Software Audits: Are You Ready? - InformationWeek
Software // Enterprise Applications
09:50 AM
Connect Directly

Software Audits: Are You Ready?

Study reveals more than half of companies have faced software audits within the past two years. Microsoft, Oracle, SAP, and IBM top list of auditors.

7 Super Certifications For IT Pros
7 Super Certifications For IT Pros
(Click image for larger view and slideshow.)

The five vendors mostly likely to audit corporate software licenses are Microsoft, Adobe, Autodesk, Oracle, and SAP, in that order. Among organizations with 10,000 or more employees, IBM took the number-four spot, bumping Oracle to number five, and moving SAP off the top-five list.

These are among the findings of the "2013 Software Audit Industry Report," a survey released last month by Express Metrix, a provider of software asset management software. Based on interviews with 178 senior IT managers at North American companies with 500 or more employees, the study found that 53% of respondent firms have been audited within the past two years. Companies with 5,000 to 9,999 employees were the most audited, followed by firms with 10,000 to 25,000 employees.

Audits are inquiries (and sometimes systems-monitoring investigations) to ensure that every copy of installed software is actually licensed. Anecdotal reports indicate that audits are on the upswing. Express Metrix launched its survey to create an annual benchmark that will yield reliable statistics on trends. Auditing used to be carried out primarily by the vendor-funded Business Software Alliance (BSA), but that's changing, according to Dawson Stoops, a co-founder and VP of sales at Express Metrix.

"The BSA is still doing audits, but many vendors, because of their need to drive revenue, have taken on the task of doing audits themselves," Stoops said. "Now that industry groups and individual vendors are both auditing, we're seeing more activity."

[Want more on licensing snafus? Read "Microsoft's Software Licensing: Why I've Had Enough."]

The top-five list shouldn't be surprising in that these are among the leading software suppliers around the globe, and more customers translates into more audits. Rounding out the survey's top-10 list of most-frequent auditors are McAfee, Attachmate, VMware, and Symantec. With these and other prominent suppliers of software now auditing, the question isn't will you face an audit, but when and will you be ready?

Tracking software installed versus software licensed may sound straightforward, but when companies have hundreds, thousands, or tens of thousands of users, things can get complicated. Carolina Container, a High Point, N.C.-based packaging company, was audited by Microsoft last year, and JC Coleman, the company's network administrator said "it caused a lot of headaches."

"I had to come up with real numbers, real quick -- for every operating system, every Office suite, every SQL Server, Visio, PowerPoint -- everything," said Coleman.

The company's calculations were complicated by the fact that Carolina Container makes extensive use of terminal services (also known as remote desktop services). "Over half of our environment is thin client, so I couldn't scan anything to know who had what access to what software," Coleman explained -- an observation that hints that virtualization and private-cloud delivery might also complicate licensing matters.

Microsoft was ultimately satisfied with the numbers that Carolina Container reported and the company had only a minor increase in licensing fees. The biggest hit, according to Coleman, was the time it took him and his staff to come up with accurate numbers. Vowing not to repeat that experience, Coleman said he has since licensed Express Metrix's software in part because it can track software usage through terminal services as well as conventional installations.

If companies track software and licenses at all, they often do it with a mix of spreadsheets, file cabinets, and purchasing systems, according to Stoops. But that leads to a reactive approach when vendors give notice that they plan to audit -- a right they have stipulated in most every software licensing agreement. Stoops said software asset management (SAM) systems monitor actual software usage and enable companies to take a proactive approach that might help them eliminate shelfware and reduce license and maintenance fees.

"Our software gives them an inventory of what they have, reconciles that with what they own, and, over time, gives them detailed insight into what's actually being used," said Stoops. "So when a vendor says, 'We're going to do an audit in two weeks,' the CIO can be ready and say, 'Great, bring it on.'"

With the rise of auditing, the entire SAM category -- with vendors including Express Metrix, Flexera, and Snow Software -- has gotten a lift. Larger organizations tend to use IT asset management systems to track software as well as other intellectual property. Indeed, Stoops said Express Metrix licenses its technology to IT asset management system providers including IBM and BMC.

While SAM software introduces yet another piece of software that has to be licensed and tracked, Stoops described it as "audit insurance" and said it typically costs $10 to $20 per user. A "freemium" version of the software, introduced last week, inventories software on up to 1,000 machines, but you'll have to buy the paid version to get software usage tracking and advanced features for tracking software licenses.

Doug Henschen is executive editor of InformationWeek, where he covers the intersection of enterprise applications with information management, business intelligence, big data, and analytics. He previously served as editor-in-chief of Intelligent Enterprise, editor-in-chief of Transform magazine, and executive editor at DM News.

Solid state alone can't solve your volume and performance problem. Think scale-out, virtualization, and cloud. Find out more about the 2014 State of Enterprise Storage Survey results in the new issue of InformationWeek Tech Digest.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Author
1/28/2014 | 10:46:08 AM
Re: Audit Questions
I'm also curious about how software companies handle audits of cloud apps licenses, e.g. Office 365. I suspect that would be much easier to police than installed software. 
D. Henschen
D. Henschen,
User Rank: Author
1/28/2014 | 10:39:27 AM
Audits vary in their invasiveness...
I've seen varying accounts of just how invasive these audits can be. In general, you get a couple of week's notice that there's going to be an audit and you can negotiate on the timing and scope of the inquiry. The vendor usually hires a third-party firm to carry out the review. It may be as tame as a self-audit request for data. That's the experience that Carolina Container had. With D&B, Hoovers and so on, it's pretty easy to know how many employees companies have and whether the numbers might be out of step with reality. There are also "phone home" reporting mechanisms built right into a lot of software, so you're vendor may have insight on what's in use within certain networks without having to do much poking around. If there's suspicion of non-compliance, the investigation might progress to code scanning of networks using the same sort of technologies that software asset management vendors build into their software.

In extreme cases at large enterprises, audits can drag on for months, and complications include having multiple generations of software, using snipets of larger software packages, having software that has been migrated to new generations of hardware, and, of course, complicated terms and conditions.  
User Rank: Author
1/28/2014 | 10:07:02 AM
Re: Audit Questions
I now see that you already explained that the right to audit is part of most contracts. But I'd like to know more about the actual audit process--how intrusive and time-consuming it is. 
User Rank: Author
1/28/2014 | 10:04:54 AM
Audit Questions
Doug, for the uninitiated (me, for one), under what authority do software vendors have the right to conduct an audit of their customers' software usage? The IRS has government authority. Do the contracts customers sign with their software vendors give the vendors the right to audit at any time? And what (generally) does an audit entail -- an on-site investigation of some sort?
<<   <   Page 2 / 2
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of Data and Analytics
Today's companies are differentiating themselves using data analytics, but the journey requires adjustments to people, processes, technology, and culture. 
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll