Know When to Say When in Response to Auditors’ Requests for Information
Software audits can be intensely frustrating ordeals for businesses to navigate. Many publishers will go to great lengths to cajole their customers with assurances of amicability and license-optimization opportunities, but most IT managers know that the reality of audits in almost all cases is anything but friendly and is fraught with pitfalls. However, one of the first things that audited companies can do to mitigate their exposure is review the applicable software licenses and gain an understanding of just what the auditing entity is in a position to demand.
Audit clauses in licenses for popular software often are written to be ambiguous with regard to exactly what the licensee is required to provide in the event of an audit. Microsoft’s standard audit language is representative:
Customer must keep records relating to the Products it and its Affiliates use or distribute. Microsoft has the right to verify compliance with the license terms for the Products, at Microsoft’s expense…Verification will take place during normal business hours and in a manner that does not interfere unreasonably with Customer’s operations. Customer must promptly provide the independent auditor with any information it reasonably requests in furtherance of the verification, including access to systems running the Products and evidence of licenses for Products Customer hosts, sublicenses, or distributes to third parties.
Lawyers love the word “reasonable.” What constitutes “unreasonable” interference with business operations or a “reasonable” request for assistance depends on how one defines the term, and Microsoft counts on its customers’ audit-related anxiety to push for as broad an interpretation of those terms as it can. As a result, it often will request that licensees use specified audit toolsets and server scripts to gather audit data, more or less without regard to the burden that those or other requests place on the company’s IT team. However, ambiguity is a two-edged sword.
Companies need to know when to say: “Enough!” In almost every enterprise-level audit, there comes a point where an auditor’s demands cross the fine line separating auditing from fishing, and it is critical to be able to recognize that point. The keys to successfully doing so include:
- Knowing and understanding the license metrics applicable to the products deployed on the company’s computers,
- Confirming the audit requirements defined in the license agreement, and
- Regularly and frequently referring back to those audit requirements every time the auditors request information purported to be relevant to licensing those products.
When the auditors cross the line, the audited company needs to be prepared to dig in its heels. At that point, it should articulate its rationale for resisting further data mining, again citing back to the license agreement, and should demand that the auditors demonstrate why further disclosures would be relevant or necessary. The assistance of legal counsel, who should have been involved from the beginning, often is critical in these discussions, though it sometimes makes sense for the attorneys to participate behind the scenes.