Top 5 Causes for Software License Noncompliance


November 08, 2019
Audit IT


Most enterprise software license compliance issues are unintentional. By and large, companies try to walk the line through rigorous software asset management and transparency with software vendors. Despite those efforts, however, most software audits uncover non-compliance – and the penalties associated with these compliance failures can be massive. Fees in the 7- to 8-figure range are typical.

In this post, we discuss the 5 most common causes of software license noncompliance and how companies can avoid audit failure.

Your non-production licenses somehow ended up in production.

Inadvertent misuse is a top compliance offender. Certain license types can only be used in non-production environments like development, testing or failover (these are examples of “limited-use licenses”). Companies often purchase these license types to save costs and align with then-current usage requirements, then later discover they’re being used in production environments for things like internal data processing operations.

You misinterpreted licensing-related definitions.

Licensing programs and definitions are constantly changing as new ones enter the mix. Do you know what constitutes a qualified user or device with Microsoft? Or IBM’s concurrent versus floating user? How about Oracle’s application full use license versus an embedded software license? This complex and confusing licensing “flexibility” offered by the vendors, combined with your own evolving usage needs, conspires to make it easy to violate licensing terms and makes you a target for software compliance audits.

You didn’t realize product use rights have changed and now you’ve got unlicensed software.

Product use rights can change at any time and, unless you’re proactively looking for changes (many of which are buried online…), you can easily miss the details. We’ve seen this with Microsoft, Oracle and particularly SAP as they try to establish more “customer-friendly” indirect use policies.

You upgraded or downgraded your software without understanding the product use rights implications.

Which product use rights apply in an upgrade/downgrade scenario – the rights included with your original purchase, or the rights that came with the upgrade/downgrade? Depending on the vendor, it varies.

You were unaware of the software compliance implications of virtualization.

Virtualized environments are hotbeds for noncompliance. Vendors have different (and very specific) rules for how hosts and software are coupled and managed. Microsoft and Oracle licensing, for example, doesn’t always play nice with VMware and both vendors have been rumored to target joint VMware customers for compliance inspection.

One Powerful Thing You Can Do to Maintain Software License Compliance

Most enterprise customers will be audited by at least one large software vendor this year. The best defense is proactively conducting an internal self-audit – a License Position Assessment – on your largest software estates.

We like to think of it as preventative maintenance. Rather than waiting until a vendor initiates an audit, you can proactively spot potential risk, and fix it. The ideal time to do a license position assessment is well before your next renewal or true-up, allowing yourself plenty of runway for remediation decision-making and implementation.

It’s important to understand what deployment tools the vendors use to detect noncompliance, and to have the deep licensing expertise to know how the vendor will interpret noncompliance. These are just some of the reasons companies turn to NPI’s software license audit services. We collect your actual software deployment data and compare it against your entitlements to identify usage gaps (over- or under-utilization), and provide remediation recommendations. We use vendor-side and independent data collection tools to validate findings, and are keenly aware of where specific vendors frequently misinterpret findings.

Remember, vendors partner with outside audit consultants (Deloitte, KPMG, etc.) that are financially motivated to find noncompliance, which they most often do. Enterprises should take all precautions to avoid or minimize noncompliance risk. Performing a preventive internal self-audit using the very same level of scrutiny that the vendor’s team would use – as well as similar tools and processes – is the most effective tactic.