Episode 10 of the SoftwareSpend podcast looks at how to prepare for and defend a software licence audit.
Software licence audits are becoming a major source of revenue for large and small software vendors alike. Whilst the software vendors are continuously becoming more and more expert at conducting licence audits, customers lag behind. This podcast aims to redress that balance, providing proven advice on preparing for and defending software licence audits with enterprise software vendors.
On 28 April 2015, I attended the ITAM Review’s IBM and SAP software licensing seminar in London. The advice given by the various speakers at this seminar was mainly in relation to compliance with the licensing rules of these two large vendors. Among the many speakers, Eric Chiu from HW Fisher & Company and Mark Bartrick from Forrester Research had heaps of excellent advice on IBM and SAP in particular, but also advice on licence compliance with software vendors generally. In this podcast I have attempted to summarise this advice and combine it with my own experience of negotiating software licensing agreements and defending licence audits.
I hope you find this summary useful. Please comment below this post, or on the SoftwareSpend group on LinkedIn. You can also reach out to me at christiaan@SoftwareSpend.com.
Get the summary slides on: Preparing for and defending an Audit
Negotiating The Licence Agreement With A View To Audits
When negotiating a software licence agreement, the clearer and more descriptive you can be the better. As you are negotiating and drafting the contract, imagine you are reading that contract having just been notified of a licence audit. Better still, get people who have nothing to do with the contract or the software to read it. If it is not clear to them, then you still have work to do. It should be crystal clear what is being licensed, how many licences are required by whom, where and for how long. Don’t leave anything open to interpretation.
The three areas of the software agreement you need to be especially clear about in preparation for a potential licence audit are:
- Licence grant language (this is after all the right you are buying)
- Licence metrics and definitions of those metrics
- List of licensed products (usually in an exhibit to the agreement)
Any audit or compliance claim is going to revolve around these three elements of the agreement.
Licence Grant Language
Don’t confuse “buying software” with ownership. The concept of purchasing software is misleading. The only thing you are actually buying is a right of use. Even if you receive the software on a physical medium like a DVD, you are not allowed to do whatever you like with it. What you can do with the software is defined in the licence grant section of the software licensing agreement. Our licensing expert, Lora Valtcheva, and I explain this in detail in the podcast on licence grants.
It does not matter what the sales guy says you can use the software for when he is trying to sell you the software. All that matters is what is written in the licensing agreement. Make sure it covers your needs.
Negotiate Licensing Metrics You Can Actually Measure
Make sure that the licensing metrics proposed by the supplier are metrics that make sense in your organisation. If the licence metrics do not make sense, i.e. if you can’t measure them, then propose your own metrics. Software vendors will be flexible if you insist on it. You need to be forceful. Argue that you want to be respectful of their licensing concerns and, therefore, you want to be able to measure compliance with the agreement.
Watch Out For “INDIRECT ACCESS”
Software is being used in ever more complex environments. The software may make up part of a wider system which is then accessed by an app or an online portal etc. There have been several horror stories recently of SAP and others claiming that anyone accessing a company’s web portal qualifies as a “user” of the software under the software licence agreement. This concept is referred to as “indirect access”.
I would recommend that you define this in your software licence agreement and make it clear that this type of incidental contact with the software vendor’s product does not constitute usage of the software under the agreement and, consequently, does not need to be licensed.
Negotiating The Audit Clause
Negotiate to remove the audit clause altogether. If you have never tried this before, you might think that software vendors will not accept it. That is the general view of those who license software, but this is not only perfectly possible, it is fair and avoids undesirable disruption for both sides.
Make the argument that you want a trusted partnership with the software vendor and that audits are not (or should not be) either party’s core business. Do you get searched when you leave a newsagent’s shop having spent good money on the products they sell? This would only happen if you were dressed in rags and were looking shifty. Good customers should be trusted and the relationship between you and the software vendor should be founded on trust.
When you are about to cut a purchase order to the software vendor, they should agree to no audits for the length of the term of the licence or maintenance and support term.
