Prevent Software Audits

A practical guide for preventing software audits for on-premise and cloud-based solutions


Managing IT inventory is enormously complex. Multi-location users, cloud-based and on-premise software applications, virtualisation, bring-your-own-device policies, hardware changes and a multitude of daily IT operations tasks make IT Asset Management a real challenge. Software assets, in particular, carry an additional layer of complexity, because software vendors actively monitor their customers for contractual breaches.

Vendors’ concern over unlicensed use goes back at least to 1976, when Bill Gates voiced his views on the software theft of that era in his renowned An Open Letter to Hobbyists.

The problem for businesses that get audited is that the process is extremely costly, both financially and in terms of IT operations management. On top of exorbitant bills, customers also suffer major disruptions to their IT services.

In addition, some vendors have moved beyond merely seeking their customers’ compliance: they are leveraging software audits as a method of selling more products.

Regardless of the auditor’s motives, businesses should always keep on top of their software asset management to prevent unnecessary costs. This article first covers the current state of audits and their common triggers, then outlines practical advice for ensuring compliance and protecting against audits.

Software audits in today’s business environment

This is a prime time for setting up rigorous practices to prevent and defend against software audits. According to Gartner, these have been constantly rising in numbers since 2009. Conducting regular audits enables vendors to maximise their revenue by billing their customers as they see fit. Corporations such as Microsoft, Oracle, Adobe, IBM and SAP consistently top the charts for most audits. In fact, 68 percent of enterprises receive at least one audit request per year.

The bills resulting from those audits are too large to be ignored. A survey by Flexera reports that 44 percent of audited enterprises have been billed upwards of $100,000, while 20 percent have paid more than $1 million. Some organisations have had to spend up to 25 percent of their software budget on dealing with licence complexity alone.

These audits generally have one outcome: the customer ends up paying. The justification for the payment ranges from a settlement of the current licence dispute to the inclusion of another product in the contractual agreement.

Software vendors know that the word ‘audit’ strikes fear into their customers and leverage that fear to close as many sales as possible. Oracle is infamous for its overly aggressive audits; its former global VP of contracts and business practices stated that Oracle’s sales team follows an ‘ABC’ mantra, an acronym for Audit-Bargain-Close. When one of the largest software providers in the world uses such an aggressive and disruptive technique for generating revenue, it only makes sense for clients to do whatever they can to avoid an audit, set up rigorous audit management practices, or even look at switching to other vendors.

One particularly worrying occurrence took place in 2015, when Oracle submitted an audit review to Mars. Oracle allegedly demanded information to which it was not contractually entitled. Mars filed a lawsuit claiming that the demands were made under false pretences: Oracle’s position was that Mars’s non-use of software somehow constituted licensable use, and that the company therefore owed Oracle. Eventually, the lawsuit was dropped and neither company commented further.

Oracle’s ‘ABC’ mantra was something all of its clients had to keep an eye out for. The vendor then went one step further and threw a cloud solution into its negotiations, so that the acronym now spells out Audit-Bargain-Cloud.

How did Cloud Apps change software audits?

It is a clever move on the vendor’s side to throw in a cloud solution on top of the audit, as this increases the client’s dependency on the software provider. The move also makes sense from the client’s perspective, as most enterprises are now adopting cloud-based offerings. A projected 67% of enterprise IT infrastructure will include cloud solutions by 2020.

But how compliant are cloud applications from an audit perspective? Cloud solutions might be good news for clients: an end-to-end solution provided by a single vendor gives the provider full visibility of who accesses the software and data, which leaves no room for speculative enquiries into a client’s operations. The risk of being non-compliant is lowered and, as a result, so is the risk of being audited.

However, this only holds true for a single-vendor solution, which is unlikely for enterprises, since the adoption of cloud solutions is gradual and typically includes services from multiple providers. In fact, organisations use five cloud solutions on average, and those are hard to manage without an IT Inventory Management solution. Such hybrid clouds make up 45 percent of solutions. Where software from one provider resides on a service provided by another vendor, the audit process works in the same way as on-premise.

Unfortunately, IT departments are adopting new services in the cloud without considering the licensing implications, which gives vendors a strong case for submitting an audit. Konary argues that merely moving to the cloud can sometimes trigger an audit.

What triggers a software audit?

Moving to the cloud is definitely an easy card for vendors to pull, as the complexity of the operation will most likely result in licensing issues even with a meticulous implementation by the client’s IT Operations and Design teams.

There are further circumstances that might draw a vendor’s attention to a business, such as:

  • Business growth – as a company expands, new licence models may need to be adopted.
  • Licensing history – if a company’s licence purchasing behaviour changes, or if the organisation has a history of non-compliance, vendors might monitor the company’s activity.

Additionally, clients would need to keep an eye out for the following:

  • Number of active users per service.
  • Indirect usage or integration of the software with a third-party product – while leveraging third-party applications to add functionality to their processes, organisations must be aware of the permissions and requirements of those applications. Even where webhooks and API calls would not pose licensing problems, component integration services that require access to the database and backend need to be regulated to prevent unlicensed usage.
  • Purchases made by non-IT executives which clash with existing contracts.
  • Bring-your-own-licence cloud models – companies that adopt a cloud platform such as Amazon’s AWS or Microsoft’s Azure will be able to migrate their licences and applications to the cloud. What they must keep in mind is to stay within the contractual terms and notify the vendors of such changes to ensure transparency.
  • Mobile applications – some applications that are free for personal use require licences for work purposes.
  • New business practices – policies such as bring-your-own-device are problematic in terms of acquiring the optimal number of licences. As the number of devices can vary per user, including mobile devices such as smartphones and tablets, determining the number of licences becomes difficult. Device configuration is even harder for the IT department to maintain in the case of remote workers who connect to the organisation’s network over VPN.

Auditors know that they have an advantage when they have a deeper understanding of the contractual agreements. This allows them to confidently step into grey areas and bill their customers larger amounts without the customers even questioning it. Such grey areas include:

  • Some software companies intentionally offer products without licence keys, so that clients find it easy to copy and proliferate them, creating an opportunity for the vendor to upsell.
  • Some software companies do not have complete records of software sold through associated reseller channels, which gives them a case for launching an audit.
  • Third parties who intend to conduct an audit may not be contractually allowed to do so.
  • Geographic restrictions may affect licensing compliance for international organisations.
  • Vendors that undergo name changes create confusion over licensing rights.

How can organisations avoid software audits?

So far, we’ve covered what a software audit is, how audits impact a business, how cloud solutions are subject to being audited, and the common events that trigger audits. These give us a solid basis for creating a plan to prevent audits.

Given the current audit environment and recognising the importance of proactive compliance and preparation, organisations can employ the following practices to prevent audits:

  • Adopting a Software Asset Management Program.
  • Hiring a licensing specialist.
  • Educating staff and mitigating risks.
  • Managing software vendors.

Adopting a Software Asset Management Program

Software Asset Management (SAM) programs offer a wide range of features that help organisations of all sizes keep on top of managing their software resources.
These programs are most useful for keeping track of large numbers of licences across multiple types of platform. Their features include:

  • Ensuring the number of licences in use is in line with the number of licences bought.
  • Reassigning, removing or adding licences to meet demand.
  • Managing licensing across the entire IT estate, from desktops and datacentres to virtual machines and cloud platforms.
  • Reporting on the number of licences, prices and vendors used, in order to identify optimisation opportunities.

Software Asset Management programs not only drastically reduce the risk of becoming non-compliant and being audited; they also enable better resource management and lower the risk of human error. Rather than multiple licence specialists manually tracking assets with rudimentary tools such as spreadsheets, a single licence manager can have a holistic view of the whole estate and use her time on business-relevant decisions rather than administrative work.
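The core check such a program performs is a reconciliation of licences in use against licences bought. As an added example that is not part of this article or of any SAM product, the following Python script counts distinct devices and named users per product from a constructed inventory, compares each product against its purchased entitlement under that product’s own licence metric (per-device or per-user), and flags over-deployment, installs with no purchase on record, and shelfware that could be reassigned. Product names, device and user identifiers, seat counts and prices are all constructed for the example.

```python
"""Licence reconciliation: compare discovered installs with purchased entitlements.

Added example, not the article's code. A minimal version of the "licences in use
versus licences bought" check a SAM tool performs. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str        # licence metric: "device" (per install) or "user" (named user)
    quantity: int      # seats purchased
    unit_price: float  # price per seat, used only to estimate audit exposure


# Constructed inventory: one row per discovered install (what an agent or scan reports).
INVENTORY = [
    {"device": "LT-001", "user": "alice",  "product": "DesignSuite"},
    {"device": "LT-002", "user": "alice",  "product": "DesignSuite"},  # same user, second laptop
    {"device": "LT-003", "user": "bob",    "product": "DesignSuite"},
    {"device": "WS-010", "user": "carol",  "product": "DesignSuite"},
    {"device": "VM-100", "user": "svc-db", "product": "DBServer"},
    {"device": "VM-101", "user": "svc-db", "product": "DBServer"},
    {"device": "VM-102", "user": "svc-db", "product": "DBServer"},
    {"device": "LT-004", "user": "dave",   "product": "PhotoTool"},    # nothing purchased
]

# Constructed entitlements: what procurement records say was bought.
ENTITLEMENTS = [
    Entitlement("DesignSuite", "user", 3, 600.0),
    Entitlement("DBServer", "device", 2, 5000.0),
    Entitlement("OfficePack", "user", 10, 120.0),   # bought but never deployed
]


def count_usage(inventory):
    """Return {product: {"device": n, "user": n}}, counting distinct devices and users."""
    devices, users = defaultdict(set), defaultdict(set)
    for row in inventory:
        devices[row["product"]].add(row["device"])
        users[row["product"]].add(row["user"])
    return {p: {"device": len(devices[p]), "user": len(users[p])} for p in devices}


def reconcile(inventory, entitlements):
    """Compare usage with entitlements per product, under each product's own licence metric."""
    usage = count_usage(inventory)
    owned = {e.product: e for e in entitlements}
    report = {}
    for product, counts in usage.items():
        ent = owned.get(product)
        if ent is None:
            # Installed with no purchase on record: every install is a potential finding.
            report[product] = {"status": "unlicensed", "metric": "device",
                               "in_use": counts["device"], "owned": 0,
                               "shortfall": counts["device"], "surplus": 0, "exposure": None}
            continue
        in_use = counts[ent.metric]  # the metric matters: DesignSuite has 4 devices but 3 users
        shortfall = max(0, in_use - ent.quantity)
        surplus = max(0, ent.quantity - in_use)
        status = "over-deployed" if shortfall else ("surplus" if surplus else "compliant")
        report[product] = {"status": status, "metric": ent.metric, "in_use": in_use,
                           "owned": ent.quantity, "shortfall": shortfall,
                           "surplus": surplus, "exposure": shortfall * ent.unit_price}
    for ent in entitlements:
        if ent.product not in usage:
            # Paid for but never installed: shelfware to reassign or drop at renewal.
            report[ent.product] = {"status": "surplus", "metric": ent.metric, "in_use": 0,
                                   "owned": ent.quantity, "shortfall": 0,
                                   "surplus": ent.quantity, "exposure": 0.0}
    return report


def findings(report):
    """Products that need attention before an auditor finds them, sorted by name."""
    return sorted(p for p, r in report.items()
                  if r["status"] in ("over-deployed", "unlicensed"))


if __name__ == "__main__":
    for product, r in sorted(reconcile(INVENTORY, ENTITLEMENTS).items()):
        print(f"{product:12} {r['status']:13} metric={r['metric']:6} "
              f"in_use={r['in_use']:3} owned={r['owned']:3} exposure={r['exposure']}")
```

Run as a script it prints one line per product. The point of keeping the metric on the entitlement is that the same inventory reconciles differently under per-device and per-user terms: three named users on four laptops are compliant under a three-seat user licence but would be over-deployed by one under a device licence, which is exactly the kind of contractual detail an auditor will read more carefully than the customer.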

Hiring a specialist

In terms of lowering the risk and cost of audits, additional expertise in an organisation is an invaluable asset. These specialists come in one of two forms: a vendor- or product-specific licensing specialist, or a Governance and Licensing Manager. Either needs to work closely with the IT Operations Management team to ensure that compliance practices are cascaded successfully across the teams.

A vendor- or product-specific licensing specialist is typically an outsourced contractor who can ensure that the client is not breaching the contractual agreement with the vendor, and who can challenge the software provider when it runs an audit. In some instances, a specialist can reduce the bill submitted by the vendor by 95%. For example, after an auditor delivered a bill of $2.8 million to one of Adobe’s customers, a licensing expert detected a mistake in the auditor’s reasoning and brought the bill down to an incredibly low $76,000.

A Governance and Licensing Manager, on the other hand, is a full-time employee with a good understanding of the organisation’s overall compliance status. They are up to date on the vendors and solutions employed, as well as the organisation’s culture and operations. Governance and Licensing Managers also have a thorough knowledge of the contractual agreements and the responsibilities of both parties. In one example, a licensing manager resolved an audit raised by Adobe by noticing inconsistent language between the signed licence agreement and the supporting documents that formed part of the agreement.

Education and risk mitigation

One of the main factors in poor software asset management is human error. The good news is that this is easily preventable through staff training and education, together with risk-mitigating practices. Training and risk mitigation are also extremely useful in managing audits, not just in preventing them.
Here are some practices that can be implemented through staff training and education:

  • Contractual clarity and protection – a thorough understanding of the contractual agreement with the vendor enables the client to set up and enforce internal policies that prevent breaches. An example would be employing an IT Inventory Management system to keep track of the number of licences available.
  • Data integrity – training employees at all levels of the business to keep records of what software is used and how it is used provides the transparency needed for accurate tracking.
  • Business continuity – should the software vendor submit an audit request, rigorous processes need to be in place to avoid disruption to IT operations. Such practices include a plan for training the IT Operations Management team to deal with enquiries from vendors.
  • Risk identification – maintaining a good view of planned changes, new software and migrations.

Vendor Management

To reduce the risk of a vendor launching an audit request, organisations need to learn how to play the software provider’s game. Eliminating the vendor lock-in mentality and adopting the mantra of ‘the client is always right’ will empower organisations to secure better deals.

These are a few tips for improving the relationship dynamics between vendor and client:

  • Deciding between single-vendor and multiple-vendor solutions – while a single-vendor solution may work out more expensive and offer less functionality, the increased transparency drastically reduces the speculation on the vendor’s side that can prompt it to launch an audit. On the other hand, a single-vendor solution increases the company’s dependency on that software provider, so it is up to the organisation to decide which option suits it best.
  • Cost of switching vendors as opposed to renewing the contract – software providers leverage the fact that switching providers is a costly operation for clients, to the point where they charge unreasonable amounts simply because they know the client’s dependency. In the long term, it may be more cost-efficient for an organisation to switch providers and absorb the up-front cost of the change.