The removal from IBM’s audit clause of the undertaking to carry out the audit in a way that ‘minimises disruption’ to the customer’s business activities is currently provoking a great deal of discussion throughout the SAM community. Although other changes were made to IBM’s IPAA, it is this alteration that is currently the focus of discussion, as it is seen as underlining the change in attitude by many vendors to the audit process.
A number of discussions suggest that this is a response to some customers who continually cite business reasons for not complying with the audit clause, or continually attempt to delay audits in the hope that the vendor will get bored and go away. They won’t, but by the time the audit does eventually happen, the relationship between the vendor and the customer is likely to be less than cordial, which doesn’t bode well for either the audit process itself or any settlement discussion.
Most organisations accept that they are likely to be audited by their software vendors on a regular basis, and that these audits will be repeated every few years even without any event such as M&A, whistleblowing, maintenance cancellation, changes in purchasing behaviour etc to trigger the audit. Equally, most organisations also accept that due to the variety of software that they use, this can mean multiple audits in any one year (Gartner’s 2013 survey data indicated that 49% of respondents experienced more than one audit in the previous year, while 4% had 10 or more to contend with).
We all know that audits often cost a lot of money in terms of settlements. But what about the other costs?
Talking to clients, most are aware that the impact of managing an audit is significant and disruptive. Many of those I speak to complain of being unable to ‘get on with the day job’ due to the time taken managing audits – and however effective their audit management processes, it is reactive ‘firefighting’ to minimise the impact of non-compliance rather than a business-as-usual activity to demonstrate known compliance.
And despite the fact that audits consume significant resources, from across the organisation, very few clients are able to tell me what resources each audit has consumed (including the need for any additional support for the people assigned to work on the audit), whether there is a financial value assigned to this based on internal resource costs, or what the business impact has been (in financial terms) of diverting people from their ‘day jobs’ to support the audit. In additional this there may be other business impacts, such as delays to projects, disruption to change plans or even changes in strategy where lengthy audits mean that alternative suppliers have to be sought until the audit is over.
Many organisations are motivated to invest in SAM as the result of audit failure, while those who aren’t failing audits (or not failing any individual audit in a significant way) may not see the need – but without understanding the costs of reactive audit management, how can they be sure that this is the most cost-effective way to deal with the problem. By quantifying ALL of the costs involved in managing audit activity, the business case for SAM should become clearer.
Do you know what the impact of audits is on your organisation? If so, how do you measure and quantify it? If not, why not?
Read Complimentary Relevant Research
Predicts 2017: Artificial Intelligence
Artificial intelligence is changing the way in which organizations innovate and communicate their processes, products and services. Practical...
View Relevant Webinars
How to Live Without Mobile Device Management
This webinar addresses the growing trend of users refusing to have enterprise management of their mobile devices due to privacy concerns....
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.