Software // Enterprise Applications
News
1/28/2014
09:50 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Software Audits: Are You Ready?

Study reveals more than half of companies have faced software audits within the past two years. Microsoft, Oracle, SAP, and IBM top list of auditors.

7 Super Certifications For IT Pros
7 Super Certifications For IT Pros
(Click image for larger view and slideshow.)

The five vendors mostly likely to audit corporate software licenses are Microsoft, Adobe, Autodesk, Oracle, and SAP, in that order. Among organizations with 10,000 or more employees, IBM took the number-four spot, bumping Oracle to number five, and moving SAP off the top-five list.

These are among the findings of the "2013 Software Audit Industry Report," a survey released last month by Express Metrix, a provider of software asset management software. Based on interviews with 178 senior IT managers at North American companies with 500 or more employees, the study found that 53% of respondent firms have been audited within the past two years. Companies with 5,000 to 9,999 employees were the most audited, followed by firms with 10,000 to 25,000 employees.

Audits are inquiries (and sometimes systems-monitoring investigations) to ensure that every copy of installed software is actually licensed. Anecdotal reports indicate that audits are on the upswing. Express Metrix launched its survey to create an annual benchmark that will yield reliable statistics on trends. Auditing used to be carried out primarily by the vendor-funded Business Software Alliance (BSA), but that's changing, according to Dawson Stoops, a co-founder and VP of sales at Express Metrix.

"The BSA is still doing audits, but many vendors, because of their need to drive revenue, have taken on the task of doing audits themselves," Stoops said. "Now that industry groups and individual vendors are both auditing, we're seeing more activity."

[Want more on licensing snafus? Read "Microsoft's Software Licensing: Why I've Had Enough."]

The top-five list shouldn't be surprising in that these are among the leading software suppliers around the globe, and more customers translates into more audits. Rounding out the survey's top-10 list of most-frequent auditors are McAfee, Attachmate, VMware, and Symantec. With these and other prominent suppliers of software now auditing, the question isn't will you face an audit, but when and will you be ready?

Tracking software installed versus software licensed may sound straightforward, but when companies have hundreds, thousands, or tens of thousands of users, things can get complicated. Carolina Container, a High Point, N.C.-based packaging company, was audited by Microsoft last year, and JC Coleman, the company's network administrator said "it caused a lot of headaches."

"I had to come up with real numbers, real quick -- for every operating system, every Office suite, every SQL Server, Visio, PowerPoint -- everything," said Coleman.

The company's calculations were complicated by the fact that Carolina Container makes extensive use of terminal services (also known as remote desktop services). "Over half of our environment is thin client, so I couldn't scan anything to know who had what access to what software," Coleman explained -- an observation that hints that virtualization and private-cloud delivery might also complicate licensing matters.

Microsoft was ultimately satisfied with the numbers that Carolina Container reported and the company had only a minor increase in licensing fees. The biggest hit, according to Coleman, was the time it took him and his staff to come up with accurate numbers. Vowing not to repeat that experience, Coleman said he has since licensed Express Metrix's software in part because it can track software usage through terminal services as well as conventional installations.

If companies track software and licenses at all, they often do it with a mix of spreadsheets, file cabinets, and purchasing systems, according to Stoops. But that leads to a reactive approach when vendors give notice that they plan to audit -- a right they have stipulated in most every software licensing agreement. Stoops said software asset management (SAM) systems monitor actual software usage and enable companies to take a proactive approach that might help them eliminate shelfware and reduce license and maintenance fees.

"Our software gives them an inventory of what they have, reconciles that with what they own, and, over time, gives them detailed insight into what's actually being used," said Stoops. "So when a vendor says, 'We're going to do an audit in two weeks,' the CIO can be ready and say, 'Great, bring it on.'"

With the rise of auditing, the entire SAM category -- with vendors including Express Metrix, Flexera, and Snow Software -- has gotten a lift. Larger organizations tend to use IT asset management systems to track software as well as other intellectual property. Indeed, Stoops said Express Metrix licenses its technology to IT asset management system providers including IBM and BMC.

While SAM software introduces yet another piece of software that has to be licensed and tracked, Stoops described it as "audit insurance" and said it typically costs $10 to $20 per user. A "freemium" version of the software, introduced last week, inventories software on up to 1,000 machines, but you'll have to buy the paid version to get software usage tracking and advanced features for tracking software licenses.

Doug Henschen is executive editor of InformationWeek, where he covers the intersection of enterprise applications with information management, business intelligence, big data, and analytics. He previously served as editor-in-chief of Intelligent Enterprise, editor-in-chief of Transform magazine, and executive editor at DM News.

