sponsored

How to Survive a Nasty Software Vendor Audit

VendorAudits
stock

When software vendor auditors push too far, enterprise technology leaders must be prepared to push back.

In an extreme case, the food company Mars (best known for Snickers and M&M’s candies) filed a lawsuit petitioning the court to order Oracle’s auditors to back off. Following the initial “license review” order from Oracle in September 2014, Mars spent more than a year negotiating the scope of the audit and license procedures – providing Oracle with more than 233,000 pages of documentation, at its own expense. Mars said the burden of the audit was far out of proportion with the requirements of the contract.

Mars dropped the lawsuit in December 2015—indicating that it ultimately reached a settlement. In another license dispute that bubbled over into court, SAP sought $600 million from beverage conglomerate AB InBev for “indirect access” to its systems via interfaces with other software. In a recently announced settlement, the parties appear to have agreed to a much lower number.

While business leaders would prefer to keep license disputes out of court, these cases are reminders that software audits, however routine, have the potential to turn ugly.

Today, more than two-thirds of businesses receive at least one audit request each year, according to Gartner, and some organizations report that they’ve been audited by as many as four different vendors in the same 12-month period.

“Software vendors don’t audit randomly,” says Craig Guarente, CEO of Palisade Compliance, an independent compliance advisory company. “These audits generate huge amounts of revenue for them. If you’re being audited, it’s because they think there’s money.”

And there usually is. Software companies want to ensure that businesses aren’t pirating software, exploiting single-user software, or infringing on copyrights, for example—all legitimate interests. Vague language in many contracts and “soft” interpretations of licensing, however, make it easy for vendors to nail customers for non-compliance.

In fact, 75 percent of enterprises are found to be out of compliance with their software contracts, and 20 percent of them end up paying a whopping $1 million or more in license true-ups, according to a report from software asset management company Flexera.

“[Software vendors] purposely make [audits] complicated to manage and expensive,” says Robert Scott, managing partner at law firm Scott & Scott. “They prey on ambiguity and make it so difficult to be a customer from a compliance burden perspective.”

When vendor software audits turn ugly and worst-case scenarios become a reality, CIOs need a game plan to minimize the damage. Here’s where to start.

1. Perform your own audit

Barry Sookman, senior partner with law firm McCarthy Tetrault, represented a business in the midst of a software audit during which its vendor claimed that it was owed tens of millions of dollars. After performing its own internal audit, the business found a significant discrepancy between the numbers.

“We did [an audit] based on our interpretation of the methodology that was required under the license and found that maybe there were a couple of thousands of dollars that were owed,” he says.

Performing an internal audit—ideally prior to the start of the vendor’s audit—helps determine a baseline for what to expect, says Martin Thompson, CEO and founder of the Campaign for Clear Licensing and The ITAM Review.

“If you have a high-profile vendor that’s notorious for auditing, you need to nail down which of their products you have and how these products are licensed,” he says. This exercise gives you an indication of how you’re compliant or not—information that you can use to build your case during settlement negotiations, he adds.

When you perform the internal audit, it’s important that you use the same processes and tools that the auditors will use, whenever possible, Scott says. Because many software license disputes center on the quantity of deployments, the data you use to arrive at analyses should be the same.

2. Look for mistakes

Never let an auditor’s report go unchallenged, Palisade’s Guarente says. Look for discrepancies that you can use to build your case to negate or lower the settlement. Very rarely will the report coincide with your own audit findings. Guerente says he’s seen instances in which customers have reduced their settlement by up to 90 percent by challenging the auditors’ findings.

“There’s no incentive for vendors to do audits really well. If they screw up an audit and give you bad information, it costs you more money, which benefits them,” he says.

In particular, pay attention to counting, Scott recommends. Look for assumptions they have made in developing their analysis and what rules were applied in counting things like users or processors.

“You could count up the deployments on a product in a number of different ways. Did they count it in a way that yields the least amount of compliance or the most?” he says.

These mistakes might manifest in what wasn’t counted too; take note of that and any licensing language that you can interpret differently, Guerente says. Poking holes in their interpretations, methods, and findings will impact your settlement’s bottom line.

3. Drive settlement negotiations

In a recent case Scott litigated, the client failed to demonstrate in writing all of its objections to the audit findings, which the judge found improper. The judge’s position, Scott said, was that if someone accuses you of having compliance gaps, it’s your obligation to document your rebuttal.

Taking control of settlement negotiations and putting your rebuttal in writing is key to getting what you want, Scott says.

“Where most CIOs get bogged down is in pinpointing what’s wrong about the audit report instead of devising their own affirmative count and proposed resolution,” he says. “In these negotiations, information asymmetry and the burden of proof work against the target and in favor of the vendor. You need to take the reins, calculate your numbers, and tell them what’s wrong with what they did. Put your numbers on the table and lay out your proposal.”

You might acknowledge, for example, that you disagree with their numbers with the exception of X, Y, and Z. You found that those pieces totaled this amount, so you’re offering that figure to resolve the issue.

4. Negotiate future terms

Once you reach a settlement, shift gears to focus on protecting the organization in the future, Thompson says. This includes negotiating an audit forbearance, typically of one to three years, during which the vendor agrees not to audit you.

You also want to rectify any ambiguity in your contract, Scott adds. “A lot of cases now are turning on geographic scope where licenses are limited to the United States, but the software or feature has been installed overseas without knowing that there’s a restriction,” he says. “You need to request revisions to your contract to reflect your use case in instances where the contract doesn’t permit it.”

Other areas where you might want to propose amendments include: under what circumstances the vendor can audit you; what the effects of those audits could be; and requesting a change from an unfettered right to audit every year to auditing only if they have reasonable suspicion to do so, Scott says. This is also an appropriate time to negotiate clauses for price protection, the circumstances under which the vendor can turn off the service, and who pays if a data breach occurs, for example.

If aspects of the deal are one-sided, this is the time to negotiate changes, Scott says. “You want to create a more balanced relationship where there’s some give and take. When you settle a current deal, you want to be thinking about avoiding the next dispute.”

Throughout the audit process, CIOs need to remember that vendors want to settle and, in a majority of cases, do, Sookman says. No one wants to resort to litigation.

“The key is information and finding ways to chip away at [the auditors’] arguments, the audit findings, and the interpretation of the licenses,” he says. “These are all things that can really help to bring down a scary settlement.”

For more great insight, read Four Best Practices to Reduce the Pain of an Oracle License Audit.

_____________________________________

About Kristin Burnham

kristin burnham