Limit The Scope Of An Audit
In the licence agreement, limit the scope of any future audits as much as you possibly can. Limit it by operating system, by geography, by business unit, by whatever makes sense in your situation. Always exclude test/development environments – software vendors should accept that usage of their software for testing and development should be free (unless the software is for exactly that purpose).
Avoid leaving the vendor with a wide open audit clause which allows them to come in and pry into everything and anything at any time and as often as they want. Negotiate to limit the scope as much as you can.
Who Will Conduct the Licence Audit
Agree in the licence agreement who will conduct the audit. Ideally this would be you doing a self audit. However, if you can’t get that, then aim for a mutually agreed third party. Try to include a lengthy time period for agreeing which third party will be assigned. The more time delays you build into the process the more time you will have to check your compliance and rectify any non-compliance before the auditors actually turn up on your doorstep.
Require Confidentiality Agreements And Security Controls Before Accessing Data
Require that anyone accessing data as part of the audit sign a confidentiality agreement and meet your organisation’s security checks before any data can be shared or visits can be made by the auditors to your premises. Again, this is a restriction which will help to give you control over the process and may enable you to delay the commencement of the audit.
Agree Who Will Pay For The Audit
Software licence audits can be costly affairs, especially if third party auditors like Deloitte are involved. Use this to your advantage by requiring that the software vendor pay at least 50% of the costs. Furthermore, only agree to pay your share if you are found to be non-compliant by more than a significant percentage. It is important to get this percentage included. Software vendors will happily propose contract language which states that you will only pay if you are non-compliant. Don’t ever agree to this. They will always find something that makes you non-compliant no matter how small (and if they don’t, a fabricated interpretation of a contract term putting you in non-compliance is not beyond the ethics of many a software vendor).
Use the argument that audits are being used more and more as a sales generation tool by software vendors; as a loyal, honest and profitable customer, why should you pay for this?
If you achieve contract language which states that the software vendor will pay unless you are found to be in non-compliance in excess of a significant percentage, then there is a disincentive for the software vendor to launch an audit. The software vendor will want to be fairly sure that you are in non-compliance by more than that percentage, or at least by more than the cost, before initiating.
When The Software Audit Notification Letter Arrives
When the dreaded audit letter comes, you need to act fast. Put in place a team to manage the audit and make it known throughout the organisation that all communication with the software vendor should be channelled through this team. I discussed this extensively in an earlier blog post and podcast on “Responding to Software Audits and Compliance Claims”. The key is to be as many steps ahead of the software vendor as possible.
Respond Immediately And Take Control Of The Audit Process
First and foremost, respond to the audit letter expressing your willingness to cooperate and proposing a meeting, or conference call, to begin the process. Time is everything: the more you can drag things out, the better you can understand your position, prepare and attempt to resolve any compliance issues.
Although your response to the audit letter should be immediate (and should be sent by registered mail), it is only a stop gap measure. You want to negotiate all aspects of how, when and by whom the audit will be conducted: firstly, to obtain concessions from the software vendor and, secondly, to delay the process.
In fact, you may want to take note of the software vendor’s key dates and plan to stretch the process out so that it culminates at a financially sensitive time. You will then have more negotiation leverage to reduce the settlement fee (i.e. pay a lower amount in return for resolving the issue within the software vendor’s financial year). See this post on how to use the software vendor’s financial year sensitivities to your benefit in software negotiations.
Understand Your Contract Language, Entitlements And Software Usage
As soon as possible, you want to get as accurate an understanding as possible of your:
- contract language (especially regarding the licence grant);
- entitlements (the quantity and types of active licences);
- usage (what is being used, where, by whom and for what purpose).
Get a clear picture of the extent of any non-compliance. However, if things appear to be in good shape, that is not a reason to comply with the audit request and just let the software vendor in. If you do that, it will not be long before you regret it. Defend your position that an audit is not required and only provide information on how compliant you are as you negotiate concessions from the software vendor.
