Top 10 Software Audit-Crazy Suppliers

Author: Steven Zolman

There is a perfect storm of sorts brewing for Independent Software Vendors (ISVs) resulting from (i) increasing demands for new license revenue, (ii) aggressive competition from disruptive suppliers, and (iii) a significant migration away from software licensing to subscription cloud-based solutions. As a result, ISVs are scouring the market for revenue injections wherever they can find them. The mission today for the big market software players is less about innovation and ‘delighting the customer’, and more about protecting the revenue streams of their business, and nothing is more important to them than the golden goose egg of annual maintenance and support income, which is largely derived from the sale of new software licenses. If you’re a software company and want to boost your annual maintenance and support streams and you are not hitting your organic targets for the sale of new licenses, a historically very effective way to squeeze more money out of your existing customers is to unleash a wave of audits, designed to convert the huge risk of a potential organizational liability into additional license income, which in turn yields more annual maintenance and support service annuity income.

Due to many policies from the ISVs, including (i) the bundling of unlicensed software with paid-for versions or upgrades, (ii) confusing license grants, (iii) restrictive usage rights, (iv) indecipherably complex governing language (the interpretation of which keeps changing), (v) the lack of supplier governance on the installation of unlicensed software, and (vi) the increasingly confrontational and often litigious nature of software auditing, ISVs have turned compliance actions into a huge influx of new license revenues, and in times of decreasing software revenues from organic means, this has proven to be an effective channel for driving substantially more business. As a result, you should expect to see this trend not only continue, but intensify.

To make matters worse (and to be fair), clients have not proven to be very effective with the tools and processes required to quickly determine rightful entitlements, discover usage, measure usage against entitlements, and prevent or remediate over-deployment situations before they become problematic. Furthermore, handshake agreements, and contractual provisions that were once measured with a certain real-world bias, are no longer interpreted as favorably for customers. The trend in the industry has been more aggressive (even predatory) audit behavior, and therefore larger and more outrageous assertions from suppliers in regards to supposed non-compliance via the most liberal (and often wildly incorrect) interpretation of the contract, the license grant, and the usage limitation. This is a new market reality, and clients need to be prepared.

Below we outline the most “Audit-Crazy” suppliers and their primary methods of interrogating your business.  If a lot of your suppliers are on this list it’s not all bad news, as we give you some valuable insights on preparing ahead of time and tactics on how to fight back to change the narrative.  For NET(net), just defending yourself is not always good enough; sometimes you have to stop being the nail, and become the hammer.

We would love to hear from you.  Please tell us about your own experiences with audits in the comments section below.

So, Who Performs Software Audits the Most?

The Top 10 Most Audit-Crazy Suppliers Are:

#10. Symantec

Symantec often directs its audit team to take direct aim at identifying potential license / compliance issues within its customer base and typically charges license shortfalls found at list price regardless of any past volume licensing discounts. While industry groups such as the Business Software Alliance (BSA) often lead these audits on behalf of the ISVs, companies like Symantec want more control over who and when to audit, specifically to drive revenue, and consequently lead the effort at conducting audits themselves. In our experiences with Symantec, it isn’t a question of if, but when you’ll face an audit. Any user-count-intensive software, or backup software (either server or capacity based), is at great risk of getting out of compliance given the high potential for variability over time.

#9.  VMware

VMware has built strong licensing controls into its software, so it’s not the most difficult supplier with which to effectively manage software compliance; its standard End User Licensing Agreement (EULA) provides for audits no more than once per year, with a penalty (fee) to apply if a license gap exceeds 5%, or if the customer “materially failed to maintain accurate records of Your use of the Software”. Generally, VMware does not audit customers frequently; one survey indicated that only five percent of companies experienced an audit from the company within the last two years, but audits have been on the rise as virtualization software faces increasing competition, becomes more commoditized in the industry, and VMware looks to boost slumping sales.

#8.  Attachmate

Not the largest of these suppliers, and not the one that you think of first with an auditing demand, however in a clear attempt to ramp up slumping license sales, Attachmate has shown itself to be catching up with the tactics of the others, leveraging cleverly (some would say deceptively) worded contractual provisions and usage grant limitations resulting in increased first reported exposures. If you haven’t done so lately, take a close look at your Attachmate installation (and contract) in comparison with your entitlements and straighten out your license position before Attachmate comes knocking on your door.

#7.  McAfee

McAfee’s audit terms are a bit stricter than most suppliers’. Although they will not audit more than once per year, they do have the right to require a “system generated report verifying your Software deployment, such request to occur no more than two (2) times per year”. Also, McAfee reserves the right to use “technological features of the Software that prevent unauthorized use and provide Software deployment verification”. Translated, that means that McAfee retains the right to a “kill switch” on its software, and uses embedded technology to audit compliance.

#6.  SAP

SAP has been increasingly earning a reputation as a brutal auditor for many of the same reasons as the others on this list. Namely, in addition to complex licensing policies, a variety of access privileges with an array of limited-use definitions, a confusingly intricate and seemingly subjective definition of “engine metrics”, and over 70 types of standard user access classifications, the compliance of SAP license estates has proven to be hugely difficult to determine and manage. Adding to the problem is the belief that the SAP audit tools are accurate (many times they are not). Following an SAP audit, the ISV has no obligation to provide any discounts on software required to remediate non-compliance, and it can backdate maintenance charges to the initial date of detected installation. This is unquantifiable organizational risk and can create a huge potential liability. With the significant expansion of SAP’s product catalogue over recent years (including new compliance concerns about ‘indirect access’), and the homogenizing of the contractual agreements of SAP’s acquired entities (almost always resulting in more restrictive interpretations of previous license grants, usage limitations, and provisional contract language), clients find immense complexity in understanding SAP licensing policy, and therefore find it exceedingly difficult to manage their SAP license estate. SAP seemingly sees no need to simplify its licensing rules, or alter its auditing process, because it has successfully been generating incremental revenue due to these issues.

#5.  IBM

IBM has developed one of the most comprehensive, confusing, and confrontational audit programs in history. Any unlicensed software discovered (whether or not it is currently or has ever been executed) is charged at full list price, including the annual back maintenance associated with previous years’ ‘use’, since the date of detected installation. Part of the problem, however, is that IBM software licenses do not have any governance on the number of installations, and clients can therefore deploy the same license many times, bringing them (technically) out of compliance even if their total entitlements do not exceed their deployed counts. To make matters worse, IBM uses a bevy of contractual documents to govern the entitlements and use of its software. These documents can easily create confusion for the customer, as they each carry with them their own set of potentially conflicting terms and conditions. Also, special policies for things such as backup and disaster recovery entitlements and usage grants are often not specifically detailed in any of these documents, and are found on the unilaterally controlled IBM web site, subject to change at any time with or without customer consent. Further, it takes an expert to fully understand the licensing rules regarding sub-capacity deployments involving logical partitions, measured usage, and workloads. As a result, these are not only aggravating circumstances; they also significantly increase the risk clients must face when trying to manage their IBM license estate.
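The recurring defensive task in the sections above is measuring discovered installations against entitlements before a supplier does it for you. The following is an added example, not code from the article or from any supplier: it reconciles a constructed inventory against constructed entitlements, counts every installed copy whether or not it ever ran (the IBM position described above), and flags products whose shortfall exceeds the 5% gap threshold quoted from the VMware EULA. Product names, quantities and list prices are all assumed sample values.

```python
from collections import Counter

# Constructed sample entitlements (product -> licensed quantity); not real contract data.
ENTITLEMENTS = {
    "hypervisor-cpu": 32,   # licensed per physical CPU
    "db-server": 4,         # licensed per installation
    "backup-agent": 120,    # licensed per protected server
}

# Constructed discovery rows: (hostname, product, quantity, in_use).
# in_use is deliberately NOT consulted: an installed copy that never ran
# is still counted, which is how the article describes the IBM position.
INVENTORY = [
    ("esx01", "hypervisor-cpu", 16, True),
    ("esx02", "hypervisor-cpu", 16, True),
    ("esx03", "hypervisor-cpu", 2, True),      # 34 deployed vs 32 entitled
    ("db01", "db-server", 1, True),
    ("db02", "db-server", 1, True),
    ("db03", "db-server", 1, True),
    ("db04", "db-server", 1, True),
    ("dr-db", "db-server", 1, False),          # cold DR copy, never executed
    ("site-a", "backup-agent", 70, True),
    ("site-b", "backup-agent", 54, True),      # 124 deployed vs 120 entitled
    ("rpt01", "reporting-addon", 1, True),     # bundled component, no entitlement
]


def license_position(entitlements, inventory, gap_threshold=0.05):
    """Return {product: position} with entitled, deployed, shortfall, gap_ratio
    and whether the shortfall exceeds gap_threshold (the 5% penalty trigger
    the article quotes from the VMware EULA)."""
    deployed = Counter()
    for _host, product, qty, _in_use in inventory:
        deployed[product] += qty
    report = {}
    for product in sorted(set(entitlements) | set(deployed)):
        entitled = entitlements.get(product, 0)
        count = deployed[product]
        shortfall = max(count - entitled, 0)
        # No entitlement at all: any deployment is treated as a 100% gap.
        gap_ratio = shortfall / entitled if entitled else float(shortfall > 0)
        report[product] = {
            "entitled": entitled,
            "deployed": count,
            "shortfall": shortfall,
            "gap_ratio": round(gap_ratio, 4),
            "penalty_trigger": gap_ratio > gap_threshold,
        }
    return report


def exposure_summary(report, list_prices):
    """Worst-case remediation cost: every shortfall priced at list, which is how
    the article says shortfalls are typically charged. Returns
    (total_list_exposure, [products that trip the penalty threshold])."""
    total = sum(pos["shortfall"] * list_prices.get(p, 0) for p, pos in report.items())
    tripped = [p for p, pos in report.items() if pos["penalty_trigger"]]
    return total, tripped
```

Run `license_position(ENTITLEMENTS, INVENTORY)` to see that the backup agents are four over entitlement yet below the 5% trigger, while two extra hypervisor CPUs (6.25%) and the never-executed DR database copy both trip it.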

#4.  Oracle

Maybe only the fourth most frequent auditing supplier on this list, but certainly one of the nastiest. It’s clear from a recent article that Oracle continues its tough tactics to wring more revenue out of its customers, but the advent of cloud has raised the stakes and the pressure. Client audit experience tales range from burned bridges to scorched earth to name calling to litigation to fisticuffs. If you are a NET(net) Client, remember to claim your copy of our whitepaper (“Top 10 Ways to Defend Yourself from an Oracle Audit”), a $2,000 value at absolutely no cost to you. Why? Because we’re on your side. You’re welcome.

#3.  Autodesk

Autodesk is widely used by designers, architects, and engineers, among others, in the automotive, manufacturing, and other industries. The terms associated with its use are perhaps some of the most restrictive and punitive in the industry and can quite easily result in civil litigation if the process isn’t well managed. Common areas with the highest risk include over-deployment of software, usually caused by invalid serial numbers, which are required to be disclosed upon an audit demand from Autodesk, its law firm, or the BSA or SIIA. Unlike some of the other suppliers on this list, Autodesk is quick to threaten civil litigation based on copyright infringement if customers do not cooperate. Audit findings result in demand letters (in lieu of formal charges and litigation) for treble damages (settlements are calculated at list prices times three). Like many of the other suppliers on this list, Autodesk’s EULA is difficult to understand and has a number of restrictive provisions. One such provision is the non-transferable license, meaning that if a company is acquired or divested, the Autodesk licenses are unauthorized without Autodesk’s express, written consent. Autodesk (i) has some of the most powerful enforcement rights of any supplier on this list, (ii) uses the BSA and others more freely than most, (iii) approaches audit actions from a position of copyright infringement and civil (and sometimes even criminal) litigation, (iv) uses the treble damages clause to significantly inflate its opening positions in settlement demands, (v) diligently pursues customers it suspects to be violating their agreement, and (vi) is commonly found to be more litigious than most of the other suppliers on this list. As a result, any client facing an Autodesk audit should take it very seriously, and should consult with experienced professionals before proceeding.

#2.  Adobe

Adobe is well known as one of the most frequent auditors in the software business. Adobe is also a bit unusual in its approach to auditing, in that it does not outsource to third parties such as the Business Software Alliance (BSA), instead performing its own audits. Its reputation as an auditor is generally pretty good, with clients reporting that the Adobe team was willing to work with the organization to help ensure compliance and proper product use, as distinct from simply being on a cash-grabbing mission. However, Adobe products are very diverse and complex, and have undergone many changes to names, editions, bundles / suites, and licensing models, so most large organizations will have a confusing mess of different terms and products to sort out (not to mention the “free” products such as Adobe Reader, which have very specific usage rights that many organizations unknowingly violate).

#1.  Microsoft

In the past few years Microsoft has established a global initiative around Software Asset Management (“SAM”), ostensibly to support Microsoft customers in setting up and maintaining strong internal controls and processes to stay in compliance with its licensing agreements. Microsoft has stated it intends to “help” volume licensing customers via annual “SAM Engagements”. Translated, this means that every Microsoft volume customer should expect an audit effort from Microsoft at least annually. It’s important to understand that the volume agreement language specifies that Microsoft can initiate an audit at any time; this directly contradicts most customers’ understanding of the annual “True-Up” feature of most Microsoft Enterprise Agreements (“EAs”). However, the annual SAM engagements sneakily get around any contractual restrictions with clever language that leaves customers believing they are being audited, when in fact the SAM engagement, legally speaking, is a voluntary cooperative effort. Nevertheless, our clients have experienced all the pain and frustration associated with an audit, regardless of what name it goes by. Our advice: run your business with the understanding that you will be audited at least annually. Contact us for support regarding specific methods to establish and maintain compliance while controlling costs and protecting yourself legally.

NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.

If you have one or more of the suppliers listed above, it’s not a matter of if, it’s only a matter of when you will get audited.

Click here to get more information on Audit Defense Armor, and simply complete a form to get a bonus free whitepaper on ‘How to Defend Against an Oracle Audit’. Or complete the form below to have a NET(net) Subject Matter Expert contact you directly:

4 Comments

  1. Steve says:

    The Movere application in use by MS seeks to scan for and collect over 100 data points per application in use by a customer. Most of the data points have nothing to do with licensing. The so-called is a profiling opportunity for MS on each customer’s use styles. This is a real security risk: providing such data on how an application is configured creates huge security risks.

  2. Phil Merson says:

    Over the years we have been involved in many, many audits for all of the Top 10 Most Audit-Crazy Suppliers on behalf of customers all over the globe.

    It always seems to come as a shock to these large organizations that the software vendors have the audacity to inflict time consuming audits on them.

    We call it Audit Armageddon, as when one strikes, others tend to follow in their footsteps, creating a huge volume of work.

    So why don’t organizations recognize this as a risk? I think they do but they probably don’t know how big the risk is until “BAM” an audit letter arrives and they are unprepared for the time it takes and the un-budgeted spend that usually comes out of the engagement to pay for the unlicensed software being used.

    It is time to wake up, this isn’t going away, in fact in the US we are seeing a large increase in audit activity.

    So get prepared, understand where you are in your Software Asset Management maturity, do a gap analysis to confirm your concerns, and allocate the resources upfront to get your organization in a compliant position, to be rewarded by large savings on the flip side when the software vendors turn up. If you have factual information you can show them to prove to them they are wasting their time, you will be one of the few that are in a very satisfying position to show them the door on their way out.

  3. Brett says:

    My horror story is with Attachmate in 2015. At the time I was Director over IT Asset Management. To give perspective, the organization in question spanned 5 states, had over 78,000 employees, 34 large campuses and 506 clinic-sized locations. This equated to over 120,000 end user devices and hundreds of servers.

    The organization was going through a major effort to replace or upgrade from Windows XP. Part of that plan was to increase the number of thin client deployments, which meant moving a lot of software to a virtual environment.
    The asset team provided executive leadership white papers, executive summaries, and risk analysis related to issues with compliance in moving software from thick client installs to a more virtual environment.

    Leaders pretty much said that the Asset Team would just have to do clean up after the project was over as they didn’t want compliance to complicate, add cost, or slow the project. They were “accepting the risk”. (Saved that email).

    Sure enough, shortly thereafter Attachmate came in via a third party audit company. They were not rude, but they were on a mission. It was quickly identified that groups had been created in the virtual world with certain bundles of software available to anyone that was added to the group. The asset team had started to work with engineering to set up software in groups and have people added to the groups for software that they needed, instead of throwing people in a group that had a multitude of different software programs that they may or may not need.

    The initial finding was $3 Million + for licenses, interest, and fees. The majority of those costs and compliance issues centered in the virtual environment. Hundreds of people were dumped into these groups who had ZERO need for any Attachmate software without a single license being ordered. My boss didn’t bother asking how it happened which saved me the time of trying to politely say, “I told ya so.”

    If there is anything anyone can take away from my experience, it is to pay extra attention to software suppliers who are on the Top 10 Software Audit-Crazy Suppliers (Zolman, 2015). Ensure that only those people who need it have access to the software, and that you’re compliant with the terms and conditions of the software as you move from a thick client environment to a thin one.

    • Thanks for your comment Brett… you’re not the first to get burned by Attachmate. Times of transition, like the one you are describing, are the most common element in the many similar client stories we have heard, and in some cases lived.

      Your comments about them ‘being on a mission’ particularly resonate with me, as this is the most common feedback we get. Clients have told us that the experience is very targeted: ‘they knew what they were looking for’, ‘they went straight for the timeline around our migration’, ‘they knew there was a pot of gold at the end of that conversion rainbow’.

      In general, there’s not much protection for clients in their agreements on the temporary use licenses, and whether or not a licensee actually needs the software isn’t given much consideration at all. As a result, the financial penalties can feel even more punitive because most of it could have been avoided.

      Good advice on (i) good software asset management practices, (ii) staying in compliance with your contractual agreements and licensing and usage grants, among other provisions, and (iii) being on high alert with those on the list of common offenders.
