How to Prepare for a License Audit
Chances are, you and your clients hold some form of software license, and because of that, you are likely to receive a license audit. But are you prepared to handle one?
Certain days are just not as good as other days. Receiving an IRS notice, bad medical news, a jury duty notice, a summons, a legal service of a lawsuit, and notice of a license audit all fall into about the same category. Of all of these notices, the most likely one you will receive is a software license audit.
Publishers have discovered that many of their customers are not complying with the terms of their license agreement and, because of this, owe them money. At the end of an audit, it is typical for fines and additional licensing money to be owed to the publisher. Yes, we get to add insult to injury in this process that consumes valuable time, requires extensive documentation, and distracts from our normal day-to-day business life.
License Compliance Under Greater Scrutiny
Software theft has more severe financial penalties than asset theft. Intellectual property rights have always been a problem in the most advanced societies of the world (e.g., Dutch China patterns). Criminal prosecution of property crimes seems to have dropped off. Civil recovery seems to be more popular, with fees, fines, and asset forfeitures as typical outcomes.
The BSA Software Alliance organization has long offered “rewards” for reporting software piracy. For example, a recent ad campaign targeted IT staff as whistleblowers with a very simple message showing a picture of a diamond engagement ring: Save up to get that special someone something nice … Report unlicensed software and GET PAID. Start at nopiracy.org.
We never want anyone violating license agreements, but you should know that both legal firms and whistleblowers get paid finder’s fees and commissions for reporting software licensing noncompliance.
Complexity of Licensing Options
Software licensing is similar to airfare pricing in many ways: Its objective is to make it possible for the company/seller to maximize its revenue by segmenting its customers. There are special deals for big customers that are not available to small customers.
The terms of what is allowed for each product segment vary depending on what you bought, how much you paid, and the sales needs of the licensor. There are numerous bundles and SKUs that change frequently.
Even the “experts” struggle to explain the logic underlying the pricing strategies. Every software company writes its own contracts and license conditions, along with its End User License Agreement (EULA) and Terms of Service.
What it Takes to Deal With a License Audit
License audits seem to be more common than in the past. Approximately 20 to 25 percent of my audiences have experienced an audit in the recent past – primarily from Microsoft and Adobe Systems. Some observers believe that this is part of an individualized review to sell volume licensing.
If a license audit request is ignored, the polite request will be replaced by a certified letter in about a month. If this is ignored, we have heard of cases where the sheriff delivers a subpoena for the requested documents 30 to 60 days after the certified letter. Like IRS notices, ignoring these “requests” is a bad idea.
The audit letter may be from the publisher or from a law firm/consultant. It requests that the company run a software license inventory tool. The letter also asks for a self-certification, along with a written certification that the company has enough valid licenses to cover the licenses identified by the inventory application.
You may consider involving legal counsel in the audit process so you can later argue that the work is attorney-client work product and thus privileged. Discuss this and other legal options with a competent attorney with experience in this area.
The reports are notoriously inaccurate in reporting license usage by third-party applications (e.g., many accounting solutions show up as instances of SQL database engines). Note the deadlines on the document, and consider asking for an extension if it falls at a busy time for you (e.g., tax season, etc.).
Here’s a sample letter:
Consider engaging a consultant who holds an active Microsoft certification for software licensing programs. Remember that you will need to prove that you purchased many types of software (OEM, keycard, retail, upgrades).
Disks and manuals are generally not sufficient. Many auditors will demand documents like receipts from original PC purchases, which may not be available. If you have a legitimate OEM license, don’t forget that you can usually go back to a seller to get a copy of the original documentation years after the purchase.
Some attorneys argue that you should treat this audit as a potential litigation event. The audit letter may trigger an obligation to preserve any and all records related to the audit under the rules of civil procedure.
Willfully destroying any documents – including any output from the assessment tools – can be treated as obstruction of justice, and can result in adverse findings in court, fines, and possibly criminal charges.
