Audit frights


What to do when a software auditor knocks.

Audit rights are two words that most software customers would be glad never to hear.

Major software vendors say they aren't invoked often - only when a customer is uncooperative or thought to be willfully non-compliant with their license terms.

But that doesn't mean that vendors aren't taking a very keen interest in how their licenses are used.

In the past three months, the Department of Defence and three NSW state government agencies have found themselves in the Federal Court over license disputes.

Scott & Scott LLP associate attorney Andrew Martin notes the renewed interest by software publishers in "auditing their customer bases".

"It's a pretty simple equation where the publishers are losing revenues on new software purchases," Martin says.

"[Customers] are deferring purchases, upgrades or migrations from one platform to another as the economy is still trying to get itself righted.

"As that happens our experience is that these software companies are generally looking for new revenue streams and those streams are contained in software deployments they haven't been compensated for."

Audits come in two flavours - those where a customer co-operates and those where they don't.

Co-operative customers are targeted by vendor-led consultancy programs that fall broadly under the banner of software asset management (SAM).

These incorporate some form of audit. However, if customers are found to breach software licenses, any restitution to the vendor could be characterised as non-punitive.

Microsoft and Oracle are among vendors who use this strategy, partly to sate their aversion for using the 'A' word.

"Oracle usually does not like to use the word 'audit' and instead tends to ask its customers to engage in a 'license review'," Martin said in a recent blog post.

Customers who don't play ball with the vendors typically face a more formal audit that is invoked from the license contract terms. These audits can involve having to run scripts on your network, paying back-maintenance and quite possibly legal action.

Microsoft Australia's director of license compliance and software asset management Renee Gamble says the company would "only do a handful of formal audits in a given year".

"We leverage the [formal] audit scenario really where a customer might be more willfully non-compliant or where they're not willing to work with us on the SAM program," she says.

Oracle similarly plays down the number of customers that are subjected to formal audit.

Oracle partner Red Rock Consulting's chief executive officer Jonathan Rubinsztein says customers of his company are hit with "one or two" full-blown Oracle-led audits a year.

"It's not a common occurrence... but it does happen," he says.

What's in a (Microsoft) SAM?

Gamble says Microsoft Australia embarks on "literally thousands" of software asset management (SAM) programs a year.

All of those companies are put through a "license reconciliation process" and about 95 percent are found to have some "basic form of non-compliance", Gamble says.

The nature of the SAM process - and who performs it - is determined by the customer's size.

While Microsoft has its own SAM personnel, it also contracts work to a number of third parties.

Small-to-medium businesses are often targeted by the Accordo Group, who act on Microsoft's behalf worldwide. Larger businesses might hear from iComply or Unified Logic - or the likes of KPMG if Microsoft decides to invoke a formal audit clause.

Gamble says Microsoft operates on a set of "guiding principles" when it approaches customers for participating in a SAM process.

"Fundamentally, we assume positive intent on behalf of the customer, so [when] we go into a SAM process, we don't assume there's any willful or malicious non-compliance," she says.

"But absolutely it is the customer's responsibility to be compliant and Microsoft has a right to protect our intellectual property and to get paid for that intellectual property."

The audit component of a SAM program is a mix of self-reporting and scripts. For SMBs, Microsoft supplies an assessment and planning (MAP) toolkit that is used as a "self-reporting exercise".

"We send them a licensing statement and we send them a spreadsheet so they are filling it out themselves," Gamble says.

"There's an ongoing element of trust there because we are collaborating with them."

The "larger end of town" is asked to run scripts on their networks that seek out unlicensed software, Gamble says.

"We will work with their IT teams around some scripts just to help with that data collection, and we'll also do some onsite testing as well," she says.

Gamble says that addressing compliance gaps "for the vast majority of customers [is] really... a bit of housekeeping and some good governance."

"Whatever gaps they do identify we simply ask them to address those and [we] give them better recommendations on how to manage their assets going forward," she says.

"Through the SAM process, we don't go after past use. We're not seeking retribution of damages - that would be a separate legal escalation if someone wasn't working with us.

"But as long as they're working with us on the SAM process, we simply ask them to pay for the licenses they've been using."

Oracle partner Red Rock Consulting similarly provides SAM services to its customers, as does channel partners of Microsoft Australia.

Formal audits

The consensus on formal audits - those invoked from license terms - is they are bad news.

"Typically when you're getting audited there's an expectation of non-compliance," Red Rock Consulting's Rubinsztein says.

"It's not a situation a customer really wants to be in with their key software vendor."

