Software audits have become an unfortunate but necessary revenue stream for most suppliers today. And who can really blame them? It usually works! Just as governments have now come to rely on revenue from things like speeding and parking tickets, so to have software companies come to rely on software audits to move the needle on revenue or generate fear, using pressure and leverage to create opportunities for new licensing revenue.
The reasons are well known, and really haven’t changed significantly in the last few years:
- Competition from disruptive suppliers
- Migration away from perpetual licensing to subscription-based cloud solutions
- Advancements in technology that enable a smaller number of physical units (processors, servers, et al), to process a larger amount of data
An effective way for suppliers to squeeze more money out of their existing customers is to unleash a wave of audits, designed to convert the huge risk of a potential organizational liability into additional license income – which in turn – yields more annual maintenance and support service annuity income. Oracle became so notorious for this, they had to change the name of their LMS audit group to something less nefarious sounding like ‘Software Investment Advisory’ Group. Same employees, same mission…catch clients out of compliance and pounce. Don’t be fooled by this re-branding. You can read more about that here.
Supplier policies are of course written to lay the ground work for audits later. You may have seen some of these first hand:
- Confusing license grants and provisions
- Bundling of unlicensed software with paid for versions or upgrades
- Restrictive usage rights and unreasonable limitations
- Complex and obfuscated governing language
- Lack of oversight by supplier on installation of unlicensed software
- Lack of controls by supplier on over-deployment of licensed software
- Confrontational audit process
To make matters worse (and to be fair), customers themselves have not proven to be very effective with the tools and processes required to quickly determine rightful entitlements, discover usage, measure usage against entitlements, and prevent or remediate over-licensing situations before they become problematic. This has become such a widespread issue, NET(net) created an entire practice around this called Audit Armor & Defense, and that group’s been busy.
Below we outline the most “Audit-Crazy” suppliers and their primary methods of interrogating your business. If a lot of your suppliers are on this list it’s not all bad news, as we give you some valuable insights on preparing ahead of time and tactics on how to fight back to change the narrative.
For NET(net), just defending yourself is not always good enough; sometimes you must stop being the nail and become the hammer.
The Top 10 Most Audit-Crazy Suppliers Are:
McAfee's audit terms are a bit stricter than most supplies. Although they will not audit more than once per year, they do have the right to require a "system generated report verifying your Software deployment, such request to occur no more than two (2) times per year”. Also, McAfee reserves the right to use "technological features of the Software that prevent unauthorized use and provide Software deployment verification". Translated, that means that McAfee retains the right to a "kill switch" on its software and uses embedded technology to audit compliance.
Not the largest of these suppliers and not the one that you think of first with an auditing demand, however in a clear attempt to ramp up slumping license sales, Attachmate has shown itself to be catching up with the tactics of the others, leveraging cleverly (some would say deceptively) worded contractual provisions and usage grant limitations resulting in increased first reported exposures. If you haven’t done so lately, take a close look at your Attachmate installation (and contract) in comparison with your entitlements and straighten out your license position before Attachmate comes knocking on your door.
Symantec often directs their audit team to take direct aim at identifying potential license / compliancy issues within their customer base and typically charges license shortfalls found at list price regardless of any past volume licensing discounts. While industry groups such as the Business Software Alliance (BSA) often lead these audits on behalf of the ISVs, companies like Symantec want more control over who and when to audit specifically to drive revenue, and consequently lead the effort at conducting audits themselves. In our experiences with Symantec it isn’t a question of if, but when you’ll face an audit. Any ‘user count’ intensive software or backup software (either server or capacity based), is at great risk of getting out of compliance given the high potential for variability over time.
VMWare has built strong licensing controls into their software, so it's not the most difficult supplier to effectively manage software compliance; their standard End User Licensing Agreement (EULA) provides for audits no more than once per year, with a penalty (fee) to apply if a license gap exceeds 5%, or if the customer "materially failed to maintain accurate records of your use of the Software". Generally, VMware does not formally audit customers very frequently, but the threat of an audit and/or allegations on non-compliance is frequently used to force its customers to consider entering into or renewing an ELA which often results in excessive costs.
Autodesk is widely used by designers, architects, and engineers among others in the automotive, manufacturing, and various other industries. The terms associated with its use are perhaps some of the most restrictive and punitive in the industry and can quite easily result in civil litigation, if the process isn’t well-managed. Common areas with the highest risk include over deployment of software usually caused by invalid serial numbers, which are required to be disclosed upon an audit demand from Autodesk, its law firm, or the BSA, or SIIA. Unlike some of the other suppliers on this list, Autodesk and their engineering software competitors are quick to threaten civil litigation based on copyright infringement if customers do not cooperate.
