Software Raids: Surviving an Audit
Software audits are a hassle, an embarrassment, and can result in hefty fines and worse. Here’s how to prepare for, and win, an audit.
- By Scott Braden
“You don’t know when it’s going to hit you; they don’t give you a three-month warning -- usually you’ve got like a week or two to get your stuff together.”
-- Brad Carpenter, Senior Information Systems Analyst and Customer Support, Lane County, Ore.
“They” are the software auditors. And in the past few years, “they” have been relentless in enforcing software license compliance.
Why are audits increasing? In short, it’s all about money. With flat IT budgets and increasing competition in every software market, vendors need new revenue streams.
Of course, vendors realize that it’s not a good relationship-building exercise to routinely audit customers. Instead, they usually rely on the Business Software Alliance (BSA) and Software Information Industry Association (SIIA), who act as outsourced auditors. In turn, BSA and SIIA depend on two primary sources of revenue: membership fees from vendors and “settlements” from software users.
The vendor membership fees -- which can run into the millions of dollars annually
for a large company like Microsoft -- still make up the minor share of the BSA
and SIIA’s revenue, according to Robert J. Scott, an attorney specializing in
software audit defense.
But because these associations operate with a limited power of attorney from their member software companies, they can generate (and keep) their own cash by auditing software users and charging fines for non-compliance. Customer settlements can be in the hundreds of thousands or, sometimes, millions of dollars -- and can also produce unpleasant side effects, such as unwanted media scrutiny.
The BSA and SIIA don’t shy away from publicity. Both call for tips about non-compliant
businesses through radio advertising, billboards and direct mail to executives
of small and midsize companies. Now the associations and independent software
vendors are offering rewards for information that leads to a successful audit.
Software licenses are governed by contracts with vendors, and by U.S. Copyright
law. You as an individual and your company may both be at risk for civil and
criminal penalties for software license violations. Fines for corporations can
reach $150,000 for each illegally installed copy of software. As an individual,
you could be criminally prosecuted, fined up to $250,000 and even face jail
time -- up to five years.
There are also costs associated with the audit, negative publicity for your
company, and the aggravations of dealing with lawyers for hours, days -- sometimes
months -- on end.
And don’t think that just because you’re a mid-level IT manager, you aren’t
liable. Warns Scott: “If you’re the IT director responsible for managing software
and your pay is partially based on your budget, spending or corporate profitability,
it could be argued that you have an incentive to avoid paying for software and
are therefore personally liable for any infringement.”
Auditing, Step by Step
There are different types of audits. For most Redmond readers, a “letter
audit” is most likely. Here, a member of your senior executive team will receive
a certified letter from a law firm that reads as a formal legal notice under
U.S. Copyright law. It may also mention contract law and one or more software
license agreements that your company owns. It mentions an effective date for
the audit (which is likely to be in the past by the time the letter is received),
and a due date for you to respond, typically 30 days or so after the effective
Most letter audits result from tips, so the notification letter will describe
the specific software titles in question for the audit. To prepare for a letter
audit, you can follow these general steps:
- First, get your corporate attorney involved and make him aware of the potential
for serious criminal and civil liability. Next, consider hiring an outside
attorney for expertise, and also to be the communication channel with the
auditors. By hiring an outside attorney, your internal audit findings can
often be protected from the auditor’s prying eyes by the doctrine of attorney-client
privilege. If you conduct your self-audit with internal IT staff, or an outside
contractor not associated with an attorney, you have less defense against
the auditor getting full access to your data.
- Have your attorney send an initial communication to the auditors, acknowledging
receipt of the audit notice. Pledge cooperation, but don’t give up any rights
or information yet.
- Now build your audit response team: include your CEO, CFO, CIO, legal counsel,
software asset manager and other individuals (such as departmental IT managers)
as needed. Communication is a key here; tell the executives in clear terms
what’s happening, what your plan is, and what information you’ve gathered.
- Focus only on the specific software titles described in the scope of the
audit. Many automatic discovery tools will report on everything they find;
make sure your response to the audits only includes the exact titles required
by the audit. In fact, the reports and discovery data should be interpreted
by someone knowledgeable not only in the tool, but also in the specifics of
- Gather proof of purchase documentation. Auditors typically only accept dated
proof of purchase -- such as invoices and sales receipts -- that show the
name of your organization and a detailed description of the product. Most
reseller invoices are adequate. Other documentation such as manuals, packaging
or the holographic certificates of authenticity are probably insufficient.
- Review your purchase records. Dig out old invoices. Get your current and
past vendors to deliver purchase history reports.
- Taking each product defined in the audit, compare your license proofs to
the installations found. Be sure to take into account free and paid upgrades
(including those covered by maintenance and short-term promotions). Also be
sure you’re properly applying the correct licensing rules. For example, some
licenses may be governed by the terms in force when you purchased them; others
may have had terms change via maintenance or upgrade terms. That’s why in-depth
knowledge of licensing rules and dates is critical.
Keep in mind the challenges presented by software discovery tools. Regardless of which tool(s) you use to inventory your installed software, it’s impossible to discover all installations. Mobile users, workstations not logged in, and remote and home users may not show up on the inventory. To track all this down, you need someone experienced to interpret the raw data from the tool -- data which can be confusing and duplicated.
Do not rush out and buy
licenses for compliance. Two reasons: First, the audit is typically
“as of the effective date” of the notification,
which of course is in the past. Thus, a dated sales invoice
after that effective date will do you no good in the eyes of
the auditors. Second, rushing out to buy licenses certainly
can’t help your case in settlement negotiations, or in
court if you should end up there.
If relevant to the audit, be sure to include products that a discovery tool
won’t find, such as Client Access Licenses (CALs) and licenses for remote workers
such as home/laptop users, VPN users and Citrix or Terminal Services users.
Good tools can be a lifesaver in these situations, as Carpenter found out.
“In our case, they were expecting [the requested audit information] to take
about a month and seemed surprised when we turned it around in a week. [Intel’s]
LANDesk was a timesaver and the accuracy held up. Having good, available numbers
on demand is probably the greatest thing.”
Filling the Gaps
If you have a compliance gap, communicate the details to your executives --
along with an estimate of the penalties and license fees they can expect to
pay. The BSA and SIIA each use a slightly different method of calculating their
standard fines, but you can expect to pay something on the order of two to four
times the full retail list purchase price for each violation. This is in
addition to your cost to purchase the correct number of licenses.
Your audit report should be a simple spreadsheet that contains the product
names, cumulative installed number of copies as of the effective date, total
proofs of purchase, and the net amount over- or under-licensed for the products.
Attach supporting data such as proofs of purchase. Also, organize the supporting
materials, such as discovery tool reports and proofs of purchase, by product.
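The reconciliation the article describes (scope to the audited titles, count installations as of the effective date, accept only dated proofs of purchase in your organization’s name, add the items a discovery tool can’t see, and report the net over/under position per product) is simple enough to script. The following is an added example, not code from the article or from any vendor’s tool; the product names, hostnames, invoice numbers and dates are constructed sample data, and the de-duplication of repeated discovery rows by host and product is an assumption about how the raw tool output looks.

```python
"""Minimal license-position reconciliation for an audit response spreadsheet.

Added example, not from the article. All sample data is constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    installed_on: date


@dataclass(frozen=True)
class Proof:
    invoice: str
    product: str
    quantity: int
    invoice_date: date
    organisation: str  # auditors expect your organisation's name on the proof


def reconcile(installs, proofs, scope, effective_date, organisation, manual_counts=None):
    """Return (report, rejected_proofs).

    report: {product: {"installed": n, "licensed": n, "net": licensed - installed}}
    Only products in `scope` are reported; out-of-scope titles are dropped,
    since the response must cover only the titles named in the audit notice.
    """
    manual_counts = manual_counts or {}

    # Discovery output is often duplicated (several scans of the same box),
    # so count distinct (host, product) pairs, not raw rows, as of the effective date.
    seen = {
        (i.host, i.product)
        for i in installs
        if i.product in scope and i.installed_on <= effective_date
    }
    installed = Counter(product for _, product in seen)
    # CALs, VPN/Citrix/Terminal Services users and other things a discovery
    # tool won't find are supplied as manually established counts.
    for product, n in manual_counts.items():
        if product in scope:
            installed[product] += n

    licensed = Counter()
    rejected = []  # (invoice, reason) so the attorney knows what was excluded and why
    for p in proofs:
        if p.product not in scope:
            continue
        if p.invoice_date > effective_date:
            rejected.append((p.invoice, "dated after the audit effective date"))
            continue
        if p.organisation != organisation:
            rejected.append((p.invoice, "not in the organisation's name"))
            continue
        licensed[p.product] += p.quantity

    report = {
        product: {
            "installed": installed[product],
            "licensed": licensed[product],
            "net": licensed[product] - installed[product],  # negative = under-licensed
        }
        for product in sorted(scope)
    }
    return report, rejected


# Constructed sample data
EFFECTIVE = date(2005, 10, 1)
ORG = "Example Corp"
SCOPE = {"Product A", "Product B"}

SAMPLE_INSTALLS = [
    Install("ws01", "Product A", date(2005, 3, 1)),
    Install("ws01", "Product A", date(2005, 3, 1)),   # duplicate row from a second scan
    Install("ws02", "Product A", date(2005, 6, 15)),
    Install("ws03", "Product A", date(2005, 10, 15)),  # after effective date: not counted
    Install("ws02", "Product B", date(2005, 1, 10)),
    Install("ws04", "Product C", date(2005, 2, 2)),    # not in scope: not reported
]
SAMPLE_PROOFS = [
    Proof("INV-100", "Product A", 1, date(2005, 2, 1), ORG),
    Proof("INV-101", "Product A", 5, date(2005, 10, 20), ORG),      # bought after the fact
    Proof("INV-102", "Product B", 2, date(2005, 1, 5), ORG),
    Proof("INV-103", "Product B", 1, date(2004, 12, 1), "Someone Else"),
    Proof("INV-104", "Product C", 3, date(2005, 1, 1), ORG),        # out of scope
]
SAMPLE_MANUAL = {"Product B": 1}  # e.g. one remote user found outside discovery


def sample_report():
    return reconcile(SAMPLE_INSTALLS, SAMPLE_PROOFS, SCOPE, EFFECTIVE, ORG, SAMPLE_MANUAL)


if __name__ == "__main__":
    report, rejected = sample_report()
    print("product,installed,licensed,net")
    for product, row in report.items():
        print(f"{product},{row['installed']},{row['licensed']},{row['net']}")
    for invoice, reason in rejected:
        print(f"rejected {invoice}: {reason}")
```

With the sample data, Product A shows two distinct installations against one accepted proof (net -1, under-licensed), and Product B shows one discovered installation plus one manual count against two licensed copies (net 0); the post-effective-date invoice and the invoice in another organization’s name are listed as rejected rather than silently dropped, which is what you want when you later check the auditor’s own analysis against yours.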
Following the audit, your attorney will send the results to the auditors. They’ll get back to you with their analysis and proposed fines (if any). Review the auditor’s analysis carefully, checking for errors and any proofs of purchase that were rejected.
Remember that this is a negotiated settlement, so you can make requests, too. Beyond the obvious monetary concerns, what else do you want to protect? For instance: You don’t want to go to court. You don’t want the results made public. You probably don’t want to consent to allowing future onsite audits to happen every few months -- or at all, if possible. Maybe you’ll be willing to consent to building an ongoing software license management program, or other compromises. Also remember during the settlement phase that non-compliance can be fixed by either buying licenses or un-installing software.
Discusses Software Compliance
Redmond magazine interviewed
Juan Fernando Rivera, director of Software Asset Management
for Microsoft, about its approach to software audits.
Q. How is Microsoft approaching software compliance and auditing
with the Software Asset Management (SAM) program?
A. We’re following the ITIL
(Information Technology Infrastructure Library, a global standard
for IT operational best practices) definition -- all of the
infrastructure and processes that ITIL covers are necessary
for software asset management. We’re also helping draft
the new ISO 19770 standard for Software Asset Management.
The public draft was released in May, and we expect the official
version in May 2006.
We’ve revamped the Software
Asset Management Web site. The site now includes benefits,
tools and how to get started. There’s also a SAM ROI
tool to help customers understand the benefits of SAM in their
organization. And we’re adding case studies from customers
worldwide to demonstrate actual SAM implementations.
Q. How many SAM partners do you have today?
A. There are about 348 SAM partners now. [Microsoft] rolled
out the Licensing Solution Competency in October for partners.
Training is available now. To be a SAM partner you’ll
need at least two certified people on staff, plus customer
references. Since we’re re-launching the program, we’re
requiring all 348 to be re-certified. The exam is built on
the ITIL guidance, and it’s an MCP-level exam.
Q. What’s the reaction been from customers so far?
A. Most customers will know if they have a software asset
management problem, but they either don’t know how to
fix the problem, or it’s just not high on their priority
list. Besides license compliance, they may have other drivers,
such as Sarbanes-Oxley. [Ed. Note: For more on Sarbanes-Oxley, see “SOX
and the Single Admin”.]
Q. What’s your advice to customers who think they have
a software compliance problem?
A. Customers should go to the Microsoft SAM Web site, check
out the free tools such as the inventory analyzer (limited
to 150 PCs) and look at the licensing terms. And they should
look for a SAM partner that can help.
Q. What are you telling the Microsoft sales force about SAM?
A. First, SAM is not about selling -- we’re not connecting
Software Assurance to SAM, for example. The field sales force
received a whole day of SAM training in July, and their instructions
are that if you find a potential compliance situation, get
a SAM partner involved to help. Microsoft’s corporate
guidance to the field is to stay away from audits. The reason
is there are too many negatives associated with auditing our
customers. We want to build customers for life.
Don’t Do It the Enron Way
Software license compliance in many organizations is one of those “yeah, we
need to do it, but other priorities are higher”-type of projects. Why should
you raise the priority now?
First, your risk of audit is increasing, says Scott, who has seen his caseload double over the past year. “Shrinking IT budgets and fierce competition among software publishers have created explosive growth in the incidence and frequency of software audits.”
In fact, Gartner Inc. estimates that 40 percent of all midsize to large U.S. businesses will face external software audits by the end of 2006.
In addition, Sarbanes-Oxley auditors are catching on to software non-compliance. In the parlance, software non-compliance is what’s known as an “off balance sheet” liability. The logic goes like this: if your company has software non-compliance, there is a negative value associated with the risk of getting caught, paying fines and so on. So in the auditor’s view, your company has a liability -- a liability to the corporation that’s not shown on any balance sheet or other public SEC filings. If that phrase “off balance sheet liability” sounds familiar, it’s because a company called Enron got in trouble for hiding liabilities “off balance sheet.”
Second, good old ROI will improve. Software compliance projects routinely have
enormous hard-dollar cost savings associated with them. When you have the tools
and processes to keep tight control of your licenses and usage, you also have
increased negotiation leverage with vendors, and the ability to avoid purchases
by re-allocating existing licenses (see “SOX
and the Single Admin” for a few handy software compliance shortcuts).
Finally (but not least importantly), you avoid the risk of penalties or jail time. Ask yourself, “Whose job is it to make sure we stay compliant?” And, “Who gets fired if we’re not compliant?”
It’s never fun to be the whistleblower; but these days, nobody gets fired for
being a stickler for compliance. As Carpenter says, “They can eat you alive
if you don’t have something to fall back on, to say, ‘I know what I have in
For more information on software compliance: