, House of Brick professionals have helped customers in more than a thousand audits from diverse vendors such as Oracle, Broadcom/VMware, Microsoft, Quest, IBM, IFS, and others. We know the audit playbooks inside and out. When House of Brick joined Opscompass, we started capturing this expertise into our software product that automates compliance checking and usage data tracking. Opscompass is now the industry’s most effective tool for eliminating audit anxiety – before, during, and after.

The Key Elements of a Productive Software Audit

There are important elements that must be understood and managed to ensure preparedness for, and positive outcomes from, a vendor’s software audit. They include:

  • License/subscription agreement terms and conditions
  • License entitlement details
  • Software deployment platform resources
  • Software usage profile and history
  • Organizational cohesiveness and unified understanding
  • Audit defense strategic plan

Within our customers’ organizations, different people have responsibility for each of these key elements. It is important to bring the people, and their knowledge, together for a successful audit. Opscompass solves this problem by bridging organizational silos, autonomously monitoring and verifying software compliance, and by democratizing access to critical information. The following sections expand on how Opscompass alleviates audit anxiety, and fills our customers with confidence that they know all the answers ahead of the exam.

License/Subscription Agreement Terms and Conditions

When our customers use Opscompass for license compliance monitoring, the first step they take is to upload their license entitlement, supporting agreements, ordering documents, support renewals, and other documents into Opscompass. This establishes the foundation for compliance. These supporting documents can be difficult for even seasoned license professionals to interpret and understand. Opscompass provides powerful Artificial Intelligence (AI) integrations to read, understand, and inform our customers on the details and nuances of their supporting documents.

As shown in the Opscompass screenshot, customers can create a library of supporting documentation, with the ability to add their own commentary and also to have the AI engine analyze and summarize each document for them.

A new Opscompass feature currently in pre-production testing is called “Chat with Your License Agreement™.” This capability allows for interactive discussions with your supporting documents. Just imagine the power of asking questions such as “Does my license agreement require me to have additional licenses for my disaster recovery environment?” and “Is there a penalty if I cancel support on a portion of my perpetual licenses in this ordering document?” Training our AI models with House of Brick expertise makes Opscompass unmatched in its ability to empower our customers in understanding their license agreements and supporting documents.

[Screenshot: Opscompass supporting documents screen]

License Entitlement Details

Understanding how many licenses you have for a given software product is important, but not sufficient to ensure audit-readiness. You need to track every detail of your license entitlement, especially including any unique limitations or privileges associated with those licenses.

As shown in the Opscompass screenshot, limitations or privileges are often specified in the license ordering documentation. In this case, these licenses may only be used for a specified application. Any use of these licenses for other applications would constitute a potentially costly audit risk.

[Screenshot: Supporting document description in Opscompass]

In determining how to optimize license costs, it is also important to track how many licenses are on each order, and the support cost of each. In the example below, Opscompass shows us that we have two orders for Oracle Database Enterprise Edition. Notice, however, the difference in support costs between the two orders. If we can optimize license usage so that we can reduce the number of Enterprise Edition database licenses needed, it would make sense to eliminate licenses from CSI #10293847 as a priority, since its support price per license is more than 2x what the other order is.

[Screenshot: Oracle Database edition current state in Opscompass]

Understanding the details of the software license entitlement will also allow us to mitigate any compliance risks that Opscompass may identify. As the next example shows, we have a potential compliance risk of $231,800 for 4 unlicensed Processor uses of Oracle DBEE, but we have 650 Named User Plus (NUP) licenses that are unused. By converting 200 NUP licenses to Processor licenses, we are in full compliance, and ready for an audit.

Software Deployment Platform Resources

Many vendors’ software licenses are based on the characteristics of the platform that the software runs on. This could include processor cores for server-based licensing, or virtual CPUs (vCPUs) for cloud-based licensing. There may also be dependencies for how high-availability (HA) or disaster recovery (DR) are configured. 

Opscompass tracks these platform details, and more importantly, constantly watches how the platform configurations are changing. Two examples from AWS instances illustrate the power of Opscompass to avoid costly audit risk.

One of the biggest challenges that our customers face in the cloud is maintaining visibility and governance on new instance creation. In the first example, a new AWS RDS instance with Oracle was detected. Opscompass determined that this instance was flagged for Bring Your Own License (BYOL), but this instance was not included in the inventory of databases we were tracking for license compliance. As soon as the new instance Drift was detected, Opscompass immediately created a High Severity alert for the user flagging this issue.

The second example shows the power of the AI integration in Opscompass to democratize complex data and transform it into actionable intelligence that can be managed by both technical and non-technical users. 

Opscompass detected a Drift on an Oracle database where the Multi-AZ flag was toggled from “False” to “True.” This may have been done by a cloud administrator to ensure that there was an appropriate level of availability for that database. This administrator may not, however, have considered the licensing impact of such a move.  As illustrated in the Opscompass Smart Drift Summary™, this risk is explicitly identified with the text “Turning on Multi-AZ for Oracle on Amazon RDS will double the licensing costs since the feature creates a duplicate compute and storage environment.” 

