HW Fisher IBM Audit Defence: ITAM Review Audit Defence Workshop, Amsterdam, April 2016

Eric Chiu, Fisher IT Asset Consulting. ITAM Review Audit Defence Workshop, Amsterdam, 12th April 2016

Upload: martin-thompson

Post on 14-Jan-2017


TRANSCRIPT

Page 1: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Eric Chiu Fisher IT Asset Consulting

ITAM Review Audit Defence Workshop, Amsterdam, 12th April 2016

Page 2

Who we are

Fisher IT Asset Consulting

§  Part of HW Fisher, an 80-year-old, top 30 accountancy in London.
§  Team of 21 with 20+ years' experience in licence audit & advisory.
§  IBM Audit Defence, Internal Baseline and IBM LMO Readiness (License Management Options) are amongst the most popular services FIAC offers.

fiac.hwfisher.co.uk | [email protected] | @auditdefence

Page 3

Here today

Alessandro (Alex) Iannucci, Manager

•  Enterprise Contract Advisory
•  IBM •  Microsoft •  Red Hat •  Oracle

Hans Moorkens, Manager

•  Baseline & Audit Defence
•  Microsoft •  Adobe

Eric Chiu, Director

•  Process, Policy & Procedures
•  IBM •  EMC
•  Microfocus / Attachmate •  SAP

Page 4

Agenda

What will be covered

§  Why and How IBM audits its customers
§  IBM SLR Lifecycle and Defence Strategies
§  Top Compliance Risks
§  IBM Licence Management Option
§  Best defence - tackling your IBM licence management challenge

Page 5

Why and How IBM Audits

Revenue Generation: Software business contributes nearly 50% of group profit; over 20% of software revenue is from compliance.

Forced New Business: Compliance settlement figures are often ‘offset’ by commitments toward new product purchases or Enterprise Agreements.

Self-Declaration

Assisted Self-Assessment (ASA)

Software Licence Review (SLR)

Page 6

SLR Lifecycle & Defence Strategies

Selection
Notification
Scoping & Initiation
Data collection
Data analytics and validation
Factual accuracy discussion
3-way hand-over
Settlement discussions

Page 7

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Select customers for audit based on risk and rewards
§  Clear internal conflicts and politics

What customers can do

§  Maintain good relationship with IBM
§  Negotiate audit clause out of the contract
§  Understand the licence models and do NOT sign up to the models that you cannot manage
§  Understand risk indicators (e.g. Sub-capacity, M&A, high-growth etc.) and demonstrate control

SPEND: Customer’s purchase level with the vendor
ORG: Organisational structure complexity
CHANGE: Level of organisational change such as M&A activities
COMPLEXITY: Complexity of licensing model agreed
PATTERN: Purchase pattern that does not reflect growth
MATURITY: SAM maturity intelligence gathered from account team

Page 8

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Send formal audit notification letter to notify customers regarding the audit
§  Specify contact details of IBM compliance manager
§  Specify timeframe and audit partner
§  Chase for a ‘kick-off’ meeting

What customers can do

§  Define a project team to manage the audit, and assign a Single Point of Contact (SPOC)
§  Take ownership of timeline
§  Apply delaying tactics and launch internal audit immediately, if you lack visibility and confidence in licence compliance

Ask Yourself

•  Can you measure non-PVU software usage?
•  Do you discover non-Windows, test/dev servers?
•  Is your knowledge based on facts or words?

Page 9

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Walk you through what will happen in an audit (could be intentionally vague about data requirements)
§  Propose audit scope
§  Propose project plan

What customers can do

§  Request an NDA
§  Request clarifications and review on data requirements before any commitment
§  Control the scope of audit to your advantage (e.g. expand or limit)
§  Take ownership of the project timeline after data requirements and scope are agreed

Page 10

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Remote data collection
§  Onsite data collection

What customers can do

§  Ensure all data collection requests are reviewed by the SPOC
§  Ensure all communications are through the SPOC
§  Limit the scope of scripts to be executed and onsite validation samples
§  Ensure data sets released are of good quality and do not conflict with each other
§  Ensure you understand the use and impact of each data set released

•  Interviews: auditors talk to your staff and collect information verbally or through observations
•  Self-declaration: a guided template for you to supply software usage information
•  Request existing records: any existing data that you already have from CMDB or tools
•  In-App reports: generate built-in reports in some applications, such as user or connection reports
•  Execute scripts / tools: run auditor’s bespoke software and hardware inventory scripts

Challenge requests that you are not comfortable with!

Page 11

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Consolidate data and generate reports
§  Ask additional follow-up questions

What customers can do

§  Use a consistent review and communication protocol as per Data Collection stage

Page 12

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Present you with a Draft Effective Licence Position Report with initial findings
§  Seek your factual accuracy confirmation (agreement) to the Draft Report

What customers can do

§  Investigate the compliance issues in detail, on both licence and usage quantities. Involve the team that provided the data and product owners.
§  Validate auditor’s comments and assumptions documented
§  Seek clarifications for items that you do not fully understand
§  Only provide ‘agreement’ with heavy caveats

Page 13

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Close the ‘fact-finding’ part of the audit, and confirm compliance observations
§  Discuss settlement timeframe

What customers can do

§  Highlight disagreements on any compliance observations
§  Do not commit to any settlement timeframe proposed
§  Start preparing for settlement negotiation strategies

Page 14

SLR Lifecycle & Defence Strategies

What IBM typically does

§  Send an initial cash quote with very high figures (‘the stick’)
§  Offer concessions and discounts if valid mitigating circumstances are provided
§  Part-cash, part purchase commitment offers
§  Partial settlement offers

What customers can do

§  Create strong mitigating circumstances
§  Request waivers
§  Use time to your advantage

[Diagram labels: Immediate revenue; Future revenue; Time of payment; Relationship; Mitigating circumstances; Publisher’s Goodwill]

Page 15

Top Compliance Risks

Virtualisation (Sub-capacity)
User role & access definition
Server role definition
Multiplexing
Application specific restrictions

3x – 8x
20x – 50x
2x – 5x
50x – 100x
2x – 3x

Page 16

Mainframe Risks

Unlicensed Product & Features
SYSPLEX & Sub-Capacity Violation
Complex Licence Calculation

Page 17

IBM Licence Management Option

Is IBM LMO for You?

§  ESSO/NGSA Customers Only
§  Offered at contract renewal or under audit
§  Replacement of audit clause with self-reporting
§  Must be certified first!

Page 18

Best Defence – take control

Top Down then Bottom up

What we have bought?

PVU
Non-PVU

ILMT Deployment & Validation: Bundling, coverage & accuracy
Additional Information Required
Design Data Collection Methodology to measure usage according to charge metrics
Manual Calculation
ILMT Update & Sign-off

Effective Usage, i.e. Licence Consumption

Page 19

Questions?
