Even before the vendor decides to audit you – the customer – the building blocks for an adverse settlement are firmly laid down within the contract terms and conditions.
These terms are seldom read by the customer of if the documents does make it too the legal team, the ramifications of acceptance of certain terms may not be understood.
In the 1990’s thru the 2000’s we all needed much of the fundamental database, security and display software to fuel our new web presence.
Before this time corporate IT firmly rested on the shoulders of the mainframe and its text based 3270 terminals but afterward the corporations became dependent on one of the three large vendors and consequently the terms hidden within their agreements and “click- thru” software licencing.
Twenty years ago you needed the function available to you from these proprietary solutions as there was little open source and you had very poor negotiating power.
Today there are many comprehensive open source solutions and many new players with better more transparent customer focused terms. It is now possible to evaluate and bargain the previously rigid terms found within major vendor agreements.
Proactive SAM and the avoidance of vendor audit begins at the product selection phase with the negotiation of terms. The first terms to consider are the ones that concern the right to audit.
Software vendors should have the right to protect their assets and have you account for their usage in some manner – that is universality agreed. But most of the standard agreements have terms such as “standard verification” or similar hidden in the fine print.
This term allows not only the vendors staff to enter your premises but their agents which are more often than not one of the few large accountancy firms. These firms have grown fat on a diet of compliance activity and it is your number one duty as a negotiator to strike their participation from the agreement or walk away from the table.
The accounting firms are engaged by vendors to give a veneer of independence and probity. While most conduct themselves is an acceptable manner, we must all understand that they work for the vendor and the information they gain is far from secure. These firms work for multiple vendors and once over deployment is confirmed you become an easy target for other vendors who might engage that firm.
In the event that an agreement is already in place, check the details with regard to access rights and time and the relevant insurances. Should an audit tool cause an outage in a critical system is the firm prepared to reimburse your businesses revenue and profit for the outage?
These tactics can be used to slow the standard verification process and secure your organization from the advance of vendor audit, risks from foreign scanning software and leaks to other vendors.
In summary you must show the vendor that the initial purchase is dependent on the terms of the agreement and you are prepared to choose another vendor unless the review terms are more equitable.
Nowadays most common software titles have open source challengers and their inclusion in the decision process should be used to level the playing field.
Fisher Australia believes that real software audit defense begins long before any audit letter and we specialize in proactive audit contract negotiation.