1/1/2016
08:06 AM

How To Survive A Software Licensing Audit

Enterprise IT organizations face software audits as a matter of doing business with large technology vendors. What's the best approach to dealing with them? Here's a look at what you should and shouldn't do when you get that software licensing audit notice.

You've received a software licensing audit letter. What do you do now?

You can disregard it, which is unwise, or react to it in a number of ways. There are better and worse ways of handling an audit, and if you don't know the difference, your audit experience may be more costly, time-consuming, and frustrating than it needs to be.

Most companies want to do the right thing, but that very desire may drive them to take actions that are not in the best interest of their organizations. Here are a few factors that can help or hurt.

Getting Audited? Get Help

The worst thing to do is to react to a software audit without thinking. It is far wiser to involve your in-house legal department or outside counsel, so you can understand how you can respond to the audit notice without exposing your company to unnecessary risks.

"I wouldn't just start handing over information. There are a lot of details that need to be checked, such as the licensor's right to audit, restrictions on it, how confidentiality works, and so on," said Greg Wrenn, a partner at law firm Paradigm Counsel, in an interview. "If you get a notice, talk to your legal adviser to ensure you don't expose anything that's inappropriate when facing a situation like that."

It's important to cooperate with the auditors, but in the spirit of doing so, individuals may start handing over information that can be used as evidence if the matter proceeds to litigation.

"The No. 1 thing people should do is be very careful about who they allow to respond, and how they respond," said Robert Scott, managing partner at law firm Scott & Scott, in an interview. "You need to be very disciplined in your approach when responding to audit requests. Most companies are honest and diligent and they acquiesce to the publisher's methodology. The company cooperates, and later when it gets a financial demand [and] the company finds itself in an adversarial situation."

Some of the exposure could have been avoided if the audit had been managed more responsibly, meaning that the right stakeholders were involved in responding to the audit.

Cooperate With the Audit

An adversarial attitude about a software audit is unwise. It's best to cooperate with the auditors, albeit while protecting the interests of your company. There are different types of audits: those that are done by the big accounting firms and those that are conducted by organizations such as BSA -- The Software Alliance. BSA does what it calls "a cooperative self-audit," which means that it asks a company to perform an audit of its own systems and report that information back to BSA.

"When we send audit letters to companies in the US and Canada, we're asking them to tell us what's on their system. We're not entering their premises when we do these audits," said Coates.

Regardless of who does the audit, there may be discrepancies in how the licenses are counted. Robert Scott recommends his clients use the same tools and processes to manage their software agreements that the auditors use.

"It's almost impossible to manage compliance and license agreements using a different toolset than what the publisher is going to use in an audit, because you're measuring apples and they're measuring oranges," said Scott. "If you can't get forbearance then the best way to proactively manage [licenses] is to set up programs and systems that are aligned with what the auditors will use so you get the same datasets and comparable analysis."

Otherwise, your numbers may be lower than the auditor's numbers. Then, you may have to explain to the publisher why the auditor's methodology is faulty -- and remember, the software publisher hired the auditor.

"The auditors try to rush the targets through the audit. They're constantly hounding [the targets] to finish [and the reports are] frequently half-baked when they're sent to the publisher. So the publisher comes up with an outrageous number and payment has to be made in 30 days or the license is terminated," said Scott.

Don't Destroy Records

A company's record retention practices may work against it during a software audit. Similarly, in a state of panic, an individual might think the way to avoid liability in the first place is to destroy the records.

"If it's a bad situation, you're just going to make it worse. If you're telling the truth, it's going to make you look like you're lying," said Paradigm Counsel's Wrenn. "Don't start shredding things and burning hard drives. Also, make sure you don't have any automated backups just because you have some new ones." Wrenn preserves such information on the legal server so he can ensure it's available when needed.

Also, don't delete software, which is another panic-based knee-jerk reaction.