Solid state alone can't solve your volume and performance problem. Think scale-out, virtualization, and cloud. Find out more about the 2014 State of Enterprise Storage Survey results in the new issue of InformationWeek Tech Digest.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CaryKing
50%
50%
CaryKing,
User Rank: Apprentice
2/14/2014 | 10:47:58 AM
Re: Audit Questions
If you install it, you owe for it.  Any installation creates a constructive liability. 

Copyright Law - Title 17 of U.S. Code.

Organizations should, therefore, consider the business risks of uncontrolled installation of software, and the resulting, perhaps unplanned, liabilities.  And, create controls appropriate to the risk.

We see companies that have gotten a single true-up settlement, with a single supplier, of 23% of the total IT budget.  And, then, the other suppliers also seem to find out.  If in an industry with high IT costs, say 7% - 8% of revenue, this can result in a unplanned liability in the 3% to 4% of overall revenue.  Close to a reportable event on annual report.  And, certainly, a huge unplanned expenditure.

Where companies are most at risk seems, these days, to be the uncontrolled use of "Cloud" and copies of platforms to the "Cloud" that create significant liability.  A single Virtual platform can contain $30k or more of software - for which the company is instantly liable, most often without preventative controls.

 
jagibbons
50%
50%
jagibbons,
User Rank: Ninja
2/1/2014 | 9:26:01 AM
Re: Audits vary in their invasiveness...
Even when negotiating, It's likely that any competitor also has audit requirements in their contract.
PaulS681
50%
50%
PaulS681,
User Rank: Ninja
1/28/2014 | 8:17:05 PM
Re: Audits vary in their invasiveness...
 

@Lorna...Whenever I read about VDI or it was brought up I could never get a clear answer on licensing. I think you are correct, there is a lot of confusion over that topic. I am under the impression it is very costly to implement VDI. That may be incorrect because I never got that clear answer. I look forward to reading your survey.
Dawson Stoops
50%
50%
Dawson Stoops,
User Rank: Apprentice
1/28/2014 | 6:25:44 PM
Re: Audits vary in their invasiveness...
Yes, audit provisions within licensing agreements are certainly negotiable. I've never heard of a situation where even a large company could have them completely removed.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
1/28/2014 | 5:22:54 PM
Re: Audits vary in their invasiveness...
Seems to me that audit provisions would be something a large company could strike from the contract by threatening to go with a competitor's software. If that doesn't work, there's always open-source...
Dawson Stoops
IW Pick
100%
0%
Dawson Stoops,
User Rank: Apprentice
1/28/2014 | 3:53:30 PM
Re: Audit Questions
Rob, Software vendors have the authority to audit their customers under the terms and conditions of the EULA (End User License Agreement) that the customer agrees to. The EULA typically spells out the length of time required for audit notification, and how the audit will be conducted. Most companies accept the audit provision terms without understanding or preparing for the repercussions. The audit is typically conducted onsite by a third part firm hired by the ISV.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
1/28/2014 | 11:25:09 AM
Re: Cloud (SaaS) Is Easier
Easier to control piracy with the SaaS model, too. No suprise that vendors are doing more of their own auditing these days. It's a good conversation starter to get customers to move to from traditional licensing to SaaS.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
1/28/2014 | 11:21:05 AM
Re: Audits vary in their invasiveness...
The point about virtualization/private-cloud complicating licensing is also key - enterprise software vendors definitely have not kept up with use of server virtualization, never mind desktop. In fact, I think that licensing confusion is one big reason VDI never took off. IT had to pay for the VDI software plus had the same licensing costs.

I'm hoping to do a survey and report on this in 2014, get IT's side of the story.
D. Henschen
50%
50%
D. Henschen,
User Rank: Author
1/28/2014 | 11:16:11 AM
Cloud (SaaS) Is Easier
You got it right that cloud -- at least software as a service -- is easier. You're logging into the vendor's data center, so they know very well how many people and servers are accessing the service. No auditing necessary. Subscribers also get insight into exactly what they're using, so it should be obvious if there are subscribed capabilities that they're not using.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
1/28/2014 | 10:46:08 AM
Re: Audit Questions
I'm also curious about how software companies handle audits of cloud apps licenses, e.g. Office 365. I suspect that would be much easier to police than installed software. 
Page 1 / 2   >   >>
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek - July 21, 2014
Our new survey shows fed agencies focusing more on security, as they should, but they're still behind the times with cloud and overall innovation.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
In this special, sponsored radio episode we’ll look at some terms around converged infrastructures and talk about how they’ve been applied in the past. Then we’ll turn to the present to see what’s changing.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.