Audit frights


What to do when a software auditor knocks.

Audit rights are two words that most software customers would be glad never to hear.

Major software vendors say they aren't invoked often - only when a customer is uncooperative or thought to be willfully non-compliant with their license terms.

But that doesn't mean that vendors aren't taking a very keen interest in how their licenses are used.

In the past three months, the Department of Defence and three NSW state government agencies have found themselves in the Federal Court over license disputes.

Scott & Scott LLP associate attorney Andrew Martin notes the renewed interest by software publishers in "auditing their customer bases".

"It's a pretty simple equation where the publishers are losing revenues on new software purchases," Martin says.

"[Customers] are deferring purchases, upgrades or migrations from one platform to another as the economy is still trying to get itself righted.

"As that happens our experience is that these software companies are generally looking for new revenue streams and those streams are contained in software deployments they haven't been compensated for."

Audits come in two flavours - those where a customer co-operates and those where they don't.

Co-operative customers are targeted by vendor-led consultancy programs that fall broadly under the banner of software asset management (SAM).

These incorporate some form of audit. However, if customers are found to be in breach of their software licenses, any restitution to the vendor is generally characterised as non-punitive.

Microsoft and Oracle are among the vendors who use this strategy, partly because of their aversion to using the 'A' word.

"Oracle usually does not like to use the word 'audit' and instead tends to ask its customers to engage in a 'license review'," Martin said in a recent blog post.

Customers who don't play ball with the vendors typically face a more formal audit that is invoked from the license contract terms. These audits can involve having to run scripts on your network, paying back-maintenance and quite possibly legal action.

Microsoft Australia's director of license compliance and software asset management Renee Gamble says the company would "only do a handful of formal audits in a given year".

"We leverage the [formal] audit scenario really where a customer might be more willfully non-compliant or where they're not willing to work with us on the SAM program," she says.

Oracle similarly plays down the number of customers that are subjected to formal audit.

Oracle partner Red Rock Consulting's chief executive officer Jonathan Rubinsztein says customers of his company are hit with "one or two" full-blown Oracle-led audits a year.

"It's not a common occurrence... but it does happen," he says.

What's in a (Microsoft) SAM?

Gamble says Microsoft Australia embarks on "literally thousands" of software asset management (SAM) programs a year.

All of those companies are put through a "license reconciliation process" and about 95 percent are found to have some "basic form of non-compliance", Gamble says.

The nature of the SAM process - and who performs it - is determined by the customer's size.

While Microsoft has its own SAM personnel, it also contracts work to a number of third parties.

Small-to-medium businesses are often targeted by the Accordo Group, who act on Microsoft's behalf worldwide. Larger businesses might hear from iComply or Unified Logic - or the likes of KPMG if Microsoft decides to invoke a formal audit clause.

Gamble says Microsoft operates on a set of "guiding principles" when it approaches customers for participating in a SAM process.

"Fundamentally, we assume positive intent on behalf of the customer, so [when] we go into a SAM process, we don't assume there's any willful or malicious non-compliance," she says.

"But absolutely it is the customer's responsibility to be compliant and Microsoft has a right to protect our intellectual property and to get paid for that intellectual property."

The audit component of a SAM program is a mix of self-reporting and scripts. For SMBs, Microsoft supplies an assessment and planning (MAP) toolkit that is used as a "self-reporting exercise".

"We send them a licensing statement and we send them a spreadsheet so they are filling it out themselves," Gamble says.

"There's an ongoing element of trust there because we are collaborating with them."

The "larger end of town" is asked to run scripts on their networks that seek out unlicensed software, Gamble says.

"We will work with their IT teams around some scripts just to help with that data collection, and we'll also do some onsite testing as well," she says.

Gamble says that addressing compliance gaps "for the vast majority of customers [is] really... a bit of housekeeping and some good governance."

"Whatever gaps they do identify we simply ask them to address those and [we] give them better recommendations on how to manage their assets going forward," she says.

