Audit Defense Your playbook for license compliance audits

President of Aspera Technologies Inc.
Christof Beaupoil
Co-founded Aspera in 2000
13 years’ experience in software asset and license management
Masters in Mechanical Engineering and Information Technology
Certified ITIL Foundation and Licensing
Led numerous license management projects for international corporations
10 Steps
1. Announcement / Audit Announcement Letter (AAL)
2. Access / Confidentiality / NDA
3. Procedures / Data Formats / Tools
4. Timeline
5. Data collection
6. Data verification
7. Licensing Compliance Table (LCT)
8. Settlement
9. Transfers
10. Back to production
1 Announcement
Audit Announcement Letter (AAL)
Sends Audit Announcement Letter (AAL)
Requests starting date of the review
Names contracted auditor
Sets vague scope
Communicates SPOC
Negotiates starting date
Questions scope
Questions right to audit
Questions auditor (already in accountant role?)
DO NOT buy any licenses until
DO NOT try to remove software
DO NOT disclose any information until confidentiality agreement is signed
NOBODY other than SPOC communicates with IBM
2 Access / Confidentiality / NDA / Scope
Requests uncontrolled deep access into your organization
Tries to establish timeline
To Auditor
Grants NO unrestricted access (“darkroom”)
Grants NO access to non-IBM data (e.g. 3rd party vendors, customer data)
Auditor may not keep data after audit
NO sweetener clause (Auditor may not profit from audit result)
DOES NOT agree on timeline to Step 4
Teams up:
 Upper Management
 Legal
 IT
 Procurement
 License experts
 Local license managers
Welcome to the TLA/FLA World of IBM (1/3)
IPLA International Program License Agreement (see §11)
ILAN International License Agreement for Non-Warranted
ILAE International License Agreement for Evaluation of Programs
ILAR International License Agreement for Early Release of
IPAA International Passport Advantage Agreement (incl. SubCapacity Attachment)
ELA Enterprise Licensing Agreement
CEO Complete Enterprise Option
ESSO (International) Enterprise Software & Service Option
Welcome to the TLA/FLA World of IBM (2/3)
S&S Support & Subscription
SLA Software License Agreement
 LI License Information (edition and version specific)
 PLET/GA Program Announcement Letter / General Availability
FTL Fixed Term Licenses
PoE Proof of Entitlement
FCT Flexible Contract Terms
Welcome to the TLA/FLA World of IBM (3/3)
PVU Processor Value Unit
VC Virtual- (a.k.a. Sub-) Capacity
RVU Resource Value Unit
AUTH Authorized User
FL Floating User
FUSSI Floating User Single Session Single Install
AUSI Authorized User Single Install
3 Procedures
Data Formats and Tools
Provides ASA Workbooks
Provides scripts/instructions
Requests on-sites
To Auditor
Reviews and extends ASA Workbook
Requests full details on FastPass reports
(auditor may not withhold
Questions Missing Base License (MBL) rules
Agrees on rules for transitioned vendors and PoE (hard-copy vs. invoices, POs)
Imposes own procedures and (scan) tools
Starts contract review and entitlement collection
Evaluates available
internal tools and
Agrees to internal
timeline for data
4 Timeline
Will propose unfeasible timeline (time-pressure works only in favor of
To Auditor
Extends times for data collection
Adds steps for review of any output Auditor produces
Introduces Quality Gates that need to be passed before next phase
Agrees on time frames, not dates
Plans for a long timeline (12 – 18 months)
5 Data Collection
Provides FastPass / PPAO extract
Reviews collected data / requests additional information
 Screenshots
 Script output
To Auditor
Many IBM metrics require additional data collection via script / admin log on
Does not provide script output without review:
Count inactive/legacy users
High watermarks
Concurrent limited to
Focuses on ENTITLEMENT collection
Missing base licenses
Loads license data and assembles effective license position
May restrict auditor’s access to selected information – but may not withhold access to licensing-relevant data
5.1 Passport Advantage Online (PPAO)
Key Focus
Missing licenses:
Transitioned Vendors (FileNet, Cognos, SPSS,…)
Missing trade-ups
Missing Site Numbers
Transferred entitlements (negative numbers)
Delayed/faulty transmission from reseller
Purchased outside of PPA:
Passport Advantage Express
Enterprise Licensing Agreement (ELA)
Complete Enterprise Option (CEO)
(International) Enterprise Software & Service Option (ESSO/iESSO)
Export option is available only per site – Auditor has access via FastPass and can provide full export
5.2 ILMT
Over counting:
Missing Bundle Rules (Check LI)
Hyper Threading
Counting of Deactivated Cores (Check LI)
Wrong product/edition
Incomplete product names (e.g. missing edition)
Ghost installs/false positives
Keeps high water marks
Virtual vs. full capacity
