A software audit may come in many forms, ranging from an offer for a free Software Asset Management (SAM) engagement to a direct audit from a software publisher or its representative organization, such as the Business Software Alliance (BSA) or Software & Information Industry Association (SIIA).
Unfortunately, many companies do not understand the implications of software audits or SAM inquiries. Software audits initiated by the software publisher or the BSA or SIIA are designed to ensure that the target company is not in violation of the software license agreements, and typically result in a penalty for non-compliance.
The following are important steps in managing and resolving simultaneous audit inquiries.
1. Identify the type of audit request.
It is important to identify any information request for network inventory and license information as an audit, regardless of whether the request is in the form of a SAM engagement, a direct audit, or a true-up request. It is important not to ignore any request or communication. However, it is prudent to evaluate the potential exposure first. True-ups should also be prioritized to ensure any deadlines are met.
Regardless of the type of inquiry, it is important not to share any information without a confidentiality agreement in place.
2. Streamline information and appoint an internal contact.
It is not uncommon for an audit request or SAM engagement to be directed to the IT department, which may release information without management’s oversight or knowledge. Therefore, management should appoint an internal SAM team with clear direction and oversight to ensure that any external audit requests are routed through the proper channels. A contact should be appointed to address all audit requests.
Once a contact is appointed, a specific plan should be in place for quarterly internal audits and license compliance assessments. Additionally, the plan should identify what, if any, data should be disclosed during an audit.
3. Review software license agreements for audit provisions and decline the request if appropriate.
The next step in addressing a software audit request is to review the relevant software license agreements to determine whether a software audit provision outlines specific steps for a software audit. Some provisions require 60 days' written notice, and specify that audits may not be conducted more frequently than once per year.
In this instance, if a company has been audited in the past 12 months, the targeted company may argue that it is not required to participate in the current audit and decline to cooperate. Because SAM engagements are not usually mandatory, a company is not often required to participate. However, sometimes a software publisher may escalate the inquiry to its legal department or audit team if a company repeatedly declines a SAM engagement, so it is critical to maintain an internal compliance initiative.