In a blog post, Scott & Scott LLP says that IBM's international license agreement, for example, "includes one of the most onerous audit-rights provisions that we see in standard-form license agreements".

Andrew Martin of Scott & Scott LLP says that red flags identified by Oracle may lead it to seek permission "to run a set of scripts [across the customer's] network to perform an in-depth network deployment audit".

"The mere thought ... should make even the most confident CIO squirm," he blogs.

Read on to page two for legal opinions on what to do if your vendor wants you to run their scripts.

Get confidentiality

Martin recommends using a lawyer to shore up "two flavours of confidentiality" before handing license data or network information over to a software vendor.

One flavour is the "typical confidentiality agreement [that] any information that you find on our network is ours, and you have absolutely no right to use that information in any way outside the terms of this agreement," he says.

Martin says it is also important to limit the use of information gleaned from self-reporting or by automated scripts.

"The second flavour of confidentiality is that [the vendor] can come and examine this information and we can use it going back and forth on this negotiation, but if this comes to a point where we have to go in front of a court or in front of an arbitrator, none of this information is admissable," Martin says.

Alan Arnott, a technology lawyer with Sydney firm Arnotts Lawyers, agrees that caution should be exercised in formal audit situations.

"If the vendor is seeking to carry out an audit which is above what they're entitled to do, then the [customer] should seriously consider refusing the audit," he says.

"If there is a dispute around the scope of the audit it might have to be brought before the court for either equitable injunctive relief or other appropriate relief in the circumstances."

Arnott says that customers facing a scripted audit "should argue that it isn't reasonable for an audit to be carried out on sections of the network where there is no possible relevant data for the software developer or company to actually audit".

"What you have to understand is these software vendors carrying out audits are not police. They're not government organisations, generally. They're just another commercial entity operating off an overseas or locally based, and they don't have rights to bulldoze the front door and run in and capture everything on your desk," he says.

"A software company can only audit under the rights provided in a legal contract."

But equally, Arnott cautions against jumping into legal action against a software vendor without being "aware of the court rules relating to discovery and pre-litigation conduct".

"You need to be cognisant if considering disputing a software licensor's right to carry out an audit," he says.


Information gleaned from self-reporting and formal audits is not the only way licensing cases are mounted.

On some occasions - particularly in cases led by the Business Software Alliance (BSA) - information on alleged infringement is gleaned from informants.

"The BSA generally takes action where it has a report and substantial evidence of copyright infringement involving software owned by the member companies," BSA Australian committee co-chair Clayton Noble says.

"Usually the BSA only brings legal action where two or more vendors have software involved in the infringement, but that's not always the case - sometimes we'll bring action where there's one member who says, 'We'd like you to bring action'."

Noble says that while most of its evidence came from informants, the alliance did take member referrals on occasion.

"Sometimes the BSA does also take cases referred by a member where the member has substantial evidence but for whatever reason prefer BSA to bring action," he says.

Noble says the BSA takes action on the evidence supplied by an informant only where the alliance's members agree that it's the right course.

For example, if the accused customer is involved in a SAM process with the vendor, the BSA may be called off the case.

"The members in the end control the actions by the BSA," Noble says.

Oracle were asked to contribute to this story but referred questions to Red Rock Consulting, citing that they were in a "quiet period". Calls and emails to IBM to participate were not returned.

Have you participated in a SAM process, been told to run scripts on your network, or had a formal audit clause in your contract invoked? What happened?

Copyright © . All rights reserved.

Audit frights
Top Stories
Optus admits to three big data breaches
More than 300,000 customers affected.
Is your lawyer smarter than IBM's Watson?
Sparke Helmore CIO Peter Campbell expects machine learning to take a chunk out of law firm profits. But he’s far from downcast.
Australia passes data retention into law
Mammoth last-ditch effort by Greens, indies knocked back.
Sign up to receive iTnews email bulletins
Latest articles on BIT Latest Articles from BIT
Xero now includes an inventory function built-in
Mar 26, 2015
Xero has added inventory and other major new features to the latest release of its cloud ...
Apple reveals its new MacBook
Mar 13, 2015
Replacing the MacBook Air as Apple's thinnest laptop, the new MacBook comes packed with features.
Xero has released a new version of its app for the iPad
Mar 6, 2015
iPad-wielding Xero users can now take advantage of a new version of the iOS app for the cloud ...
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
The 2015 Xero Roadshow is on: here are the locations and dates
Feb 6, 2015
The 2015 Xero Roadshow kicked off this week - see where you can attend at locations around ...
Latest Comments
Do you support the Government's data retention scheme?

   |   View results