Exploit Different Incentives Within The Software Vendor’s Organisation
The auditors should not be seen as experts in licence compliance or wizards with IT asset discovery tools or anything of the sort. Whilst there may be lawyers and technical experts within an audit team, those responsible are simply sales people. They have revenue targets like ordinary sales people, they even wear the same expensive, oversized watches as sales people do. Don’t be fooled by the job title.
However, mostly they will have nothing to do with you as a customer outside of the audit process. They will not be your ongoing Account Manager. Their role is more “hunting” than “farming”. You can exploit this. Make a fuss. Complain that the audit will damage relations between your organisation and the software vendor. If you can, put all new business on hold until the audit is resolved.
You should aim to put pressure on your Account Manager to be a friendly voice for you within the software vendor’s organisation. If there is a new business opportunity or contract renewal on the horizon, opening negotiations on that could be enough to make the audit evaporate. Explore the tensions between those carrying out the audit and your regular account management.
Negotiate The Terms Of The Software Audit
Once you receive the audit notification letter, if the audit clause in your software licensing agreement has not been negotiated as described above (and, let’s face it, the chances are that it has not), then you can still try to restrict the scope and insist that the software vendor carries the cost even after the audit notification has occurred.
It will be harder to do this, as the software vendor may think you have something to hide. If you want to limit the scope, have a good story as to why certain areas should not be included in the audit (for example, business disruption or that the software is simply not used in that particular business unit, or on that particular operating system). The software vendor’s audit team may wish to poke their noses into precisely the areas you wish to exclude from the scope, so you need to be prepared for this and justify why the scope should be limited.
Agree On How Any Compliance Payment Will Be Calculated
Negotiate as much as you can to limit any potential settlement even before the audit process starts. For example, it is a good idea to get a written statement from the software vendor that any licences which might be required in order to address non-compliance can be purchased at your normal discounted rate and not at list price.
You should also try to get the software vendor to waive any back-maintenance fees, or at least limit these to a maximum period.
If you already have shelfware, or if excess licences are found during the audit process, then get the software vendor’s agreement that you can use this excess to resolve any non-compliance settlement. Negotiating these types of concessions before the extent of any non-compliance is known is preferable to later on in the process when there might be a large sum of money being demanded for new licences and years of back-maintenance.
Be Prepared To Be Under Pressure During The Software Audit
Throughout the licence audit process the software vendor and their auditors will be putting pressure on you. Remember, they have teams of people doing software audits day in, day out. They know what works. They constantly tweak their processes to inflict maximum pressure and discomfort.
Try to remain calm at all times and communicate with clarity and authority stating the extent to which you can comply with their demands. Never simply do as you are asked because they have a lawyer writing you nasty legalistic letters.
Ensure that you know the impact of any data sent to the software vendor BEFORE it is sent. Understand what the results of an inventory report will mean in financial terms, and how it might be interpreted by the software vendor.
Signing The Final Licence Audit Report
At the end of the process, you will be asked to sign the final report. This is the point at which the auditors will put maximum pressure on you to sign quickly, and this is also the point at which it is vital to take your time. Understand every line item in the audit report and the consequences of agreeing to it.
Negotiating A Settlement After A Licence Audit
If the audit process has uncovered licence non-compliance, then the completion of the audit will require a compliance payment comprised of new licence purchases and possibly also back-maintenance on those licences. The software vendor will present this as a non-negotiable bill to be paid, but my advice (as you have probably guessed by now) would be to negotiate this. You can pull all the same levers you normally would with a software vendor.
All the concessions explained above should be sought: buying at heavily discounted prices, limiting back-maintenance, using shelfware to cover compliance costs etc.
Remember that software vendors are always looking to grow their footprint within your organisation. So one possible win-win option would be that the licences required would be granted “free of charge” and the value of those licences put towards a floating fund of money which your organisation can deploy for new licences as requirements come up. This kind of win-win solution also has the advantage of restoring the relationship after the audit, and incentivising both parties to look for growth opportunities in the future. And, of course, they still get their money.
No More Audits Please
Finally, as part of the settlement, negotiate that there will be no audits for as long a period as you possibly can.