Preparing for a software licence audit
- 10 December, 2012 12:46
Facing a trying economy and decreasing new licence sales, enterprise software vendors are turning to more frequent licence audits to turn up missing revenue.
A Gartner survey revealed increasing software licence reviews, with 60 percent of respondents in 2010 reporting being audited in the previous year compared with around 30 percent in 2007. And a 2011 IDC/Flexera study revealed that 56 percent of large enterprises were audited in the prior year – 17 per cent of them saying they had been audited three or more times.
"The difficult economy and resultant ongoing enterprise IT budget constraints means that large software deals are becoming less common," says Dr. Jonathan Shaw, a principal with outsourcing consultancy Pace Harmon.
"The worst mistake that an enterprise can take is to sit back and passively accept the audit terms, process and results."
Meanwhile, licensing use-rights are being applied to increasingly complex IT environments that have evolved beyond their long-standing software agreements.
"Software providers' reaction to infrastructure advances had led to a proliferation of abstract and potentially confusing licensing metrics in contemporary agreements, which have made entitlement tracking considerably more difficult with a risk that simple technology refreshes and environment optimisations will cause an enterprise to fall out of compliance," Shaw says.
When a software provider wants to conduct a compliance audit, it formally notifies the enterprise of its intention and then works with the customer to examine the enterprise environment to identify any license shortfalls.
Anything from use of software on non-named servers to lack of centralised software asset management processes to inadvertent including of software on a base image can raise red flags.
Any gaps uncovered form the basis of a settlement and a requirement that the enterprise rectify the situation within a certain period of time. But there are steps a corporate IT organisation can take long before the auditors arrive to limit potential damages, from choices made during contracting to management of the software life cycle to preparing for the audit itself.
Pick the right licensing structure
Selecting the right licensing structure is the first step toward maintaining compliance. There are an increasing number of options, and picking the one that meshes best with the enterprise's software asset capabilities is key.
"An enterprise with robust desktop asset management and configuration discovery capabilities may find it straightforward to manage a per-device or per-named-user licensing scheme," says Shaw.
"Conversely, if the enterprise doesn't have its distributed environment under control, such a licensing scheme could be disastrous, and a per-processor or per-processor core scheme might be a better option."
Left unchallenged, a vendor will write as many rights and restrictions as possible, such as precluding an outsourcer's use of the software, geographical limitations, and sublicensing bans. "All, depending on the leverage that the enterprise wields, are negotiable," says Shaw.
Software customers can also look closely at the provider's audit rights. While audit rights are standard in any enterprise software agreement buyers may be able to negotiate limits on audit intrusiveness and duration and provisions for equitable settlement of inadvertent non-compliance, says Shaw.
Keeping compliant with software licences
The best way, by far, to stay out of license trouble, is to maintain robust software asset management (SAM) processes. "Given the increased market risk and Sarbanes-Oxley, the average enterprise generally has at least basic SAM processes in place, typically augmented with some sort of automated SAM toolset," says Shaw.
But that's not enough. To stay in compliance in a dynamic enterprise, software licensing must be a core part of change management, says Shaw. Upgrading servers?
One of the first questions ought to be how that impacts licensing needs. "Most enterprises have room for improvement in this area, as demonstrated by the frequency and size of licensing settlements," says Shaw.
As for tools, spreadsheets are no longer enough. An IDC enterprise software survey found that about 75 percent of companies use an automated solution to help manage software compliance.
When an IT organisation does find a licensing issue, it's best to fess up. "If the enterprise knows that it is out of compliance, then it should engage with the vendor," says Shaw.
"It may also be advantageous to pursue proactive remediation, which generally allows the enterprise to take advantage of negotiated discounts, select the licenses it needs and avoid any punitive costs, which may not be options in an audit scenario."
Even in gray areas, the increased likelihood of an audit today make taking it to the vendor the best call. Working with the provider account team means that the enterprise is engaging with a group that is interested in the longer-term relationship and gives the enterprise an opportunity to negotiate pricing and terms, and to achieve favorable outcomes on areas open to interpretation," Shaw says.
"Once you are in an audit situation things become much more restrictive, and your negotiating leverage is dramatically reduced once it is demonstrated you are out of compliance."
Preparing for the software audit
Audit procedures vary by provider, but the first step is to contact the vendor to find out the scope of the audit and begin an internal audit in parallel. Depending on results, it may be possible to proactively address the shortfalls.
If the audit proceeds, its important to manage the process "aggressively," says Shaw, ensuring that all communications are appropriate, that the process includes an opportunity to review findings prior to settlement, and validate that the auditor has included all licenses to which the customer is entitled.
"The enterprise should clearly understand the audit rights in the provider agreement and reasonably push back against any activities that are not mandated," says Shaw. "Auditors may not have included or correctly applied all licence entitlements. They may have classified development or test servers as production machines. They may have made incorrect assumptions around complex areas such as virtual server pools."
Finally, customers should approach settlement talks as another negotiation. "Never accept the initial settlement demand as cast-in-stone," Shaw says. "If non-compliance was inadvertent and reasonable, a possible counter-offer might be based on achieving and maintaining future compliance rather than back-dated compensation, retributory list pricing and other punitive costs."
In other cases, have in mind a dollar value settlement. A reasonable target settlement amount is the estimated supplementary costs had the enterprise stayed in compliance, according to Shaw. Don't expect to get off without writing a check at all, but use any leverage as a current and future customer to seek an equitable result.
"The worst mistake that an enterprise can take is to sit back and passively accept the audit terms, process and results," says Shaw. "This can result in interminable fishing expeditions that consume internal resources for months at a time, settlement demands based on erroneous assumptions and data, and a settlement that is many times greater than it could or should be."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Trust issue looms large for tech companies capitalizing on personal data
5 women who've made it in IT
Five trends affecting legal CIOs
CIO Roundtable: The changing face of security
Bitcoin malware count soars as cryptocurrency value climbs
Keeping up with an Increasingly Sophisticated Threat Environment
Relying on traditional signature based Anti Virus alone is simply not sufficient to prevent today’s onslaught of new, sophisticated and advanced malware. This whitepaper describes in detail, some trends and statistics on the malware detection, it then introduces a multi-vector approach to accurately detect malware in the IT environment, and verify that existing anti malware already deployed are functioning optimally.
Evolving Threats Demand New Approaches to Security
As the world becomes increasingly hyperconnected, the opportunities for innovation are virtually limitless. At the same time, the complexity and risk associated with those opportunities is great. Security threats have the potential for enormous ramifications, but so does deploying a security strategy that compromises the user experience, performance, and the ability to innovate online. This paper will profile the emerging disruptive players, and identifies the essential steps to establishing a secure environment without compromising performance or experience.
Taking Managed Security Services to the Next Level
In this white paper, we will outline the changing landscape of security; the importance of a high-security posture; the elements of effective Web, endpoint, user and mobile protection; and the ways in which Webroot helps partners increase the value and profitability of their security practices.