[Screenshot: Multi-AZ configuration drift screen in Opscompass]

Opscompass is a multi/hybrid cloud monitoring platform, so you can see all operating platforms in a single view. One of the biggest challenges that Oracle, Microsoft SQL Server, and open-source database customers have is keeping a handle on database sprawl. As shown below, Opscompass watches these database installations wherever they are, on-premises, and in the cloud, and alerts on potential problems before they become audit risks. 

The active monitoring of the operating platform by Opscompass helps avoid costly mistakes. Even if these types of mistakes are inadvertent, they will be audit red flags that can end up costing millions of dollars.

[Screenshot: Opscompass resources screen]

Software Usage Profile and History

While most Software Asset Management (SAM) tools have the ability to discover software that is installed in on-premises and cloud infrastructure, they typically fail at the ability to dynamically watch the usage of that same software for governance, compliance, and audit risks. Paying constant attention to software usage is where Opscompass shines in anticipating and curing issues that will cause security vulnerabilities, as well as platform and license cost overruns. Opscompass watches every change (Drift) to the usage and resource configurations, and filters that against a vast library of industry-standard, Opscompass best-practice, and customer-defined checks to determine if the change is concerning. This vigilance on usage monitoring is what makes Opscompass a critical platform for eliminating audit anxiety.

[Screenshot: Oracle database compliance screen]

In this example, Opscompass discovered an Oracle database feature in use that was not covered by existing licenses. The database name, instance location, and critical details are identified. Furthermore, the specific activity that caused the unlicensed usage alert is identified. An inexperienced DBA may have done this inadvertently, and not known how to keep it from happening again. Opscompass not only shows the cause, but with the “Recommended Action” also provides guidance on how to prevent future unlicensed uses from occurring. 

Diligently monitoring software usage, submitting usage changes to a comprehensive litany of risk checks, and notifying the user with active alerts is how Opscompass eases audit anxiety associated with the use of vendor software.

Organizational Cohesiveness and Unified Understanding

Most of our customers do not replace existing SAM or CMDB tools with Opscompass. Those systems have a breadth of features and capabilities that Opscompass does not provide. These customers do, however, integrate Opscompass into the raw SAM and CMDB data to provide the strategic intelligence that organizations need to prepare for a software audit.  

It is typical for organizations using SAM tools like Flexera, Eracent, ServiceNow, etc. to have a single person, or even a team, that is responsible for the administration of those systems and for fielding organizational requests for reports that they will generate and distribute. Why does access to information have to be this difficult? Why can’t every person in an organization with an interest in the IT assets get easy access to this information?

One of the benefits of Opscompass that our customers enjoy is that it breaks down organizational silos and allows all parties to communicate more effectively with each other regarding audit risk and optimization opportunities. Gartner identifies this as a “Network of Supporters” that are all critical to ensuring the organization is accountable for its software asset deployments and audit preparedness.

Audit Defense Strategic Plan

The Audit Defense Strategic Plan is where all the other key elements of a productive software audit come together. This paper has shown how Opscompass is critical in each of the key elements leading up to this plan, including: License/subscription agreement terms and conditions, License entitlement details, Software deployment platform resources, Software usage profile and history, and Organizational cohesiveness and unified understanding.

The components of an effective audit defense strategic plan include:

  • Communication: This applies to communication with the auditing vendor, but also and especially, internal communication plans. Aggressive auditors such as Oracle will often approach multiple contacts throughout the organization to fish (phish) for information that they can use to increase their findings of non-compliance.
  • Data Reporting: Audits require the customer to report installation, usage, entitlement, and/or platform configuration information. Many software vendors request information that may be sensitive or confidential to the licensee. Opscompass can help filter the data so that only information that is absolutely critical to the audit is delivered.
  • Contractual Basis: Many license/subscription agreements have an Audit clause governing the process that the vendor can invoke in performing a software audit. These clauses also typically outline the rights that the licensee has in the process. Understanding these is important to preserve your rights and ensure that the audit does not become an unreasonable interference to your normal business operations.
  • Organizational Impact: An audit can have a significant impact on an organization that, unfortunately, can last for a year or longer. The “Current State” view in Opscompass provides our customers with a dynamically updated view of the anticipated audit results so there are never any surprises.
  • Strategic Response: Most software vendors use a degree of intimidation to control the flow of the audit activity and response. We encourage our customers to take control of the audit themselves, and dictate to the vendor what they are prepared to do. Opscompass comes with a managed service from House of Brick that provides the experienced support services you will need to effectively defend your audit.

If you have undue anxiety over how your organization would be impacted by a software audit, reach out to us for a confidential conversation. We can show you how to prepare, and how deploying Opscompass will provide the highest return-on-investment you could hope to receive from an IT asset intelligence platform.

Opscompass does not price its solution based on the number of users, as most SAM tools do. This means that we encourage our customers to create as many Opscompass users as they need to, in every discipline outlined in Gartner’s network of supporters, to empower the organization to be ready for a software audit. The AI integrations in Opscompass ensure accessibility by both technical and non-technical users.
