What may trigger a software audit?


Every organization that has purchased software licenses will, at some point, go through a software compliance audit. Such an audit may be performed either by the software publisher itself (e.g. Oracle, SAP, IBM) or by a third-party firm (e.g. KPMG, Deloitte, Ernst & Young, PwC) acting at the software publisher's request.

Each signed software license agreement includes some form of audit clause stating that the software publisher may perform a compliance verification, usually once per year. That does not mean an audit will actually happen every year. Still, when the audit letter arrives, many end user organizations wonder: why did we get selected for this audit? Understanding the triggers upfront helps you predict if and when a software audit may be performed at your organization.

The objective of this article is to give you an outside-in view of why end users are typically selected for software audits. If you are going through an audit, or simply want a full understanding of your compliance position, reach out to us and let's talk about your license management.

Purchase date > 3 Years

Many software publishers' licensing models depend on the hardware specifications of a (physical) server; think of "per CPU", "per Processor" or "per Socket" licensing. Many organizations (especially commercial ones) replace their hardware every 3-4 years. Because newer servers tend to have more CPUs, cores and sockets, a change in hardware also changes the end user's license requirements. If an end user has not purchased any licenses for more than 3 years while its hardware has most likely been refreshed in that period, the publisher reads this as a possible risk of non-compliance.

Termination of support maintenance

Many software publishers collect a large part of their revenue from the ongoing renewal of support maintenance agreements. These agreements usually include the right to use the latest versions of the software programs, plus technical support. When an end user terminates a large part of its recurring support maintenance fees, the software publisher may start to doubt whether that termination was done in a complete and accurate manner, i.e. whether support was really dropped only for licenses that are no longer in use.

In addition, especially when the support agreements are terminated in full, the software publisher will want to find a way to bring back this support revenue stream. The easiest way to do so is to perform an audit that validates whether the customer is using versions of the software programs it is no longer entitled to use (for example, versions released after support ended). This is possible because the audit right remains in place even after the support agreements have been terminated.

Changes in the IT infrastructure

Besides changing the hardware infrastructure, many end user organizations make other changes to their IT infrastructure. Think, for example, of introducing virtualization technologies (e.g. VMware, Sun Solaris Zones), setting up new datacenters (e.g. for DR purposes or as a result of natural expansion of the business), or deciding to phase out a specific solution and replace it with a similar solution from another publisher.

Different publishers have different licensing terms you need to comply with if and when specific virtualization technologies are used. Similarly, setting up a new DR solution may or may not require additional licenses. But is it part of your practice to evaluate whether you need to license the software when you install it, or only when you actively use it? And do you check which licensing rules apply for each software publisher? If you move to another software publisher, what is the easiest way for the vendor you are leaving to get some more revenue out of a customer that is already planning to phase it out anyway? Right: an audit is the easiest way to collect this (last) revenue.

Growth in number of employees

All software publishers have access to public information (e.g. your annual report, your corporate website) where they can usually find details on your number of employees. If this number has increased substantially, it usually means that more software is being used within your company. If your organization has not obtained additional licenses for such use, the software publisher will consider starting an audit to determine for itself whether usage has really not grown. Many software publishers also have an "employee based" licensing model, for which the headcount is directly the license metric. If and when your organization publishes its annual report, you can be assured that the publisher's auditors will be reading it too.

Mergers and acquisitions

All license agreements are restricted at all times to a specific legal entity (or to a group of legal entities as defined in the Customer Definition). In case of a merger or acquisition, your legal entity structure changes. As a result of this change, you need to assess whether your software providers allow that change as well.

Many publishers only allow the software to be used by a specific set of legal entities; therefore, a merger or acquisition will typically require a new (commercial) agreement. This is apart from the fact that a merger or acquisition usually results in an increased number of employees and/or an increased number of servers on which the software programs are deployed. Software publishers therefore tend to wait 6 months to 1 year after a merger or acquisition before starting an audit, especially if no new (commercial) agreement has been put in place. By then the acquired or merged company has usually been integrated from an IT perspective, which is when the risk of non-compliance is at its highest.

Agreement expiration

A number of your software agreements will be perpetual, but many agreements have a limited life-span (e.g. a Microsoft Enterprise Agreement or an Oracle Unlimited License Agreement). As the expiration date of such an agreement approaches, the end user organization is expected to start discussions with the software publisher to renew it. But in order to sign a new agreement, it is in the interest of the software publisher to have a clear view of your actual deployment position. If a compliance issue turns up in this "baseline", the software vendor starts the negotiations from the strongest possible position.

Failing your obligations

Let's say you license Microsoft software through an Enterprise Agreement. You should then know that you are subject to an annual True Up, meaning you must report to Microsoft any additional licenses you need. Not complying with this obligation, i.e. reporting nothing at all, is more likely to trigger an audit. A zero True Up form can raise questions as well about your inventory and headcount. If your responses do not match your licensing claim, you can expect a software audit to follow.

Support tickets for unlicensed programs

Many software publishers offer the possibility to log a support ticket for technical issues. End user organizations often forget that this information is used internally by the software publisher to check whether everything is in line with what they know about your licensing situation. It is not uncommon for your technical staff (or outsourcer) to raise a support ticket for a product, which is then validated against your available licenses. If and when a technical support ticket is raised for an unlicensed product, you will definitely get questions from the publisher, which may in the end result in an audit.

Trainings for unlicensed programs

Many software publishers offer specific technical trainings on the installation and/or use of the software programs for which they sell licenses and/or subscriptions. These trainings may be given by the software publishers themselves or by their partners. If an end user signs up for training on specific programs, this is usually an indication that there is interest within the organization in starting to use that software. If the commercial representatives are not able to sell these programs, but the publisher has the feeling that the end user is using the software anyway, an official software audit will be the next step.

Private equity firm takes over the software publisher

Many software publishers have been acquired by private equity firms; think, for example, of publishers like Quest Software and Tibco. A private equity firm usually wants a return on its investment within the shortest possible timeframe. Combine this with the fact that the acquisition of a software publisher typically leaves the new owner without a clear view of the actual contractual agreements and deployment positions at its end user organizations, and you have all the ingredients of why you are selected for an audit.

Do you want to assess your situation?

Having a good understanding of why you may be selected for an audit helps you determine what challenges you may be facing in the (near) future. Performing internal software compliance reviews for your most important software publishers helps you identify and remediate any risks before the actual audit takes place. Should you require any support in performing such an internal audit, don't hesitate to reach out to us.