The Microsoft Assessment and Planning (MAP) Toolkit is an agentless, automated, multiproduct planning and assessment tool for quicker and easier desktop, server, and cloud migrations. MAP provides detailed readiness assessment reports and executive proposals with extensive hardware and software information, and actionable recommendations to help organizations accelerate their IT infrastructure planning process, and gather more detail on assets that reside within their current environment.
MAP also provides server utilization data for Hyper-V server virtualization planning, identifying server placements, and performing virtualization candidate assessments.
There are some “don’ts” of a license audit:
- Don’t destroy any information.
- Don’t lie, ever!
- Double-check your data before you provide it to the auditor/requester. Keep the original copies of all of your documents for your records.
- Don’t hesitate to ask for more information to verify the legitimacy of the audit if you think it’s warranted.
- Don’t trust that the auditor is better at reading the reports than you are.
- Don’t accept the reports without checking them in detail. Many accounting and CPA firm applications include database servers that show up incorrectly on many of the audit tools.
- Don’t ignore deadlines, letters, or other correspondence.
- Don’t misrepresent the types of licenses that you have and how many are used.
There are resources to help you prepare for an audit in advance. Consider having a software installation policy for your organization. Many sample information security and tech-related policies are available from www.sans.org in the Security Policy Project. These are free.
The Business Software Alliance (BSA.org) offers a list of resources on their website, including: http://www.bsa.org/anti-piracy/tools-page. Content on this page includes: sample policies, publisher resources for software assessment management (SAM), and links to third-party asset management tools.
Audit Guidance Checklist
We hope you are never subject to a license audit, but you should prepare as if you can be audited on any day. A few final items of guidance:
Keep a separate file of invoices for all hardware and software purchases to back up your “proof of purchase.” These should be maintained in addition to, and separately from, the accounting department’s files.
Using volume licensing minimizes the pain of audit and maximizes IT flexibility. If your software publisher offers a volume license agreement, consider it even if it looks like the hard costs will be higher.
Expect a software audit once every three years. Expect to be caught by license agreement terms you did not understand. For example, remote access on Microsoft RDS requires a separate CAL.
Beyond that, each use of Microsoft Office requires a separate license in this situation. This could mean you need Office for your laptop in the office, one on the RDS server, one for your desktop at home, and one for use on your tablet. Yes, that would be four licenses required for you, one user.
Remember, OEM licenses can’t be used in any other fashion than on the machine where the purchase was made. You can’t virtualize or copy this license.
For management purposes, I refer to them as “fake” licenses because they can’t be used in ways that allow you to optimize and manage your IT, and they can’t be upgraded except within 60 days of purchase from the OEM. Some auditors are reasonable, and some are completely unreasonable, just like tax auditors. Who knows what your luck of the draw will be.
Different sources (Microsoft, distributors, resellers) will give different answers to licensing questions, even when two or three calls are made to the same source on the same day. Document every answer, day, time, and person you speak with on any software license. You’ll probably need it someday.
Please note that licensing requirements and rules change frequently. This article is guidance valid at the time written. Remember that you need to comply with the license effective the day you execute the agreement.
Further, most license agreements change on their annual renewal date, and you are then subject to the terms and conditions effective at that time. We suggest you keep a PDF version of the license agreement on file because anything stored on the web is dynamic, subject to change, and difficult to document.
Randy Johnston is a well-known technology expert, consultant, trainer and speaker. He will be speaking at the upcoming Accountex USA 2016 event, Nov. 15-18 in Las Vegas. The original post appeared on the Sleeter Group blog. AccountingWEB and Accountex have partnered to bring you this content as we share a belief in the furtherment of the profession through greater insights.
Randy Johnston is a nationally recognized educator, consultant, and writer with over 40 years experience in Strategic Technology Planning, Accounting Software Selection, Paperless, Systems and Network Integration, Business Continuity and Disaster Recovery Planning, Business Development and Management, Process Engineering and outsourced managed...