In our dynamic world, it is common for companies to deploy new software solutions and enhance or upgrade their hosting equipment. In the rush to solve a problem or improve efficiencies in the environment, companies often expose themselves to risks based on how the software is deployed and governed. This in turn leads to compliance issues and makes the company vulnerable to software audits. In this newsletter, we will discuss what steps you can take to prevent exposure and what you can do to respond effectively if an audit materializes.
Prevention
The easiest way to avoid problems with a software audit is to create the right framework from the beginning. This is a combination of understanding the licensing structure as well as your rights when you are audited. Here are some key steps for you to consider:
- Obtain a full understanding of the licensing model and the measured metrics for compliance. This is where contract language can get you in trouble. Pay attention to the detailed definitions. We have found that subtle language like the definition of a CPU or Core, for example, can have a huge impact on your rights as you put your software to use.
- Review the EULA (End User License Agreement) in detail and understand each term thoroughly. Do this early in the evaluation and purchasing processes so you still have leverage to change important terms. Pay particular attention to the license type (e.g. user vs. concurrent user, machine vs. CPU), key definitions, geographic limitations, audit obligations, and expansion rights. This is your time to mitigate risk and flag areas that need attention. By the time you are audited, it is too late.
- Get the software provider involved in sizing your solution, but beware of their desire to sell you beyond what you need (i.e. shelf-ware). Share your deployment plans, locations, hardware specs, use cases, etc. with the software provider upfront to get their input on the entitlements that you need. Get sizing feedback in writing; this will come to your rescue when/if you get audited. We recently helped a client out of hefty fees during an audit by discovering and using an email as proof that our client’s global usage was known to the software provider at the time of sizing the solution.
- Understand the licensing impact before initiating a change in your environment. Some EULAs are specific down to the level of serial number of the machine the license is installed on. It may be helpful to have the EULA reviewed by a specialist before your purchase; this can help you by negotiating more flexibility into the EULA and eliminating risks down the road.
- Establish processes for keeping track of your usage on an ongoing basis. Untracked usage is perhaps the biggest culprit in runaway costs associated with software. In most environments, policies and procedures are either not present or not followed. You will need a governance process that controls, monitors, and adjusts usage based on your evolving business requirements.
Response
How you manage the initial interactions with a supplier and the information you share early in the process makes a significant difference in the outcome of an audit. Here is what we recommend if you get an audit request:
- Gather information and consult the contract thoroughly to understand what rights you have. You do not want to assume that the software provider’s assertions are necessarily correct as they often overlook the specific points that you may have negotiated at the time of purchase. Look at key definitions carefully and make sure you understand how they map into your environment and usage model.
- Assemble a team to ensure due diligence. Responding to an audit is not a one-person project, although only one individual should become the focal point for discussions with the software provider. Your team must be composed of people who understand the current usage model, can identify alternate solutions for mitigating exposure, and can ensure the accuracy of the information that you collect and report.
- Don’t be intimidated. Software providers are skilled at using various techniques to apply pressure such as imposing strict, unrealistic deadlines, asking to true-up at list price, imposing penalties, and pushing for multi-year back pay on support. These are all points that can be negotiated by a seasoned audit specialist.
- Never negotiate a deal based on the raw reports. In all of our audit-related engagements with clients, we have noticed that the automatic reports contain mistakes (duplicates, decommissioned equipment, users who have left the company, etc.). You need to review and scrub these reports to ensure they accurately represent your actual usage.
An audit can be very disruptive. Not only is it time consuming, but making a huge payment to settle a compliance issue can upset budgets, bring unwanted attention, and strain the relationship with your software provider.
Symphony Consulting is skilled at helping companies prevent costly audits and responding to them when they occur. If we can be of assistance, please contact us at info@symphonyconsult.com.