First, I do not recommend going through one alone. That would be like going to an IRS audit alone - there are far too many obscure rules that can come back to haunt you. Get professional help before it starts and keep that help around through completion. Very few rules are "black and white" and you need an advocate on your side who fully understands the rules and can balance the publisher's interpretation of use.
Here are a couple of things to know before heading into an audit:
- Not all audits are the same - know when you have the right to refuse or limit and when you've already waived those rights.
- Make sure the scope is clearly defined - is it all subsidiaries, all geographies, etc.
- Require that a project-specific non-disclosure agreement (NDA) be in place with any third party gaining access to your information, and follow up at the end of the audit to require disposal of the records.
- Understand under what circumstances you'll be billed for the cost of the audit.
- Ensure that the audit is being conducted under the rules of your active agreement with the publisher and the pertinent product use rights for the products in use.
Pitfalls to be aware of to avoid audit problems:
The best possible situation is to avoid an audit altogether. While this is becoming more and more difficult as publishers have realized that audits are a profitable activity that helps them meet revenue goals (most of the heads of software publisher compliance groups have revenue goals much the same as a sales group), there are steps you can take to reduce your chances of an audit.
- Regularly conduct your own audit. Know what you own, what you are using and how you are using it. If contacted for an audit, be sure that your executive handling the conversation can speak knowingly and authoritatively on current usage by product and the timeliness of that data. Software publishers don't want to throw their money away on an audit that is going to produce no licensing revenue. The more they feel that you already have things under control, the less likely they are to require a full onsite audit.
- Watch your external access, make sure you are appropriately licensing clients, vendors and partners for their access to your computing resources.
- If your customers are using your computing resources, make sure that you are covering that usage under the appropriate licensing agreement. Most publishers have service provider agreements (Microsoft's SPLA or VMware's VSPP program being two of the most common) allowing you to host their products for use by others. There is a lot of gray area in determining when you need to license under these versus when you can use perpetual licenses, so make sure you have a professional help you make this determination.
- Licensing is typically entity specific. While everyone in my organization is licensed to use a Microsoft Windows 2012 server within my organization, that licensing does not cover us when we access a client's organization.
- There are expensive ways of handling this and less expensive ways - having licensing advice when you're setting up access can help you avoid unnecessary costs.
Already in an audit:
Regardless of what stage the audit is in, get help. Make sure you have someone working as your advocate who has experience in software audits, strong knowledge of the publisher's current and historical agreements and product use rights, and the frankness to give you an accurate picture of where you stand (this is not the time your management team wants anything sugar-coated; they need to know the reality so they can prepare).
Double check everything the auditors present to you - math errors and misinterpretation of product use rights and licensing terms are frighteningly common.