by Bruce Harpham

How to manage the risks and costs of software compliance

Feb 24, 2016

Software compliance can be a tricky – and expensive – challenge for most IT leaders. Luckily, tech solutions let you manage software assets.


In large enterprises, purchasing and administering software has never been more difficult. Unlike chairs or stationery, software contracts and licenses come in many forms. At one end of the spectrum, small software vendors typically use simple licenses and pricing. At the other end of the spectrum, many large enterprise software vendors use complex contracts to define multi-million dollar deals.

License complexity per se is not the only challenge. In recent years, a growing number of software vendors have engaged in audits, enforcement actions and other activities that cause anxiety and large bills for IT departments in the Fortune 500 and beyond. Several options are available to manage software contract compliance including legal advice, specialized consulting and technology. Major IT buyers and vendor managers tend to use a combination of these approaches to reduce risk.

The dollars and cents of software contract compliance

Failing a software license audit is far from a hypothetical problem. According to Flexera, a software asset management company, software "license true-ups" (i.e. paying for the gap between what a company actually uses and what its license covers) regularly clear the $1 million mark.

  • Cost reduction opportunities. The British government reduced IT spending by $124 million U.S. (£85 million) by renegotiating contracts in 2014-2015. Software license reviews can be initiated by the customer, not only the vendor, and deliver cost reductions. 
  • Oracle in the news. A July 2015 report in Fortune states that Oracle's sales staff is being incentivized to sell certain products aggressively. Related reports of aggressive software audits and license reviews have meant large, unexpected bills for Oracle customers. 
  • The unused software opportunity. A survey of 300 IT decision makers by 1E found that 28 percent of software in the enterprise had gone unused in the previous 90 days. This suggests an opportunity to scale back licensing, especially for vendors that use a "per seat"/per user license model.

Managing software licenses is comparable to managing an investment portfolio. Underperforming assets that play no clear role are candidates for elimination. There is no reason to wait for a determined software audit representative to review an organization’s portfolio. Instead, leading companies regularly review their IT portfolios to make optimization decisions on their own. 

Get legal advice before you respond to a software audit

With multi-million dollar contracts and penalties on the line, calling in legal experts is often a smart move. Julie Machal-Fulks, partner at Scott and Scott LLP, a technology-focused law firm in Southlake, Texas, has served a number of clients in software contract and audit matters. Assisting IBM's customers facing audits and similar challenges has been a recent area of focus.

[Related: Cybersecurity much more than a compliance exercise]

“I have seen cases where IBM is seeking millions of dollars in fees. Fortunately, I have seen negotiated settlements between IBM and their end customers that reduce those amounts,” Machal-Fulks says. “Monitoring tools provided by software publishers are sometimes required in order to receive discounts. However, installing and operating this software is difficult. In those cases, the vendor finds out that the customer has not used the tool. This discovery leads to a discussion about paying additional fees. It is difficult for users to fulfill these requirements even when they wish to do so,” she says.

“Software audits often come in different forms. For example, I have seen software audits from vendors come across as information requests or reviews. When a company responds to these requests without specialized advice, there is a lost opportunity to control costs. I worked with one client on such a request recently where we could have negotiated a limit to scope of the audit. Unfortunately, that discussion did not take place and the audit is now applicable to the client’s operations around the world,” Machal-Fulks says.

Timing makes a major difference in seeking legal advice. "Once data is released to the vendor, the user's ability to negotiate and adjust the scope of the audit is reduced," says Machal-Fulks. Knowing when to involve legal experts is a matter of professional judgement. Using the organization's spending authorization thresholds as a guideline is helpful. For example, if the organization requires executive approval on contracts over $100,000, then one can make a case to involve legal experts in audits touching contracts of that size.

Building a software asset management program

IT managers seeking to benchmark their approach against best practices have several options. The ISO 19770-1:2012 standard (known as the “SAM Standard”) lays out a framework to manage software assets. “The ISO standard is helpful yet it can be difficult to understand,” says Rodger Correa, Director of Program Coordination for the Americas at the Business Software Alliance (BSA). “BSA has published resources to guide IT staff through the software asset management process,” he says.

For organizations with complex software arrangements, seeking a third party review may be helpful. "The Verafirm process provides a third party review and certification of an organization's software asset management process," Correa says. "We launched this program in Asia first and it has been very popular in India and Thailand," he says. The main downside to this program is its cost and duration: the certification process takes six to twelve months depending on the situation.

Selecting a technology solution to manage software assets

IT departments seeking technology solutions have a variety of options available to them. “Technology tools help but they do have important limitations,” says Scott and Scott’s Machal-Fulks. “The software solution cannot design the strategy or the interaction with the software publisher,” she explains.

Weigh the following considerations when evaluating a software asset management platform.

  • Cloud service compatibility. The flexibility of cloud services and products frustrates traditional governance approaches (instances and subscriptions can be created outside procurement), so look for a product that covers these services. 
  • Large software vendor compatibility. The greatest risk and potential costs come from mismanaging software from the world's largest software vendors. Identify the organization's major software vendors by spend analysis (e.g. focus on the top three highest-spend vendors) and/or criticality (e.g. the finance system or order fulfillment system), and confirm the platform can track those vendors' license models. 
  • Compatibility with procurement and contract management applications. Ariba and similar applications are becoming a popular way to manage suppliers in the corporate world. Integrating with those packages will give the organization better oversight and control over what has been purchased versus what is deployed.

Sustaining effective governance over IT software is an evolving struggle. Using outside experience and resources is a proven way to reduce the risk.