How CIOs Should Prioritize and Resolve Multiple Software Audits
A software audit may come in many forms, ranging from an offer of a free Software Asset Management (SAM) review or a License Verification, to a formal request from a representative organization such as an outside law firm, the Business Software Alliance (BSA) or the Software & Information Industry Association (SIIA).
Unfortunately, many companies do not understand the implications of responding to software audits or SAM inquiries. Software audits initiated by the software publisher, the BSA, and the SIIA are designed to ensure that the target company is not in violation of the software license agreements, and when there are compliance issues (even if they are inadvertent), those audits typically result in a penalty for non-compliance. Often the penalties are contractual in nature, but a software publisher may consider seeking copyright infringement damages as well.
The following are important steps in managing and resolving simultaneous audit inquiries.
Review software license agreements for audit provisions and decline the request if appropriate.
The first thing a company should do when it receives any request for information is review the contracts or license agreements between the parties. If the publisher has no right to audit, the strategy will be significantly different than if the publisher has the right to enter the licensee’s offices to review all usage.
Review the relevant software license agreements to determine whether an audit provision outlines specific steps for conducting a software audit. Some provisions require 60 days' written notice and specify that audits may not be conducted more frequently than once per year.
If a company has been audited in the past 12 months under such a provision, it may argue that it is not required to participate in the current audit and decline to cooperate. Because SAM engagements are typically voluntary, a company is not required to participate in them at all. However, a software publisher may escalate the inquiry to its legal department or audit team if a company repeatedly declines a SAM engagement, so it is critical to maintain an internal compliance initiative regardless.
Identify the type of audit request and the perceived difficulty in responding to the audit request.
It is important to treat any request for network inventory and license information as an audit, regardless of whether the request arrives as a SAM engagement, a direct audit, or a true-up request. It is equally important not to ignore any such request or communication.
The next step is to evaluate the potential exposure: the products and entities covered by the request, and how the company's actual deployments compare with its license entitlements.
Finally, regardless of the type of inquiry, it is important not to share any information without a confidentiality agreement in place.
Identify Which Audit to Prioritize.
If a company is facing multiple audits and one of them is voluntary or is not seeking copyright infringement penalties, it may make sense to proceed with that audit and request that the other auditors stand down. While this strategy will not always succeed, it is a smart starting point for mitigating damages.
However, if all of the audits are demanding penalties for copyright infringement or seeking monetary damages for prior infringement, then a company should look at several things:
- Which audit came first?
- Who is the auditing entity?
- What is the scope of the audit?
- What is the potential liability?
Evaluating these key factors suggests several strategies for prioritizing the audits and mitigating damages. It may make sense to proceed first with the audit that carries the least exposure. If a different audit has a more limited scope, a company may choose to act on that one instead. If all of the audits have the same potential exposure and scope, a company may decide to complete the audit that was initiated first. Sometimes, depending on a company's relationship with the auditor, it may be able to negotiate a business resolution in lieu of an audit.
Streamline information and appoint an internal contact.
It is not uncommon for the auditor to send the audit request or notice of SAM engagement directly to the IT department. In many cases, the IT department responds and releases information without the oversight or even the knowledge of the CIO or the legal team. To avoid this outcome, management should appoint an internal SAM team with clear direction and oversight to ensure that any external audit request is routed through the proper channels, and designate a single contact to handle all audit requests.
Once a contact is appointed, a specific plan should be in place for quarterly internal audits and license compliance assessments. Additionally, the plan should identify what, if any, data should be disclosed during an audit.
Budget for Settlement Payments.
The potential liability for software audits can often exceed six figures. Depending on the nature of the claims, a larger company could face seven figure settlement demands. Regardless of the total exposure, most companies do not have a budget for software settlements. It is important to discuss with the CFO once the potential liability is known to create a budget and plan for paying the settlement demand.
Installment payments can sometimes be negotiated as part of the total settlement, but a software publisher will usually demand a lump-sum payment up front. It is important to add a line item in the budget for such eventualities.
Navigating software audits requires a number of complex decisions and planning. It is critical to do the appropriate research to ensure the best business decisions are made for the company while complying with all legal requirements. If in doubt, consult an attorney experienced in software audit matters to assist with potential copyright infringement implications.