by Jeff Muscarella

7 hidden compliance risks to avoid before your next software audit

Jun 24, 2015
CIO | Compliance | IT Governance

Intentional non-compliance in the enterprise is very rare. Yet most enterprises wouldn’t 'pass' a major IT vendor audit thanks to seven hidden compliance risks.


IT vendors are turning up the heat on licensing audit activity, especially on enterprise customers. A survey from 1E reveals that the average number of software vendor audits is now four per year. For 10 percent of U.S. companies surveyed, the number jumps to between 11 and 15 per annum.

It’s not just the volume that’s on the rise; it’s also the intensity. For many vendors, the “tone” of auditing activities has shifted from let’s-make-this-right to downright aggressive. Take recent changes to IBM’s audit clause. As noted by Gartner, the vendor has removed language saying audits will be conducted in a way that minimizes disruption to the customer’s business activities.

The change in attitude stems in part from the growing pains traditional on-premises software vendors are experiencing as they find their footing (and adjust to different revenue patterns) in the cloud. For some, it is a way to expedite adoption of new cloud services: penalties for a non-compliant customer may be waived if the client upgrades to cloud services. For others, it is an effort to supplement declining on-premises license and maintenance revenues.

The problem with non-compliance is that it’s typically obscured. Few enterprises knowingly engage in improper license use – but most would be found out of compliance if they underwent a major IT vendor audit. The most common reasons are:

1. You bought software for one reason, now you use it for another. Certain license types, such as limited-use licenses, may only be used in non-production environments like development, testing or failover. Companies often purchase these licenses rather than full-use licenses to obtain a pricing discount. Then, months or years later, they discover their limited-use licenses are being used for production purposes, such as internal data processing operations.

2. No one told you the product use rights changed. Product use rights can change at any time, and the rate of change is growing among larger IT vendors. For example, during recent contract negotiations and audits, SAP and Oracle have begun to ask clients to purchase additional licenses for third-party application access. A business with 100 licensed users who reach SAP data through a third-party application may now be required to buy 100 additional licenses. It is only in the last few years that vendors have begun to interpret “indirect access” this way and attempted to enforce it with clients.

3. Your definition is different from the vendor’s. Licensing programs and definitions have changed dramatically. What constitutes a qualified user or device (Microsoft)? What about a concurrent user or a floating user (IBM)? What is the difference between an application-specific full-use license and an embedded software license (Oracle)? Any misinterpretation can unwittingly throw a customer out of compliance.

4. You upgraded your software/hardware. Or maybe you downgraded. If you upgrade or downgrade your software, which product use rights apply: the rights that came with your original purchase, or the rights that came with your upgrade or downgrade? How will your support and maintenance agreement be affected? It varies by vendor and can be confusing. Did you recently upgrade mainframe or server hardware? Often, that means additional MIPS or cores that you will also be required to license, whether you use them or not.

5. Virtualization. Virtualized environments are hotbeds for unintentional non-compliance, as each vendor has very specific rules around how hosts and software are coupled and managed. For example, suppose you have two physical Windows Server 2012 hosts, each running two virtual sessions. Using VMware’s tools, you move one virtual session from the first host to the second. Soon thereafter, you want to move it back. Unfortunately, Microsoft does not allow “server mobility” beyond the first move: the virtual session can move once (here, from the first host to the second), but is then tied to the second host for 90 days. This is grounds for non-compliance, because Microsoft requires an additional license to run three (rather than two) virtual sessions on one machine.

6. You unknowingly purchased software licenses from an ISV. More companies are turning to independent software and technology vendors for complex, industry-specific IT solutions (e.g., diagnostic equipment in healthcare, production floor technologies in manufacturing). In some cases, these solutions contain third party software that isn’t disclosed to the buyer and, therefore, isn’t on your asset management radar screen.

7. You don’t have a formal process and tools for purchasing, distributing and managing licenses. Large enterprises often engage in checkbox license management: they invest in software asset (or license) management tools that provide limited auditing capabilities and limited visibility into license usage, and call it a day. Unfortunately, effective management of software licenses requires dedicated people and processes that ensure a 360-degree view of, and control over, how licenses are purchased, distributed, harvested, archived and retired. As the complexity of IT and IT contracting increases, formal asset and license management programs within the enterprise will become even more imperative.

There is no reason to believe that IT vendor audit activity will lessen any time soon. The pressure on old-guard vendors to quickly evolve their business to align with a cloud-first landscape is at an all-time high, and license audits will continue to play a critical role in revenue generation during that evolution. Enterprises need to understand where their compliance risks are, from the obvious to the hidden.

Conducting self-audits is one great way to find and fix problems before vendors even knock on the door. Mitigation options include purchasing additional licenses (in a planned, budgeted way), making technology changes to eliminate licensing gotchas, making usage changes to eliminate non-compliance, and considering replacement technologies for parts of the estate. I strongly recommend that enterprises do this on their own cadence for their top vendors, rather than in response to a vendor audit.
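As an added, constructed example (not from the article, and not any vendor's actual licensing terms), the following script shows the kind of entitlement-versus-deployment reconciliation a self-audit can start from. It encodes three simplified, assumed rules: limited-use licenses may run only in dev, test or failover environments (risk 1); per-core products consume every core on the host, so a hardware upgrade raises consumption (risk 4); and any product with no entitlement on record is flagged (risk 6). Product names, host names, license counts and the Entitlement/Deployment records are all invented for illustration.

```python
"""Self-audit reconciliation of license entitlements against deployed software.

Added example, not the article's code. The rules below are simplified
assumptions, not any vendor's actual terms, and all sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed rule: limited-use licenses are valid only in these environments.
NON_PRODUCTION = {"dev", "test", "failover"}


@dataclass(frozen=True)
class Entitlement:
    product: str
    use_type: str   # "full" or "limited" (non-production only under the assumed rule)
    metric: str     # "core" or "instance": what one unit of quantity licenses
    quantity: int


@dataclass(frozen=True)
class Deployment:
    host: str
    product: str
    environment: str        # "prod", "dev", "test" or "failover"
    host_cores: int         # physical cores on the host after any hardware upgrade
    assigned_use_type: str  # entitlement pool the installation was assigned to


def reconcile(entitlements, deployments):
    """Return a list of finding dicts; an empty list means no gap was found."""
    findings = []
    entitled = defaultdict(int)  # (product, use_type) -> units owned
    metric = {}                  # product -> "core" or "instance"
    for e in entitlements:
        entitled[(e.product, e.use_type)] += e.quantity
        metric[e.product] = e.metric

    consumed = defaultdict(int)  # (product, use_type) -> units in use
    for d in deployments:
        # Risk 6: software running with no entitlement on record at all
        # (e.g. third-party components bundled by an ISV and never purchased).
        if d.product not in metric:
            findings.append({"type": "unentitled_product",
                             "host": d.host, "product": d.product})
            continue
        # Risk 1: a limited-use license assigned to a production environment.
        if d.assigned_use_type == "limited" and d.environment not in NON_PRODUCTION:
            findings.append({"type": "limited_use_in_production",
                             "host": d.host, "product": d.product,
                             "environment": d.environment})
        # Risk 4: per-core products consume every core on the host (assumed
        # rule), so adding cores silently raises consumption.
        units = d.host_cores if metric[d.product] == "core" else 1
        consumed[(d.product, d.assigned_use_type)] += units

    # Compare consumption with entitlement per (product, use_type) pool.
    for key in sorted(consumed):
        product, use_type = key
        have = entitled.get(key, 0)
        if consumed[key] > have:
            findings.append({"type": "over_deployed", "product": product,
                             "use_type": use_type, "metric": metric[product],
                             "consumed": consumed[key], "entitled": have,
                             "shortfall": consumed[key] - have})
    return findings


def sample_findings():
    """Run the reconciliation over constructed sample data."""
    entitlements = [
        Entitlement("DBEngine", "full", "core", 16),
        Entitlement("DBEngine", "limited", "core", 8),
        Entitlement("Middleware", "full", "instance", 2),
    ]
    deployments = [
        Deployment("db-prod-01", "DBEngine", "prod", 24, "full"),      # host upgraded from 16 to 24 cores
        Deployment("db-test-01", "DBEngine", "test", 8, "limited"),
        Deployment("db-rpt-01", "DBEngine", "prod", 4, "limited"),     # limited-use license now in production
        Deployment("app-01", "Middleware", "prod", 8, "full"),
        Deployment("app-02", "Middleware", "prod", 8, "full"),
        Deployment("mfg-01", "EmbeddedReporting", "prod", 4, "full"),  # bundled by an ISV, never purchased
    ]
    return reconcile(entitlements, deployments)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

On the sample data the script reports four gaps: a limited-use license on a production host, an unentitled product, and two over-deployments of DBEngine (8 full-use cores short after the hardware upgrade, 4 limited-use cores short once the production host is counted). In a real self-audit the inventory would come from your discovery tooling and the rules from each vendor's current product use rights, which is exactly why the rules here are isolated in a few lines and labelled as assumptions.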