Protecting Enterprises Against Software Audit Risks

By TMCnet Special Guest
Jonathan Shaw
  |  April 29, 2013

Today’s IT environments utilize enterprise applications in ways that have evolved beyond those envisaged by legacy license agreements. Multi-core and multi-thread processor architectures and data center virtualization have made CPU- and server-based licensing schemes substantially more complex. Tightly integrated application architectures and information portals blur the definition of direct and indirect users. And developments such as globalization, shared service centers and business process outsourcing each risk contravening license restrictions. These factors make it more challenging to remain compliant with license terms; an IDC survey showed that 62 percent of software providers considered maintaining compliance with their software products to be “somewhat” or “very” challenging.

Beyond the increasing likelihood of out-of-compliance software usage, a difficult economy and decreasing new license revenue have led providers to conduct more frequent audits. While audits previously occurred in response to whistleblowers or suspicious licensing behaviors, many providers now proactively audit all or most of their customers. For Fortune 500 companies, this can potentially result in multi-million dollar liabilities so it is critical to manage this growing area of risk with specific steps at each stage in the software lifecycle — during initial license acquisition, throughout the period of software usage, and in response to a provider audit.  

Recommended Steps to Reduce Compliance Risk

Negotiating a software agreement can be complicated, and there are a few key areas that require focus. If licensing options are available, the enterprise should select the structure that, in addition to offering cost effectiveness, best enables compliance certainty. A per-user or per-device licensing scheme in an environment with weak configuration discovery and desktop asset management could be disastrous.

Within the agreement, the enterprise should attempt to remove use restrictions that could constrain possible software use and cause inadvertent non-compliance. Providers’ default agreements may preclude third-party use by an outsourcer or business partner, limit the geographical flexibility to consolidate data centers or deploy global shared service centers, and restrict sublicensing and assignment. Audit rights will be outlined in the agreement, and the enterprise should negotiate reasonable constraints that limit audit intrusiveness and duration, as well as providing for equitable settlement in the event of non-compliance. Note that software agreements frequently refer to other documents, such as “Customer Agreements”, “Product License Agreements”, or “Product Guides”. The enterprise should make sure that the agreement does not allow either the agreement itself or the referenced documents to be changed unilaterally.

Establish Robust Software Asset Management

Having established an agreement that helps the enterprise avoid license infringement and protects from the worst aspects of a software audit, the focus then shifts to ongoing operational compliance and implementing a robust approach to software asset management.

License compliance and tracking should be centralized as a core capability within IT with an assigned executive owner. The compliance team should be involved in any license procurement and included in the enterprise change management process to catch any unanticipated licensing implications. The team should also conduct periodic manual audits to confirm the output of any automated discovery tools and verify enterprise license entitlements.

ITILv3 provides some guidance on SAM, but a more detailed source of better SAM practices is the ISO/IEC 19770-1 standard, which outlines a process framework designed to satisfy corporate governance requirements. In the event of an audit, adherence to processes based on ISO/IEC 19770-1 demonstrates, at a minimum, that the enterprise has made reasonable efforts to maintain control.

With regard to supporting technology, most enterprises are realizing that Excel and manual data entry are no longer sufficient; 75 percent of enterprises support their SAM processes with tools, whether provided by the software vendors, as modules within a larger enterprise ITSM toolset, or as third-party standalone applications.

Engage Actively in All Software Audits

In the almost inevitable case that the enterprise is audited, the worst mistake is to sit back and passively accept the audit terms, process and results. This can result in interminable fishing expeditions that consume internal resources for months, settlement demands based on erroneous assumptions and data, and an unnecessarily costly resolution.

The enterprise must understand the provider’s audit rights and reasonably push back against any activities that are not mandated. Audit duration should be defined upfront, and if non-compliance is not demonstrated in the available time, then the audit must end. Following audit completion, the enterprise needs to review the auditor’s report in detail. Auditors, who may be third parties with limited expertise in complex licensing schemes or infrastructures, may not have correctly applied all license entitlements (particularly if product names have changed over time) or may have classified development or test servers as production machines. They may also make incorrect assumptions about virtual server pool allocations and CPU types. These need to be addressed before any settlement amount is raised. Finally, the enterprise should treat the initial settlement demand as a negotiation starting point. If non-compliance was inadvertent and reasonable, a possible counter-offer might be based on achieving and maintaining future compliance rather than back-dated compensation, retributory list pricing and other punitive costs. If the enterprise can establish a reasonable and fair position and demonstrate its resolve to contest any larger claim, it may force the software provider to consider the value of the “bird in the hand” in meeting reporting or personal bonus deadlines.

For enterprises with a substantial software portfolio, software audits are now practically unavoidable. However, by actively taking steps to structure licensing agreements appropriately, minimizing compliance uncertainty through robust SAM processes, and vigorously engaging with the provider during software audits, the risks and resultant potential costs from these events can be effectively mitigated.

Jonathan Shaw, Ph.D., is a principal at Pace Harmon, an outsourcing advisory services firm providing guidance on complex outsourcing and strategic sourcing transactions, process optimization, and supplier program management.

Edited by Stefania Viscusi