HW Fisher IBM Audit Defence: ITAM Review Audit Defence Workshop, Amsterdam, April 2016
Eric Chiu Fisher IT Asset Consulting
ITAM Review Audit Defence Workshop, Amsterdam, 12th April 2016
Who we are
§ Part of HW Fisher, an 80-year-old, top 30 accountancy in London.
§ Team of 21 with 20+ years' experience in licence audit & advisory.
§ IBM Audit Defence, Internal Baseline and IBM LMO Readiness (License Management Options) are amongst the most popular services FIAC offers.
Fisher IT Asset Consulting
fiac.hwfisher.co.uk| [email protected] | @auditdefence
Here today
Alessandro (Alex) Iannucci Manager
• Enterprise Contract Advisory
• IBM • Microsoft • Red Hat • Oracle
Hans Moorkens Manager
• Baseline & Audit Defence
• Microsoft • Adobe
Eric Chiu Director
• Process, Policy & Procedures
• IBM • EMC
• Microfocus / Attachmate • SAP
Agenda
§ Why and How IBM audits its customers
§ IBM SLR Lifecycle and Defence Strategies
§ Top Compliance Risks
§ IBM Licence Management Option
§ Best defence - tackling your IBM licence management challenge
What will be covered
Why and How IBM Audits
Revenue Generation: Software business contributes nearly 50% of group profit; over 20% of software revenue is from compliance.
Forced New Business: Compliance settlement figures are often ‘offset’ by commitments toward new product purchases or Enterprise Agreements.
Self-Declaration
Assisted Self-Assessment (ASA)
Software Licence Review (SLR)
SLR Lifecycle & Defence Strategies
§ Selection
§ Notification
§ Scoping & Initiation
§ Data collection
§ Data analytics and validation
§ Factual accuracy discussion
§ 3-way hand-over
§ Settlement discussions
SLR Lifecycle & Defence Strategies: Selection
What IBM & Auditors typically do
§ Select customers for audit based on risk and rewards
§ Clear internal conflicts and politics
What customers can do
§ Maintain good relationship with IBM
§ Negotiate audit clause out of the contract
§ Understand the licence models and do NOT sign up to the models that you cannot manage
§ Understand risk indicators (e.g. Sub-capacity, M&A, high-growth etc.) and demonstrate control
SPEND: Customer’s purchase level with the vendor
ORG: Organisational structure complexity
CHANGE: Level of organisational change such as M&A activities
COMPLEXITY: Complexity of licensing model agreed
PATTERN: Purchase pattern that does not reflect growth
MATURITY: SAM maturity intelligence gathered from account team
SLR Lifecycle & Defence Strategies: Notification
What IBM & Auditors typically do
§ Send formal audit notification letter to notify customers regarding the audit
§ Specify contact details of IBM compliance manager
§ Specify timeframe and audit partner
§ Chase for a ‘kick-off’ meeting
What customers can do
§ Define a project team to manage the audit, and assign a Single Point of Contact (SPOC)
§ Take ownership of timeline
§ Apply delaying tactics and launch internal audit immediately, if you lack visibility and confidence in licence compliance
Ask Yourself
Can you measure non-PVU software usage?
Do you discover non-Windows, test/dev servers?
Is your knowledge based on facts or words?
SLR Lifecycle & Defence Strategies: Scoping & Initiation
What IBM & Auditors typically do
§ Walk you through what will happen in an audit (could be intentionally vague about data requirements)
§ Propose audit scope
§ Propose project plan
What customers can do
§ Request an NDA
§ Request clarifications and review on data requirements before any commitment
§ Control the scope of audit to your advantage (e.g. expand or limit)
§ Take ownership of the project timeline after data requirements and scope are agreed
SLR Lifecycle & Defence Strategies: Data collection
What IBM & Auditors typically do
§ Remote data collection
§ Onsite data collection
What customers can do
§ Ensure all data collection requests are reviewed by the SPOC
§ Ensure all communications are through the SPOC
§ Limit the scope of scripts to be executed and onsite validation samples
§ Ensure data sets released are of good quality and do not conflict with each other
§ Ensure you understand the use and impact of each data set released
Interviews: auditors talk to your staff and collect information verbally or through observations
Self-declaration: a guided template for you to supply software usage information
Request existing records: any existing data that you already have from CMDB or tools
In-App reports: generate built-in reports in some applications, such as user or connection reports
Execute scripts / tools: run auditor’s bespoke software and hardware inventory scripts
Challenge requests that you are not comfortable with!
SLR Lifecycle & Defence Strategies: Data analytics and validation
What IBM & Auditors typically do
§ Consolidate data and generate reports
§ Ask additional follow-up questions
What customers can do
§ Use a consistent review and communication protocol as per Data Collection stage
SLR Lifecycle & Defence Strategies: Factual accuracy discussion
What IBM & Auditors typically do
§ Present you with a Draft Effective Licence Position Report with initial findings
§ Seek your factual accuracy confirmation (agreement) to the Draft Report
What customers can do
§ Investigate the compliance issues in detail, on both licence and usage quantities. Involve the team that provided the data and product owners.
§ Validate auditor’s comments and assumptions documented
§ Seek clarifications for items that you do not fully understand
§ Only provide ‘agreement’ with heavy caveats
SLR Lifecycle & Defence Strategies: 3-way hand-over
What IBM & Auditors typically do
§ Close the ‘fact-finding’ part of the audit, and confirm compliance observations
§ Discuss settlement timeframe
What customers can do
§ Highlight disagreements on any compliance observations
§ Do not commit to any settlement timeframe proposed
§ Start preparing for settlement negotiation strategies
SLR Lifecycle & Defence Strategies: Settlement discussions
What IBM typically does
§ Send an initial cash quote with very high figures (‘the stick’)
§ Offer concessions and discounts if valid mitigating circumstances are provided
§ Part-cash, part purchase commitment offers
§ Partial settlement offers
What customers can do
§ Create strong mitigating circumstances
§ Request waivers
§ Use time to your advantage
Immediate revenue
Future revenue
Time of payment
Relationship
Mitigating circumstances
Publisher’s Goodwill
Top Compliance Risks
Virtualisation (Sub-capacity)
User role & access definition
Server role definition
Multiplexing
Application specific restrictions
3x – 8x
20x – 50x
2x – 5x
50x – 100x
2x – 3x
Mainframe Risks
Unlicensed Product & Features
SYSPLEX & Sub-Capacity Violation
Complex Licence Calculation
IBM Licence Management Option
§ ESSO/NGSA Customers Only
§ Offered at contract renewal or under audit
§ Replacement of audit clause with self-reporting
§ Must be certified first!
Is IBM LMO for You?
Best Defence – take control
Top Down, then Bottom up
What we have bought?
PVU
Non-PVU
ILMT Deployment & Validation: Bundling, coverage & accuracy
Additional Information Required
Design Data Collection Methodology to measure usage according to charge metrics
Manual Calculation
ILMT Update & Sign-off
Effective Usage, i.e. Licence Consumption
Questions?