If your company licenses computer software—as almost all companies do—the software vendor or licensor likely has the contractual right to audit your use of the licensed software. These audits, if they are not handled correctly, can cause serious disruption to your organization.
Nearly all software used by businesses today is licensed through a contractual arrangement. For example, a company might buy a license from Microsoft, Oracle, or any other software vendor to use its products and applications. These license agreements usually provide the software vendors the right to audit your company’s use of the software to ensure your company is using the license consistently with the license terms. For example, your license agreement might only allow you to install the software on 400 devices; if a vendor discovers during an audit that the software is installed on 500 devices, it will demand payment for the additional 100 devices.
Software audits are becoming increasingly common, and it is important for companies to have procedures in place to protect themselves from aggressive vendors. A recent study conducted by technology services firm Technologent, Inc. revealed that 65 percent of organizations were subject to a software license audit in 2016 alone, and 23 percent of organizations were audited at least three times during 2016. By contrast, just a few years earlier, only 53 percent of organizations were subject to an audit during 2012 and 2013, according to a report by Cherwell Software, LLC. Vendors ramped up these compliance checks because 75 percent of software vendors believe their software is being overused in violation of the licensing agreements (Technologent, Inc.).
Ensuring compliance with license agreements and responding to audit requests
Software license agreements are enforceable contracts. It is important to establish policies and procedures to ensure compliance with the agreements. In our experience, it is rare that a company intentionally violates its license agreements. Rather, complex licensing terms, growing organizations, changing service delivery models, and the difficulty of counting deployments often lead to unintentional overutilization. Unfortunately, unintentional violations still result in significant exposure. For example, in addition to contractual liability, the Copyright Act provides for statutory damages of up to $30,000 ($150,000 if willful) per infringement, as well as the recovery of attorneys’ fees. Moreover, a software vendor could seek injunctive relief ordering you to remove the company’s software from your systems in short order, which could cause significant operational disruption. Whether or not you are audited, compliance with software licenses is important and in the best interest of your organization.
However, software audits, designed to gather information about software usage within an organization, are often the mechanism that brings these issues to a company’s attention. A software audit sometimes begins with seemingly innocent requests from the software vendor for data, access to your company’s systems, or verification of the extent of your organization’s use of the software. Often, the requests are directed to an IT employee who is told that broad disclosures are required under the licensing agreement. These requests are sometimes characterized as free “asset management” services packaged with the license. Sometimes the vendor offers to compile a license usage report for the company if it turns over its software usage data. Other times, the vendor will try to intimidate the licensee into compliance by using threatening language.
Non-compliance affecting the bottom line
If the response to the audit request is not handled properly, vendors can leverage complex license terms and software usage reports into large payment demands that are often significantly inflated. In 2016, almost half—44 percent—of organizations paid $100,000 or more to software vendors because of non-compliance discovered through an audit, and 20 percent of organizations paid $1 million or more because of an audit (Technologent, Inc.). These unexpected and unbudgeted expenses can have major financial implications for an organization. Additionally, non-compliance with software licenses can result in allegations of piracy and copyright violations, which if proven can result in steep statutory penalties.
It is important for organizations to anticipate audits and handle them carefully by seeking experienced, expert counsel. Our Information Technology Practice Group at Lewis Rice LLC helped a client navigate an audit in which the vendor demanded $5 million from our client for its alleged noncompliance with the license agreement. Our team challenged the methodology that the software vendor used to quantify the alleged excessive usage. Investigation revealed that the software company used the wrong licensing documentation and applied the wrong criteria to measure usage, resulting in a vastly overinflated demand for payment. Ultimately, diligent investigation and analysis concluded with the client paying only 7 percent of the $5 million sought by the vendor, greatly reducing our client’s financial exposure.
Even small businesses are not immune, as many large software vendors have outsourced audits to third parties, who conduct aggressive audits. In one instance, a client was threatened with a $2.1 million copyright infringement lawsuit arising out of a handful of off-the-shelf software installations. Our team determined that the auditor vastly inflated the extent of non-compliance by ignoring applicable suite licenses, downgrade rights, and evaluation licenses. The client ultimately paid less than 0.2 percent of the threatened amount.
Preventative measures for reducing your organization’s exposure
You can reduce exposure from the outset by implementing several straightforward processes that standardize the response to any audit notice or request for usage information by a vendor.
First, before an audit notice is even received, you should proactively gather and review your license agreements. To determine if your organization is in compliance, you must be able to count licenses and software deployments; this is more difficult than it may seem. The organization must know what to count and how usage is measured under the applicable licensing metrics. Software licenses are complex, often lengthy, and highly technical contracts laden with traps not apparent to the untrained reader. Legal or compliance personnel should review these agreements and work with IT and asset management staff to assess compliance.
Second, when you receive an audit notice from a vendor, do not rush to respond. Vendors may create a false sense of urgency by quoting contract language and repeatedly following up with IT staff under threat of short-term deadlines. It is imperative for your company to take the time to review the license agreements, consider the vendor’s motive, and develop a strategic plan to handle the audit.
Third, do not be fooled by “free services” or “consultations” offered by software vendors. Often, an audit is cleverly disguised as a vendor’s “value add” to help your organization efficiently manage and maximize the value of its licenses. These engagements are audits in disguise: the vendor is seeking access to your records to discover inadvertent overutilization so that it can demand payment from the organization based on that evidence.
Fourth, be aware that changes to your organization’s IT architecture and service delivery model can increase license usage, resulting in non-compliance. Technological advances and deployment techniques such as remote access to desktop applications, remote access via employees’ own smart devices, and indirect access through portals and other technologies can increase the number of licenses used without your organization even realizing it. Include your legal or compliance department in the early planning stages to ensure that your organization is properly licensed for the new model.
These preventive strategies are just one component of managing a software audit, but the best medicine is prevention. You can significantly reduce the risk of payment for non-compliance by skillfully negotiating the appropriate scope of license terms at the outset, implementing proper end-of-life software retirement practices, and enforcing software asset management policies and procedures throughout your organization. All of these preventive measures hinge upon a thorough understanding of the terms of the governing software license agreements, and your organization’s attorney is key to this process.
Because of the increasing digital transformation of businesses, software vendors have increased their audits of software use. Having strategies in place for handling—and aggressively countering—software audits is vitally important for businesses today.