"I still see a steady stream of enterprises, who I thought would have known better, finding that they have compliance problems because they didn't check out what was going on and read the agreement to see how it would handle [virtualization]," he said.
Vendors have long licensed software based on hardware metrics like servers or processors, and license agreements tend to assume the application will be permanently assigned to a specific physical asset, Jones wrote in a report released earlier this year.
But applications running inside virtual machines "usually cannot be permanently associated with the resources supporting them," he wrote. While license agreements often let customers transfer licenses to different machines, they don't typically allow "the continual, frequent reassignment that a customer wants to perform to make full use of virtualization."
Customers should consider moves such as switching to a "named user" licensing model or an unlimited usage agreement, according to Jones' report.
Whatever precautions customers take, they are in preparation for the inevitable, according to Colon.
Miro Consulting tells its clients "to assume they're going to be audited in a formal or informal way in the next one to three years by Oracle," he said. "It's just a fact."
Oracle and other vendors did not respond to requests for comment on their auditing practices.
But many audits emanate from vendor-backed groups like the Business Software Alliance (BSA), which offers whistleblowers up to US$1 million for valid reports of software copyright violations.
The majority of BSA's tips -- about 2,500 each year -- come from current or former employees at companies where alleged wrongdoing occurs, according to its Web site, which keeps a running tally of the settlements paid by offenders.
Only about half of the whistleblowers ask for a reward, according to the BSA. "People want to do the right thing. When they see this happening, especially on a larger scale, people think it's wrong," said Jodie Kelley, general counsel and vice president of anti-piracy.
In most cases, the BSA asks companies to conduct self-audits of their software assets, and attempts to reach a settlement if any noncompliance is found. While the BSA may file suit if a deal can't be reached, it would prefer not to take that step, Kelley said. "Litigation is expensive on both sides."
If a company receives a letter requesting a self-audit from the BSA, the document and its contents should be closely held, according to Scott.
"You never know who is cooperating with the BSA, or who internally may have a relationship with the disgruntled employee," he said.