Enterprise IT organizations face software audits as a matter of doing business with large technology vendors. What's the best approach to dealing with them? Here's a look at what you should and shouldn't do when you get that software licensing audit notice.
Windows 10 Vs. Windows 7: What Enterprise IT Needs To Know
(Click image for larger view and slideshow.)
You've received a software licensing audit letter. What do you do now?
You can disregard it, which is unwise, or react to it in a number of ways. There are better and worse ways of handling an audit, and if you don't know the difference, your audit experience may be more costly, time-consuming, and frustrating than it needs to be.
Most companies want to do the right thing, but that very desire may drive them to take actions that are not in the best interest of their organizations. Here are a few factors that can help or hurt.
The worst thing to do is to react to a software audit without thinking. It is far wiser to involve your in-house legal department or outside counsel, so you can understand how you can respond to the audit notice without exposing your company to unnecessary risks.
"I wouldn't just start handing over information. There are a lot of details that need to be checked, such as the licensor's right to audit, restrictions on it, how confidentiality works, and so on," said Greg Wrenn, a partner at law firm Paradigm Counsel, in an interview. "If you get a notice, talk to your legal adviser to ensure you don't expose anything that's inappropriate when facing a situation like that."
It's important to cooperate with the auditors, but in the spirit of doing so, individuals may start handing over information that can be used as evidence if the matter proceeds to litigation.
"The No. 1 thing people should do is be very careful about who they allow to respond, and how they respond," said Robert Scott, managing partner at law firm Scott & Scott, in an interview. "You need to be very disciplined in your approach when responding to audit requests. Most companies are honest and diligent and they acquiesce to the publisher's methodology. The company cooperates, and later when it gets a financial demand [and] the company finds itself in an adversarial situation."
Some of the exposure could have been avoided if the audit had been managed more responsibly, meaning that the right stakeholders were involved in responding to the audit.
Cooperate With the Audit
An adversarial attitude about a software audit is unwise. It's best to cooperate with the auditors, albeit while protecting the interests of your company. There are different types of audits: Those that are done by the big accounting firms and those that are conducted by organizations such as BSA -- The Software Alliance. BSA does what it calls "a cooperative self-audit," which means that it asks a company to perform an audit of its own systems and report that information back to BSA.
"When we send audit letters to companies in the US and Canada, we're asking them to tell us what's on their system. We're not entering their premises when we do these audits," said Coates.
Regardless of who does the audit, there may be discrepancies in how the licenses are counted. Robert Scott recommends his clients use the same tools and processes to manage their software agreements that the auditors use.
"It's almost impossible to manage compliance and license agreements using a different toolset than what the publisher is going to use in an audit, because you're measuring apples and they're measuring oranges," said Scott. "If you can't get forbearance then the best way to proactively manage [licenses] is to set up programs and systems that are aligned with what the auditors will use so you get the same datasets and comparable analysis."
Otherwise, your numbers may be lower than the auditor's numbers. Then, you may have to explain to the publisher why the auditor's methodology is faulty -- and remember, the software publisher hired the auditor.
"The auditors try to rush the targets through the audit. They're constantly hounding [the targets] to finish [and the reports are] frequently half-baked when they're sent to the publisher. So the publisher comes up with an outrageous number and payment has to be made in 30 days or the license is terminated," said Scott.
Don't Destroy Records
A company's record retention practices may work against it during a software audit. Similarly, in a state of panic, an individual might think the way to avoid liability in the first place is to destroy the records.
"If it's a bad situation, you're just going to make it worse. If you're telling the truth, it's going to make you look like you're lying," said Paradigm Counsel's Wrenn. "Don't start shredding things and burning hard drives. Also, make sure you don't have any automated backups just because you have some new ones." Wrenn preserves such information on the legal server so he can ensure it's available when needed.
Also, don't delete software, which is another panic-based knee-jerk reaction.
"Forensic examinations can find evidence of deleted software, so you're potentially putting yourself in a hole because something that could have been easily resolved now looks like you're covering up misdeeds," said Alex Wolf, an associate at law firm Smyser, Kaplan & Veslka, in an interview.
Don't Make a Panic Buy
In an effort to be honest after the fact, individuals or small businesses may feel compelled to run out and buy licenses once they receive an audit notice. They believe they're "doing the right thing," but such action is nevertheless inadvisable.
"Don't go out and buy software in an attempt to somehow fix the problem. This is why counsel is appropriate. People tend to ignore this directive," said Wolf. "When you ultimately face the audit, the audit procedure is usually, 'Show us what you've installed and show us the receipts.' [Auditors will] see that the receipts are dated after the letter was sent. That proves that you were engaged in wrongdoing prior to that point."
In other words, panic buys do nothing to address the liability issue.
What the Auditors Are Looking for
There is more than one way to breach a license agreement. Technology companies and technology-driven companies tend to have clauses in their employment agreements that prohibit activities such as reverse engineering, derivative works, or other engineering-related tasks that can expose the company to serious liability. Most of the time auditors are looking for discrepancies between software usage and license purchases.
"If you have a license that says you're entitled to deploy a piece of software on four devices, I'm going to look to see whether you've deployed it on four. If it's less than four, I'll probably point out you're under-deployed, and you haven't been managing your assets very efficiently. If it's more than four, we're going to have to rectify it. I want to compare your entitlements to you deployments," said Adam Coates, associate general counsel and managing director for compliance and enforcement, Americas, at BSA, in an interview.
No one looks forward to a software audit because it's a nuance, and it takes valuable time away from value creation. One of Scott & Scott's large enterprise clients estimated it would take 14,000 hours to respond to an audit done by an accounting firm. Although self-audits are far less onerous, it's best to avoid software audits if possible. If it's not possible, you may be able to save yourself -- and your company -- the unnecessary fallout caused by common mistakes, even if those mistakes are well-intentioned.
In short, if you receive an audit notice, do not engage in self-help. Get the right stakeholders involved, and don't attempt to cover your tracks.
Also remember there's no substitute for genuine legal advice, including this article -- which was written for informational purposes only. If you don't understand when you should be talking to a lawyer about these matters, consult your company's inside counsel if you have one, or seek outside counsel if you don't.
**Elite 100 2016: DEADLINE EXTENDED TO JAN. 15, 2016** There's still time to be a part of the prestigious InformationWeek Elite 100! Submit your company's application by Jan. 15, 2016. You'll find instructions and a submission form here: InformationWeek's Elite 100 2016.
Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.