Top 10 Software Audit-Crazy Suppliers
Author: Steven Zolman
There is a perfect storm of sorts brewing for Independent Software Vendors (ISVs) resulting from (i) increasing demands for new license revenue, (ii) aggressive competition from disruptive suppliers, and (iii) a significant migration away from software licensing to subscription cloud-based solutions. As a result, ISVs are scouring the market for revenue injections wherever they can find them. The mission today for the big market software players is less about innovation and ‘delighting the customer’, and more about protecting the revenue streams of their business, and nothing is more important to them than the golden goose egg of annual maintenance and support income, which is largely derived from the sale of new software licenses. If you’re a software company and want to boost your annual maintenance and support streams and you are not hitting your organic targets for the sale of new licenses, a very effective historic way to squeeze more money out of your existing customers is to unleash a wave of audits, designed to convert the huge risk of a potential organizational liability into additional license income – which in turn – yields more annual maintenance and support service annuity income.
Due to many policies from the ISVs including (i) the bundling of unlicensed software with paid for versions or upgrades, (ii) confusing license grants, (iii) restrictive usage rights, (iv) indecipherably complex governing language (the interpretation of which is changing), (v) the lack of supplier governance on the installation of unlicensed software, and (vi) the increasingly confrontational and often litigious nature of software auditing, ISVs have turned compliancy actions into a huge influx of new license revenues, and in times of decreasing software revenues from organic means, this has proven to be an effective channel for driving substantially more business. As a result, you should expect to see this trend not only continue, but intensify.
To make matters worse (and to be fair), clients have not proven to be very effective with the tools and processes required to quickly determine rightful entitlements, discover usage, measure usage against entitlements, and prevent or remediate over-licensing situations before they become problematic. Furthermore, handshake agreements, and contractual provisions that were once measured with a certain real-world bias, are no longer interpreted as favorably for customers. The trend in the industry has been more aggressive (even predatory) audit behavior, and therefore larger and more outrageous assertions from suppliers in regards to supposed non-compliance via the most liberal (and often wildly incorrect) interpretation of the contract, the license grant, and the usage limitation. To this end, this is a new market reality, and clients need to be prepared.
Below we outline the most “Audit-Crazy” suppliers and their primary methods of interrogating your business. If a lot of your suppliers are on this list it’s not all bad news, as we give you some valuable insights on preparing ahead of time and tactics on how to fight back to change the narrative. For NET(net), just defending yourself is not always good enough; sometimes you have to stop being the nail, and become the hammer.
We would love to hear from you. Please tell us about your own experiences with audits in the comments section below.
So, Who Performs Software Audits the Most?
The Top 10 Most Audit-Crazy Suppliers Are:
Symantec often directs their audit team to take direct aim at identifying potential license / compliancy issues within their customer base and typically charges license shortfalls found at list price regardless of any past volume licensing discounts. While industry groups such as the Business Software Alliance (BSA) often lead these audits on behalf of the ISVs, companies like Symantec want more control over who and when to audit specifically to drive revenue, and consequently lead the effort at conducting audits themselves. In our experiences with Symantec, it isn’t a question of if, but when you’ll face an audit. Any user count intensive software, or backup software (either server or capacity based), is at great risk of getting out of compliance given the high potential for variability over time.
VMWare has built strong licensing controls into their software, so it’s not the most difficult supplier with which to effectively manage software compliance; their standard End User Licensing Agreement (EULA) provides for audits no more than once per year, with a penalty (fee) to apply if a license gap exceeds 5%, or if the customer “materially failed to maintain accurate records of Your use of the Software”. Generally, VMWare does not audit customers frequently; one survey indicated that only five percent of companies experienced an audit from the company within the last two years, but audits have been on the rise as virtualization software faces increasing competition, becomes more commoditized in the industry, and VMware looks to boost slumping sales.
Not the largest of these suppliers, and not the one that you think of first with an auditing demand, however in a clear attempt to ramp up slumping license sales, Attachmate has shown itself to be catching up with the tactics of the others, leveraging cleverly (some would say deceptively) worded contractual provisions and usage grant limitations resulting in increased first reported exposures. If you haven’t done so lately, take a close look at your Attachmate installation (and contract) in comparison with your entitlements and straighten out your license position before Attachmate comes knocking on your door.
McAfee’s audit terms are a bit stricter than most supplies. Although they will not audit more than once per year, they do have the right to require a “system generated report verifying your Software deployment, such request to occur no more than two (2) times per year”. Also, McAfee reserves the right to use “technological features of the Software that prevent unauthorized use and provide Software deployment verification”. Translated, that means that McAfee retains the right to a “kill switch” on its software, and uses embedded technology to audit compliance.
SAP has been increasingly earning a reputation as a brutal auditor for many of the same reasons as the others on this list. Namely, in addition to complex licensing policies, a variety of access privileges with an array of limited use definitions, a confusingly intricate and seemingly subjective definition of “engine metrics”, and over 70 types of standard user access classifications, the compliance of SAP license estates have proven to be hugely difficult to determine and manage. Adding to the problem is the belief that the SAP audit tools are accurate (many times they are not). Resulting from an SAP audit, the ISV has no obligation to provide any discounts on software required to remediate non-compliance, and they can backdate maintenance charges to the initial date of detected installation. This is unquantifiable organizational risk and can create a huge potential liability. With the significant expansion of SAP’s product catalogue over recent years (including new compliancy concerns about ‘indirect access’), and the homogenizing of the contractual agreements of SAP’s acquired entities (almost always resulting in more restrictive interpretations of previous license grants, usage limitations, and provisional contract language), clients find immense complexity in understanding SAP licensing policy, and therefore find it exceedingly difficult to manage their SAP license estate. SAP seemingly sees no need to simplify its licensing rules, or alter its auditing process, because it has successfully been generating incremental revenue due to these issues.
