Audit. A simple enough word, from the Latin audire, "to hear," and in practice meaning to examine and count. Yet few words evoke as much fear. No one asks their love "How do I love thee? Let me audit the ways," nor do we tell our children to "Audit your blessings." Audits are not inherently unreasonable, but their use should be reasonable and relevant. Because of the word's negative connotation, many IT vendors now couch their audit notices in "kinder" terms, characterizing the review as something that benefits the customer. But as Shakespeare observed about renamed flowers, an audit by any other name is still an audit, and still carries risk.
Software audits are on the rise. Because most licensees who are audited end up reporting some under-licensing (and paying the resulting additional license and support fees), the trend will only continue as more IT providers treat audits as a "low-hanging fruit" revenue source. An increasing number of IT solution providers are asking (or simply telling) their customers to submit to an audit, often under a different name, and taking increasingly aggressive approaches. The IT industry and its customers' industries are taking notice, because what is portrayed as a simple review frequently ends with tens or hundreds of thousands of dollars of exposure in license and maintenance fees.
The request to allow an audit will often seem benign, framed as an opportunity for the licensee to assess its current IT usage and develop the most strategic path forward. Everyone in your IT department should be alerted to this possibility and instructed to route any such request, however benign it appears, to the proper channels. The tests are simple. If the discussion involves the vendor (or its representatives) reviewing your systems and users themselves, rather than asking you questions and accepting your answers, it is an audit. If the review will take days or weeks, it is likely an audit. And if the vendor asks for reports, or asks to install any software on your network to discover and extract such information, it is an audit. That last case deserves particular attention from your security team: vendor discovery tooling is third-party software with broad read access to your environment, and it should be subject to the same review, scoping, and logging you would require of any other such software.
Most licensing agreements contain an audit right for the vendor (which was hopefully narrowed to a reasonable scope during negotiation). Such rights should, and hopefully do, also set out the notice and timing requirements for any audit, restrictions on how the review is conducted, and limits on the use of the information derived from it. Unfortunately, in most cases the audit provisions have not been adequately negotiated, and as a result they are overly broad in scope and silent on the operational aspects above. Where the request is framed as voluntary, the vendor will likely assert that the audit provisions do not apply at all, on the theory that they cover only mandatory audits. Regardless of whether the request is voluntary or mandatory, it is imperative to establish the ground rules before any review begins: the scope of the audit, the permitted use of the information, and confidentiality throughout the process. Confidentiality is the key point, because many of these "reviews" give a vendor and/or its representatives fairly full access to your systems and data. That access should be limited to what the agreed scope actually requires, granted for the duration of the review only, and withdrawn when it ends.
To prepare yourself to respond to any type of request for a software review, just remember these 5 letters: A-U-D-I-T. Simply put:
Assess. As a first step, any request should be forwarded to legal counsel or your CIO/CTO for an initial analysis of the impact and benefits of such a review. Sometimes the request will be coupled with, or follow, a yearly true-up certification for licensing purposes. While the true-up is usually required, the follow-up review may not be.
Understand. A key, yet often overlooked, aspect of any review is its scope. Many licensees simply allow the vendor to look and take. To prepare an adequate response, you must fully understand what is being asked for and what you are being asked to do. No software review should be a fishing expedition, but to the extent you allow a vendor unfettered access to your systems, whatever it finds can and likely will be used against you.
Discover (Due Diligence). Once you understand what the vendor is looking for, do your own due diligence to see what it may find, and determine whether the request needs clarification before you can respond accurately. This may be the first time the licensee has truly read the specific license terms as they apply in practice, rather than as part of a pricing discussion, and ambiguities often surface. In many cases they can be resolved by reviewing the notes and communications from the agreement negotiation or by asking those who took part in it. This level of clarity is a must when determining compliance with the license grants.
Identify/Investigate. In this phase, identify any gaps between what is being asked for and what you can provide, and compare actual use against licensed use. Then investigate the reason for each gap, whether it can be justified, and what mitigation is appropriate.
Track. Once you have clarity on the scope of the audit and a realistic picture of your current compliance position, and regardless of whether you ultimately allow a review or audit to proceed, track both your remediation efforts and your ongoing compliance efforts.
By involving the right people on your team, following the AUDIT system summarized above, and treating every software review request from a vendor seriously, companies can improve their chances of a smooth and successful audit and strengthen their ongoing compliance efforts.