Does not apply failover/standby/testing/clustering rules (Check LI)
6 Data Verification
May ask to verify data in on-site visits
 Positive testing: Picks server from workbook and confirms data
 Negative testing: Picks device that is NOT in workbook and confirms no
IBM software on it
 May try/ask to run additional scripts
To Auditor
Restricts auditor’s physical access – but answers license relevant questions and provides data for verification
Checks all workbooks for problems described in 5.x
Loads workbooks – this will show additional gaps and inconsistencies
Use License data/compliance view in audit environment to close inconsistencies in workbooks (choose edition, choose
7 Licensing Compliance Table (LCT)
Manually assembles LCT – always has errors/interpretations
Will not include S&S without base licenses
Uses version-less for products under maintenance
Draft status -> will push for EXIT Meeting
To Auditor
Does NOT agree to present LCT to IBM (Exit Meeting) until numbers are corrected, confirmed, and agreed
In EXIT Meeting: Explicitly mentions any disagreements with the auditor and makes sure they are included in meeting minutes
Compares to internal compliance view
Checks for:
Multi metric products
Licenses not considered
Wrong editions
Bundling rules not applied
Sub-capacity vs. full capacity
Release dates for out of S&S positions
Over-licensing (Change in metric? Change in product name?)
8 Settlement & Audit Relief
Will make a settlement proposal based on §11.2 “Resolution” of IPLA:
 Missing base license: Purchase license with two years of RETRO S&S
 Missing S&S: Purchase reinstatement with two years of RETRO S&S
 Typically applies valid discount level
Will propose audit relief (no legal action) only for disclosed non-compliance / resists base-lining
Uses installation dates for less retro S&S
Uses documented disagreements on LCT as leverage
Pushes for base-lining
No partial settlements
Includes ALL negotiated terms into settlement agreement
Makes sure that executive management understands the audit results
9 Transfers
Settlement was for Group Balance
Will request to create internal compliance per site
Might audit single sites in the future
Receiving site triggers transfers on PPAO through transfer form (IBM)
Giving site gives approval
Joins base licenses and S&S in same site
Negotiates internal cost allocation
10 Back to Production
IBM: n/a
Makes sure that agreed license position is properly reflected in PPAO
Adds “baseline” / new licenses to the production system
Applies audit/settlement rules and exceptions to the system (e.g. bundling rules, DG rights, metric selections, full/sub-capacity decisions)
Sets up process to maintain manually collected software data
Thank You
The Company
Aspera Technologies Inc.
Founded in 2000
Co-founders and management team:
Christof Beaupoil – Co-founder, President, Aspera Technologies Inc.
Bernhard Boehler – Co-founder, CEO, Aspera GmbH
Olaf Diehl – Managing Director, Business Development & Operations
Keith Sauvant – Co-founder, Managing Director, Research & Development
Parent company: USU Software AG
Employees: 92
Partners in: Australia, Benelux, France, Scandinavia, South Africa, and the UK
Portfolio: Tools, LaaS, Managed Services, Master Catalog, Consulting, Project
Customers: 24 Fortune Global 500 companies, very large, large, and medium sized organizations, government and civil services bodies
Awards, Certifications, and Evaluations
Best Asset
Management Solution
KPMG certifies Aspera
This tool assessment and certification
was provided by KPMG Deutschland AG.
Best Web Services
Aspera SmartTrack reached 100% with
the maximum level of accuracy for Lab
Simulation and Request Catalog.
Best IT Services Tools
Manager – Annual
Aspera is the market leader.
SmartTrack best meets the demands of
large companies who wish to effectively
manage software assets for their server
and desktop environments.
North America:
Aspera Technologies Inc.
470 Atlantic Ave., 4th Floor
Boston, MA 02210
Aspera GmbH
Dennewartstrasse 25-27
52068 Aachen, Germany
Your personal contact:
Shawn Smith
Tel.: +1 508-473-6373
Your personal contact:
Alexander Lodenkemper
Tel.: +49 241-963-3290
Aspera GmbH and Aspera Technologies Inc. check and update the information in this presentation on an ongoing basis. Despite this, data may have changed. Therefore, Aspera cannot be held liable for the up-to-dateness of this document. The content and
structure of this document are protected by copyright. Any reproduction of the information and data contained herein, especially the use of texts, text passages or illustrations, requires written prior consent of Aspera Technologies. Aspera, SmartTrack,
FlowControl, ICM, CMM, FM, MM, and the license management logo are registered trademarks of Aspera GmbH in Germany and/or other countries.