Software Audits on the Rise – The Whys and How to Avoids of Non-Compliance

By Phara McLachlan

Watchdog organizations such as the Business Software Alliance (BSA) and Federation of Software Theft (FAST) are in the business of advancing the goals of the software industry and raising awareness of protecting the intellectual property of software companies. Organizations like these, and the software companies they work hard to represent, receive most of their tips from inside the audited organization itself. They give little warning, and have said that they catch an organization out of compliance every working day. Gartner estimates that the probability of an audit for a midsize to large organization is 40% over the next two years and that it will increase by 20% each year.

Why do software vendors do this? Simply put – revenue. When the economy was hit hard in the U.S., and budgets were cut, software spending was cut. As these revenues slowed, vendors had to look into other ways of maintaining their revenue streams. With fines of hundreds of thousands of dollars and even millions of dollars, audits have proved to be lucrative. The BSA estimates that 25% of organizations that do business in the U.S. have some form of noncompliance, resulting in an estimated $6 billion in lost revenues to software manufacturers.

How Do They Know if We Are Out of Compliance?

OK, now that we understand why software vendors are auditing their customers, let’s address how they find companies that are out of compliance.

  • Public information – In today’s online world, private information is rare. Software vendors can search for the published number of employees in most large organizations (especially publicly traded companies) in a number of ways. They compare this statistic to the number of licenses purchased. This may not be foolproof from the vendor’s perspective, but it’s up to the organization to bear the burden of proving them wrong.
  • Disgruntled employees – Organizations like the BSA have tip lines for suspected software piracy and actually offer rewards of up to $1 million for tips. You’d better believe there are former and even current employees chomping at the bit to get a piece of that reward!
  • Vendor interaction – We are in constant contact with our vendors – from asking a simple question to responding to one – but your query or answer could open up an audit based on the nature of the question or response. Remember that with each interaction with the vendor, information is exchanged. During certain information exchanges, the vendor may pick up on an issue, or a perceived issue, and start an audit.
  • Audits – Vendors will simply send an official audit letter and the fun begins. They often focus on one geography or industry at a time, but simply put, the cost burden is on you, so there is no downside from the vendor’s point of view to doing an audit.

What is the Cost of Non-Compliance?

Non-compliance doesn’t come cheap. There are several costs that must be taken into consideration:

  • Fines – damages for the infringement of intellectual property, plus four times the retail value of the software found to be unlicensed
  • License cost to become compliant – depending on how badly you are out of compliance, this could equal a significant cost in license fees
  • Additional audits – being audited by one software vendor may be a catalyst for other vendors to audit you, especially if the outcome is publicized. The BSA often publicizes settlements and fines for cases they bring to the vendors.
  • Public perception – if the audit/fines are known to the public, it doesn’t bode well for your company’s image. Additionally, jobs can be lost for those responsible for software compliance.

There are two upsides to an audit:

  1. You learn from your mistakes, right? It’s a huge wake-up call to everyone in the organization that software asset management isn’t a nice-to-have, it’s a need-to-have.
  2. This is an opportunity for you to review and revise policies, processes and procedures in order to prevent future pain points from activities like an external audit.

How Do Organizations Fall Out of Compliance?

The fact of the matter is compliance is NOT easy. It’s not just a matter of buying enough licenses either. Software licensing rules are often so complex that even the tech folks don’t understand them fully, and even when they do, the rules change so frequently it’s difficult to keep up. Most organizations fall out of compliance due to a combination of poor record keeping and a misunderstanding of usage rights. Both are equally important to maintaining compliance.

Having a firm grip on your software assets is the first step. Should you get audited, it also lets you provide records quickly and show in good faith that you are making an effort to comply. Additionally, it is important to have a lawyer or consultant who deals specifically with contract negotiation explain to you in detail how you can legally use your software. Do not attempt to figure this out on your own, as it is easy to misunderstand or overlook important aspects of your terms and conditions. For example, there have been cases where a company has expanded overseas and had employees using software in other countries. They were under the assumption this was legal because they had ample licenses, when in fact the licenses were only contracted to be used within the U.S., putting them out of compliance without even realizing it.

How Do We Prevent Non-Compliance?

There are a number of steps that can be taken to be prepared for an audit. Given the likelihood that it will happen, it’s important to at least consider taking the necessary steps for compliance.

  • Asset Management – asset management should go beyond hardware to include software licenses. A repository should be established and reconciled on a regular basis. If you are a smaller company, an Excel sheet with barcodes will suffice, as long as it is checked frequently against your assets.
  • Periodic Internal Audits – perform periodic audits to be sure that the licenses you have are enough for the employees using them and that the terms and conditions in the contract support how they are being used. Get ahead of the vendor and fix anything out of line before they become aware of the issue. Additionally, stay on top of licensing changes, and if necessary, get someone to explain to you their exact meanings.
  • Contract Evaluation – engage your organization’s legal counsel to review the contract(s) to ensure licenses are being correctly used. Find out what you can’t do with the licenses you have and evaluate whether those restrictions work for your organization. If not, re-negotiate your contracts (you don’t have to wait until they are up for renewal to do this – a common misperception).
  • Procurement Policies, Process & Procedures – establish a firm policy for new software procurement to be sure that nothing is being purchased without the IT department’s approval and awareness. Also, be sure to communicate with employees that they cannot download unauthorized software onto their computers.
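
As an added illustration of the asset management and internal audit steps above (example code, not from the article or any vendor tool), the following script reconciles a constructed license repository against a constructed install inventory and flags the three problems the article describes: more installs than seats, installs outside the contracted territory, and software with no entitlement at all. Field names and sample values are assumptions.

```python
# Added example: reconcile license entitlements against an install inventory.
# Entitlement and inventory records are constructed samples; the field names
# are assumptions, not any vendor's or SAM tool's format.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    seats: int
    territory: str  # "WORLD" or a country code the contract permits


# Constructed entitlement repository (what the contracts allow).
ENTITLEMENTS = [
    Entitlement("CADPro", seats=2, territory="US"),
    Entitlement("MailSuite", seats=50, territory="WORLD"),
]

# Constructed inventory (what is actually installed, and where).
INVENTORY = [
    {"host": "ws-001", "product": "CADPro", "country": "US"},
    {"host": "ws-002", "product": "CADPro", "country": "US"},
    {"host": "ws-003", "product": "CADPro", "country": "DE"},
    {"host": "ws-004", "product": "MailSuite", "country": "US"},
    {"host": "ws-005", "product": "MailSuite", "country": "DE"},
    {"host": "ws-006", "product": "PhotoTool", "country": "US"},
]


def reconcile(entitlements, inventory):
    """Return over-deployed products, out-of-territory installs and
    unlicensed products so they can be fixed before a vendor asks."""
    rights = {}
    for e in entitlements:  # sum seats and collect territories per product
        r = rights.setdefault(e.product, {"seats": 0, "territories": set()})
        r["seats"] += e.seats
        r["territories"].add(e.territory)
    findings = {"over_deployed": {}, "out_of_territory": [], "unlicensed": set()}
    for product, count in Counter(i["product"] for i in inventory).items():
        if product not in rights:
            findings["unlicensed"].add(product)
        elif count > rights[product]["seats"]:
            findings["over_deployed"][product] = count - rights[product]["seats"]
    for i in inventory:  # a WORLD entitlement permits any country
        terr = rights.get(i["product"], {}).get("territories", set())
        if terr and "WORLD" not in terr and i["country"] not in terr:
            findings["out_of_territory"].append((i["host"], i["product"], i["country"]))
    return findings
```

Run `reconcile(ENTITLEMENTS, INVENTORY)` after each inventory refresh; with the sample data it reports CADPro over-deployed by one seat, the German CADPro install outside the U.S.-only territory, and PhotoTool with no entitlement.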

The alternative to being proactive with software compliance is being reactive: do the best you can and hope to never face an audit. It’s an approach that seems to work for some, but I don’t advise it. The cost of managing your software assets is far less than the costs of an audit. In addition to compliance, properly managing your assets and how they are being used is a means to creating optimal use of your software assets. Once you know who is using what and where, you can eliminate shelfware and re-negotiate your contracts to ensure that every piece of software you have is being used effectively. There is no downside to effective asset management – the minimal management costs will pay for themselves in cost savings down the road.

It’s not all about the vendor audits or watchdog organizations like the BSA or SIIA. The IT asset manager also has to pay attention to internal audits, which can be even more challenging than a vendor audit.

So I ask again – are you prepared for an audit?

About the Author

Phara McLachlan is the CEO of Animus Solutions, Inc.