By Julie Korostoff and Joseph DiCioccio
Audits Have Become More Common
If you have received a software audit request from your software vendor or one of the industry trade groups representing software publishers, such as the Software & Information Industry Association (“SIIA”)1 or the Business Software Alliance (“BSA”)2 you are not alone. Over the past five years,3 software audits have become an increasingly common revenue-leakage recovery tool for software vendors. According to a survey published in December 20124 by International Data Corporation (“IDC”),5 64% of the 334 surveyed enterprises were audited or had a license review over the prior 18 to 24 months, 36% were audited twice in that time period, and 10% were audited more than three times.6 The surveyed enterprises were most frequently audited by Microsoft (51%), followed by Oracle (27%), IBM (24%), SAP (22%), Adobe (19%), Symantec (12%), and other vendors (24%). Following the software audits, more than half of the survey participants made true-up payments to software vendors of $100,000 and more, while the remaining participants made true-up payments of $300,000 or more.7 Lastly, the survey showed that almost half of the participants conducted self-audits to assess compliance with software licenses at least once per year, and 25% of participants conducted self-audits more than three times per year.8
How to Respond
First and foremost, don’t ignore the audit request! Upon receipt of an audit letter, whether from a software vendor or an industry trade group acting on the software vendor’s behalf, you should promptly engage with legal counsel, your IT manager and internal software management team, and any additional internal manager responsible for the product in your organization to review and understand your rights and obligations with respect to the audit and develop a plan of action. Legal counsel will review the relevant audit provision(s) to determine your contractual rights and obligations with respect to the audit.
It is critical that legal counsel coordinate all audit activities, including issuing requests and, to the greatest extent possible, drafting and reviewing documents and reports as part of a plan in anticipation of litigation so that any applicable work product and attorney/client privileges are maintained. After the scope of the issue is understood, your IT team should conduct an internal assessment of compliance with the software license. If you do not have a quick manner to determine the scope of use, such as through use of a software asset management (“SAM”) system, and the investigation will be time-consuming, contact the vendor and alert them that a review is underway. Following an internal determination of whether or not your organization is in compliance with the license scope, and if not, the level of non-compliance, legal counsel and the vendor relationship manager should engage in communication with the software vendor or industry trade group, as applicable, to discuss and agree on the audit scope and schedule.
After the audit scope and schedule have been agreed to by the parties, the software vendor itself or a third-party audit firm on its behalf will perform the audit or representatives of the industry trade group will perform the audit. If the audit is performed by a third party on the vendor’s behalf or by representatives of the industry trade group, the audited organization should negotiate and enter into a non-disclosure agreement with the applicable third party to ensure that any proprietary information revealed to the third party during or in connection with the audit process is kept strictly confidential. The auditor should, of course, have the right to disclose the audit results to their client; however, it is important that the audited organization reserve its right to review and comment on the audit findings before they are presented to the software vendor.
Following completion of the audit, if there is an underpayment, the parties typically negotiate a settlement and the audited organization makes a true-up payment. The parties may disagree about the price that applies to the true-up payment; typically the organization will ask to pay a discounted contract price, if previously negotiated, while the vendor will ask the organization to pay the current list price for the product on the theory that preferential pricing for non-compliance with the license will not have a deterrent effect. Note that industry trade organizations like SIIA and BSA typically work on a contingency-type arrangement, meaning that their fees for conducting the software audit represent a percentage of the amount of the audit settlement. As a result, this type of organizations may be more aggressive when conducting a software audit and negotiating the settlement, particularly since, unlike the software vendor, the organization most likely does not have an existing relationship with the audited party that it would be interested in preserving.
First, licensees should develop, implement, and maintain internal policies and procedures to enable them to keep track of and comply with their software license agreements and associated deployments on a regular basis (at least annually). Licensees should develop and circulate an enterprise-wide software use policy, monitor compliance, and enforce the policy. In addition, licensees should set up and maintain a SAM process, conduct regular internal audits to assess compliance with the scope of the various software licenses, and have a standard, enterprise-level protocol in place for responding to software audits. Such a protocol is key in making the software audit more streamlined and predictable. As noted above, legal counsel should coordinate all audit activities. The non-legal members of the team should be educated and understand that internal communications exchanged by the team during this process may be discoverable in related litigation and should to the extent permissible coordinate their activities so as to preserve the work product and attorney-client privileges.
Second, negotiate the audit provisions in your software license agreements. While software audit rights are standard in software license agreements, these clauses are negotiable. A well-drafted audit provision will ensure that the scope of the audit is limited to assessing compliance with the license terms and that the overall audit process will be minimally disruptive to the organization. Here are tips on negotiating such provisions:
- Attempt to avoid audits altogether by replacing the auditing requirement with an agreement that the licensee will provide a certified compliance report upon request.
- Strive to eliminate any ongoing rights of the software vendor to monitor the licensee’s use of the licensed software.
- Limit audits to once per year and only during the term of the license agreement.
- Limit the audit to the running of a mutually-agreed-upon software audit script.
- Limit the audit to only the licensee’s records directly related to use of the software and/or to the systems on which the software is installed. 6. Ensure that the audit is conducted only during regular business hours to minimize disruption of the licensee’s business operations.
- Require that any third parties that may conduct the audit on the licensor’s behalf execute anon-disclosure agreement with the licensee on the licensee’s form prior to conducting the audit.
- Provide the licensee the opportunity to review and comment on the audit findings prior to such findings being distributed to the licensor, and on the time period for making a true-up payment to the software vendor following the audit.
- Include a provision for equitable settlement of non-compliance, specifying that non-compliance does not constitute infringement of the licensor’s intellectual property rights and that the settlement payment is the exclusive remedy for the non-compliance.
Last, but not least, licensees should consider including in the software license agreement an obligation on the part of the software vendor to maintain records regarding the license fees and reserve the right to audit these records, especially if the software vendor is performing professional services under the license agreement in connection with the licensed software or if the agreement contains a most favored pricing clause.