
How to navigate a software audit


Software providers often have the right to check on your compliance

The Internal Revenue Service isn’t the only organization that can audit your business. Your software provider has that option, as well.

When you license software, the owning company typically includes the right to request audits as part of the terms and conditions of the agreement. And sometimes a company builds regular audits into its contract — check your agreement for details.

Software audits can be triggered by a number of different factors, including:

  • Rapid growth, including through mergers and acquisitions, without a corresponding growth in licensure
  • Disgruntled employees who report you
  • Another company’s vendor who noticed a licensing problem
  • A recent hardware change
  • Random checks

Software audits are not a reason for panic, though.

“The companies are officially saying, ‘Look, we’ve spent a great deal of time, toil and sweat making this software to sell. You’re enjoying and getting value from it, so we want to make sure you’re properly licensed,’” says Scott Rosenberg, CEO and founder of Miro Consulting, a software licensing consultancy company.

Audit basics

A typical software audit checks that you are using the correct number of licenses specified in your contract. These audits have become fairly common.

“It’s a provider’s way of keeping clients honest and ensuring their own copyrights are protected,” he says. “The sales forces of leading software publishers are also using this as a tool to shorten sales cycles and increase their bargaining power. It’s a way for them to get a client to budge on purchasing new software, especially if they’ve noticed there has been light spending activity over the years but the company has grown.”

Major software publishers such as Microsoft, Adobe and Oracle have been pursuing audits aggressively, Rosenberg says, estimating that a business has a conservative 50 percent chance of being audited each year. And if one company audits you, that does not preclude an audit by another company.

Whether you are the target of a software audit also depends on your company’s size, scope (smaller companies with fewer license needs have a lesser chance of an audit) and previous noncompliance issues; if you were audited and found at fault before, you have a higher likelihood of being audited again, says Tim LaFleur, mobility and global events manager for the International Association of IT Managers.

Providers can conduct software audits both remotely and in person.

“It’s not necessary to do it in person, like a financial audit where you have someone camping out in your office for weeks at a time,” Rosenberg says. “With today’s technology, much of the correspondence can be done by way of email through Microsoft Word, Excel, PowerPoint and Adobe PDF documents.”

Ultimately, software audits are about recovering and driving revenue, Rosenberg says. If your provider discovers an inconsistency, it typically grants the company a window of time to reach a settlement and remedy the situation by purchasing the required software. Settlement costs vary depending on the severity of the breach. 

Navigating a software audit

An audit typically begins with a letter from the software publisher citing its contractual rights to conduct it, Rosenberg says. Often, it will specify an area of the software it wants to examine, but this is not always the case.

“Keep in mind that it is not an official audit unless the software publisher indicates on its letterhead that it is conducting an audit and notes who is conducting it,” Rosenberg says. “Some software publishers will come in and say, ‘Hey, we’d like to do a SAM (software asset management) review, which will be easy and painless.’ They won’t call it an audit. But afterward, you get a letter saying you are out of compliance and need to pay the publisher in 30 days. If you run into a request for an audit like this, you can say no, but it probably means that someone will inevitably come in to audit you.”

Once you are notified of a software audit, the worst thing you can do is admit guilt, LaFleur says. He recommends replying politely but matter-of-factly. And don’t overshare; only provide the information requested.

“People freak out because they know they’re not compliant and immediately ask for forgiveness,” LaFleur says. “That will put you on the frequent audit list. Simply acknowledge the request and provide the necessary data.”

If you are noncompliant, don’t start trying to hide anything; that will only make you look bad.

“It is a good time to start getting your house in order, but your software publisher may not take kindly to you if it looks like you just cleaned a lot,” Rosenberg says. “It’s like when the state trooper sees you hit your brakes; it’s an admission of guilt. You can argue around it, but they’ve probably already got you on the radar.”

The easiest way to navigate a software audit is to hire a software-licensing consultant, he says. This person should have experience in the field and understand licensing rules.

An attorney is not necessary, although if you have an in-house attorney, you should notify that person about the audit.

“This is not a criminal investigation,” Rosenberg says. “It’s merely an investigation to ensure the organization is in compliance with the contract and software rules and regulations. Ultimately, if you are found noncompliant, you will reach a settlement. In our 13 years, we have not had one client who sought to remedy the situation in a court of law. It’s just not necessary.” 

Proactive steps ensure a clean audit

LaFleur advises businesses to check their contract to see the number of licenses allowed and not exceed that number. In addition, make sure you’re using the software in accordance with its terms and conditions.

“If you purchase something that is meant to be used internally for document creation and you make it available for public usage, you’re going to be in trouble,” LaFleur says.

He also recommends adopting a solid software tracking program that monitors how many licenses your company has, which machine they are on and who uses the machines. Having a tracking program allows you to quickly show your vendor your compliance in the event of an audit.

The program should also conduct a self-audit at least once a year, Rosenberg says. These audits can catch a problem in its infancy and allow you to correct it before a provider swoops in. They can also alert you to a need for more or fewer licenses so you’re only paying for what you actually use.

In addition, LaFleur says it is critical to examine the initial contract and negotiate terms.

“Many businesses don’t realize they can ask for some wiggle room in the contract,” he says. “Negotiate simple things, such as that only the vendor can audit you — not an outside party. Also make sure that if you are found in noncompliance, you can purchase the required software at your contracted price, not the list price. Taking these steps up front will make your life a lot easier.”