Most software audits eventually reach a point after all the deployment and license data has been collected when the auditors – often employees of an accounting firm like Deloitte or KPMG, though sometimes the publishers’ own internal audit teams – present their draft audit findings to the audited business. At that stage, the auditors then usually give the business an opportunity to identify any errors in the draft findings before they are presented to the software publisher’s compliance team. However, if the audited company limits its review of the findings to factual errors, it may be missing critical opportunities to mitigate compliance exposure.
Discrepancies in deployment and license counts are only one part of the audit-findings analysis, and they often are not the most important part. When given an opportunity to provide input regarding draft findings, it is critical also to raise arguments that may be based on factors that the auditors did not consider (or that may even be outside the scope of their review). These would include things like:
- Past representations by the publisher’s or a reseller’s representatives regarding applicable use rights or license metrics
- Past “good faith” efforts by a business to comply with license rules, notwithstanding what may be failures to comply with more technical requirements
- The audited company’s non-use of products found to be deployed on its servers
- Projected plans for increasing or diversifying the audited company’s deployments of the publisher’s products, any of which may be adversely affected by burdensome audit findings
- Financial hardship
Arguments based on the above factors are “equitable,” in the sense that they likely have no bearing whatsoever on applicable licensing rules. The auditors may have no discretion to consider them in determining whether any changes need to be made to their draft audit findings. In addition, it may make sense for strategic reasons in some cases to withhold some such arguments until settlement negotiations commence. However, in formulating a response to the auditors’ draft findings, everything should be on the table. The audit company’s IT and legal teams need to work closely with one another to make the most of the opportunity to insist that the auditors note their arguments in forwarding the draft findings to the publisher’s compliance teams.
After that stage, the opportunities to raise new concerns regarding audit findings typically diminish substantially, and some publishers’ compliance teams will refuse to consider new issues that were not raised initially with the auditors. If an audited company has unnecessarily limited its review to mere deployment counts, then it may find itself in the position of having limited leverage to negotiate a more acceptable outcome with the publisher after the auditors leave the picture.