What to Expect from a Software Audit

In recent years, there’s been a rise in the number of software audits conducted by software publishers. There are two reasons for this, the first being an attempt to combat software piracy. The second reason is that fines levied against non-compliant organizations act as a source of revenue for software vendors.

Nonetheless, companies with licenses may be unprepared to find that they are being audited by their software vendor. If this happens at your company, here’s what you should know and expect about the impending audit process.

A software audit is conducted when a software vendor believes that a company is in violation of their user agreement. The audit is performed by an independent, unbiased third party that reviews software usage, number of licenses, and contracts to determine if there are any violations that have resulted in software piracy (defined by the BSA). This may include as examples: buying one copy of the software and installing it on multiple devices, making copies of the software, or using virtualization with the wrong type of licensing. If it is determined that the company is in violation of their contracts, then fees or other legal action may be taken by the software vendor.

When a company is served a notice for being audited by a software vendor, it will likely include details as to what software they are being audited for and a time period for which they have to respond to the allegations. This notice can alter long-term plans and spending agreements as resources are reallocated to deal with the audit process, whether or not there are any violations. Knowing what to expect before the software audit letter arrives and how to handle it will help the process move along as smoothly as possible.

In the meantime, in preparation for the actual audit to begin, there are a few things you can do:

The software vendor isn’t likely to forget that they’ve served you with an audit notice, so it’s best to simply cooperate and communicate with the vendor. Be sure to review the audit timeline and communicate your plan of action. This ensures that you have some control in the process while also asserting your company’s proactiveness. Also review with your legal team the policies around data sharing, and be open with the vendor when you are investigating this. If the timing is really bad for your company due to change freezes, or important seasonal activities in your industry, request with the vendor an extension. Communication is key here, and this should be from an appointed single point of contact within your organization. All other communication should stop with that vendor if possible.

Build your own task force comprised of the most relevant stakeholders in your company. These individuals should be from IT, legal and software procurement departments, and would need executive alignment. Meet with your task force to figure out a strategy for the audit process such as timelines or roles and responsibilities. This will save you time and resources later on.

Have legal services review all relevant information, such as:

Existing contracts/agreements with the software company, including:

• End User License Agreement (EULA).
• What constitutes proof of license?
• Clearly define software license usage rights.
• Are copies of the software permitted? (backup and disaster recovery)
• Do test environments need to be licensed?
• What are the consequences of under-compliance?
• Under what circumstances (if any) will the organization be liable for the cost of performing the audit?

Audit provisions:

• Does the organization require confidentiality agreements to be signed by the auditor?
• Are the auditors permitted to remove anything from the organization?
• Will the software being audited be able to continue to be used if the organization is found to be non-compliant?

If your company has never been audited, then this process might be unfamiliar to you. Typically, once you’ve been served an audit notice, you can expect the following things to happen:

• Meeting to explain audit phases – contracted auditors from the vendor will meet with your company to discuss and explain each phase of the audit
• Data collection – the auditors will collect data pertinent to their audit such as number of software licenses, list of applications installed on devices, users who have access to software, and proof of licenses.
• Report of findings – the auditors will put a report together explaining their findings and schedule a meeting with your company to address any concerns. After the meeting, the auditors leave their findings with you and the vendor to decide how to move forward.

Many companies also hire outsourced software auditors to conduct internal audits of their assets and reveal any legal, operational, or security risks within their software usage.

Special considerations:

• IT Actions:
• Inform legal services if the tool can be run in a test environment.
• Inform legal services of the timeframe for adequate testing.
• Test the tool/script.
• Alert management of possible risks.
• Legal services prepare a response to auditor:
• Inform auditor of the time required to test their tool/script.
• Arrange a contract for consequential damages if the tool/script impacts the organization’s production environment.
• Request confidentiality agreements and return of any documentation to the organization.

If your company is found to be out of compliance with your software contract, you’ll likely begin negotiations with the vendor on what you’ll be paying them in fees or penalties. Many software vendors are willing to work with your organization to establish a realistic financial plan. With the focus on cloud consumption from most software vendors, there may be an opportunity to negotiate the final outcome based on the types of licenses that are purchased.

It is an important point to note that often due to the complexity of licensing the auditor’s results may not always be 100% accurate. It is always recommended to have a trusted software licensing expert review the results.

In SoftwareONE’s experience for some vendors we have seen an average reduction from the initial findings by over 60%! The recommendation is to conduct your own internal audit and compare the two sets of data to provide evidence during any negotiations or to have the ability to push back on the first draft results provided by the auditing party.

For example, the City of Denver’s Denver Technology Services was found to hold licenses for Oracle software totaling around $1 million a year, however their usage of Oracle resources was actually about $10 million. Oracle agreed to settle the audit for $3 million with a 5 year contract for $4 million a year.

To avoid noncompliance and fines in future audits, you need to keep track of your software assets by implementing a software asset management plan. This plan will help you manage licenses and software usage so you can remain compliant. A software asset management program will:

• Help control costs on software spending and consolidate software that does the same thing
• Manage legal and security risks stemming from incorrect software usage
• Enable IT growth by determining what software is needed while also anticipating future software needs

Being served an audit notice can certainly be alarming. However, if you’ve taken the necessary steps to make sure your organization is compliant, then it will be less resource intensive, and ultimately provide financial security.

Internal software audits are important to conduct on a regular schedule, perhaps once or twice a year or whatever is best for your business cycle. Regular audits help minimize security, legal, and operational risks associated with licensing software. SoftwareONE can assist your company with both an identifying SAM Maturity Assessment and a software compliance assessment that identifies risks and provide action plans.

There may also be a reason for concern if you are not being audited, with particular emphasis on the software that is being utilized in the cloud. Our experience is that most companies do not have the right tools to manage their cloud spend with regards to visibility of where the consumption is being used from within the business, but also to allow for accurate future forecasting. SoftwareONE has assisted many companies to have access to this data, eliminating the cloud risk of significant overspend, resulting in wasted budget.

The advice as always is to be proactive. Take the time to understand your entitlement, your on-premises deployments, and your cloud consumption. A small investment here can pay dividends with a rapid and expansive return on investment.