Surviving Software Audits – Understanding Causes, Prevention Strategies and Winning Audit Processes

By Frank Venezia & Steffani Lomax, Siwel Consulting

Over the past several years, a phenomenon has emerged that has a profound effect on mid to large enterprises – the rise of the software audit. The number of software audits has increased dramatically, to the point where every organization is at risk. A recent Gartner study of 228 participants who attended the 2011 “IT Financial, Procurement and Asset Management Summit,” indicated that 65% had undergone a software license audit at some point during the previous twelve months.

For organizations that are unprepared, a software audit will give rise to a painful, lengthy exercise, requiring participation by numerous resources from various organizational units and countless man-hours. In addition to the internal expense of preparing for the audit, the overwhelming majority result in a finding of non-compliance, particularly when a company is unclear on its Net License Position with the respective vendor. Achieving compliance can be costly and often requires purchasing additional licenses at list price rather than at the original negotiated discount, and paying associated retroactive maintenance costs. The net result of the audit is typically a large, unbudgeted expense impacting the profitability of the organization. Conversely, organizations that are well-prepared can actually prevent an audit.

What are the root causes of audits, and how do vendors determine which customers to target?

Business Drivers for Software Audits

There are several business drivers for audits: software piracy, the economy and revolutions in technology. The most obvious is software piracy, which is on the rise, forcing software companies to protect themselves by conducting more audits. Let’s examine the other drivers in more detail.

The Economy

Economic downturns generate the need for companies to replace income lost due to declining sales. Software companies become challenged to meet their revenue targets as their customers proceed more cautiously with buying decisions, purchasing software only as needed rather than based on anticipated future requirements. The economic downturn in 2008 fueled this business condition, which continues to exist today.

A software audit is an ideal revenue generating opportunity, an attempt to uncover “low-hanging fruit” with minimal cost and risk to the vendor.

Revolutions in Technology

Technology is changing more rapidly than ever, and these changes have created software licensing challenges. At the forefront is the adoption of virtualization, which has rendered obsolete the old concepts of server licensing, and replaced them with a multitude of factors that determine the most appropriate license type for a particular environment. Cloud computing and Software-as-a-Service (SaaS) models have also complicated measurement of software deployments, with some licenses based on number of users, some on number of devices and still others defined as “enterprise.” There are also different types of “per-user” licenses; some are based on concurrent users, others on total users.

Generally speaking, changes to contract terms and conditions lag behind innovations in technology. As new technology is introduced and implemented, the impact on software entitlements is overlooked and addressed after the fact. Software vendors want to be compensated fairly for the value their customers derive from their products, so they define and implement new licensing metrics that are by necessity more complex. So as technology advances, licensing models continually change; in fact, one leading software vendor made eight changes to license terms and conditions in less than two years.

In a climate characterized by ever-evolving technology, companies can easily spiral out of compliance without even knowing it. Software vendors then capitalize on this chaos by increasing compliance audits.

The Audit Selection Process

How is a company selected for an audit? Each of the factors previously discussed contributes to the selection process, which is based on specific metrics.

For most mid-market and larger companies, software vendors assign an account team to focus on the business and technology needs of their customer, with the ultimate goal of driving revenue. In addition to selling new software, the team’s responsibilities also include intelligence gathering. The team’s sales representatives engage with their customer to learn about any upcoming major initiatives, strategic business changes, or other triggers that could lead to the purchase of additional products and services. Examples include a virtualization initiative, server consolidation, a storage or disaster recovery project, data center relocation, a merger or acquisition, or any organizational change that would require additional technology.

A software vendor will also look at other factors and variables. Vendors weigh the ratio of software licenses to number of employees, hardware purchases and server upgrades, and long stretches with no net new licenses. A company with an upcoming contract renewal will draw keen interest. Finally, vendors will often audit the customers with the fewest controls in place for tracking and managing hardware and software assets. If an organization demonstrates uncertainty as to the number of licenses deployed for a particular product, the vendor will become more curious.

Top triggers for a software audit:
  1. Vendor account team intelligence
  2. Declining spending with vendor
  3. Unbalanced ratio of licenses to employees
  4. Upcoming contract renewal
  5. Organizational changes
  6. New technology initiatives
  7. Mergers, acquisitions or divestitures

Regardless of the specific reasons for the audit, it is critical for an organization to be ready and have processes in place that can actually prevent software audits from happening. Software vendors have the right to know if their customers are in compliance. However, it is incumbent upon the customer to prepare and potentially prevent the audit.

How to Prepare for a Software Audit

How are audits initiated and how do companies prepare?

Companies are typically notified about an impending software audit by letter. Most of the leading software vendors put a “buffer” between themselves and their customer to preserve the relationship, often by hiring one of the Big Four accounting/audit firms – PricewaterhouseCoopers, Deloitte Touche Tohmatsu, Ernst & Young or KPMG – and having them send the notification letter. The Big Four have certifications in audit methodology, so employing one of these firms establishes a formal process and adds credibility to the findings.

There is a loose consensus among licensing experts that every dollar spent with an auditor yields a $40 – $70 return. One of the Big Four expects most audits to result in a settlement of 10% of the existing install base. In other words, if a company owns 20,000 licenses of a specific publisher, the expected settlement to regain compliance will equal the value of an additional 2,000 licenses.

Once the notification letter is received, a company needs to organize internally prior to responding. Organizations should immediately identify and assign an executive sponsor and a Project Manager, who will be the single point of contact for all matters related to the audit, both for the auditor and for the internal project team.

The Project Manager should begin by engaging with the external auditor to understand the audit plan: the scope, the process, who should be involved, and any assistance that the auditor requires. They should agree on all points at the earliest possible date so that the Project Manager can allow enough time to prepare. Next, it is important to align all the relevant departments who will participate in and contribute to the audit response – typically Procurement, Contracts, IT and Finance. The Project Manager must then assign a project team to prepare and organize a self-audit to gain an understanding of the current level of compliance.

The self-audit involves gathering procurement records, license deployments and contract entitlements, then reconciling the licenses the organization is entitled to against the licenses actually deployed. To reconcile properly, it is critical to understand product use rights, such as the right to upgrade or downgrade between different versions of a licensed product, or to use the same license on multiple machines. The components of bundles and suites are constantly changing, presenting another obstacle to understanding entitlements. It is also important to know whether there are licenses deployed in the environment that are not being used or have been decommissioned; an installation that still shows up in inventory but is no longer in use will be counted by the auditor unless it is removed or explained. Organizations may be able to uninstall or reallocate licenses if permitted according to the contract licensing terms and conditions.
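The reconciliation described above, as an added worked example in Python; this is not code from the article or from Siwel Consulting, and the record layout, the way downgrade rights are applied (surplus on a newer version covers shortfall on older versions of the same product, newest first), the per-device versus per-user metrics and the sample inventory are all assumptions constructed for illustration. The point it makes that the paragraph does not: the Net License Position has to be computed per product and version, with decommissioned installs excluded and downgrade rights applied, before anyone can say whether there is a shortfall.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the article): a minimal self-audit reconciliation that
# computes a Net License Position per (product, version). All record shapes,
# field names and the sample data below are assumptions for illustration.


@dataclass(frozen=True)
class Entitlement:
    product: str
    version: int
    quantity: int
    metric: str             # "device": count distinct hosts; "user": count distinct users
    downgrade_rights: bool  # surplus may cover deployments of an older version


@dataclass(frozen=True)
class Deployment:
    product: str
    version: int
    host: str
    user: str
    decommissioned: bool    # still in inventory, but no longer in use


def measure_demand(deployments, metric_by_product):
    """Count consumption per (product, version) using that product's licence metric.
    Decommissioned installs are excluded: they are cleanup candidates, not demand."""
    seen = defaultdict(set)
    for d in deployments:
        if d.decommissioned:
            continue
        metric = metric_by_product.get(d.product, "device")  # assume per-device if unknown
        seen[(d.product, d.version)].add(d.host if metric == "device" else d.user)
    return {key: len(ids) for key, ids in seen.items()}


def net_license_position(entitlements, deployments):
    """Return {(product, version): net}. Positive = spare licences, negative = unlicensed
    use that an audit would bill. Downgrade rights are applied newest version first."""
    metric_by_product = {e.product: e.metric for e in entitlements}
    demand = measure_demand(deployments, metric_by_product)
    owned = defaultdict(int)
    for e in entitlements:
        owned[(e.product, e.version)] += e.quantity
    downgradable = {(e.product, e.version) for e in entitlements if e.downgrade_rights}

    position = {}
    keys = list(owned) + list(demand)
    for product in {p for p, _ in keys}:
        versions = sorted({v for p, v in keys if p == product}, reverse=True)
        donors = []  # [(key, spare)] surplus from newer versions that carry downgrade rights
        for v in versions:
            key = (product, v)
            net = owned.get(key, 0) - demand.get(key, 0)
            while net < 0 and donors:          # cover a shortfall from newer surplus
                donor_key, spare = donors[0]
                used = min(-net, spare)
                net += used
                position[donor_key] -= used    # the donor's surplus is now consumed
                if spare == used:
                    donors.pop(0)
                else:
                    donors[0] = (donor_key, spare - used)
            position[key] = net
            if net > 0 and key in downgradable:
                donors.append((key, net))
    return position


def cleanup_candidates(deployments):
    """Installs that should be uninstalled or documented before the auditor counts them."""
    return [d for d in deployments if d.decommissioned]


# Constructed sample inventory (assumed, not real data).
SAMPLE_ENTITLEMENTS = [
    Entitlement("DBServer", 12, 10, "device", True),    # 10 x v12, with downgrade rights
    Entitlement("DBServer", 11, 4, "device", False),    # 4 x v11, no downgrade rights
    Entitlement("OfficeSuite", 2019, 50, "user", False),
]
SAMPLE_DEPLOYMENTS = (
    [Deployment("DBServer", 12, f"db{n:02d}", "svc", False) for n in range(1, 7)]    # 6 hosts
    + [Deployment("DBServer", 11, f"db{n:02d}", "svc", False) for n in range(10, 17)]  # 7 hosts
    + [Deployment("DBServer", 11, "db17", "svc", True)]                                 # decommissioned
    + [Deployment("DBServer", 10, h, "svc", False) for h in ("db20", "db21")]           # 2 hosts, no v10 entitlement
    + [Deployment("OfficeSuite", 2019, "ws01", "alice", False),
       Deployment("OfficeSuite", 2019, "ws02", "bob", False),
       Deployment("OfficeSuite", 2019, "ws03", "alice", False),   # same user, second device
       Deployment("OfficeSuite", 2019, "ws04", "carol", True)]    # decommissioned
)

if __name__ == "__main__":
    for key, net in sorted(net_license_position(SAMPLE_ENTITLEMENTS, SAMPLE_DEPLOYMENTS).items()):
        print(f"{key[0]} v{key[1]}: {'surplus' if net >= 0 else 'SHORTFALL'} {abs(net)}")
    for d in cleanup_candidates(SAMPLE_DEPLOYMENTS):
        print(f"cleanup: {d.product} v{d.version} on {d.host}")
```

On the sample data the four spare v12 licences absorb the v11 shortfall of three and one of the two unlicensed v10 installs, leaving a single v10 shortfall and no v12 surplus; OfficeSuite shows 48 spare because its metric is per user, so alice's second device costs nothing. The two decommissioned installs do not enter the count but are reported separately, since an auditor's discovery tool will still see them.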

The Project Manager should estimate how long it will take to complete preparations for the vendor audit, including the self-audit. If the organization has an established Software Asset Management (SAM) program in place, this preparation will not be overly time-consuming. Conversely, if the company tends to manage its software licensing manually or on an “ad hoc” basis, the self-audit and other preparations can require significant resources and take many man-months to complete. Once the Project Manager has estimated how long it will take to prepare for the external audit, they can respond to the audit request and proposed date, and try to delay if necessary. Companies are sometimes successful at getting the vendor’s proposed audit date postponed. In fact, some delays are expected by the vendors; organizational restructuring, mergers and acquisitions, divestitures and critical technology initiatives all constitute valid reasons to delay an audit.

Many organizations have found that engaging a third-party expert is the most effective way to prepare for an audit or to refute a finding of non-compliance. In one positive example, a retailer was assessed a true-up bill of $13.5 million by one of its strategic software vendors. However, after conducting due diligence and weeding out free OEM software, disaster recovery software licenses, bundles and suites, the amount assessed was reduced by $10 million, to $3.5 million.

How to Prevent a Software Audit

What are the conditions that make a software audit go badly and result in a large expense? Conversely, what conditions can maximize the chance that your company will avoid an audit, or lead to an audit that runs smoothly and results in virtually no negative impact? The company that is well-organized to manage and control its software assets is most likely to avoid an audit or ensure the greatest opportunity for a successful, painless audit. An organization that has previously experienced a bad audit and learned from the experience typically does a better job managing a subsequent audit. It often takes a painful or even traumatic experience to force a transformation.

Organizations are becoming increasingly aware of the need to establish a robust IT Asset Management (ITAM) program to manage and track their software licenses as well as their other IT assets. While some organizations have adopted practices utilizing people, process and technology to build a solid internal ITAM program, others are still floundering, waiting for an issue to develop before implementing significant changes to better manage their assets. Companies that have taken the proactive approach to ITAM have placed themselves in a position to prevent future audits. Here is the recipe for success.

  1. Manage and control all software assets: Establish a formal, repeatable process for managing the life-cycle of a software asset, from requisition to retirement. Implement processes for real-time collection of transactional data, asset tracking and compliance.
  2. Negotiate audit provisions into contract terms and conditions: Include audit terms and conditions that limit exposure by pre-defining audit methodology and reducing both the frequency and the scope of potential audits.
  3. Establish an internal process for managing audits: Assign roles, responsibilities and a process for managing audits from the time the audit letter is received to eventual settlement.
  4. Incorporate licensing expertise: Knowledge of licensing complexities and nuances is key, particularly for strategic software publishers where the organization is exposed to the most risk. Maintain a constant vigil to keep abreast of changes to licensing metrics mandated by vendors.
  5. Appear confident and in control: Giving the appearance of having complete control and confidence in managing software assets can also deter a vendor from pursuing an audit or an auditor from continuing his efforts. The auditor is tasked with finding revenue and will not waste time where it appears there is no significant opportunity.
  6. Be proactive and engage a third-party expert annually to optimize your software licenses: An ITAM expert can verify compliance by conducting or validating an internal audit, and can also ensure that your licenses are optimized.

Following these guidelines will enable an organization to be in a position of knowledge and control with the potential to actually defer or prevent an audit.

To minimize the chance of a software audit:
  1. Manage and control all software assets
  2. Negotiate audit provisions into contract terms and conditions
  3. Establish an internal audit process
  4. Incorporate licensing expertise
  5. Appear confident and in control
  6. Engage a third-party expert to optimize licenses

Software license audits can be painful, lengthy and expensive. The good news is that there are steps you can take to prevent them, and these same measures will make you better prepared to emerge largely unscathed if an audit is unavoidable. When it comes to the dreaded software audit, you can prevent or conquer!

About the Authors

Steffani Lomax is the Vice President of Alliances for Siwel Consulting, Inc.