License audits: Preparing now can ease the pain
Oracle licensing consultant Eliot Arlo Colon still remembers the enormous global publishing company that was "so darn confident" it would breeze through an upcoming software license audit unscathed.
But once the company actually dusted off its E-Business Suite contract, it got an ugly surprise.
Contrary to long-standing internal belief, the publisher's custom licensing agreement only authorized North American use of the ERP (enterprise resource planning) package, not worldwide, according to Colon, president of Miro Consulting in Woodbridge, New Jersey. The company was on the hook for "tens of millions of dollars" in licensing fees, although the issue was ultimately settled for less than that amount, Colon said.
There's little hard evidence that vendors are conducting more audits than usual in recent months, observers and industry analysts say. But even so, given that the last thing a cash-strapped IT shop wants these days is a hefty, unexpected bill for license noncompliance, now might be a good time to prepare for one in hopes of minimizing the damage.
"Proactive is better than reactive when it comes to software audits," said Robert J. Scott, a Dallas attorney who specializes in software audits. Companies should strive to be in "an audit-ready mode," he added.
"You need a systematic process for evaluating what's on your computers and what you've purchased," performed on a quarterly basis if possible, Scott said. Also, "you've got to do so with an analytical rigor sufficient to certify the results as true and accurate in a legal context. If you can't get to that point, you've got a big problem."
Of course, sometimes audits can have good results, turning up the fact that a company is over-licensed, giving an opportunity to get rid of shelfware or transfer licenses to more useful applications.
While he gets "a steady stream of requests" for help from clients who have been found to be noncompliant, over-licensing is a "much bigger" problem than under-licensing these days, said Forrester Research analyst Duncan Jones.
There are many ways to get at the truth, some more expensive than others. Vendors such as Acresso sell SAM (software asset management) applications for monitoring compliance, and outfits like Miro Consulting can conduct "friendly" audits and compliance reviews.
But in many cases, customers should start with basic housekeeping, taking steps like storing all their software contracts in a single place, said Ray Wang, a partner with the analyst firm Altimeter Group. "Most companies have them in file cabinets that span multiple locations."
Another crucial preemptive step customers can take is to limit their use of virtualization until they fully understand the licensing implications, according to Jones.
"I still see a steady stream of enterprises, who I thought would have known better, finding that they have compliance problems because they didn't check out what was going on and read the agreement to see how it would handle [virtualization]," he said.
Vendors have long licensed software based on hardware metrics like servers or processors, and license agreements tend to assume the application will be permanently assigned to a specific physical asset, Jones wrote in a report released earlier this year.
But applications running inside virtual machines "usually cannot be permanently associated with the resources supporting them," he wrote. While license agreements often let customers transfer licenses to different machines, they don't typically allow "the continual, frequent reassignment that a customer wants to perform to make full use of virtualization."
Customers should consider moves such as switching to a "named user" licensing model or an unlimited usage agreement, according to Jones' report.
Whatever precautions customers take, they are in preparation for the inevitable, according to Colon.
Miro Consulting tells its clients "to assume they're going to be audited in a formal or informal way in the next one to three years by Oracle," he said. "It's just a fact."
Oracle and other vendors did not respond to requests for comment on their auditing practices.
But many audits emanate from vendor-backed groups like the Business Software Alliance (BSA), which offers whistleblowers up to US$1 million for valid reports of software copyright violations.
The majority of BSA's tips -- about 2,500 each year -- come from current or former employees at companies where alleged wrongdoing occurs, according to its Web site, which keeps a running tally of the settlements paid by offenders.
Only about half of the whistleblowers ask for a reward, according to the BSA. "People want to do the right thing. When they see this happening, especially on a larger scale, people think it's wrong," said Jodie Kelley, general counsel and vice president of anti-piracy.
In most cases, the BSA asks companies to conduct self-audits of their software assets, and attempts to reach a settlement if any noncompliance is found. While the BSA may file suit if a deal can't be reached, it would prefer not to take that step, Kelley said."Litigation is expensive on both sides."
If a company receives a letter requesting a self-audit from the BSA, the document and its contents should be closely held, according to Scott.
"You never know who is cooperating with the BSA, or who internally may have a relationship with the disgruntled employee," he said.
If customers decide they want to resolve the matter out of court, they should get it in writing that any documents they produce are for settlement purposes only, preventing the vendor from using them in the course of a lawsuit, Scott said.
There is little to be gained from willingly providing more information than the auditors are demanding in an effort to be conciliatory, according to Scott.
"Clients who take the position, 'We're going to show them everything. We'll be fair, they'll be fair to us?' Once they deliver the materials ... they report a Jekyll and Hyde kind of experience [from the vendor]," he said.
The best defense against an official audit may be to conduct one proactively before any letter arrives.
If a self-audit turns up major problems, companies can alert their usual sales contact at the vendor, who could set things right at the most reasonable cost, according to Forrester's Jones.
One thing that never makes sense is an attempt to hide noncompliance issues.
For one thing, such actions are "morally wrong," Jones said. Secondly, if a company is caught in the act of such concealment, "other vendors are going to descend upon you," he added.