Know Your Software Audit Rights

Author: Steven Zolman

NET(net) posed the question on Twitter one day: “How does the Software & Information Industry Association (SIIA) have the authority to audit software license use?”  In thousands of license transactions, we’ve never given them that right.  Learn your software audit rights in this blog.

We were looking for some insight that we might have missed. In the world of contracts, your license grant will actually call out specific provisions regarding who has the ability to audit your license usage (if any ability is so granted). In the world of contract law, the term “standing” is used to show who actually is allowed to raise a particular issue (via the courts, etc.). Therefore, the SPA/BSA/SIIA (SIIA is their current incarnation), or any other third-party “enforcer”, doesn’t necessarily have the legal right to ever come in and audit the usage of your software license unless there’s specific language in the license agreement that allows for such audits, which is rare.

Even general audit language is probably safe enough to prevent the SIIA from knocking on your door one day. Typical audit provisions include:

• explanation of who can come to audit (it usually says that the supplier has the right to audit)
• time-frame of any audits (NET(net) is typically very clear to limit audits to no more than 1 time per calendar year)
• notice for audits (even bad audit language usually says that the supplier has to provide notice to the licensee (generally 30 days) of their intent to conduct an audit)
• who besides the supplier can come audit (if 3rd parties are allowed, we usually limit the third party to a “big-four” accounting firm and have NEVER been challenged on this limit)

The result is that even with not-so-favorable audit language, we simply don’t see how the SIIA has any right to come into your organization and perform an audit, let alone try to sue a licensee for license violations (again, any license that has “no third-party beneficiary” language in it could be used to very clearly show that the SIIA doesn’t have any rights with respect to the license).

Additionally, it’s been suggested that there are two other routes to allow such an audit: the “source” (the licensee’s employee who reports a violation) and the potential for an assignment of audit rights. As it relates to the source person, unless they’re also the person in the company who can authorize someone to come in and conduct an audit that will likely consume a significant amount of internal time, that individual likely doesn’t have the proper standing to commit an organization to such an endeavor – so we find this very unlikely. In fact, Clarence Villanueva over on the Forrester Licensing Blog just discussed IBM’s audit tactics in detail, which include berating the customer until they consent.

As it relates to the assignment of audit rights, the potential does exist, and contracts that have poor assignment language could potentially allow the supplier to assign their rights to someone else (and, in fact, it appears that the SIIA attempts to use an assignment of rights in this manner). So it’s conceivable, but we’ve never seen the language used in that way, and we always construct agreements that make this impossible.

At the end of the day, the lessons are these:

1. Have strong audit language which clearly states whether or not an audit is allowed, who can perform the audit, what notice and other provisions are required, on what time basis they can audit, and what the results would mean

2. Have clear assignment language which prevents EITHER party from assigning the agreement without the other party’s prior written consent (not to be unreasonably withheld, if you so choose)

OK – so you’ve done the prior two things and the SIIA comes knocking (physically or with a letter requesting/demanding an audit). What do you do? Simple. Deny them access – in writing. They’ll threaten, similar to the Big Bad Wolf, to huff and puff and to blow your house down. But if you’ve got things properly documented, the SIIA simply doesn’t have the legal right to audit. It doesn’t matter whether the supplier they’re supposedly auditing for is a SIIA member. These are just clubs. They take (membership) money from the supplier community and use that to fund their auditing services. Once you realize that it’s a club, and that if you’re not a member you don’t have to obey its membership rules, it takes on a whole new meaning. It doesn’t matter if they claim to have permission.

Now, regardless of everything we’ve just told you, we also firmly believe that you should always be 100% compliant with your contractual obligations.  So use some form of license management tool to know that you’re only using what you’re licensed to use.

NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.

NET(net) helps clients in nearly every industry and every geography grapple with these issues every day.  If you are currently being audited, are worried about being audited, have concerns about your license agreements and/or your potential exposure to compliancy actions, contact us today at, email us at, or visit us online at
