KPMG's Software Dinner
On the 19th March we held our 3rd "Software Dinner" for IT and procurement professionals with an interest in software asset management. The attendee list saw an increase over the previous two years, showing a heightened awareness, maturity and importance of software asset management.
Please contact us for inclusion on the next invite.
As usual we discussed a number of topics in a workshop environment during the afternoon session which was then followed up with dinner at the KPMG dining rooms.
The note below captures the essence of the discussions. A variety of views were expressed on most parts. We have not captured all of these in this summary, nor should this summary be taken as necessarily reflecting KPMG’s view. We also delivered a short presentation on the International Organisation for Standardization (ISO) which can be found here.
Also for your amusement, the YouTube clip played during the event can be found here.
Below the write up we have included an outline of KPMG’s service offerings in relation to SAM and naturally we’d be delighted to talk further with you on these.
Group 1: "Getting ready to buy"
Topic 1: How do you determine the value of software support and maintenance?
Software publishers commonly establish an annual fee for support and maintenance which is calculated as a percentage of the cost of a licence (for example 18%-25%). The exact benefits will vary from publisher to publisher, but typically support gives rights for the following:
- Right to upgrade to the latest product version released during the support period
- Access to technical support
The group felt that bug fixes and security fixes should always be provided free of charge (as is the case with Microsoft) unlike Oracle, IBM and SAP who only provide fixes for customers with active support and maintenance. It was felt that organisations shouldn’t be paying for errors that the software writers had made.
It was felt reasonable that additional benefits such as upgrade rights were charged for; however, the panel did say that it was questionable how many companies take advantage of these upgrade rights given the support cost percentage. To illustrate this, if the support percentage was 25%, it could be argued that an organisation should upgrade at least every 4 years in order to justify the business case for support in terms of right to upgrade.
We suggest that organisations periodically review the capabilities of the versions of products they hold entitlements for and compare this to the “roadmaps” published by software publishers. These can usually be obtained from the publishers’ websites, during presentations to user groups or via account managers and set out what is due to be delivered over the coming years. Based on this information a judgement can be made of the value of paying for maintenance over the coming years or whether it will be more cost effective to simply purchase new licenses at a future date. An appropriate time to conduct this review is on renewal or anniversary of the licence purchase date.
Access to technical support
The main suggestion was that the best way was to review if and how often support has been used. A show of hands was asked for and of the group representing six organisations only two had some form of process in place to do this.
It was suggested that support and maintenance needs to be looked on as a form of insurance especially in regulated industries where not having support provided by software manufacturers could potentially lead to problems with the regulatory bodies. It was also the case that some enterprise software needs to be kept up to date more often than desktop software e.g. when HR systems need to be updated as a result of government legislation.
Overall, it was felt that paid-for support and maintenance was less important for commodity software deployed on the desktop than infrastructure software deployed in the data centre.
A final observation was that some of the benefits provided as “free” as part of a support and maintenance agreement can actually have significant cost to an organisation, as parties tended to take a “silo’d” view of life, not realising that something one group could do for free or at minimal cost could have big cost impacts on other parts of an organisation. The example was given of an outsourcer being involved, where the “free” update to a piece of software results in a large bill from the outsourcer to implement the change.
Topic 2: What is the ideal preparation and skill-set for negotiating software renewals?
The key piece of preparation was felt to be the need to understand the overall business strategy (e.g. expansion, relocation, new services, products etc.) and then evaluate what changes IT will need to make to support this. This IT strategy should specify upgrade paths for existing technology and timescales for implementation of new technology and be created in conjunction with knowledge of the vendor’s future product release strategy.
The skill-set for negotiating renewals is varied and not often found in one person. Therefore a team should be put together comprising a licensing expert who understands how the manufacturers’ licensing options best fit with the business need; someone from the affected IT team who understands what the technical requirements of the software are; someone with good negotiation skills; a representative from the legal team to review contractual paperwork; and the relevant business owner(s) who understand how the product is actually used in the organisation.
Topic 3: If you can deal direct with the vendor, what is the role of the reseller?
Generally, it was felt that resellers are better when working with commodity products rather than expensive enterprise products, where working direct with the vendor can be a better option. At times it appeared to some that the primary driver of a reseller was to meet sales targets rather than to provide the best advice; this was primarily because the software acquired via resellers tended to be cheaper commodity items rather than expensive enterprise products. There were, however, advantages of dealing with resellers rather than software publishers, including:
- They have an understanding of local culture and customs which a global vendor may not have. Having a globally negotiated contract with local purchasing via an in-country reseller can present advantages.
