Are you ready to be audited by your enterprise software vendors? If not, it’s time to prepare. The frequency of vendor audits is skyrocketing. Fortunately, there are steps enterprises can take before and during an audit to ease compliance concerns and minimize unexpected license fees and penalties.
Chances are most enterprises will undergo a major IT vendor audit in the near future. Cloud computing and the proliferation of mobile devices throughout the enterprise have fundamentally transformed how businesses integrate, access, consume and pay for information technology. Add virtualization and frequently changing product use rights to the equation and this new landscape is a recipe for non-compliance.
Vendors’ decision to audit more customers, more frequently, is not without justification. Many companies – if not most – are unintentionally out of compliance with their licensing agreements. The corporate IT ecosphere is growing and it has become more difficult to track and monitor software license usage. KPMG has reported that 52 percent of software vendors surveyed felt their losses incurred through unlicensed use of software equaled more than 10 percent of their company’s revenue. It’s no wonder that the likes of Microsoft, SAP, Oracle and others levy seven–figure penalties on their largest enterprise customers.
Another major factor driving audit activity is the migration of traditionally on-premise vendors to the cloud. During the transition, there is typically a dip in revenues as purchases shift from one–time perpetual license fees to annual subscription fees. Audits are a meaningful revenue stream to fill the gap.
IT and sourcing executives should take heed. If you haven’t undergone a major software audit recently, expect one soon. For vendors, it’s no longer a matter of contractual compliance—it’s a profit center.
UNINTENTIONAL NON–COMPLIANCE — HOW DOES IT HAPPEN?
Few enterprises willingly engage in rampant, non–compliant license use. So, how is it that most companies today would be found out of compliance if they underwent a major software audit? The most common reasons are:
Certain license types, such as limited use licenses, can only be used in non–production environments like development, testing or failover. Companies often purchase these licenses over full use licenses to obtain a pricing discount. Then, months or years later they discover their limited use licenses are being used for production use purposes like internal data processing operations.
Product use rights can change at any time, and the rate of change is growing among larger IT vendors. For example, during recent contract negotiations and audits, SAP and Oracle are asking some clients to purchase additional licenses for third–party application access. A business with 100 Salesforce.com licenses that need to access information from SAP may now be required to buy 100 additional licenses. It’s only been in the last few years that the vendors have begun to interpret “indirect access” this way and attempted to enforce it with clients.
Licensing programs and definitions have changed dramatically over the last several years. What constitutes a qualified user or device (Microsoft)? What about a concurrent user or a floating user (IBM)? What’s the difference between an application-specific full use license and an embedded software license (Oracle)? Any misinterpretation can unwittingly throw a customer out of compliance.
If you upgrade or downgrade your software, which product use rights apply—the rights that came with your original purchase, or the rights that came with your up/downgrade? How will your support and maintenance agreement be impacted? Well, it varies and it can be confusing, depending on your vendor. Here is a headache–inducing example from Microsoft’s Volume Licensing Blog:
Let’s continue using the same example above with SharePoint 2013 Server licenses purchased on an Agreement/Enrollment started in December 2012. With these licenses, let’s say you also purchased Software Assurance (SA) coverage, which aligns to the term of your Agreement/Enrollment. If during the term of your SA coverage, a new version of SharePoint Server is released and you decide to install/upgrade to the newest version – the PUR currently available when the new version is released will apply to your use of the new version. Please note that if you have rights to a new version via SA coverage, and choose not to upgrade your software, you may choose to use the new PUR, or continue to use the PUR you were originally required to. However, if you upgrade your software, you will be required to use the new PUR as outlined above (unless the Product List says otherwise)….In some cases, customers buy a license through a Volume License program for current versions of products with the specific intent on downgrading to a prior version of that product. When this is the case, you must use the PUR in effect on the Agreement/Enrollment start date for the version you licensed – not the version you will downgrade to and deploy or run.
Virtualized environments are hotbeds for unintentional non–compliance as each vendor has very specific rules around how hosts and software are coupled and managed. For example, let’s say you have two physical Microsoft Windows Servers (2012), with two virtual sessions running on each. Using VMware’s tools, you move one virtual session from one server to the other. Soon thereafter, you want to move it back again. Unfortunately, Microsoft doesn’t allow “server mobility” beyond the first move. The virtual session can move one time (in this case from the first server to the second), but is then stuck on the second server for 90 days. In this instance, this is grounds for non–compliance as Microsoft requires a new license to run three (rather than two) virtual sessions on one machine.
More companies are turning to independent software and technology vendors for complex, industry-specific IT solutions (e.g., diagnostic equipment in healthcare, production floor technologies in manufacturing). In some cases, these solutions contain third-party software that isn’t disclosed to the buyer and, therefore, isn’t on your asset management radar screen.
