Audit frights

By on
Audit frights

What to do when a software auditor knocks.

Page 1 of 2  |  Single page

Audit rights are two words that most software customers would be glad never to hear.

Major software vendors say they aren't invoked often - only when a customer is uncooperative or thought to be willfully non-compliant with their license terms.

But that doesn't mean that vendors aren't taking a very keen interest in how their licenses are used.

In the past three months, the Department of Defence and three NSW state government agencies have found themselves in the Federal Court over license disputes.

Scott & Scott LLP associate attorney Andrew Martin notes the renewed interest by software publishers in "auditing their customer bases".

"It's a pretty simple equation where the publishers are losing revenues on new software purchases," Martin says.

"[Customers] are deferring purchases, upgrades or migrations from one platform to another as the economy is still trying to get itself righted.

"As that happens our experience is that these software companies are generally looking for new revenue streams and those streams are contained in software deployments they haven't been compensated for."

Audits come in two flavours - those where a customer co-operates and those where they don't.

Co-operative customers are targeted by vendor-led consultancy programs that fall broadly under the banner of software asset management (SAM).

These incorporate some form of audit. However, if customers are found to breach software licenses, any restitution to the vendor could be characterised as non-punitive.

Microsoft and Oracle are among vendors who use this strategy, partly to sate their aversion for using the 'A' word.

"Oracle usually does not like to use the word 'audit' and instead tends to ask its customers to engage in a 'license review'," Martin said in a recent blog post.

Customers who don't play ball with the vendors typically face a more formal audit that is invoked from the license contract terms. These audits can involve having to run scripts on your network, paying back-maintenance and quite possibly legal action.

Microsoft Australia's director of license compliance and software asset management Renee Gamble says the company would "only do a handful of formal audits in a given year".

"We leverage the [formal] audit scenario really where a customer might be more willfully non-compliant or where they're not willing to work with us on the SAM program," she says.

Oracle similarly plays down the number of customers that are subjected to formal audit.

Oracle partner Red Rock Consulting's chief executive officer Jonathan Rubinsztein says customers of his company are hit with "one or two" full-blown Oracle-led audits a year.

"It's not a common occurrence... but it does happen," he says.

What's in a (Microsoft) SAM?

Gamble says Microsoft Australia embarks on "literally thousands" of software asset management (SAM) programs a year.

All of those companies are put through a "license reconciliation process" and about 95 percent are found to have some "basic form of non-compliance", Gamble says.

The nature of the SAM process - and who performs it - is determined by the customer's size.

While Microsoft has its own SAM personnel, it also contracts work to a number of third parties.

Small-to-medium businesses are often targeted by the Accordo Group, who act on Microsoft's behalf worldwide. Larger businesses might hear from iComply or Unified Logic - or the likes of KPMG if Microsoft decides to invoke a formal audit clause.

Gamble says Microsoft operates on a set of "guiding principles" when it approaches customers for participating in a SAM process.

"Fundamentally, we assume positive intent on behalf of the customer, so [when] we go into a SAM process, we don't assume there's any willful or malicious non-compliance," she says.

"But absolutely it is the customer's responsibility to be compliant and Microsoft has a right to protect our intellectual property and to get paid for that intellectual property."

The audit component of a SAM program is a mix of self-reporting and scripts. For SMBs, Microsoft supplies an assessment and planning (MAP) toolkit that is used as a "self-reporting exercise".

"We send them a licensing statement and we send them a spreadsheet so they are filling it out themselves," Gamble says.

"There's an ongoing element of trust there because we are collaborating with them."

The "larger end of town" is asked to run scripts on their networks that seek out unlicensed software, Gamble says.

"We will work with their IT teams around some scripts just to help with that data collection, and we'll also do some onsite testing as well," she says.

Gamble says that addressing compliance gaps "for the vast majority of customers [is] really... a bit of housekeeping and some good governance."

"Whatever gaps they do identify we simply ask them to address those and [we] give them better recommendations on how to manage their assets going forward," she says.

"Through the SAM process, we don't go after past use. We're not seeking retribution of damages - that would be a separate legal escalation if someone wasn't working with us.

"But as long as they're working with us on the SAM process, we simply ask them to pay for the licenses they've been using."

Oracle partner Red Rock Consulting similarly provides SAM services to its customers, as does channel partners of Microsoft Australia.

Formal audits

The consensus on formal audits - those invoked from license terms - is they are bad news.

"Typically when you're getting audited there's an expectation of non-compliance," Red Rock Consulting's Rubinsztein says.

"It's not a situation a customer really wants to be in with their key software vendor."

In a blog post, Scott & Scott LLP says that IBM's international license agreement, for example, "includes one of the most onerous audit-rights provisions that we see in standard-form license agreements".

Andrew Martin of Scott & Scott LLP says that red flags identified by Oracle may lead it to seek permission "to run a set of scripts [across the customer's] network to perform an in-depth network deployment audit".

"The mere thought ... should make even the most confident CIO squirm," he blogs.

Read on to page two for legal opinions on what to do if your vendor wants you to run their scripts.

Next Page 1 2 Single page
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?