- It was felt that it was easier to get consumption reports from resellers than vendors although where multiple resellers are involved this can present challenges if the underlying data doesn’t come from the vendor (e.g. Microsoft MLS reports) as several resellers may need to be contacted to collect the data.
- It is possible to enter into a competitive bidding situation with resellers where a number of resellers are invited to tender and one can be chosen that either provides the best pricing or best value-add to the organisation.
- Resellers can maintain purchase history data for the organisation; one company in the group actually paid their reseller on a consultancy basis to maintain their software asset register.
- Resellers often have advance notice of deals or changes to vendor licensing and can provide suggestions for products from different vendors that may provide a solution to a business requirement.
The final point made was that resellers need to be under an NDA so that they are not passing information they discover about the organisation on to other companies.
Group 2: "Checks and balances"
Topic 1: Controlling consumption of All-You-Can-Eat agreements: Is there a need and if so, how have you done it?
Many software publishers will enter into “all-you-can-eat” type agreements if the deal size is large enough for them. These agreements are characterised as multi-year (three is typical) agreements during which the customer can deploy software as required for a fixed price. There are some variations which are almost “all-you-can-eat”, the most common of which is the “substitution” or “fence” agreement where a fixed financial amount is agreed with a product price list. The customer is then able to change the product mix around as long as the total financial amount is not breached.
There are some obvious benefits to these agreements for both the customer and the publisher. From the customer’s perspective the discount levels offered are usually the highest that the publisher will offer (reflecting the fact that these deals are only available for large orders). Additionally there is the removal of the administrative costs of placing individual orders for software licences during the agreement term.
From the publisher’s perspective the obvious benefits are a smooth, multi-year revenue stream, an efficient sales process (one deal for a large value), and a secure customer perhaps pushing out the competition for a number of years.
So what are the downsides? As with any longer term contract there is the risk that during the term of agreement requirements change and you may no longer need the software or you want to deploy alternative technology, but there will still be a requirement to pay per the agreement terms.
The cynics will also argue that a downside could come at the end of the agreement term; the publisher will be hoping for as much technology to be deployed as possible during the “all-you-can-eat” phase because when the agreement expires, the publisher will then get to charge an increased support and maintenance fee for all the products which the organisation has become dependent on. To put this bluntly, the “all-you-can-eat” agreement can make you fat.
The group felt that it was important to control the consumption of “all-you-can-eat” agreements principally to stop the risk that the inevitable renewal gets overly expensive. There was also a point made that measurement of these agreements was also important so that it can be determined how much value is being derived from the agreements.
The point was made that even though control and measurement is important in the longer term, it can be difficult to avoid the business believing that software included in an “all-you-can-eat” is free. An interesting concept that was mentioned was the “show back” which is similar to the “charge back”, but performed retrospectively (for example annually). This is an innovative solution where at the end of the year you look back at how much software was deployed and divide the annual cost by the usage and show each business unit their share of the cost.
Another suggestion that was made was that for “all-you-can-eat” agreements you need to plan sufficient time in advance of expiry to conduct a full inventory of usage and purge the unnecessary deployments before the end of the term to ensure the subsequent renewal or maintenance fees are reasonable; using the food analogy, it is important to go on a diet before you get to the end!
Topic 2: Discussing entitlement with vendors: Pros and cons and ways to get information without increasing likelihood of audit
The obvious risk that comes to mind if you start asking vendors for their version of the licences you have purchased is that the vendor starts to suspect you don’t have control, which then leads on to an audit.
The benefit of dealing with the vendor is that they can provide the highest level of audit evidence of licence entitlement, and can often provide a more complete record of the quantity of licences purchased. It is important to note here that this only applies to “volume licence” sales as vendors generally cannot provide any visibility on licences bundled with third party hardware or purchased through retail channels.
Some organisations make the point that their vendors have not been able to provide very complete records of licence entitlement. In KPMG’s experience the vendors can often provide a much higher count of entitlement than a large organisation can achieve by reviewing their own internal records, if the vendor has spent sufficient resource determining all the permutations of corporate names which may have purchased software (e.g. the vendor looks for sales to WHSmiths, W H Smiths, WH Smiths etc). Given this experience we advise organisations who have made the decision to approach vendors for entitlement information to enter into a collaborative and iterative process.
The other benefit to working with the vendor is that they are often willing to do a bit more than simply providing a dump of sales transactions from their systems. To be helpful these dumps of transactions need to be analysed to create a current entitlement position. The entitlement position differs from the sales transactions by summarising multiple annual sales transactions for base licences and subsequent support and maintenance into a single total entitlement position for each licence at each version. These types of analysis often also take care of product name changes and changes to licence metrics. Some vendors who are helpful in this regard include Microsoft with their MLS report (Microsoft Licensing Statement), which takes years of sales transactions and summarises them down to a vastly reduced number of rows.
So how can you get access to the vendor’s records and keep the risk of audit as low as possible? Several ideas were shared:
- Use the reseller, don’t go direct to the vendor: Often resellers can request entitlement information related to their customers. Resellers have legitimate reasons for being able to access this information and a request from them is therefore not likely to ring the vendor’s alarm bells as much as a direct request.
- Agree with the vendor that you will be asking for this information on a routine basis (for example on the anniversary of the agreement or in advance of the renewal of an enterprise agreement).
- Ask for information when there is a change of account manager so that you and the new account manager can sit down and review the entitlement position as part of a business review.
- Ask the vendor to co-terminate all support and maintenance periods. The vendor will have to provide you with a list of all active support to help with this.
Topic 3: SAM and Internal Audit: Is SAM on the internal audit radar? Would the SAM community benefit from internal audit paying more attention to SAM?
The consensus was that SAM was not on Internal Audit’s (IA’s) radar and it is likely that most internal auditors would not recognise SAM. This was not intended to be a criticism, as it was followed up with the fact that IA tend to apply a risk lens to their activity. Therefore the IA community would probably recognise the risk of non-compliance and also the risk of waste associated with inefficient and excessive software purchases. This risk would be balanced against other risks on the organisation's risk register.
From KPMG’s perspective there does appear to be an increase in the frequency with which we see SAM specific issues come up in IA reports. In keeping with the comment in the paragraph above, the term SAM is very rarely present and the points which are reported include:
- IT purchasing being decentralised and uncoordinated.
- Lack of central visibility of spend on IT.
- No monitoring of the use and requirement for software licences.
- IT security concerns due to lack of understanding all IT assets within the IT environment.
So while it is probably true that the term “SAM” is not necessarily on IA’s radar, there does appear to be a slight increase in IA looking at issues which SAM addresses.
Overall the group felt that an increase in IA focus on SAM would be positive as it would help elevate the work that the SAM community is doing up senior management’s priority list.
Group 3: "Governance"
Topic 1: What are the SAM considerations when contemplating outsourcing IT?
The group believed that the complexity of software asset management meant that it should ideally be kept in house during outsourcing of operations. There was agreement that this had often not been appreciated when outsourcing arrangements were made and anecdotes were in abundance of situations where outsourcers had added software to or managed software in their estates in ways which were far from ideal – adding additional software using a different licensing metric to the current products, for example, and charging for the purchase of non-transferable licenses in the outsourcer’s name.
Information was agreed to be a significant factor in limiting the extent to which software asset management could be outsourced. Successful SAM processes require extensive up-to-date knowledge of what software is deployed and what is actually being used, and outsourcing arrangements can make the organisation dependent on the outsourcer to provide such information, which group members believed was sometimes of uncertain reliability and consistency.
There was a suspicion that outsourcers were to some extent benefitting from the complexity of their work and their control over vital information in order to entrench their own contractual arrangements and make it unnecessarily difficult for the customers to move outsourcers or take the services back in-house.
The criteria used for remunerating and assessing the performance of an outsourcer seemed often at risk of creating a moral hazard situation, with outsourcers frequently engaged in contracts on which they would be judged principally on the delivery of project objectives, leaving them with an incentive to deploy software in a fast, flexible and extensive manner while leaving the client to bear the legal risk relating to license compliance, leading to violations.
Questions around legal and taxation issues with outsourcing, and software management more generally, were raised by several members of the group. It was agreed that national regulators are increasingly ‘flexing their muscles’ and many members saw potential future headaches with some of the potential legal consequences that could arise if they were minded to investigate their data systems’ setups – situations where staff in country A are accessing data in country B on behalf of an entity in country C using software purchased in country D are increasingly the norm with modern globalisation. Outsourcing adds only additional complexity.
Given that outsourcing programmes frequently involve organisations based in developing countries, there were concerns expressed around differing cultural attitudes to governance. Many members of the group expressed concerns about outsourcers' ability to understand the importance many western organisations place on legal and compliance issues, especially those in highly regulated sectors such as banking.
