Audits Have Become More Common
If you have received a software audit request from your software vendor or one of the industry trade groups representing software publishers, such as the Software & Information Industry Association (“SIIA”) or the Software Alliance (“BSA”) you are not alone. Software audits have become an increasingly common revenue-leakage recovery tool for software vendors. According to a survey published in January 2016 by Flexera Software in partnership with International Data Corporation (“IDC”), 64% of the 489 surveyed enterprises were audited or had a license review over the prior 18 to 24 months, 23% were audited twice in that time period, and 23% were audited three times or more. The surveyed enterprises were most frequently audited by Microsoft (61%), followed by Adobe (33%), Oracle (30%), IBM (25%), VMware (25%), Symantec (12%), Citrix (12%), HP (12%), SAP (10%), and other vendors (38%). Following the software audits, 44% of the survey participants made true-up payments to software vendors of $100,000 and more, and 29% of participants made true-up payments of $300,000 or more. Lastly, the survey showed that 86% of the participants conducted self-audits to assess compliance with software licenses at least once per year, and 32% of participants conducted self-audits three times or more per year.
How to Respond
First and foremost, don’t ignore the audit request! Upon receipt of an audit letter, whether from a software vendor or an industry trade group acting on the software vendor’s behalf, you should promptly engage with legal counsel, your IT manager and internal software management team, and any additional internal manager responsible for the product in your organization to review and understand your rights and obligations with respect to the audit and develop a plan of action. Legal counsel will review the relevant audit provision(s) to determine your contractual rights and obligations with respect to the audit.
It is critical that legal counsel coordinate all audit activities, including issuing requests for information and, to the greatest extent possible, drafting and reviewing documents and reports as part of a plan in anticipation of litigation so that any applicable work product and attorney/client privileges are maintained. After the scope of the issue is understood, your IT team should conduct an internal assessment of compliance with the software license. If you do not have a quick manner to determine the scope of use, such as through use of a software asset management (“SAM”) system, and the investigation will be time-consuming, contact the vendor and alert them that a review is underway. Following an internal determination of whether or not your organization is in compliance with the license scope, and if not, the level of non-compliance, legal counsel and the vendor relationship manager should engage in communication with the software vendor or industry trade group, as applicable, to discuss and agree on the audit scope and schedule.
After the audit scope and schedule have been agreed upon by the parties, the software vendor itself, a third-party audit firm acting on its behalf, or representatives of the industry trade group will perform the audit. If the audit is performed by a third party on the vendor’s behalf or by representatives of the industry trade group, the audited organization should negotiate and enter into a non-disclosure agreement with the applicable third party to ensure that any proprietary information revealed to the third party during or in connection with the audit process is kept strictly confidential. The auditor should, of course, have the right to disclose the audit results to their client; however, it is important that the audited organization reserve its right to review and comment on the audit findings before they are presented to the software vendor.
Following completion of the audit, if there is an underpayment, the parties typically negotiate a settlement and the audited organization makes a true-up payment. The parties may disagree about the price that applies to the true-up payment; typically the organization will ask to pay a discounted contract price, if previously negotiated, while the vendor will ask the organization to pay the current list price for the product on the theory that preferential pricing for non-compliance with the license will not have a deterrent effect. Note that industry trade organizations like SIIA and BSA typically work on a contingency-type arrangement, meaning that their fees for conducting the software audit represent a percentage of the amount of the audit settlement. As a result, these types of organizations may be more aggressive when conducting a software audit and negotiating the settlement, particularly since, unlike the software vendor, the organization most likely does not have an existing relationship with the audited party that it would be interested in preserving.
First, licensees should develop, implement, and maintain internal policies and procedures to enable them to keep track of and comply with their software license agreements and associated deployments on a regular basis (at least annually). Licensees should develop and circulate an enterprise-wide software use policy, monitor compliance, and enforce the policy. In addition, licensees should set up and maintain a SAM process, conduct regular internal audits to assess compliance with the scope of the various software licenses, and have a standard, enterprise-level protocol in place for responding to software audits. Such a protocol is key in making the software audit more streamlined and predictable. As noted above, legal counsel should coordinate all audit activities. The non-legal members of the team should be educated to understand that internal communications exchanged by the team during this process may be discoverable in litigation. All internal activities must be well coordinated so as to preserve the work product and attorney-client privileges.
Second, licensees should negotiate carefully the audit provisions in their software license agreements. While software audit rights are standard in software license agreements, these clauses are negotiable. A well-drafted audit provision will ensure that the scope of the audit is limited to assessing compliance with the license terms and that the overall audit process will be minimally disruptive to the organization. Here are tips on negotiating such provisions:
- Attempt to avoid audits altogether by replacing the auditing requirement with an agreement that the licensee will provide an annual certified compliance report upon request.
- Eliminate any ongoing rights of the software vendor to monitor the licensee’s use of the licensed software.
- Limit audits to once per year and only during the term of the license agreement.
- Limit the audit to the running of a mutually-agreed-upon software audit script.
- Limit the audit to only the licensee’s records directly related to use of the software and/or to the systems on which the software is installed.
- Ensure that the audit is conducted only during regular business hours to minimize disruption of the licensee’s business operations.
- Require that any third parties that may conduct the audit on the licensor’s behalf execute a non-disclosure agreement with the licensee on the licensee’s form prior to conducting the audit.
- Provide the licensee the opportunity to review and comment on the audit findings prior to such findings being distributed to the licensor.
- Select a reasonable time period for making a true-up payment to the software vendor following the audit.
- Include a provision for equitable settlement of non-compliance, specifying that non-compliance does not constitute infringement of the licensor’s intellectual property rights and that the settlement payment is the exclusive remedy for the non-compliance.
Last, but not least, licensees should consider including in the software license agreement an obligation on the part of the software vendor to maintain records regarding the license fees and reserve the licensee’s right to audit these records, especially if the software vendor is performing professional services under the license agreement in connection with the licensed software or if the agreement contains a most favored pricing clause.