Software Raids: Surviving an Audit

Software audits are a hassle, an embarrassment, and can result in hefty fines and worse. Here’s how to prepare for, and win, an audit.

“You don’t know when it’s going to hit you; they don’t give you a three-month warning -- usually you’ve got like a week or two to get your stuff together,” says Brad Carpenter, Senior Information Systems Analyst and Customer Support, Lane County, Ore. “They” are the software auditors. And in the past few years, “they” have been relentless in enforcing software license compliance.

Why are audits increasing? In short, it’s all about money. With flat IT budgets and increasing competition in every software market, vendors need new revenue streams.

Of course, vendors realize that it’s not a good relationship-building exercise to routinely audit customers. Instead, they usually rely on the Business Software Alliance (BSA) and Software Information Industry Association (SIIA), who act as outsourced auditors. In turn, BSA and SIIA depend on two primary sources of revenue: membership fees from vendors and “settlements” from software users.


The vendor membership fees -- which can run into the millions of dollars annually for a large company like Microsoft -- still make up the minor share of the BSA and SIIA’s revenue, according to Robert J. Scott, an attorney specializing in software audit defense.

But because these associations operate with a limited power of attorney from their member software companies, they can generate (and keep) their own cash by auditing software users and charging fines for non-compliance. Customer settlements can be in the hundreds of thousands or, sometimes, millions of dollars -- and can also produce unpleasant side effects, such as unwanted media scrutiny.

The BSA and SIIA don’t shy away from publicity. Both call for tips about non-compliant businesses through radio advertising, billboards and direct mail to executives of small and midsize companies. Now the associations and independent software vendors are offering rewards for information that leads to a successful audit.

Risk Factor
Software licenses are governed by contracts with vendors, and by U.S. Copyright law. You as an individual and your company may both be at risk for civil and criminal penalties for software license violations. Fines for corporations can reach $150,000 for each illegally installed copy of software. As an individual, you could be criminally prosecuted, fined up to $250,000 and even face jail time -- up to five years.


There are also costs associated with the audit, negative publicity for your company, and the aggravations of dealing with lawyers for hours, days -- sometimes months -- on end.

And don’t think that just because you’re a mid-level IT manager, you aren’t liable. Warns Scott: “If you’re the IT director responsible for managing software and your pay is partially based on your budget, spending or corporate profitability, it could be argued that you have an incentive to avoid paying for software and are therefore personally liable for any infringement.”

Auditing, Step by Step
There are different types of audits. For most Redmond readers, a “letter audit” is most likely. Here, a member of your senior executive team will receive a certified letter from a law firm that reads as a formal legal notice under U.S. Copyright law. It may also mention contract law and one or more software license agreements that your company owns. It mentions an effective date for the audit (which is likely to be in the past by the time the letter is received), and a due date for you to respond, typically 30 days or so after the effective date.

Most letter audits result from tips, so the notification letter will describe the specific software titles in question for the audit. To prepare for a letter audit, you can follow these general steps:

  • First, get your corporate attorney involved and make him aware of the potential for serious criminal and civil liability. Next, consider hiring an outside attorney for expertise, and also to be the communication channel with the auditors. By hiring an outside attorney, your internal audit findings can often be protected from the auditor’s prying eyes by the doctrine of attorney-client privilege. If you conduct your self-audit with internal IT staff, or an outside contractor not associated with an attorney, you have less defense against the auditor getting full access to your data.
  • Have your attorney send an initial communication to the auditors, acknowledging receipt of the audit notice. Pledge cooperation, but don’t give up any rights or information yet.
  • Now build your audit response team: include your CEO, CFO, CIO, legal counsel, software asset manager and other individuals (such as departmental IT managers) as needed. Communication is a key here; tell the executives in clear terms what’s happening, what your plan is, and what information you’ve gathered so far.
  • Focus only on the specific software titles described in the scope of the audit. Many automatic discovery tools will report on everything they find; make sure your response to the audit includes only the exact titles the audit requires. In fact, the reports and discovery data should be interpreted by someone knowledgeable not only in the tool, but also in the specifics of software licensing.
  • Gather proof of purchase documentation. Auditors typically only accept dated proof of purchase -- such as invoices and sales receipts -- that show the name of your organization and a detailed description of the product. Most reseller invoices are adequate. Other documentation such as manuals, packaging or the holographic certificates of authenticity are probably insufficient.
  • Review your purchase records. Dig out old invoices. Get your current and past vendors to deliver purchase history reports.
  • Taking each product defined in the audit, compare your license proofs to the installations found. Be sure to take into account free and paid upgrades (including those covered by maintenance and short-term promotions). Also be sure you’re properly applying the correct licensing rules. For example, some licenses may be governed by the terms in force when you purchased them; others may have had terms change via maintenance or upgrade terms. That’s why in-depth knowledge of licensing rules and dates is critical.

Keep in mind the challenges presented by software discovery tools. Regardless of which tool(s) you use to inventory your installed software, it’s impossible to discover all installations. Mobile users, workstations not logged in, and remote and home users may not show up on the inventory. To track all this down, you need someone experienced to interpret the raw data from the tool -- data which can be confusing and duplicated.

Do not rush out and buy licenses for compliance. Two reasons: First, the audit is typically “as of the effective date” of the notification, which of course is in the past. Thus, a dated sales invoice after that effective date will do you no good in the eyes of the auditors. Second, rushing out to buy licenses certainly can’t help your case in settlement negotiations, or in court if you should end up there.

If relevant to the audit, be sure to include products that a discovery tool won’t find, such as Client Access Licenses (CALs) and licenses for remote workers such as home/laptop users, VPN users and Citrix or Terminal Services users.
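The self-audit steps above (restrict to the audited titles, de-duplicate discovery data, accept only dated proofs of purchase made out to your organization, ignore anything purchased after the effective date, and add in titles a discovery tool cannot see such as CALs) reduce to a simple reconciliation. The following is an added worked example, not code from the article, from Lane County or from any discovery-tool vendor; the `Install` and `Proof` record types, the organization-name check, the `manual_counts` mechanism for CALs and remote users, and all sample rows are constructed assumptions for illustration.

```python
"""Self-audit reconciliation: installs vs. proofs of purchase as of an effective date."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Install:
    """One row exported by a discovery tool: a product seen on a host (assumed shape)."""
    host: str
    product: str


@dataclass(frozen=True)
class Proof:
    """One proof of purchase. Auditors want a dated invoice naming your organization."""
    product: str
    qty: int
    invoice_date: date
    org: str


def accepted_proofs(proofs, our_org, effective):
    """Split proofs into (accepted, rejected-with-reason).

    A proof is rejected if it is dated after the audit's effective date (a
    last-minute purchase does not count) or if it is not in our organization's name.
    """
    accepted, rejected = [], []
    for p in proofs:
        if p.invoice_date > effective:
            rejected.append((p, "dated after effective date"))
        elif p.org.strip().lower() != our_org.strip().lower():
            rejected.append((p, "invoice not in our organization's name"))
        else:
            accepted.append(p)
    return accepted, rejected


def reconcile(installs, proofs, manual_counts, scope, our_org, effective):
    """Return ({product: {installed, licensed, net}}, rejected_proofs).

    Only products in `scope` (the titles named in the audit letter) are reported.
    A negative `net` means under-licensed; a positive one means spare licenses.
    """
    # Discovery tools often list the same host twice; count each host/product once.
    seen = {(i.host, i.product) for i in installs if i.product in scope}
    installed = {p: 0 for p in scope}
    for _, product in seen:
        installed[product] += 1
    # Titles a tool cannot discover (CALs, VPN/terminal users) are counted by hand.
    for product, n in manual_counts.items():
        if product in scope:
            installed[product] += n
    accepted, rejected = accepted_proofs(proofs, our_org, effective)
    licensed = {p: 0 for p in scope}
    for pr in accepted:
        if pr.product in scope:
            licensed[pr.product] += pr.qty
    rows = {
        p: {"installed": installed[p], "licensed": licensed[p],
            "net": licensed[p] - installed[p]}
        for p in sorted(scope)
    }
    return rows, rejected


# Constructed sample data (not real inventory or invoices).
EFFECTIVE = date(2005, 6, 1)
OUR_ORG = "Example County IT"
SCOPE = {"Office Pro", "Visio", "Windows Server CAL"}
INSTALLS = [
    Install("ws01", "Office Pro"), Install("ws02", "Office Pro"),
    Install("ws02", "Office Pro"),            # duplicate row from the tool
    Install("ws03", "Office Pro"), Install("ws01", "Visio"),
    Install("ws04", "Photoshop"),             # not in the audit's scope
]
PROOFS = [
    Proof("Office Pro", 2, date(2005, 1, 10), "Example County IT"),
    Proof("Office Pro", 5, date(2005, 8, 1), "Example County IT"),   # too late
    Proof("Visio", 1, date(2004, 11, 3), "Some Other Org"),          # wrong name
    Proof("Visio", 1, date(2005, 3, 3), "Example County IT"),
    Proof("Windows Server CAL", 50, date(2005, 2, 2), "Example County IT"),
]
MANUAL_COUNTS = {"Windows Server CAL": 40}   # counted from user/connection records


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INSTALLS, PROOFS, MANUAL_COUNTS, SCOPE, OUR_ORG, EFFECTIVE)


if __name__ == "__main__":
    rows, rejected = sample_report()
    for product, r in rows.items():
        print(f"{product:20} installed={r['installed']:3} licensed={r['licensed']:3} net={r['net']:+d}")
    for proof, reason in rejected:
        print(f"rejected: {proof.product} x{proof.qty} ({proof.invoice_date}): {reason}")
```

The `rows` dictionary is exactly the spreadsheet the article asks for: product, installed copies as of the effective date, accepted proofs, and the net over- or under-licensed figure. Keeping the rejected proofs with a reason makes it easy to argue later over any invoice the auditors decline to accept.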

Good tools can be a lifesaver in these situations, as Carpenter found out. “In our case, they were expecting [the requested audit information] to take about a month and seemed surprised when we turned it around in a week. [Intel’s] LANDesk was a timesaver and the accuracy held up. Having good, available numbers on demand is probably the greatest thing.”

Filling the Gaps
If you have a compliance gap, communicate the details to your executives -- along with an estimate of the penalties and license fees they can expect to pay. The BSA and SIIA each use a slightly different method of calculating their standard fines, but you can expect to pay something on the order of two to four times the full retail list purchase price for each violation. This is in addition to your cost to purchase the correct number of licenses.


Your audit report should be a simple spreadsheet that contains the product names, cumulative installed number of copies as of the effective date, total proofs of purchase, and the net amount over- or under-licensed for the products. Attach supporting data such as proofs of purchase. Also, organize the supporting materials, such as discovery tool reports and proofs of purchase, by product.

Post-Audit Considerations

Following the audit, your attorney will send the results to the auditors. They’ll get back to you with their analysis and proposed fines (if any). Review the auditor’s analysis carefully, checking for errors and any proofs of purchase that were rejected.

Remember that this is a negotiated settlement, so you can make requests, too. Beyond the obvious monetary concerns, what else do you want to protect? For instance: You don’t want to go to court. You don’t want the results made public. You probably don’t want to consent to allowing future onsite audits to happen every few months -- or at all, if possible. Maybe you’ll be willing to consent to building an ongoing software license management program, or other compromises. Also remember during the settlement phase that non-compliance can be fixed by either buying licenses or un-installing software.

Microsoft Discusses Software Compliance
Redmond magazine interviewed Juan Fernando Rivera, director of Software Asset Management for Microsoft, about its approach to software audits.

Q. How is Microsoft approaching software compliance and auditing with the Software Asset Management (SAM) program?

A. We’re following the ITIL (Information Technology Infrastructure Library, a global standard for IT operational best practices) definition -- all of the infrastructure and processes that ITIL covers are necessary for software asset management. We’re also helping draft the new ISO 19770 standard for Software Asset Management. The public draft was released in May, and we expect the official version in May 2006.

We’ve revamped the Software Asset Management Web site. The site now includes benefits, tools and how to get started. There’s also a SAM ROI tool to help customers understand the benefits of SAM in their organization. And we’re adding case studies from customers worldwide to demonstrate actual SAM implementations.

Q. How many SAM partners do you have today?

A. There are about 348 SAM partners now. [Microsoft] rolled out the Licensing Solution Competency in October for partners. Training is available now. To be a SAM partner you’ll need at least two certified people on staff, plus customer references. Since we’re re-launching the program, we’re requiring all 348 to be re-certified. The exam is built on the ITIL guidance, and it’s an MCP-level exam.

Q. What’s the reaction been from customers so far?

A. Most customers will know if they have a software asset management problem, but they either don’t know how to fix the problem, or it’s just not high on their priority list. Besides license compliance, they may have other drivers, such as Sarbanes-Oxley. [Ed. Note—For more on Sarbanes-Oxley, read “SOX and the Single Admin.”]

Q. What’s your advice to customers who think they have a software compliance problem?

A. Customers should go to the Microsoft SAM Web site, check out the free tools such as the inventory analyzer (limited to 150 PCs) and look at the licensing terms. And they should look for a SAM partner that can help.

Q. What are you telling the Microsoft sales force about SAM?

A. First, SAM is not about selling -- we’re not connecting Software Assurance to SAM, for example. The field sales force received a whole day of SAM training in July, and their instructions are that if you find a potential compliance situation, get a SAM partner involved to help. Microsoft’s corporate guidance to the field is to stay away from audits. The reason is there are too many negatives associated with auditing our customers. We want to build customers for life.

— S.B.

Don’t Do It the Enron Way
Software license compliance in many organizations is one of those “yeah, we need to do it, but other priorities are higher”-type of projects. Why should you raise the priority now?

First, your risk of audit is increasing, says Scott, who has seen his caseload double over the past year. “Shrinking IT budgets and fierce competition among software publishers have created explosive growth in the incidence and frequency of software audits.”

In fact, Gartner Inc. estimates that 40 percent of all midsize to large U.S. businesses will face external software audits by the end of 2006.

In addition, Sarbanes-Oxley auditors are catching on to software non-compliance. In the parlance, software non-compliance is what’s known as an “off balance sheet” liability. The logic goes like this: if your company has software non-compliance, there is a negative value associated with the risk of getting caught, paying fines and so on. So in the auditor’s view, your company has a liability -- a liability to the corporation that’s not shown on any balance sheet or other public SEC filings. If that phrase “off balance sheet liability” sounds familiar, it’s because a company called Enron got in trouble for hiding liabilities “off balance sheet.”

Second, good old ROI will improve. Software compliance projects routinely have enormous hard-dollar cost savings associated with them. When you have the tools and processes to keep tight control of your licenses and usage, you also have increased negotiation leverage with vendors, and the ability to avoid purchases by re-allocating existing licenses (see “SOX and the Single Admin” for a few handy software compliance shortcuts).

Finally (but not least importantly), you avoid the risk of penalties or jail time. Ask yourself, “Whose job is it to make sure we stay compliant?” And, “Who gets fired if we’re not compliant?”

It’s never fun to be the whistleblower; but these days, nobody gets fired for being a stickler for compliance. As Carpenter says, “They can eat you alive if you don’t have something to fall back on, to say, ‘I know what I have in my organization.’”