The group agreed that outsourcing was increasingly being done with arrangements that keep the infrastructure and purchasing in-house, limiting outsourcers to providing human services through gateway access into their systems, in order to avoid many of the issues discussed above.
Topic 2: The International Organisation for Standardization (ISO) and ISO 19770: Impact of ISO 19770-4; does it improve or dilute the overall standard? What it means to (a) be able to certify, and (b) to be certified.
There was a consensus that there was very little awareness in the market of ISO 19770, or at least what it entails. Among those who were aware though, it was viewed as a potentially useful guide to best practice, although not necessarily suitable to be implemented to the letter. Additionally, there seemed to be no identifiable benefits in having compliance with the standard certified by a third party auditor.
Technical elements of the standard, which are onerous on the publishers (naming conventions for versions and comprehensive tagging of software) are very desirable. Examples were provided of major customers insisting on software being tagged in compliance with ISO, as an indicator of the market beginning to take this seriously.
However, participants believed that many of their problems come from smaller software vendors rather than the major players, and these are less likely to be complying with the tagging and less likely to provide audit forbearance.
It was agreed that internal audit departments are becoming increasingly interested in software asset management, and it was suggested that they could potentially come to see value in the standard as providing them with a basis on which to assess the organisation’s performance. Representatives from organisations in the banking sector, which is in a phase of becoming increasingly concerned with reputational risk and internal compliance, saw this as a definite possibility for the future.
Some members of the group were aware of other standards which their organisations were dedicated to following, such as environmental and quality standards. However, these were perceived to provide commercial advantage and to be in line with the companies’ overall philosophies, and the SAM standard did not appear to be comparable to this.
The participants expressed a desire to see standardised terms and conditions and licensing metrics as a way of facilitating easier comparisons between vendors, but accepted that this was not a commercial reality.
Topic 3: What KPIs can be used to demonstrate the ROI of an existing SAM function
The previous two topics were discussed in such depth that unfortunately the group did not get onto this question. In KPMG's view the ROI from SAM can be measured using some of the following KPIs:
- Number of calls to the service desk: a reduction in the number of service desk calls dealing with software requests, security and patch support per month.
- Number of new products: a reduction in new software titles and unauthorised software per month.
- Number of software versions: a reduction in the number of different versions of the same product.
- Number of products: a reduction in, or consolidation of, the number of products in the infrastructure.
- Overall cost: a reduction in cost per device.
- Audits: a reduction in time and cost per audit.
- Annual software license spend: a reduction in the annual software license spend for new software and for support and maintenance renewals.
KPMG's SAM services
Our Software Advisory practice provides a wide array of services related to software asset management and software license compliance. We have helped leading global corporations (including several of the FTSE 100) to address challenges related to SAM with a view toward reducing compliance exposure, optimising costs, and achieving overall IT maturity. A selection of the services we commonly perform is listed below.
Quantification of Licence Position
Utilising our own discovery scripts or by using discovery technology which is already deployed, we turn basic discovery data into licence consumption information. We also gather licence entitlement information from a number of sources and produce a statement which quantifies the compliance position for each software title in scope. Because we do this day-in-day-out for many software vendors, we are confident that the results of our work will be robust.
Establishing a licence position is a building block for most other SAM services and provides the basic licence inventory required for pro-actively managing software.
We can conduct this service as a one-off exercise, delivering a point-in-time statement of licence position, or on a continuing basis.
We build on the basic licence position and provide recommendations for removal of unused software to free up licences for use elsewhere and optimising the configuration of hardware and software to make use of cheaper software licences.
This service typically identifies cost saving opportunities many times the cost of the service itself.
Many software vendors offer a variety of alternative agreement structures, ranging from enterprise agreements which commit an organisation to a set spend for a fixed period of time to a-la-carte models. In order to determine the best model, an organisation needs to have a clear view of its IT strategy over the next 3-7 years and an understanding of the vendor’s product road map for the same period.
We can offer impartial procurement advice to help organisations make the right choice for these high value decisions.
Robust procedures and controls for the processes for acquiring, deploying, maintaining and retiring IT assets help to reduce the risk of non-compliance and over-spend. We perform business process reviews to generate recommendations for improvements to current processes and suggest additional best practice processes.
Tool Selection and Optimisation
Many organisations have implemented hardware and software discovery technology but we find that many do not exploit these technologies fully and are not getting full value from their investment.
We can review the information that tools are collecting and then provide suggestions as to how the tool can be adjusted to produce better information (for example bundling of certain products or ignoring of evaluation copies) and suggest secondary data collection activities to properly quantify licence requirements.