Depending on your licensing structure you could also have to deal with differentiating between installed software versus purchased software. This is what's known as a bucket level assessment; installed versus entitled.
"Many times the root cause of non-compliance is administrator rights on local machines. This is something that companies need to take a long hard look at this topic," says Houghton.
BYOD is another area that can cause companies to be non-compliant. According to Krysten M. McCabe, CISA, Director of ISACA, member of ISACA's Audit Committee and Finance Committee, and senior manager in the Assurance and Advisory Management Program at The Home Depot, BYOD broadens the scope of those who could cause the company to be non-compliant. "Communication with this broader audience is necessary to ensure they are well educated about the need for compliance and the requirements of compliance," says McCabe.
Not being prepared, "says Beaupoil is one of the most common mistakes. "Software audits are part of buying business software now. It's a huge mistake to not start a license management program. Without it, companies don't have a license management tool and/or don't have the skilled resources to produce their own compliance balance. In other words, they cannot verify the auditor's data and compliance results. They are basically at the mercy of the auditor and have to accept what he delivers in the end - discrepancies and all.
"Assuming the audit will go by quickly," says Beaupoil. Audits for Aspera generally take a minimum of 6 months and their average is 12 to 18 months. In some extreme circumstances companies have reports it taking 3 years. This could result in an organization having to shelve equipment until the legal battle is over.
Product/Vendor Naming Discrepancies Components of Asset Management
You can't get the data necessary to know if you are compliant or not if you don't have a plan in place to manage your software licenses and hardware. Software compliance begins with a good asset management (ITAM) system that consists of two parts, according to Mike Houghton, an IT veteran who has worked in compliance and asset management for the last 7 years. A system of discovery is one key piece. This is software that has an agent on each machine that provides visibility on all software installed on your network. The second component is a system of record, a virtual warehouse that contains all of your IT hardware and software assets. "Ideally they (the components) are part of the same system and they talk to each other but it's not necessary," says Houghton.
"The most basic function of license management and LM tools is to centrally gather all licenses owned within an organization, calculate the metrics to get the software usage and compare them. This fundamental practice requires the collection and processing of many different types of data. The result is a compliance balance that clearly shows the company's licensing status - if it is over or under-licensed, the "cost-of-compliance" (buying additional licenses to eliminate under-licensing) and a few other key insights, "says Beaupoil.
Sign up for CIO Asia eNewsletters.