"Through the SAM process, we don't go after past use. We're not seeking retribution of damages - that would be a separate legal escalation if someone wasn't working with us.

"But as long as they're working with us on the SAM process, we simply ask them to pay for the licenses they've been using."

Oracle partner Red Rock Consulting similarly provides SAM services to its customers, as do channel partners of Microsoft Australia.

Formal audits

The consensus on formal audits - those invoked from license terms - is they are bad news.

"Typically when you're getting audited there's an expectation of non-compliance," Red Rock Consulting's Rubinsztein says.

"It's not a situation a customer really wants to be in with their key software vendor."

In a blog post, Scott & Scott LLP says that IBM's international license agreement, for example, "includes one of the most onerous audit-rights provisions that we see in standard-form license agreements".

Andrew Martin of Scott & Scott LLP says that red flags identified by Oracle may lead it to seek permission "to run a set of scripts [across the customer's] network to perform an in-depth network deployment audit".

"The mere thought ... should make even the most confident CIO squirm," he blogs.


Get confidentiality

Martin recommends using a lawyer to shore up "two flavours of confidentiality" before handing license data or network information over to a software vendor.

One flavour is the "typical confidentiality agreement [that] any information that you find on our network is ours, and you have absolutely no right to use that information in any way outside the terms of this agreement," he says.

Martin says it is also important to limit the use of information gleaned from self-reporting or by automated scripts.

"The second flavour of confidentiality is that [the vendor] can come and examine this information and we can use it going back and forth on this negotiation, but if this comes to a point where we have to go in front of a court or in front of an arbitrator, none of this information is admissible," Martin says.

Alan Arnott, a technology lawyer with Sydney firm Arnotts Lawyers, agrees that caution should be exercised in formal audit situations.

"If the vendor is seeking to carry out an audit which is above what they're entitled to do, then the [customer] should seriously consider refusing the audit," he says.

"If there is a dispute around the scope of the audit it might have to be brought before the court for either equitable injunctive relief or other appropriate relief in the circumstances."

Arnott says that customers facing a scripted audit "should argue that it isn't reasonable for an audit to be carried out on sections of the network where there is no possible relevant data for the software developer or company to actually audit".

"What you have to understand is these software vendors carrying out audits are not police. They're not government organisations, generally. They're just another commercial entity operating from an overseas or local base, and they don't have rights to bulldoze the front door and run in and capture everything on your desk," he says.

"A software company can only audit under the rights provided in a legal contract."

But equally, Arnott cautions against jumping into legal action against a software vendor without being "aware of the court rules relating to discovery and pre-litigation conduct".

"You need to be cognisant if considering disputing a software licensor's right to carry out an audit," he says.
Information gleaned from self-reporting and formal audits is not the only way licensing cases are mounted.

On some occasions - particularly in cases led by the Business Software Alliance (BSA) - information on alleged infringement is gleaned from informants.

"The BSA generally takes action where it has a report and substantial evidence of copyright infringement involving software owned by the member companies," BSA Australian committee co-chair Clayton Noble says.

"Usually the BSA only brings legal action where two or more vendors have software involved in the infringement, but that's not always the case - sometimes we'll bring action where there's one member who says, 'We'd like you to bring action'."

Noble says that while most of its evidence came from informants, the alliance did take member referrals on occasion.

"Sometimes the BSA does also take cases referred by a member where the member has substantial evidence but for whatever reason prefer BSA to bring action," he says.

Noble says the BSA takes action on the evidence supplied by an informant only where the alliance's members agree that it's the right course.

For example, if the accused customer is involved in a SAM process with the vendor, the BSA may be called off the case.

"The members in the end control the actions by the BSA," Noble says.

Oracle were asked to contribute to this story but referred questions to Red Rock Consulting, citing that they were in a "quiet period". Calls and emails to IBM to participate were not returned.

Have you participated in a SAM process, been told to run scripts on your network, or had a formal audit clause in your contract invoked? What happened?
