In many cases where we are retained to assist companies targeted for software audits after software-deployment data already has been submitted to the auditing entities, we have the regrettable obligation to let our clients know that they have disclosed too much. Over-disclosure can cost a company millions of dollars, and it is typically very difficult or impossible for us to “un-ring” the disclosure bell by convincing the auditing entity that it needs to disregard audit data previously provided by our client.
The most critical stage of any audit is confirming and then remaining diligently cognizant of the scope of an audit. Audit scope can have several components, including the products, datacenters, and look-back time periods to be included in the audit analysis. However, in many cases, the most important aspect of the audit scope is the entity or entities whose computers are to be included in the inventory. Many companies, especially larger, multi-affiliate enterprises, may have a common IT network, but a number of different procurement and IT organizations supporting different components of that network. If an auditor gives notice that it is seeking to verify the license-compliance status of just one of those entities, then it is vital to ensure that any audit data or systems access provided to the auditors is strictly and carefully controlled to avoid providing any information regarding out-of-scope systems or products.
In many cases, we recommend entering into pre-audit agreements with auditors, confirming the scope of audits at the outset and in writing in order to avoid any confusion or disputes later during the data-gathering process. Such agreements also can help to make it easier to mitigate the effects of any inadvertent over-disclosure by giving the audited company a basis for challenging audit findings that exceed the agreed scope of the review.
As always, IT, procurement and legal teams all need to work closely with each other from the earliest stages of any third-party audit to ensure that the audit scope is consistent with applicable license agreements and also to ensure that the progress of the audit conforms to the parties’ legitimate expectations.