Software Audits on the Rise: Survival Tips

Perhaps nothing is as heart-stopping as when the IRS auditors come a knockin’, but the arrival of software vendors—with their audit checklists and licensing agreements in hand—isn’t for the faint of heart, either.

And in 2009, according to Forrester Research, companies witnessed intensified audit measures and enforcement vigilance by their software vendors.

“Not only did companies face increased software audit activity in 2009, but they also saw more causes of disputes and noncompliance claims,” writes Duncan Jones, a Forrester principal analyst in Surviving a Software License Audit. “In addition to spotting genuine under-licensing, many vendors’ audit teams seemed to want to meet their revenue targets by exploiting technicalities and loopholes.”

Among the chief causes of audit compliance nightmares noted in the report: virtualization, multiplexing (“indirect use via integrated applications still counts as use”), inactive user accounts, external use and accidental deployment.

[ Read the Enterprise Software Unplugged Blog ]

Before we start condemning the evil software vendors or contemplating the relationship implications of such audits (“We’re true partners, right?”), it’s important to note that software makers have every right to protect their intellectual property and ensure customers are complying with the terms of the license agreements, as Jones points out.

But “sometimes audits can be painful, or even terminal, for IT sourcing and vendor management leaders,” he adds.

The chief problem: Typical IT managers might be Little Leaguers up against seasoned Major League pros. “Vendor license compliance teams are skilled at spotting revenue opportunities,” Jones writes, “ranging from genuine excess usage and deployment to, in some cases, questionable interpretation of contract clauses.”

Then there are the fanatical software audit teams that can wreak havoc, Jones says, like “revenue-generating cops who hide with their radar guns in bushes at the bottoms of steep hills.” In the report, he describes rogue or third-party compliance teams that “overzealously pursue their own revenue targets outside of the main account team’s control, oblivious to how the audit team’s behavior may be damaging the long-term relationship with that customer.”

Forrester’s client stories of audit insanity, detailed in the report, offer a cautionary tale for CIOs and IT departments who don’t actively manage enterprise software license agreements and user accounts, or practice adequate software asset management (SAM). (For more, see License Audits: Preparing Now Can Ease the Pain.)

What are the most important defensive strategies for an IT leader? First, don’t avoid the audit letter that typically arrives first (because it won’t go away), Jones says. Second, demonstrate to the vendor that your company will cooperate fully with a “reasonable process” but will not be bullied or held ransom. Third, convince the vendor that your company does not represent a “good revenue opportunity” for the vendor and that your SAM controls in place prevent any risks of licensing errors, he says.

This is all critical for IT leaders because, as Jones observes, “there is little he or she can do once the compliance team has smelled blood.”

Do you Tweet? Follow me on Twitter @twailgum. Follow everything from CIO.com on Twitter @CIOonline.