Many software publishers have discovered that auditing their customers can result in increased revenue. Publishers initiated hundreds of audits in 2013, and many unsuspecting audit targets learned that audit resolutions can be extremely costly. In many cases, the auditors approach the technology team and get responses quickly, before the team involves legal counsel or other resources. To avoid overpaying as a result of an audit, companies need to establish an audit response plan and communicate it to all of the employees that may receive the audit notice. Failing to have an audit protocol in place in advance of an audit can result in unanticipated five- or six-figure settlements.
I. Software Audits are Increasing
Software publishers interested in generating additional revenue often develop comprehensive software audit programs designed to review their customers’ compliance with software licenses. http://www.ey.com/Publication/vwLUAssets/ Software_asset_management_survey/$FILE/IT%20 COMPLIANCE%20WITHOUT%20TEARS.pdf. The software publishers’ justification for initiating an audit is generally an audit provision in the main or supplemental license agreement. What many companies do not realize is that it is possible to negotiate the terms of the audit provision at the time of the license purchase. But, it is extremely difficult to negotiate new terms after a company receives an audit notice.
Software audits are usually conducted by the publisher itself, third-party audit firms, or in limited instances, the publisher allows the audit target to conduct its own audit. Technology professionals that receive audit notices frequently provide the publisher or auditors with information without realizing the legal or financial implications of their response.
II. Responding to Audits Can be Costly
Publishers regularly contact their customers, and many professionals that receive the first contact from the publisher or auditor about a software audit do not realize that an audit request is fundamentally different from other types of information requests. Often, the technology professionals treat the audit request like a routine or minor inquiry. If there is a long-standing relationship between the publisher and its customer, the professional that receives the audit request may believe that the company will be treated like a trusted partner.
This is not the case. In software audits, the auditors are not impartial—they work for the publishers. The auditors will interpret all data in the light most favorable to the publisher. The auditors often seek information to which they are not entitled, use pre-audit agreements to expand the scope of the audit, and employ questionable tactics like extrapolation. Before conducting their own investigations and often before notifying anyone else in the organization, professionals that receive audit notices respond with raw data. In many cases, after the technology team receives a demand from the publisher for payment of tens of millions of dollars in licensing fees, penalties, and interest, then executives learn about the matter for the first time.
To help reduce the risks of an unexpected software audit expense, companies need to ensure that everyone is prepared for the audit before a publisher gives notice. Having an Audit Response Plan can go a long way toward preparing for an audit. The plan should outline the process everyone should follow upon commencement of an audit and identify an executive audit sponsor, preferably in the legal department. The audit sponsor should require the team to work together to conduct an internal investigation assessing the potential exposure before the auditors collect any data.
III. Audits Need to Be Escalated within an Organization Immediately
The first step that recipients of audit notices need to take is to consult the Audit Response Plan and notify the executive sponsor. The executive sponsor should work with the legal team or outside counsel to address a number of pre-audit issues, including the scope of the audit, the timing, concerns about data collection, and remedies at the conclusion of the audit. In some instances, the auditors will allow the target to prepare a self-audit report, which can save a great deal of time.
Before any material is presented to the auditors or publishers, the executive sponsor will want to ensure that the auditor or the publisher has the appropriate confidentiality agreement in place to protect any of the company’s information that may be disclosed as part of the audit. Publishers often object to the inclusion of audit-specific confidentiality terms, particularly when there is a non-disclosure or confidentiality provision in the license documents. However, depending on the audited company’s business (e.g., health care or financial services), such an agreement may be required before an audit can commence.
Once the appropriate agreements are in place, and the materials have been provided to the auditors, it is critical that the company review the audit for accuracy. Ideally, all objections should be made before auditors transfer the final license review information to the publisher. After the publisher receives the completed data, it is difficult to present objections.
Finally, the company may want to review the potential exposure related to the audit early in the matter to identify an appropriate reserve to resolve the audit. Failure to involve legal and financial executives early in the audit to conduct an internal investigation and evaluate potential exposure can result in an unpleasant surprise if a software publisher makes a large financial demand.
