Software Audits – what’s the worst that can happen?
We are supporting an increasing number of clients who are facing huge, unexpected bills resulting from an audit into their use of software.
Software suppliers have long been aware that they are losing significant amounts of revenue from their customers who are under-licensed. However, we have witnessed an increasing trend for those suppliers to seek to capture some of that revenue, often to fund a pivot of the product set into cloud-based “as a service” offerings.
The move to virtual environments is not generally anticipated in more traditional software licences. This may well mean all use is unlicensed, particularly if legal documentation has fallen behind reality.
In response suppliers are increasing their own licensing compliance resources as well as instructing third party agents to complement these resources.
This article discusses the steps involved in a software audit from the customer perspective, suggesting helpful tips on avoiding some of the pitfalls.
The first question many clients will ask when the auditors are threatening to descend in their droves is: why is this happening? There could be a number of different reasons.
Whistle-blowers can report unlicensed software use to organisations such as the British Software Alliance or the Federation Against Software Theft. These organisations differentiate between counterfeit and under-licensed use. The report can be made anonymously and there is nothing to prevent a financial inducement being offered in return for a report which leads to a positive outcome.
Licence compliance teams will be looking at any changes in customer organisations. Merger activity, employee data and financial data numbers are all publically available information. I would expect corporates who are large users of software will be issuing press releases announcing mergers, growth in employee numbers and turnover growth. Each of these events will very probably lead to an increase in the need for licensing. Clearly this is not lost on software suppliers, whose license compliance teams will monitor such announcements and be alert to the changing need for authorised users.
Even without relationship managers being given updated information, their algorithms will provide predictions as to the likely license need. If purchasing does not match with that analysis piece then they may be due an audit.
In other instances, there may be a change in senior personnel on the customer or the supplier side, or a customer may simply come up for a random or routine use audit as part of their compliance programmes.
What should you do upon receipt of a software audit request?
The issue of software audit requests has been exploited by fraudsters. Often the request will come from an organisation or individual who you do not know, and this presents an opportunity which is open to abuse. We would always recommend that clients use information separate from the request letter to verify that it is genuine and not a scam.
If satisfied that it is a genuine request, it may be worth offering to “mark you own work” by conducting a self-audit which can be certified. That could be done by an internal team or by consultants engaged by your company. This removes a lot of the difficulties of an external audit, which are highlighted below. If suitable verification is produced then it may satisfy your software supplier that all is in order, without having to incur the expense of conducting the audit themselves.
You should consider who the supplier has proposed to conduct the audit. I typically have different levels of concern depending on the type of auditor instructed. This could be one or more of an in-house compliance team, a SAM (software asset management) consultant, IP litigator or a Big Four accountancy practice. Certainly it is not good news if an IP litigator is instructed from the outset.
Of course you should acknowledge receipt of the genuine audit request, but it must be accepted that you will have ongoing operations and you should ensure the audit can be planned into your work programme. Depending on what the audit clause in your software licence says, there may be quite a lot of room for manoeuvre.
One thing to underline – perhaps it goes without saying – you must not start deleting information which might ultimately be needed as evidence should a dispute develop. Even if you have an ongoing programme of data destruction after a set number of years, you should seek legal advice before deleting any data which may be relevant to the audit once the request has been received.
Conduct of the software audit
What does the contract say? It is important to check what the software licence actually says and what (if any) audit rights exist. It would not be unusual to discover that the documentation is incomplete. Such documentation is often updated and amended over a period of years with important commercial terms absent or signatures missing. Do not take the auditor’s interpretation of what they are entitled to do.
In preparing for the audit you should assume under-licensing, especially if your company has not been audited recently. A 2018 Flexera report found that 75% of companies are out of compliance with their software licenses. 20% of them ended up paying $1M or more in regularising the license position.
It is worth ensuring that your account manager is aware of what is going on, but it can be the case that they are forced to take a back-seat in the relationship if a significant use audit is happening. If the software being audited is firmly embedded into your business then there can be no meaningful threat to terminate your wider relationship as a result of a heavy-handed audit being carried out.
At all times you should seek to control the flow of information so that you can be able to predict exposures. This can be helped by ensuring you ask all the necessary questions in order for you to clearly understand the reasons behind all data requests. We always advise that only data that is required under the contractual obligations should be given. To avoid “mission creep”, it is important to ensure that the audit does not go beyond the letter of the strict rights afforded in the audit clause.
Some key considerations to cover off before the audit commences are:
- ensure appropriate non-disclosure and data sharing agreements are in place;
- consider the GDPR implications of granting access to third party auditors;
- clarify the lines of communication between your business and the audit team;
- address and seek to agree interpretation of licence terms that are relevant;
- agree internal resources to be allocated to support the audit; and
- agree the remit of the audit considering: which systems or platforms, level of access, duration, companies and physical locations.
In preparing for this, it is important that you are aware of the risk of adverse evidence generation. You do not want your IT team to start sending emails that may contain discussions you do not wish to be used as evidence. If you engage with your lawyers then investigation into this issue should be protected by privilege. If there was a subsequent litigation then written records made in preparation of the audit should not be disclosable.
There is another justification for not disclosing documents, which is if they are prepared in contemplation of litigation, but I doubt that work in responding to an audit request would fall within that category. You certainly do not want to have to rely on that.
Dealing with the software audit report
Although the investigation and reporting stages may take months, auditors often request a short deadline for you to agree and approve their findings. It benefits them to place you under pressure, but you should take all the necessary time to consider the report and satisfy yourself that everything is in order.
You should always be prepared to challenge assumptions made in the audit and consider contractual, technical, commercial and legal arguments when responding. Understanding the supplier’s objectives can be invaluable. Any settlement of increased licensing should be tied into future commercial deals and additional training and support packages.
If your business has been found to be operating significantly out of licence cover you should ensure that any settlement includes confidentiality provisions. You really do not want to be “named and shamed” in the next license enforcement campaign.
If you expert require assistance dealing with any aspect of software audits please do not hesitate to get in touch.
10th December 2020
So how can rights holders police the use of their content online?
13th November 2020
Intellectual property rights vs corporate social responsibility.
2nd September 2020
What are some of the common misconceptions surrounding the defences to copyright infringement?