OK, so I know the title is a bit "doom and gloom" - but frankly I've seen too many companies over the years get seriously bitten during software audits because they didn't have a healthy respect for the risk when they first accepted the audit (and for the sake of this article...I'm calling it an audit any time you share your installation data with a publisher or anyone representing the publisher).
First, I do not recommend going through one alone. That would be like going to an IRS audit alone - there are far too many obscure rules that can come back to haunt you.
Get professional help before it starts and keep that help around through completion...very few rules are "black and white" and you need an advocate on your side who fully understands the rules and can balance the publisher's interpretation of use.
Here are a couple of things to know before heading into an audit:
- Not all audits are the same - know when you have the right to refuse or limit and when you've already waived those rights.
- Make sure the scope is clearly defined - is it all subsidiaries, all geographies, etc.
- Require a project specific non-disclosure agreement (NDA) be in place with any third-party gaining access to your information and follow up at the end of the audit to require disposal of the records.
- Understand under what circumstances you'll be billed for the cost of the audit.
- Ensure that the audit is being conducted under the rules of your active agreement with the publisher and the pertinent product use rights for the products in use.
There are many more, but this is a start. The
ITAM Review has a number of useful articles on this topic that you should consider reading as well.
Pitfalls to be aware of to avoid audit problems:
The best possible situation is to avoid an audit altogether. While this is becoming more and more difficult as publishers have realized that audits are a profitable activity that helps them meet revenue goals (most of the heads of software publisher compliance groups have revenue goals much the same as a sales group), there are steps you can take to reduce your chances of an audit.
- Regularly conduct your own audit. Know what you own, what and how you are using it. If contacted for an audit, be sure that your executive handling the conversation can speak knowingly and authoratatively on current usage by product and the timeliness of that data. Software publishers don't want to throw their money away on an audit that is going to produce no licensing revenue. The more they feel that you already have things under control the less likely they are to require a full onsite audit.
- Watch your external access, make sure you are appropriately licensing clients, vendors and partners for their access to your computing resources.
- If your customers are using your computing resources, make sure that you are covering that usage under the appropriate licensing agreement. Most publishers have service provider agreements (Microsoft's SPLA or VMWare's VSPP program being two of the most common) allowing for you to host their products for use by others - there is a lot of gray area in determining when you need to license under these versus when you can use perpetual licenses so make sure you have a professional help you make this determination.
- Licensing is typically entity specific. While everyone in my organization is licensed to use a Microsoft Windows 2012 server within my organization that licensing does not cover us for when we access a client's organization.
- There are expensive ways of handling this and less expensive ways - having licensing advice when you're setting up access can help you avoid unnecessary costs.
- Minimize OEM and non-volume purchases. Frankly, publishers regularly mine their entitlements data on clients to determine inconsistencies for compliance issues. If a publisher can't see a full picture of your purchases it can increase the chances of an audit.
- Keep your purchasing records. If you are still using the software (or it's successor if that successors licensing is based upon the original purchase), then you need to have ready access to your proof of purchase. Consider for example Attachmate the owners of some (current and) legacy emulation software. They audit on a regular basis - can you demonstrate that you purchased the 50 copies of KEA or myEXTRA! that you still have running in your organization? If not, the cost to buy new licenses can include interest based upon when the software was originally released.
- Pay attention to country of usage rules. Most publishers have some restriction on using software in a country other than the one purchased. Autodesk, VMWare and Microsoft (under the Open licensing program) all restrict usage across geographical boundaries.
- Understand transferability rules of licenses during mergers, acquisitions and divestitures. For example, Autodesk states that their licenses are typically not transferable and have the right to refuse a request for transfer, if they do accept the transfer they can require that subscription costs be added to the license.
Already in an audit:
Regardless of what stage the audit is in,
get help. Make sure you have someone working as your advocate that has experience in software audits, strong knowledge of the publishers current and historical agreements and product use rights and the frankness to give you an accurate picture of where you stand (this is not the time your management team wants anything sugar coated...they need to know the reality so they can prepare).
Double check everything the auditors present to you - math errors and mis-interpretation of product use rights and licensing terms are frighteningly common.
