Top Three Early Strategic Steps in Enterprise Software Audits
No one likes to be audited. In most cases, there is little that a business can do at the outset of an audit to avoid licensing exposure, if that business has historically inadequate software asset management processes. However, there are steps that all audited companies usually can take – regardless of which publisher is conducting the audit – to help contain the risks and introduce a little predictability into the audit process.
1. Confirm you really need to participate. Different software publishers have different flavors of license reviews, and not all of those flavors require cooperation by licensees. Microsoft is the best example. Many companies licensing Microsoft products receive proposals to participate in Microsoft-funded Software Asset Management (“SAM”) engagements with third-party reviewers to confirm their current license positions. Invitations to participate in SAM engagements can be very insistent and facially may even appear to be audit notifications. However, SAM engagements typically are optional exercises in which a company has no contractual obligation to participate. Unless a company receives a letter referencing a licensor’s audit rights and identifying the agreements to be audited, that company should be hesitant to move forward with any license review. Even though an engagement may be optional, the risks are not. For example, Microsoft typically will treat any licensing shortfalls in a SAM engagement as the basis for a required license purchase, with the only things missing from a real audit being the pricing penalties and the requirement to pay for the audit (in the event of material non-compliance).
2. Verify the audit scope…or not. Pay close attention to the audit-notice letter. To which legal entity is the letter addressed? Does the letter indicate that legal affiliates are to be included in the review? Does it define a geographic audit scope? Does it identify certain license agreements or certain products to be audited and not others? Does it define a relevant product-usage time period to be incorporated in the review? If the answer to any of the above questions is “No,” then the company should work closely with legal counsel to confirm its audit-related obligations and to make a decision regarding whether it makes sense to confirm any or all of those points in writing before proceeding with the review. In some cases, it may be very important to explicitly define the scope of the audit. In others, it may make more sense to not volunteer information that may not be common knowledge, especially where the audit notice letter or the license agreement is ambiguous. However, in all cases, it is important to ask these questions internally in order to ensure that all team members know what information they should and should not be sharing with the auditors.
3. Memorialize the right to review. Many enterprise-level software audits are conducted by third-party reviewers, typically large accounting firms such as Deloitte, KPMG or PwC. It is always critical to ensure that an appropriate non-disclosure agreement is negotiated and signed before giving any third party access to information that it otherwise may have no right to receive. However, equally critical in software-audit cases is confirmation that the audited company will have a reasonable opportunity to review any draft findings in order to ensure not only that they contain no prohibited confidential information, but also to ensure that the findings are accurate and consistent with applicable licensing obligations. Many auditors may be hesitant to make broad prior-review commitments in an NDA, but audited businesses should do their best to confirm at least some kind of review period in writing. While the accounting firms typically do share and invite feedback regarding draft findings reports as a matter of practice, you do not want to be caught in the position of being unpleasantly surprised in the event that those practices change.