IBM has developed one of the most comprehensive, confusing, and confrontational audit programs in history. Any unlicensed software discovered (whether or not it is currently or has ever been executed) is charged at full list price, including the annual back maintenance associated with previous year’s ‘use’, since the date of detected installation. Part of the problem, however, is that of course the IBM software licenses do not have any governance on the number of installations, and clients can therefore deploy the same license many times bringing them (technically) out of compliance even if their total entitlements do not exceed their deployed counts. To make matters worse, IBM uses a bevy of contractual documents to govern the entitlements and use of its software. These documents can easily create confusion for the customer, as they each carry with them their own set of potentially conflicting terms and conditions. Also, special policies for things such as backup and disaster recovery entitlements and usage grants are often not specifically detailed in any of these documents, and are found on the unilaterally controlled IBM web site, subject to change at any time with or without customer consent. Further, it takes an expert to fully understand the licensing rules regarding sub-capacity deployments involving logical partitions, measured usage, and workloads. As a result, not only are these aggravating circumstances, it also significantly increases the risk clients must face when trying to manage their IBM license estate.
Maybe only the fourth most frequent auditing supplier on this list, but certainly one of the nastiest. It’s clear from a recent article that Oracle continues its tough tactics to wring more revenue out of its customers, but the advent of cloud has raised the stakes and the pressure. Client audit experience tales range from burned bridges to scorched earth to name calling to litigation to fisticuffs. If you are a NET(net) Client, remember to claim your copy of our whitepaper (“Top 10 Ways to Defend Yourself from an Oracle Audit”) – a $2,000 value at absolutely no cost to you. Why? Because we’re on your side. You’re welcome.
Autodesk is widely used by designers, architects, and engineers among others in the automotive, manufacturing, and other industries. The terms associated with its use are perhaps some of the most restrictive and punitive in the industry and can quite easily result in civil litigation if the process isn’t well managed. Common areas with the highest risk include over deployment of software usually caused by invalid serial numbers, which are required to be disclosed upon an audit demand from Autodesk, its law firm, or the BSA or SIIA. Unlike some of the other suppliers on this list, Autodesk is quick to threaten civil litigation based on copyright infringement if customers do not cooperate. Audit findings result in demand letters (in lieu of formal charges and litigation) for treble damages (settlements are calculated at list prices times three). Like many of the other suppliers on this list, Autodesk’s EULA is difficult to understand and has a number of restrictive provisions. One such provision is the non-transferrable license, meaning that if a company is acquired or divested, the Autodesk licenses are unauthorized without Autodesk’s express, written consent. Autodesk (i) has some of the most powerful enforcement rights of any supplier on this list, (ii) uses the BSA and others more freely than most, (iii) approaches audit actions from a position of copyright infringement and civil (and sometimes even criminal) litigation, (iv) uses the treble damages clause to significantly inflate their opening positions in settlement demands, (v) diligently pursues customers they suspect to be violating their agreement, and (vi) is commonly found to be more litigious than most of the other suppliers on this list. As a result, any client facing an Autodesk audit should take it very seriously, and should consult with experienced professionals before proceeding.
Adobe is well known as one of the most frequent auditors in the software business. Adobe is also a bit unusual in its approach to auditing, in that they do not outsource to third parties such as the Business Software Alliance (BSA), instead performing their own audits. Their reputation as an auditor is generally pretty good, with clients reporting that the Adobe team was willing to work with the organization to help ensure compliance and proper product use; as distinct from simply being on cash grabbing mission. However, Adobe products are very diverse and complex, and have undergone many changes to names, editions, bundles / suites, and licensing models, so most large organizations will have a confusing mess of different terms and products to sort out (not to mention the “free” products such as Adobe Reader, which have very specific usage rights that many organizations unknowingly violate).
In the past few years Microsoft has established a global initiative around Software Asset Management (“SAM”); ostensibly to support Microsoft customers in setting up and maintaining strong internal controls and processes to stay in compliance with its licensing agreements. Microsoft has stated they intend to “help” volume licensing customers via annual “SAM Engagements”. Translated, this means that every Microsoft volume customer should expect an audit effort from Microsoft, at least annually. It’s important to understand that the volume agreement language specifies that Microsoft can initiate an audit at any time; this directly contradicts most customers’ understanding of the annual “True-Up” feature of most Microsoft Enterprise Agreements (“EAs”). However, the annual SAM engagements sneakily get around any contractual restrictions with clever language that leaves customers believing they are being audited, but in fact the SAM engagement, legally speaking, is a voluntary cooperative effort. Nevertheless, our clients have experienced all the pain and frustration associated with an audit, regardless of what name it goes by. Our advice: run your business with the understanding that you will be audited at least annually. Contact us for support regarding specific methods to establish and maintain compliance while controlling costs and protecting yourself legally.
NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.
If you have one or more of the suppliers listed above, it’s not a matter of if, it’s only a matter of when you will get audited.
Click here to get more information on Audit Defense Armor , and simply complete a form to get a bonus free whitepaper on ‘How to Defend Against an Oracle Audit’. Or complete the form below to have a NET(net) Subject Matter Expert contact you directly: