Software audits may be an inevitable annoyance for enterprise organizations. They can be expensive, resource-intensive, and stressful. Organizations can end up paying six-figure sums to vendors, even without going to court, and those funds are often unbudgeted expenses that have not been part of your company's strategic plan. These audits are a momentum-killing drag on any enterprise's success.
How widespread are such audits? In 2013, Gartner polled attendees at two of its events -- in Orlando and Barcelona -- as well as attendees at the ITAM North America Summit. All respondents were involved in IT procurement. Nearly half of the 103 respondents said they had to contend with more than one software audit in the previous year.
Costs go beyond the settlement itself. Staff members are pulled off their normal tasks to deal with the work related to the audit. The experience can disrupt a company's productivity and workflow.
Data from a 2013 survey by Express Matrix found that the vendors most likely to conduct software license audits are Microsoft, Adobe, Autodesk, Oracle, and SAP, in that order. Among organizations with 10,000 or more employees, IBM took the number-four spot, bumping Oracle to number five. The Express Matrix survey was based on interviews with 178 senior IT managers at North American companies with 500 or more employees. It found that 53% of respondent firms have been audited within the past two years.
[Looking for more on software license audits? Read Software Audits: Are You Ready?]
While some software audits are inevitable, it may be possible to reduce your risk, depending upon the language of the software license.
Software licenses are contractual agreements between a software publisher and the user. Failing to abide by the terms and conditions stated in a software license may result in an audit, unplanned licensing costs, and maybe even litigation. If the matter goes to court, your company may be held liable for breach of contract and copyright infringement, whether or not the infringement was intentional.
Software audits can be mildly annoying or excruciatingly painful depending on a number of factors, including the software publisher involved, the dollar value of the software, who is conducting the audit, and the licensee's recordkeeping practices. To help minimize your risks, consider the following.
Understand the Language of the Contract
Software licenses, like other types of contracts, use specific language to define the rights of the parties. One obvious, but necessary, point that companies should pay more attention to is the scope of the license, such as how many users or CPUs it covers. SaaS solutions inherently avoid such issues because license management is an inherent feature of the platform, but few companies are only using SaaS products.
"For desktop environments counting users and devices is important and contentious. In the data center, it's about [how licenses are used], who has access, and you count in light of complicating factors like virtualization or third party access," said Robert Scott, managing partner at law firm Scott & Scott, in an interview.
There are other terms and conditions that can trip companies up, including renewal terms and the software publisher's right to audit. Depending on how the license agreement is written, there may be a period of forbearance in which the publisher won't audit.
There may also be language defining how discrepancies will be handled, such as whether a penalty will be assessed, and whether the target has to pay for the software at retail price or at a discount. Scott makes a point of negotiating the auditing terms for his large enterprise clients. Smaller companies don't often enjoy the same level of bargaining power.
"We'll negotiate heavily on the terms and conditions, including the audit language. We'll say we'll sign this three-year deal for X dollars if you agree you won't audit us during the deal. You can audit us after the deal expires. That way, you've eliminated the publisher's right to audit and you don't have to worry about it," said Scott.
Some software publishers conduct audits as a matter of course, which may come as a surprise later if a company fails to properly review and manage its software licenses.
What Triggers an Audit
Software misuse usually triggers an audit. A disgruntled employee may have reported such misuse to BSA, The Software Alliance or a similar organization in hopes of getting a portion of the settlement. Alternatively, the software publisher may have noticed something that suggests an audit may be wise.
"There are some instances where there's an anomaly in reporting that indicates to the licensor there's a problem. Or there may be news about a merger, a major expansion, or something else that tells the licensor the customer may be due to up their limit, especially for products and systems that aren't self-regulating," said Greg Wrenn, a partner at law firm Paradigm Counsel, in an interview. "A lot of [software publishers] systematically go through large accounts to make sure they're compliant, and so the audits may be triggered by a renewal period."
Sometimes the activations at a particular customer site appear to indicate infringing use. For example, a customer bought product X but not product Y.
"IBM's virtualization rules involve something called subcapacity licensing, which customers have to qualify for to be eligible, and virtually none of the clients of IBM are eligible," said Scott. "Almost all of IBM's customers using virtualization are buying licenses as though they were entitled to subcapacity, but they haven't deployed IBM's discovery tool, called [IBM License Metric Tool], which is required to be eligible for subcapacity licensing. [When] the auditors come in, they ask the customer, 'Do you use virtualization?' Yes. 'Do you have ILMT?' No. And then they calculate a damages model that's based on full capacity."
Liability for Noncompliance
Violating license agreements can be expensive. Six defendants recently pled guilty in a software piracy case worth more than $100 million. While it wasn't an enterprise company left holding the bag, the outcome illustrates the consequences. In enterprise settings, most noncompliance is unintentional, which usually means the company did a poor job of managing its software licenses.
If a company does not go to court, at minimum it will likely have to "true up," which means pay any licensing fees owed for software overuse. That can easily mean six or seven figures in large organizations. Licensees may also be subject to fines and penalties outlined in the license agreement. If the matter goes to litigation, the causes of action usually include breach of contract and copyright infringement, whether or not the noncompliance was willful or negligent.
"You risked using copyrighted material. In addition to all the legal fees that would be involved in litigating a copyright infringement matter, you're also looking at damages, statutory damages most likely, for the infringement itself," said Ty Doyle, a partner at law firm Smyser, Kaplan & Veslka, in an interview. "Even assuming a minor infraction of only a few copies of a not particularly valuable piece of software, you might have to spend five figures or more defending yourself it becomes a lawsuit."
The best way of reducing the potential liability associated with an audit and the amount of overhead involved in an audit is to understand and manage the licenses you have. Adam Coates, associate general counsel and managing director for compliance and enforcement for the Americas at BSA, highly recommends using a software asset management tool that can help ensure compliance.
"You don't have any way of knowing whether you're deploying licenses properly if you're not managing them. It can be an issue when a company has not been careful in procuring software. Maybe they've gone online to find the best possible price and they go to a less-than-reputable seller online [who has] sold the company an academic or a home license. It may be that it isn't until we come calling that they realize what they bought wasn't what they intended to buy," said Coates, in an interview.
Also, while many people in an organization may believe they are able to read and understand the plain language of a licensing agreement, lawyers understand considerably more, including the legal meaning of the language and why licensing agreements are structured the way they are. To minimize unnecessary risks, companies should have policies and procedures in place that govern software acquisition and use.
"Responsible software asset management includes policies. You have to make it clear that your organization doesn't install unlicensed software, so everyone knows this is a properly run company with policies in place. You want to implement those policies, monitor the implementation of those policies, and educate employees," said BSA's Coates.
What to Do if You're Facing an Audit
That's a topic worth its own article, and we've got you covered in an upcoming follow-up. Be sure to read it so you understand what the auditors are looking for and what you should do and not do if you receive an audit notice.
In the meantime, it's important to understand that the information contained here is for informational purposes and is not legal advice. If you want to minimize your risk of an audit, and minimize the potential costs and time that may be associated with an audit, make sure you work with in-house or outside legal counsel as necessary. This will ensure that you understand your scope of responsibility and the potential risks of failing to comply with a software license well before ever receiving an audit notice.
**Elite 100 2016: DEADLINE EXTENDED TO JAN. 15, 2016** There's still time to be a part of the prestigious InformationWeek Elite 100! Submit your company's application by Jan. 15, 2016. You'll find instructions and a submission form here: InformationWeek's Elite 100 2016.