Be Not Afraid: Calculate Your Real Risk of a Software Audit
Oct 6, 2012 5:00 AM PT
The words "software audit" can strike fear into even the most unflappable business executive's heart. Just as the sight of a police cruiser on the freeway compels all but the most foolhardy to slow down immediately, for most organizations the mere possibility of a vendor audit prompts a flurry of anxious activity and more than a few sleepless nights.
Software license compliance is becoming all the more complicated as organizations shift to new technology platforms and software delivery models that involve mobile devices and virtualized environments. While these innovations dramatically increase business productivity and reduce costs through more optimal use of hardware resources, traditional license models are difficult to interpret in these paradigms, and they create licensing risk exponentially greater than that seen in conventional desktop environments.
It's particularly worrying in entrepreneurial or startup settings. Although such companies are generally quick to embrace technology innovations that stoke customer growth and investor confidence, they are often short on IT and administrative resources.
On the principle that people want to read about break-ins rather than security systems, the media ratchet up fear levels by publishing statistics suggesting that software audits are all but inevitable, along with anecdotal tales of high-stakes lawsuits leading to disaster.
It is widely understood that in challenging economic times, software publishers look to license audits to help augment their revenue streams. This makes sense, especially if rumors are correct that for top software publishers, audits recoup an average of US$80 for every dollar spent on the audit process itself. Whether such claims are exaggerated or not, business software users might well be taking a nervous look over their shoulders, given the ongoing financial uncertainties associated with a still-shaky global economy.
Statistical Evidence Shows...?
Reporting on its annual software audit survey, Gartner heralded the fact that of 228 participants who attended its 2011 IT Financial, Procurement and Asset Management Summit, 65 percent had undergone a license audit in the previous 12 months. Before you start worrying about whether you are going to be one of the unfortunate 65 percent this year, let's take a step back.
Companies attending this conference are mostly very large enterprises with healthy, if not staggering, IT budgets. Due to their nature, they are more likely to attract an audit than the much larger marketplace of small to mid-sized organizations.
Although the prospect of widespread audits makes for great headlines, it's safe to say that startups, niche players and smaller businesses are likely to remain under the radar. However, it's also worth noting that major software vendors actively monitor companies that are experiencing rapid growth. In this scenario, organizations are often distracted by other priorities and can easily drift out of compliance.
Audits cause a tremendous drain on IT and financial resources and are a major distraction for companies just emerging from the starting gate and trying to focus on their near-term business plan.
Unfortunately, neither industry statistics nor those who exploit them are much help as IT managers evaluate their own probability of being audited -- and they're even less help when it comes to assessing the likelihood of getting through the experience unscathed.
You May Be Audited If...
So forget about the headlines. Instead, set aside some time to evaluate your exposure to some of the triggers commonly known to increase the likelihood of an audit:
- Company growth without a corresponding growth in licensed software. Yes, the big software vendors are watching you as you rise.
- Acquisition of, or merger with, another company. Even if your organization has a sterling record of license compliance, what about your newly absorbed counterpart?
- A change in hardware platforms that may result in compliance issues.
- The introduction of mobile devices into the asset pool. A software portfolio heavy in per seat/per machine license models is particularly at risk.
- Independent software vendor (ISV) suspicion that your company has no license management tools or processes in place.
- Disgruntled employee(s) who may decide to file an anonymous piracy report with the BSA or SIIA.
If you've gone through the list above and recognize the presence of one or more of these triggers in your company, the single most important follow-up question is this: What is the probability you would survive an audit if a software publisher were to come knocking?
Given that you have limited control over when your company might come under the audit spotlight, every attempt should be made to focus on the aspects you can take charge of by establishing careful asset management practices:
- establish a cross-functional team that's responsible for overseeing decisions, processes, and record-keeping related to the purchasing and deployment of licenses;
- develop and communicate strong software usage policies to educate employees about the consequences of noncompliance, and discourage behavior that might put the organization at risk;
- implement a reputable software asset management tool that can reconcile application inventory and usage data with license details to provide an accurate, dynamic snapshot of your organization's license position.
These practices will help you avoid panic, and ensure you're in the strongest possible position if and when the dreaded audit letter arrives.