Software Audits: Four Critical Tips to Reduce Software-Compliance Risk

October 2016

If your organization has not received an audit request from a software vendor, it is only a matter of time until it does. These audits, which are used by vendors to discover use of software beyond that which is contemplated by the license, typically begin with requests for data, access to your systems, or some form of verification of the extent of the organization's use of the software. Oftentimes, these requests are directed to a busy, mid-level IT employee who is told by the vendor that broad disclosures are required by the contract. If the response to the audit request is not managed correctly, software vendors can leverage complex licensing terms, well-intentioned changes to IT architecture, and off-the-cuff statements by busy IT professionals regarding the extent of software use into significant payments that are often much larger than they should be. Such unplanned, sizable payments can cause serious disruption to an organization and the budgeting process.

Fortunately, there are straightforward process changes that you can implement to reduce the risk of sizable unplanned payments to software vendors resulting from an audit.

First, if you receive an audit notice from a vendor, do not respond quickly. Take your time to carefully review the underlying contracts, consider the vendors potential competing motives, and then formulate a strategic plan for handling the overall audit process. The first important step of that approach is to carefully review all the contracts in place with the vendor. Oftentimes these are lengthy, complex and full of technical jargon and potential traps for the unwary. You may want your legal or compliance departments to handle this foundational aspect of the strategic planning for the audit.

Second, gather and review your licenses and contracts now, before the audit notice is received. To determine compliance, an organization must be able to count licenses and software deployments. However, the organization must first know what to count and how usage is measured, which requires a thorough understanding of the applicable license language.

Third, be aware of potential sources of unexpected exposure that are typically the result of well-intentioned changes to the IT architecture. Modern software deployment techniques, such as providing remote access to desktop applications via Citrix servers, allowing remote access via employees' own smart devices, and indirect access through portals and other technologies, can all drive up the number of licenses the software company may claim are required. Sit down with your attorney and carefully explain your deployment strategy so that you will understand how it will affect the number of licenses needed.

Fourth, beware of "consultants" and "free services" offered by vendors. Sometimes the audit is disguised as a free, value-added service to help an organization manage the environment with best practices. Do not be fooled. These engagements are often an audit by another name and the vendor's goal is to obtain payment from the organization based on the work of the vendor's consultant.

These steps are only a start, as managing software audits can be a lengthy process and is just one component of the software asset management lifecycle. With skilled negotiation of the license terms, proper end-of-life software retirement practices, and a robust set of asset management policies and procedures, the risk of substantial payment for non-compliance with software licenses can be significantly reduced. Your organization's attorney is a key component of this process, as all of these activities hinge upon a thorough understanding of the terms of the governing software licenses.

The attorneys at Lewis Rice have vast experience in navigating audits and all stages of the software asset management lifecycle. If you require assistance with negotiating or understanding IT contracts, assessing compliance, or responding to an audit notice, please call one of our information technology attorneys.

Finally, please save the date of Wednesday, November 9, 2016, for a panel discussion on navigating software audits at the Hilton Frontenac at 3:00 p.m. This discussion is the first of a series on managing the software asset management life cycle. Guests will have the opportunity to ask questions of our panelists, and a cocktail reception to follow. CLE credit is available. Click here to register for the event.