Large enterprises often engage in checkbox license management. They invest in software asset (or license) management tools that provide limited auditing capabilities and limited visibility into license usage, and call it a day. Unfortunately, effective management of software licenses requires dedicated people and processes that ensure a 360–degree view and control over how licenses are purchased, distributed, harvested, archived and retired. As the complexity of IT and IT contracting increases, the need for formal asset and license management programs within the enterprise will become even more imperative.
When is the right time for a self-audit? Most enterprise customers will be audited by at least one large software vendor this year. Conducting an internal self-audit before an official audit request arrives gives you more time to identify and remediate non-compliance, and minimize risk.
BEFORE THE AUDIT, SELF–AUDIT
If you’ve received an official audit request from your vendor, or have a sneaking suspicion you’ll receive one soon, or even if you’re looking to switch vendors—it’s imperative you conduct an internal self–audit before vendors initiate their process.
Most vendors enlist third parties to conduct audits on their behalf (Oracle is one notable exception—they have a dedicated internal auditing department). These auditing teams are typically contracted from the consulting world’s power players (Deloitte, KPMG and Accenture, to name a few). They are financially motivated to find non–compliance, which they most often do. If material non–compliance is identified, in many cases the customer is required to cover the consultant’s fees in addition to any penalties incurred. Remember—the interests of the auditors are more aligned with those of the vendor than your own. There is no such thing as a friendly audit!
With this in mind, enterprises should take all precautions to avoid or minimize the negative impacts an audit could have on their business. The most effective tactic is to conduct a preventive internal self–audit using the very same level of scrutiny that the vendor’s team would use – as well as similar tools and processes. Companies that lack the bandwidth or capabilities in–house should seek outside expertise.
At a minimum, the self–audit should involve the following activities:
First, develop an accurate record of deployments. Then compare that to license entitlements to identify gaps. This requires a PhD in product use rights for each vendor as they are ground zero for non–compliance. Product use rights are complex, confusing (often intentionally) and are subject to change at any time. It’s important to point out that auditors perform this complex analysis in the vendor’s favor. Customers need to perform this same complex analysis in their own favor. Note: One benefit of having a formal license position at the ready is that, in some cases, a vendor will actually cancel an audit once they see the report.
Audit rights should be stipulated and agreed upon with every enterprise software vendor. They should specify how much time a company has to respond to a formal audit request, which vendor resources are authorized to audit, what tools will be used, what data has to be provided (and how soon) and how arbitration will be handled. By fully understanding audit rights prior to an official audit, companies can model their self–audit using the same rules of engagement that the vendor will use.
If material non–compliance is discovered during a self–audit, companies need to develop a remediation plan that takes into account their current and future software needs. Remediation can take many forms – tuning virtualization strategy, changing servers to avoid certain size “taxes,” making simple changes to eliminate unnecessary access that would drive user charges even when there is no actual usage, changing usage for certain constituencies because the cost outweighs the benefit, migrating to alternate solutions for certain constituencies, changing to alternate license types that are a better match for actual usage or, if no other alternative is practical, purchasing additional licenses. Even if the outcome of a self–audit is the requirement to purchase licenses, companies have the ability to work through the funding challenges on their own cadence.
WHY ENGAGE A SELF–AUDIT SPECIALIST
In the best of circumstances, large software vendor audits are arduous and costly to the enterprise. They require time and human resources that are already stretched thin. And, when going head–to–head with vendors’ auditing teams, companies typically find themselves unable to defend their license position. Today’s IT and sourcing professionals need an ally with the vendor–specific licensing expertise, tools and proven processes that will help them optimize the outcome of a software license audit.
As a third–party auditing consultant, NPI has a deep familiarity with the myriad ways that vendors foster non–compliance. Our understanding of changing product usage rights gives us the inside track into where companies are unwittingly falling out of compliance with their licensing agreements, and where auditors are incorrectly interpreting the situation (this occurs frequently). We use the same or similar tools and processes that the vendors use, and are able to understand, summarize and present the data that emerges to vendors in the most favorable way. NPI’s self–audit specialists have expert knowledge of the full range of solutions, terms and costs that are acceptable to vendors, as well as what they are willing to concede during post–audit negotiations.
At NPI, we look at every audit from two perspectives – options for remediating current non–compliance (before the vendor finds it), and how clients can protect themselves from non–compliance in the future. We advise clients on license strategies and scenarios that are based on the enterprise’s current and future requirements. We also recommend license management processes and best practices, as well as help clients negotiate fair audit rights for future protection.
NPI helps clients achieve significant reductions in compliance penalties through remediating non–compliance before an official audit is conducted, negotiating a less costly penalty post–audit, and optimizing licensing throughout the process – some, or all, of these factors may apply in each individual audit event. The cost reductions delivered by NPI are material, often exceeding 25 percent and, in some cases, reaching 90 percent. At a time when vendors are auditing more than ever before, this impact goes beyond financial measures. It’s a proven tactic for reducing risk across the IT organization, and protecting the capital and human resources that are otherwise committed to business operations and innovation.