Audits of software licenses and assets are becoming increasingly common. Indeed, for software vendors facing declining sales of new products, audits of enterprise clients are emerging as a major revenue stream, sometimes generating millions in fines.
A wide range of events can trigger a software audit. Involvement in a merger, acquisition or divestiture is a common red flag vendors use to launch a review. Geographies and legal jurisdictions are redrawn, and new users are absorbed or released, as are new software agreements and licenses. The resulting disruption and confusion frequently lead to violations of licensing terms. While some contracts contain specific language with regard to M&A activities and their repercussions, most are not very friendly or forgiving toward compliance violations. And while enterprises devote significant resources to integrating people, processes and products during a merger, software licenses and compliance are often ignored.
Other common triggers include deployment of cloud or virtualization initiatives, organizational growth that isn't accompanied by additional license purchases, and attrition of in-house licensing expertise. And, in some high-profile cases, audits have been initiated by disgruntled employees who blow the whistle to industry groups such as the Business Software Alliance.
Audits are likely to reveal significant licensing violations, which result from a variety of factors. Many enterprises lack the necessary tools and asset management governance structure, as well as the staff with the necessary skills. This lack of oversight invites sloppiness or downright fraud among users. Sourcing, procurement and asset management functions typically work in silos and rarely communicate, resulting in licensing disconnects. Ironically, highly secure environments such as government defense contractors can be vulnerable, as security requirements preclude licensing transparency. And, the independent "idea labs" that are becoming popular in many enterprises are likely to employ free spirits who don't feel bound by details surrounding licensing agreements.
To further complicate matters, IT asset contracts are exceedingly complex and abstruse. Terms regarding who is or isn't authorized to use a product under a given license are vague and confusing, and when unauthorized copies of software are unwittingly shared and distributed, vendors take note. Another common vendor tactic is to offer customers the opportunity to "sandbox" new test products, without specifying licensing terms and with the expectation that the product will end up deployed by users in violation of terms.
To further skew the playing field, software providers employ legions of attorneys specializing exclusively in understanding compliance terms, conducting audits and generating fines. The in-house or retained legal counsel of customers is, by contrast, often seriously overmatched.
The good news in all of this is that CIOs can take a number of steps to prepare for an audit and ensure compliance. In fact, rather than an exercise in stress and intimidation, an audit can actually be a positive experience that results in more favorable terms and a better relationship with suppliers.
First and foremost, be proactive. Because software compliance has traditionally been a low priority from a strategic perspective, the onus is on the CIO to define risk factors and potential vulnerabilities, and to develop a business case regarding the importance of compliance and the implications of contractual violations. Put simply, the CIO must educate the boardroom that software compliance matters.
An asset management and compliance initiative must aim to enhance internal governance and processes around software acquisition, licensing and usage. The initiative should be led by a dedicated function, either in-house or third-party, focused on instilling the requisite people, process and technology discipline. For example, educating all users on general guidelines isn't sufficient; admin rights should be limited to select users who've received special training on software licensing and distribution. This special training should instill awareness among the admin rights team of different categories of licenses as well as potential compliance traps. Procurement processes need to align with contract requirements to avoid back-channel acquisition of non-compliant software products.
Proactive preparation and effective asset management deliver a high-level understanding of the environment, as well as detailed data on assets, pricing and service levels. CIOs can leverage this knowledge to their advantage, regardless of whether or not they're subjected to an audit. Robust and granular transparency into products under license and in use, as well as insight into costs, contract terms and options, can yield a variety of benefits. And, if and when an audit is launched, CIOs can respond with confidence to demonstrate compliance. In fact, we've seen instances where audits have revealed that software vendors were overcharging customers, resulting in significant refunds and better terms on renewals.
The bottom line is that enterprises face increasing odds of a software audit, and CIOs need to be aware of the stakes. Proactive preparation can help mitigate audit risks, improve enterprise management and enhance provider relationships.