HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Eric Chiu, Fisher IT Asset Consulting. ITAM Review Audit Defence Workshop, Amsterdam, 12th April 2016

Transcript of HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Page 1: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Eric Chiu Fisher IT Asset Consulting

ITAM Review Audit Defence Workshop, Amsterdam, 12th April 2016

Page 2: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Who we are

§  Part of HW Fisher, an 80-year-old, top 30 accountancy in London.

§  Team of 21 with 20+ years' experience in licence audit & advisory.

§  IBM Audit Defence, Internal Baseline and IBM LMO Readiness (License Management Options) are amongst the most popular services FIAC offers.

Fisher IT Asset Consulting

fiac.hwfisher.co.uk| [email protected] | @auditdefence

Page 3: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Here today

Alessandro (Alex) Iannucci Manager

•  Enterprise Contract Advisory

•  IBM •  Microsoft •  Red Hat •  Oracle

Hans Moorkens Manager

•  Baseline & Audit Defence

•  Microsoft •  Adobe

Eric Chiu Director

•  Process, Policy & Procedures

•  IBM •  EMC

•  Microfocus / Attachmate •  SAP

Page 4: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Agenda

§  Why and How IBM audits its customers

§  IBM SLR Lifecycle and Defence Strategies

§  Top Compliance Risks

§  IBM Licence Management Option

§  Best defence - tackling your IBM licence management challenge

What will be covered

Page 5: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Why and How IBM Audits

Revenue Generation: Software business contributes nearly 50% of group profit; over 20% of software revenue is from compliance

Forced New Business: Compliance settlement figures are often ‘offset’ by commitments toward new product purchases or Enterprise Agreements

Self-Declaration

Assisted Self-Assessment (ASA)

Software Licence Review (SLR)

Page 6: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

Selection

Notification

Scoping & Initiation

Data collection

Data analytics and validation

Factual accuracy discussion

3-way hand-over

Settlement discussions

Page 7: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Select customers for audit based on risk and rewards

§  Clear internal conflicts and politics

What customers can do

§  Maintain good relationship with IBM

§  Negotiate audit clause out of the contract

§  Understand the licence models and do NOT sign up to the models that you cannot manage

§  Understand risk indicators (e.g. Sub-capacity, M&A, high-growth etc.) and demonstrate control

SPEND: Customer’s purchase level with the vendor

ORG: Organisational structure complexity

CHANGE: Level of organisational change such as M&A activities

COMPLEXITY: Complexity of licensing model agreed

PATTERN: Purchase pattern that does not reflect growth

MATURITY: SAM maturity intelligence gathered from account team

Page 8: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Send formal audit notification letter to notify customers regarding the audit

§  Specify contact details of IBM compliance manager

§  Specify timeframe and audit partner

§  Chase for a ‘kick-off’ meeting

What customers can do

§  Define a project team to manage the audit, and assign a Single Point of Contact (SPOC)

§  Take ownership of timeline

§  Apply delaying tactics and launch an internal audit immediately if you lack visibility and confidence in licence compliance

Ask Yourself

  Can you measure non-PVU software usage?

  Do you discover non-Windows, test/dev servers?

  Is your knowledge based on facts or words?

Page 9: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Walk you through what will happen in an audit (could be intentionally vague about data requirements)

§  Propose audit scope

§  Propose project plan

What customers can do

§  Request an NDA

§  Request clarifications and review of data requirements before any commitment

§  Control the scope of audit to your advantage (e.g. expand or limit)

§  Take ownership of the project timeline after data requirements and scope are agreed

Page 10: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Remote data collection

§  Onsite data collection

What customers can do

§  Ensure all data collection requests are reviewed by the SPOC

§  Ensure all communications are through the SPOC

§  Limit the scope of scripts to be executed and onsite validation samples

§  Ensure data sets released are of good quality and do not conflict with each other

§  Ensure you understand the use and impact of each data set released

  Interviews: auditors talk to your staff and collect information verbally or through observations

  Self-declaration: a guided template for you to supply software usage information

  Request existing records: any existing data that you already have from CMDB or tools

  In-App reports: generate built-in reports in some applications, such as user or connection reports.

  Execute scripts / tools: run auditor’s bespoke software and hardware inventory scripts

Challenge requests that you are not comfortable with!

Page 11: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Consolidate data and generate reports

§  Ask additional follow-up questions

What customers can do

§  Use a consistent review and communication protocol as per Data Collection stage

Page 12: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Present you with a Draft Effective Licence Position Report with initial findings

§  Seek your factual accuracy confirmation (agreement) to the Draft Report

What customers can do

§  Investigate the compliance issues in detail, on both licence and usage quantities. Involve the team that provided the data and product owners.

§  Validate the auditor’s documented comments and assumptions

§  Seek clarifications for items that you do not fully understand

§  Only provide ‘agreement’ with heavy caveats

Page 13: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM & Auditors typically do

§  Close the ‘fact-finding’ part of the audit, and confirm compliance observations

§  Discuss settlement timeframe

What customers can do

§  Highlight disagreements on any compliance observations

§  Do not commit to any settlement timeframe proposed

§  Start preparing for settlement negotiation strategies

Page 14: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

SLR Lifecycle & Defence Strategies

What IBM typically does

§  Send an initial cash quote with very high figures (‘the stick’)

§  Offer concessions and discounts if valid mitigating circumstances are provided

§  Part-cash, part purchase commitment offers

§  Partial settlement offers

What customers can do

§  Create strong mitigating circumstances

§  Request waivers

§  Use time to your advantage

Immediate revenue

Future revenue

Time of payment

Relationship

Mitigating circumstances

Publisher’s Goodwill

Page 15: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Top Compliance Risks

Virtualisation (Sub-capacity)

User role & access definition

Server role definition

Multiplexing

Application specific restrictions

3x – 8x

20x – 50x

2x – 5x

50x – 100x

2x – 3x

Page 16: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Mainframe Risks

Unlicensed Product & Features

SYSPLEX & Sub-Capacity Violation

Complex Licence Calculation

Page 17: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

IBM Licence Management Option

§  ESSO/NGSA Customers Only

§  Offered at contract renewal or under audit

§  Replacement of audit clause with self-reporting

§  Must be certified first!

Is IBM LMO for You?

Page 18: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Best Defence – take control

Top Down

Bottom up then

What we have bought?

PVU

Non-PVU

ILMT Deployment & Validation Bundling, coverage & accuracy

Additional Information Required

Design Data Collection Methodology to measure usage according to charge metrics

Manual Calculation

ILMT Update & Sign-off

Effective Usage i.e. Licence Consumption

Page 19: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016

Questions?

Page 20: HW Fisher IBM Audit Defence_ITAM Review Audit Defence Workshop Amsterdam April 2016