Voted Best Answer
Feb 26, 2018 - 04:41 AM
- Test the background data.
- Test the licensing logic.
- Test the application of licences.
The ELP itself should include all of the background data the auditor has used to construct the summary. If it doesn't, the first step for me would be to ask for it. As a general rule, I would normally ignore any products from the summary where no deficit was discovered.
The next step of my test would be to validate the data they have used, to ensure it matches the data I supplied them with, and that their interpretation of it matches my own. It's not unheard of for auditors to either make mistakes with the data or even misrepresent it in some way. As an example, I once caught an auditor who had ignored the fact that a customer had DRS groups deployed on VMware, thereby reducing the physical resources hosting the target VMs, even though the vendor's licensing accounted for the technology.
Assuming the background data all checked out, or once the differences were resolved satisfactorily, I would then compare their ELP to the one I had already done (see previous post on this subject!) to see if their conclusions matched mine. If they did not, I would insist the auditor supplied me with details of the contractual clauses upon which their conclusions were based. You'd be amazed at how often you get pointed to incorrect contracts, incorrect interpretations of a contractual clause, or, worst of all, a vendor's data sheet on the product concerned - I have experienced all of these.
I would also be looking to ensure they used all of the available licences that could be used, and applied them in the most optimal manner. Again, you'd be amazed at how often auditors misapply licences to deployments or ignore swathes of licences that can be used to cover a given deployment or usage of the software.
Lastly, make sure you can point to evidence that supports your belief that the auditor has made mistakes, and don't back down when challenged. In the case of a 3rd-party audit, the auditor will not always accept your view, despite evidence, and leave it to the vendor to make a call on it. If you can point to a correct interpretation of the correct contract, then you will generally be in a good place.