BSA/SIIA Audits and Software Publisher-Initiated Audits Differ in Important Ways

While the over-arching concept underlying a software audit initiated by a publisher like Microsoft or IBM is the same as that in an audit initiated by the BSA | The Software Alliance or the Software & Information Industry Association (SIIA) – a comparison of software entitlements to software deployments in an effort to identify any licensing gaps – the similarities between those two types of audit investigations mostly ends there. Here are three important differences:

• Audit Basis
Audits initiated by the BSA or the SIIA are based on an underlying allegation that the targeted business has used software without a license. The auditing entity is pursuing its members’ rights to seek damages arising from infringement of the copyrights in the unlicensed or under-licensed software products. By contrast, publisher-initiated audits in many cases commence merely on the basis of the publishers’ contractual audit rights and the fact that it was a targeted business’ “turn” to undergo an audit.  This means that the scope of the audit and the manner in which it is resolved are defined by the terms of the license agreement(s). It is critical in publisher-initiated audits for the targeted business to familiarize itself with the agreements setting forth those rights in order to have insight into the audit practices it should and should not be willing to accept.

• Data Validation
In BSA and SIIA audits, the auditors accept the audit information on the basis of the representations the targeted business eventually will make in the settlement agreement that the audit materials are complete and accurate. By contrast, auditors in publisher-initiated audits almost invariably will implement a data-validation process after the deployment data has been gathered. That process in most cases consists of an on-site meeting where the auditors will travel to the company’s location, typically for a day or less, to query a sample of systems identified in the audit data to confirm that the deployment and configuration information shown for those systems matches what was provided in the data. In most cases, the validation meetings are fairly administrative in nature and not a cause for controversy. However, there may be an ongoing dispute regarding the scope of the audit, and it remains important to guard against over-reaching by the auditors.

• License Metrics
Finally, it is important to keep in mind that publisher-initiated audits typically require a close attention to the details of the publishers’ licensing rules. In BSA and SIIA audits, the analysis rarely goes deeper than a comparison of gross installation counts to gross entitlement counts, with little to no inquiry into how products are being used. By contrast, publisher-initiated audits require an intimate familiarity with sometimes ambiguous and inscrutable licensing rules that accompany a client’s agreements with the publisher. The audited business must be familiar with how the license agreements are structured, where the applicable licensing rules are located, and how the different products are intended to be licensed. It also is critical to understand how the publisher will calculate any settlement demands based on the auditors’ findings, since those calculations are not always clearly described in the parties’ agreements.