Received a software audit notification? Here’s what to do next…

null

‘You have been selected for a routine software license review….’ This is the start of a chilling and possibly bruising process. 

Software audits, instructed by vendors against their customers, can be damaging to a business and its finances. In fact, a global study by Flexera shows that 75% of enterprises are found to be out of compliance with their software contracts during an audit. 

The problem has become increasingly prevalent over the past two decades, driven by the huge migration of IT systems to the cloud. This has placed new and mounting pressures on vendors historically reliant on the sale of ‘on-premise’ software. The vendors, in turn, are using their software audits on existing customers in order to generate more revenue.

The performance of different IT heavyweights contextualises the issue: while the cloud market has expanded at pace, Oracle’s revenues have risen by only 7% in six years. Meanwhile, from the start of 2012 IBM saw its revenues fall for 22 successive quarters, only bottoming out this year. Conversely, since its launch in 2006 Amazon Web Services has gone from non-existent to a $24bn cloud business, while Google has also seen significant success with its G-suite – having launched in 2010, it already turns over $4bn a year.

The resulting reliance on software audits as a revenue-generating mechanism for traditional vendors around the world has put large enterprises under threat – a growing number of high profile cases have entered the news over recent years in which firms have been heavily penalised for non-compliance uncovered during an audit, and awareness of this issue is growing. So, for organisations that have been notified of a pending software license review, here are some thoughts on what to bear in mind:

1. Don’t take it personally: every major corporate struggles with software licensing. With shifting technologies, legacy businesses and continuous refinement of the infrastructure, under-licensing will always occur.

2. Recognise that this will take time: yes, you could settle immediately. But if you truly want to interrogate any audit findings and only settle for the true liability, this may be a three to six month process, so prepare for the long term.

3. Don’t give up information: be intensely guarded, especially in the early days, in surrendering key information to the vendor. Such information might be used against you down the line.

4. Examine the audit rights clause: some provisions are poorly worded and, for instance, grant no rights of access to company premises. Others refer only to use of the software but do not extend to permitting access to the full infrastructure.

5. Secure a data-sharing agreement where necessary. 

6. Don’t be bullied into irrelevant cloud purchases; these purchases are increasingly part of tacit demands by the vendor. The current class action suit against Oracle explicitly highlights this (alleged) unsatisfactory practice.

7. Remediate now: if you have some residual anxiety about whether you are fully licensed, examine whether deployment or license usage can be adjusted now – before the auditor’s scripts are run.

8. Run your own internal audit first: specialist licensing consultants can utilise equivalent or better scripts, analyse license usage versus the original grant and assess likely financial demands from the vendor.

9. Alert the CFO: they should expect, in due course, a very large unbudgeted demand that can, if properly supported, be reduced down substantially. It is important to ensure the company’s response to the audit has the full knowledge and support of the CFO and that no divide and rule approach by the vendor can succeed.

10. Don’t assume that legal arguments alone will displace a large demand: license managers at the vendor fully believe that only they are the arbiters of truth and that their interpretation of the license terms are correct; solicitors’ letters are generally ineffective.

11. Forget that you’ve had a long-term trusted relationship with the vendor; this counts for nothing as the audit will be instructed from the very top level of management within the vendor and not with the organisation’s usual point of contacts.

12. Recognise the true audit purpose: this is not a reassuring chat to confirm that all is well. The process is a determined revenue-generation mechanism for the vendor.

13. Check shelf and other software not yet deployed: demands based on ‘matching service levels’ can be substantial.

14. If using virtualisation (VMware), consider the licensing impact – for example, IBM’s sub-capacity terms or Oracle’s partitioning policy. Have you been reporting under ILMT? Assume licenses are applicable to all processors potentially available to the programs unless approved hard partitioning is in place. Understand that licensing is generally based on installation or potential usage as opposed to actual running.

15. Consider whether indeed you might be interested in new product purchases: check elsewhere in the business for other applications/technology purchases being considered. An offer here can be an effective element to bring a confrontational audit to a close.

16. Consider the vendor’s timelines: their year-end can be pivotal but in other areas, such as Service Provider Licensing Agreements (SPLAs), the vendor may only be concerned with agreement to the Effective License Position irrespective of timing.

17. Consider the auditor’s timelines: a number are incented on speed to closure of an audit.

18. Consider your own timelines: check the deadlines of your own statutory audits and when any provisions as to software liabilities would need to be disclosed.

19. Instruct specialist software licensing advisers independent of the vendor: don’t assume that a reseller or platinum partner can assert your best position to the vendor.

20. Fight every demand: there are often contractual, technical and commercial arguments that together can destabilise and substantially reduce any settlement payments that are demanded.

Ultimately, it is important for organisations to understand that action can be taken before or after the audit is conducted. As outlined above, the CIO ought prepare thoroughly for a license review, ideally by conducting its own. Furthermore, even during and after the audit, steps can be taken to challenge claims and decrease the final bill.

Robin Fry, Director of Cerno Professional Services

Image Credit: Wrangler / Shutterstock