"Forensic examinations can find evidence of deleted software, so you're potentially putting yourself in a hole because something that could have been easily resolved now looks like you're covering up misdeeds," said Alex Wolf, an associate at law firm Smyser, Kaplan & Veselka, in an interview.

Don't Make a Panic Buy

In an effort to be honest after the fact, individuals or small businesses may feel compelled to run out and buy licenses once they receive an audit notice. They believe they're "doing the right thing," but such action is nevertheless inadvisable.

"Don't go out and buy software in an attempt to somehow fix the problem. This is why counsel is appropriate. People tend to ignore this directive," said Wolf. "When you ultimately face the audit, the audit procedure is usually, 'Show us what you've installed and show us the receipts.' [Auditors will] see that the receipts are dated after the letter was sent. That proves that you were engaged in wrongdoing prior to that point."

In other words, panic buys do nothing to address the liability issue.

What the Auditors Are Looking for

There is more than one way to breach a license agreement. Technology companies and technology-driven companies tend to have clauses in their employment agreements that prohibit activities such as reverse engineering, derivative works, or other engineering-related tasks that can expose the company to serious liability. Most of the time auditors are looking for discrepancies between software usage and license purchases.

"If you have a license that says you're entitled to deploy a piece of software on four devices, I'm going to look to see whether you've deployed it on four. If it's less than four, I'll probably point out you're under-deployed, and you haven't been managing your assets very efficiently. If it's more than four, we're going to have to rectify it. I want to compare your entitlements to your deployments," said Adam Coates, associate general counsel and managing director for compliance and enforcement, Americas, at BSA, in an interview.

Bottom Line

No one looks forward to a software audit because it's a nuisance, and it takes valuable time away from value creation. One of Scott & Scott's large enterprise clients estimated it would take 14,000 hours to respond to an audit done by an accounting firm. Although self-audits are far less onerous, it's best to avoid software audits if possible. If it's not possible, you may be able to save yourself -- and your company -- the unnecessary fallout caused by common mistakes, even if those mistakes are well-intentioned.

In short, if you receive an audit notice, do not engage in self-help. Get the right stakeholders involved, and don't attempt to cover your tracks.

Also remember there's no substitute for genuine legal advice, including this article -- which was written for informational purposes only. If you don't understand when you should be talking to a lawyer about these matters, consult your company's inside counsel if you have one, or seek outside counsel if you don't.

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include ...

Comments
SaneIT
User Rank: Ninja
1/6/2016 | 8:20:48 AM
Re: interesting info
"Also, I think spending a half hour or an hour with a lawyer to understand your rights and obligations can be money well-spent."   Those letters can come off as very aggressive and accusatory but when you call and talk to someone you realize they are worded that way to get your attention.  I did some work for a small company that received such a letter and before my regular check in with them word had already spread through their very small office and people were freaking out about programs that they installed without me. In cases like that I do agree that a lawyer can read between the lines and put a company at ease before they do something foolish. 
LisaMorgan
User Rank: Moderator
1/5/2016 | 1:46:13 PM
Re: interesting info
Actually, you caught a typo I made in haste.  It's corrected now, but yes, having someone try to fix the problem without understanding the potential ramifications of what they're doing.

Also, I think spending a half hour or an hour with a lawyer to understand your rights and obligations can be money well-spent.  Large companies tend to have very expensive licensing agreements and more formal structure as you point out.  

Regarding the BSA and their audits:  They ask for self-assessments as Adam Coates said.  The BSA itself is the best party to explain their role, but here's a link you may find helpful:

http://www.bsa.org/anti-piracy/ap-communications

One of the lawyers I interviewed handles audits very differently than the other lawyers I interviewed.  And, he only uses the tactic mentioned when the client is a very large company with the kind of bargaining power that most companies lack.  

Don't cooperate isn't the message.  Cooperate without compromising your own interests.  There's a difference.
TerryB
User Rank: Ninja
1/5/2016 | 1:25:49 PM
Re: interesting info
By "they", do you mean the sender of the letter? Or some internal person trying to comply with the letter's request and doing the wrong thing?

I think you intended this advice for large companies, then it certainly makes more sense. If you have a legal department, you might as well use them.

I'm a little confused by this whole BSA driven audit, never heard of this. Just what exactly is their motivation in this process? Are they a paid agent of software companies with legal clout to force the audit? A sort of IRS for the US Treasury? Or are you suggesting a lawyer can prevent someone like Microsoft or ERP company from forcing you to provide data to them on usage of their products?
LisaMorgan
User Rank: Moderator
1/5/2016 | 1:06:17 PM
Re: interesting info
Thanks for sharing your experiences!
LisaMorgan
User Rank: Moderator
1/5/2016 | 1:04:55 PM
Re: interesting info
The reason to ask a lawyer or the legal department about a letter you just received helps ensure that you don't start doing something - even in good faith - that compromises your company's best interest.
LisaMorgan
User Rank: Moderator
1/5/2016 | 1:03:06 PM
Re: interesting info
Thanks.  Yeah, that's a common reaction.  Run and hide.  The problem doesn't go away...
SaneIT
User Rank: Ninja
1/5/2016 | 8:21:49 AM
Re: interesting info
I'm with you here, I can understand notifying a lawyer as a heads up but there are only two outcomes to an audit and if you're confident that you'll pass do you need a legal team?  I've had several self-audits over the years using tools that the company requesting the audit provided.  The first one was somewhat humorous because they were looking for a very expensive application that we purchased and were underutilizing.  I called their auditing team, explained that we actually owned more licenses than we were using and that running their tool on our network was going to miss anyone in the field who had a license.  At first I suspected it was a matter of someone getting in their heads that we must have more people using the software but as the engagement progressed I realized it was more of a software assurance sales tactic.

The worst licensing audit I've ever had was with Microsoft because it took two weeks to sit down and hammer out what exactly we were licensed for and what they really wanted to see.  You mentioned SQL so I'll cover that part too, we had per processor licenses at the time for SQL and when the audit was complete it actually turned out that we had some SQL CALs too, we had to walk back years of agreements including some that were executed by companies we had acquired.   I'm not anti enterprise agreement but buying in with the plan of catching up over a term of 3 years tends to lead to some little things being missed as time passes.

 
TerryB
User Rank: Ninja
1/4/2016 | 1:47:04 PM
Re: interesting info
Hmmmm. I guess I'm a little confused what value the lawyer brings early in the process? I get the lawyer if you are assessed some fee you don't feel is warranted, maybe they can negotiate something which saves you more than they cost.

But you are either licensed correctly or you aren't, nothing a lawyer can do about that. If you aren't, and all software company wants is price of you buying correct licenses, lawyer is no help either. I only see value if software company tries to bill you for "punitive damages" or something, then lawyer "might" be able to help. Only question then would be if they cost more than what they saved you.

Audits can be useful, especially as confusing as licensing can be. We had KPMG lead a software audit for Microsoft products. During the discovery process, we found we had implemented our production Sharepoint environment on a SQL Server which was only single user license, not a site license. I had quoted a site license for SQL but my admin never executed, we continued to use the free single user SQL Server license we had prototyped on. He got software at a seminar he had attended. So we bought the SQL Server we intended to buy in first place, then submitted that proof to KPMG. No extra cost came out of that incident or audit.
Stratustician
User Rank: Ninja
1/4/2016 | 9:57:57 AM
Re: interesting info
Some great advice here.  I know many customers who, once they receive an audit, are often shocked that there is suddenly an outstanding bill, and then tend to hide because they are afraid of paying the fee to settle up their account or start to try to find ways to reduce the outstanding number of licenses.  Partnering with an organization that focuses on trying to make the whole process quick and painless is a great way to make sure the audit is completed, while setting the right expectations throughout the process is a great way to make it less painful.
LisaMorgan
User Rank: Moderator
1/3/2016 | 12:38:58 PM
Re: interesting info
Thanks!