Audit findings result in demand letters (in lieu of formal charges and litigation) for treble damages (settlements are calculated at list prices times three). Like many of the other suppliers on this list, Autodesk’s EULA is difficult to understand and has several restrictive provisions. One such provision is the non-transferable license, meaning that if a company is acquired or divested the Autodesk licenses are unauthorized without Autodesk’s express, written consent. Autodesk (i) has some of the most powerful enforcement rights of any supplier on this list, (ii) uses the BSA and others more freely than most, (iii) approaches audit actions from a position of copyright infringement and civil (and sometimes even criminal) litigation, (iv) uses the treble damages clause to significantly inflate their opening positions in settlement demands, (v) diligently pursues customers they suspect to be violating their agreement, and (vi) is commonly found to be more litigious than most of the other suppliers on this list. As a result, any client facing an audit of their engineering tools providers such as Autodesk should take it very seriously and should consult with experienced professionals before proceeding.
Adobe is well known as one of the most frequent auditors in the software business. Adobe is also a bit unusual in its approach to auditing, in that they do not outsource to third parties such as the Business Software Alliance (BSA), instead performing their own audits. Their reputation as an auditor is generally pretty good, with clients reporting that the Adobe team was willing to work with the organization to help ensure compliance and proper product use; as distinct from simply being on a cash-grabbing mission. However, Adobe products are very diverse and complex, and have undergone many changes to names, editions, bundles / suites, and licensing models, so most large organizations will have a confusing mess of different terms and products to sort out (not to mention the "free" products such as Adobe Reader, which have very specific usage rights that many organizations unknowingly violate).
SAP has been increasingly earning a reputation as a brutal auditor for many of the same reasons as the others on this list. What makes them special, is that in addition to complex licensing policies as others have, SAP adds to complexity in the following ways: a) variety of access privileges with an array of limited use definitions, b) a confusingly intricate and seemingly subjective definition of “engine metrics”, c) over 70 types of standard user access classifications and d) the compliance of SAP license estates have proven to be hugely difficult to determine and manage.
Adding to the problem is the belief that the SAP audit tools are accurate (many times they are not). Resulting from an SAP audit, the ISV has no obligation to provide any discounts on software required to remediate non-compliance and they can backdate maintenance charges to the initial date of detected installation. This is unquantifiable organizational risk and can create a huge potential liability. With the significant expansion of SAP’s product catalogue over recent years (including new compliance concerns about ‘indirect access’), and the homogenizing of the contractual agreements of SAP’s acquired entities (almost always resulting in more restrictive interpretations of previous license grants, usage limitations, and provisional contract language), clients find immense complexity in understanding SAP licensing policy, and therefore find it exceedingly difficult to manage their SAP license estate.
SAP seemingly sees no need to simplify its licensing rules, or alter its auditing process, because it has successfully been generating incremental revenue due to these issues.
IBM has developed one of the most comprehensive, confusing, and confrontational audit programs in the history of the technology business. Any unlicensed software discovered (whether or not it is currently or has ever been executed) is charged at full list price, including the annual back maintenance (plus penalties) associated with previous year’s ‘use’, since the date of detected installation. Part of the problem, however, is that of course the IBM software licenses do not have any governance on the number of installations and clients can therefore deploy the same license many times bringing them (technically) out of compliance even if their total entitlements do not exceed their deployed counts.
To make matters worse, IBM uses a bevy of contractual documents to govern the entitlements and use of its software. These documents can easily create confusion for the customer, as they each carry with them their own set of potentially conflicting terms and conditions. Also, special policies for things such as backup and disaster recovery entitlements and usage grants are often not specifically detailed in any of these documents, rather are only found on the unilaterally controlled IBM website subject to change at any time with or without customer consent; let alone approval. Further, it takes an expert to fully understand the licensing rules regarding sub-capacity deployments involving logical partitions, measured usage, and virtual workloads among various and sundry other IBM specialized pricing programs. As a result, not only are these aggravating circumstances to an audit, they also significantly increase the risk clients must face when trying to manage their IBM license estate.
Particularly problematic, is IBM's rules around virtualization that require the use of their own monitoring software (ILMT) to validate the use of sub-capacity licensing (paying for the consumption on fractional virtual machines versus the entire physical server): problem being, that most clients only learn of this requirement after they are audited and found to be out of compliance with the terms and conditions of their Passport Advantage agreement, and demands are made by IBM to pay for full capacity regardless of how much capacity was actually used (even if the client is well within the sub-capacity licensing limitations). This one trick alone happens all over the world and has cost our clients hundreds of millions of dollars. IBM claims to ‘reach out’ to its customers to ensure they fully understand sub-capacity licensing rules and procedures, but we have yet to find one client who says this assistance was offered prior to receiving a big audit bill. Most clients have never even heard of ILMT and claim that no one from IBM ever explained this requirement. Technically, this is usually not the case as IBM generally notifies the ‘contact person’ for the Passport Advantage agreement, but rarely does the notified person know the implications of the notice, nor do they know what to do with it. IBM does keep records of these communications and can and do provide you with this information upon request.
