202107.20

Off

Software Audit Risks – What Are the Chances Your Company will be Next?

Six in Focus

There is a set of related questions our software-audit clients frequently ask us that boil down to variations on one or more of the following: Why am I being audited? What if anything did I do to cause this? How can I avoid it in the future?

Unfortunately, those questions often do not have clear answers.

Most software publishers offer little, meaningful information regarding their criteria for initiating audits of their customers. Any publisher will initiate a review if it receives information indicating that software is being used without sufficient licenses rights. However, while that model may be standard for audits initiated by BSA | The Software Alliance (“BSA”) or by the Software & Information Industry Association (“SIIA”), it likely is not the norm for the majority of publisher-initiated audits. Most publishers will tell you that their standard procedures result in all of their customers eventually being audited, and that, in effect, it is just a matter of time before your company’s name is called. This probably is true to an extent, though it does not tell the whole story.

The mere fact that some publishers run different “flavors” of audits should clue everyone in to the fact that not all reviews are conceived from the same set of circumstances. Microsoft is probably the best example of this, in that it currently audits its customers through an array of processes, including:

• Audits initiated by the BSA. These reviews almost always are based on anonymous allegations of unlicensed use and typically entail penalties that must be paid to the BSA in order to obtain releases of liability. (Note: Microsoft is not currently a member of the SIIA’s anti-“piracy” program.)

• Software Asset Management (“SAM”) engagements. Under this model, Microsoft engages a third-party vendor to offer optional license-review services at no charge to the customer. (We typically advise our clients to decline such invitations.)

• Certified self-audits. Here, the customer completes an internal review of its license position, purchases licenses to address shortfalls discovered (if any) as a result of the review, and returns a signed certificate to Microsoft confirming the completion of the process. (Unlike SAM engagements, these are not optional reviews, though no deployment information is shared with Microsoft or its vendors.)

• Verified self-audits. In this alternative, the customer provides information regarding the Microsoft products deployed in its environment and then purchases any licenses determined by Microsoft to be required based on that information. (Again, not optional reviews, but the auditors typically do not try to independently validate the deployment information.)

• Third-party audits. These are the most common types of audits where our clients ask us for assistance. Here, Microsoft typically engages an accounting firm like KPMG, Deloitte & Touche, or PriceWaterhouse to run the audit process, to collect deployment data from the customer, to validate that data (often through an on-site meeting at the customer’s location, though sometimes through a remote, web-based meeting), and to prepare a report of its findings. Microsoft then uses that report as a basis for its compliance demand.

• Third-party on-site audits. This is the audit equivalent of The Boogeyman, though it is more of a theoretical possibility than a practical risk for most licensees. Microsoft’s agreements contemplate the possibility that it could initiate an audit to take place at the customer’s location (rather than simply having an on-site validation meeting at that location). However, the very nature of such an audit in many cases would result in it “unreasonably interfering” with the licensee’s business operations, in violation of Microsoft’s audit rights. Moreover, the review would represent a level of intrusion that we likely would not advise most of our clients to accept. Nevertheless, it remains a threat that Microsoft could use to secure heightened cooperation within the scope of one of the other audit alternatives.

The very fact that Microsoft has so many ways to take a bite at the apple indicates that it likely has some methodology for prioritizing its customers for certain levels of “treatment.” While we almost certainly never will learn all of the details associated with its triage procedures, there do seem to be certain license programs or relationship events that may precipitate receipt of a notice letter (and these generally are common to all software publishers):

• SPLA. All things being equal, businesses with Services Provider License Agreements with Microsoft probably face a higher likelihood of being audited – and a higher likelihood of that audit being a third-party audit – than businesses that only have “traditional” volume-licensing agreements with Microsoft. SPLA represents a recurring revenue source for Microsoft, and it also entails third parties (the SPLA licensee’s customers) having access to Microsoft programs without those third parties having a direct, contractual relationship with Microsoft. Given that, Microsoft has a heightened interest in policing the program more heavily. New SPLA licensees should expect an audit at any time, though the risk seems to be a little higher either in the second or third year of the first SPLA renewal (SPLAs almost always have three-year terms) or sometime during the first renewal term following the first full renewal term following the last audit.

Companies with similar kinds of “commercial hosting” licenses with other publishers also should consider themselves to being at a heightened risk for audits.

• Termination of License Agreements. If you decide not to renew a recurring-renewal license agreement (like an Enterprise Agreement or a SPLA) or if you follow the process for terminating such an agreement early, then you should expect for your company to be audited, and you should prepare accordingly. Keep in mind that many publishers’ audit rights typically extend after the end of a license agreement (and in some cases, indefinitely).

• Failure to Satisfy Contractual Obligations. If your company fails to do all the things it is supposed to do under its agreements, you also should expect to receive an audit notice letter. Failure to timely submit true-up orders or update statements under Microsoft’s Enterprise Agreement enrollments is a prime example.

There also may be other risk factors specific to your company’s relationship with its licensors. If you can see any of the above or other descriptions being applicable to your company, you need to take steps to ensure that you are doing everything you can to track your software asset usage and to ensure that you have acquired or reported all license rights to cover such usage.

5on Google,Feb 10, 2024

Salma

good

5on BirdEye,May 01, 2023

Kimberly

You made the entire process so easy! Having a lawyer with Managed Service experience and really knowing our business has been a game changer! I have nothing but great things to say about you!

5on Google,Apr 21, 2023

Mari

5on BirdEye,Apr 21, 2023

Julie and Kelli have been very helpful from beginning to end of the process.

5on BirdEye,Mar 22, 2023

George

Very professional team. I highly recommend them to any MSP.

5on Google,Mar 06, 2023

J&A

5on BirdEye,Mar 01, 2023

Steve

So far, the process has been very seamless. Some minor issues with access to the tool/portal but using incognito mode seems to get us around most of that. The team has been awesome.

5on BirdEye,Feb 07, 2023

Very professional project plan.

5on Google,Nov 19, 2022

Navid

5on Google,Aug 09, 2022

Jureni

5on Google,Jul 29, 2022

Mauricio

Scott & Scott LLP's team is very professional and efficient. Their knowledge and experience are unparalleled when it comes to MTSP/software law. Be sure to use them!

5on Google,Jul 25, 2022

Val

Rob is one of the rare few that successfully operates where the technology industry, business and entrepreneurship, and the law meet, making him an excellent resource for any company working at this unique intersection. As important, he wastes no time or words identifying the root cause of an issue and providing guidance that, without asking, takes the perspective of business, technology, and the law into account before ever being offered.

5on Google,Jan 09, 2022

Brent

Excellent legal advice.

5on Google,Jan 08, 2022

David

5on Google,Dec 29, 2021

Michael

Have used Scott & Scott on a number of different issues over the past few years. They are simply excellent. You would not go wrong using them for your legal needs.