From a negotiation perspective, IBM oversees some of the most contentions customer negotiations we have ever seen, refusing to take responsibility for flaws in the IBM deployment recommendations, often threatening litigation when confronted with exculpatory information and/or customer resistance and frequently refusing to concede on what can only be described as seemingly innocent mistakes and common misunderstandings, often making client executives’ blood boil. One Fortune 500 CFO, who asked to remain anonymous, told me the IBM audit action was among the worst experiences he had ever faced, and as a result, he would never buy another thing from IBM for the rest of his career if he could at all help it and would work tirelessly to eradicate them from his company if at all possible.
Oracle is the second most frequent auditing supplier on this list and one of the nastiest. It’s clear from recent articles that Oracle continues its tough tactics to wring more revenue out of its customers, but the advent of cloud has raised the stakes and the pressure. Client audit experience stories range from burned bridges, to scorched earth, to name calling, to litigation, and to fisticuffs. Oracle is constantly searching for compliance issues to push their overpriced cloud products onto clients. Their new Software Investment Advisory Group (SIA) are conducting “friendly” audits to “help” you with compliance. Stay wary of the asset information you share with your Oracle team. If you are a NET(net) Client, remember to claim your copy of our whitepaper (“Top 10 Ways to Defend Yourself from an Oracle Audit”) – a $2,000 value at absolutely no cost to you. Why? Because we’re on your side. You’re welcome.
In the past few years Microsoft has established a global initiative around Software Asset Management ("SAM"); ostensibly to support Microsoft customers in setting up and maintaining strong internal controls and processes to stay in compliance with its licensing agreements. Microsoft has stated they intend to "help" volume licensing customers via annual "SAM Engagements". Translated, this means that every Microsoft volume customer should expect an audit effort from Microsoft (or, via one of their Partners / resellers), at least annually and definitely just before the renewal of an Enterprise Agreement.
It's important to understand that the volume agreement language specifies that Microsoft can initiate an audit at any time; this directly contradicts most customers' understanding of the annual "True-Up" feature of most Microsoft Enterprise Agreements ("EAs"). However, the annual SAM engagements sneakily get around any contractual restrictions with clever language that leaves customers believing they are being audited, but in fact the SAM engagement, legally speaking, is a voluntary cooperative effort. Nevertheless, our clients have experienced all the pain and frustration associated with an audit, regardless of what name it goes by. Our advice: run your business with the understanding that you will be audited at least annually. Contact us for support regarding specific methods to establish and maintain compliance while controlling costs and protecting yourself legally.
Do you have enough knowledge about Microsoft licensing? Take this quick quiz and find out:
A surprising entrant into the audit hall of shame is Salesforce.com. As a cloud solution, Salesforce.com has complete information about the deployment so what would there be to audit? Salesforce.com often provides customers custom terms which are provided in paper form, meaning there are no systematic constraints that enforce what the customer has purchased. More often than not, the customer’s operational team either doesn’t know or otherwise doesn’t enforce the limitations in their environment to be compliant. Salesforce.com allows this situation long enough for the customer’s use of its solutions to be firmly embedded before threatening or formally triggering an audit. When Customers are forced to react they often feel that they have limited recourse. Proactively managing your Saleforce.com environment and agreements is the best defense in addition to having professional representation to assist with navigating the threats.
A notorious audit perpetrator who had slipped into relative obscurity in recent years has re-emerged as a threat to any one who is, or was, a customer. "Going forward, we must focus on translating our strengths into results," said CEO Sanjay Brahmawar in a recent interview. Interesting that he is a former IBM executive (#3 on our list). This was said after Software AG “reported a 1 percent decline in revenue and flat operating profit in the fourth quarter 2018.” As a business strategy, you’d expect them to tout new products, new approaches, or something new. Not much mention of any of that except for talk of acquisitions. Reading the tea leaves, they have hired an army of enforcement staff to terrorize existing customers and especially those that have let any element of their support agreements lapse. If your company still uses SoftwareAG’s products, you would be wise to prepare for an audit because it isn’t a matter of if you will be audited, and in all likelihood it will be soon.
While Workday is not currently pursuing its customers in the form of named audits per se, their sales team is aggressively monitoring their customer base for information in the public domain that could indicate a company may be under-licensed for its current employee counts. This information will frequently come back to haunt you via substantial price increases at renewal time or unfavorable pricing on new titles you may be looking to acquire.
Celebrating 16 years, NET(net) is the world’s leading IT Investment Optimization firm, helping clients find, get and keep more economic and strategic value. With over 2,500 clients around the world in nearly all industries and geographies, and with the experience of over 25,000 field engagements with over 250 technology suppliers in XaaS, Cloud, Hardware, Software, Services, Healthcare, Outsourcing, Infrastructure, Telecommunications, and other areas of IT spend, resulting in incremental client captured value in excess of $250 billion since 2002. NET(net) has the expertise you need, the experience you want, and the performance you demand. Contact us today at firstname.lastname@example.org, visit us online at www.netnetweb.com, or call us at +1-866-2-NET-net to see if we can help you capture more value in your IT investments, agreements, and relationships.
NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.