Oracle licensing consultant Eliot Arlo Colon still remembers the enormous global publishing company that was "so darn confident" it would breeze through an upcoming software license audit unscathed.
But once the company actually dusted off its E-Business Suite contract, it got an ugly surprise.
Contrary to long-standing internal belief, the publisher's custom licensing agreement only authorised North American use of the ERP (enterprise resource planning) package, not worldwide, according to Colon, president of Miro Consulting in Woodbridge, New Jersey. The company was on the hook for "tens of millions of dollars" in licensing fees, although the issue was ultimately settled for less than that amount, Colon said.
There's little hard evidence that vendors are conducting more audits than usual in recent months, observers and industry analysts say. But even so, given that the last thing a cash-strapped IT shop wants these days is a hefty, unexpected bill for license non-compliance, now might be a good time to prepare for one in hopes of minimising the damage.
"Proactive is better than reactive when it comes to software audits," said Robert J. Scott, a Dallas attorney who specializes in software audits. Companies should strive to be in "an audit-ready mode," he added.
"You need a systematic process for evaluating what's on your computers and what you've purchased," performed on a quarterly basis if possible, Scott said. Also, "you've got to do so with an analytical rigor sufficient to certify the results as true and accurate in a legal context. If you can't get to that point, you've got a big problem."
Of course, sometimes audits can have good results, turning up the fact that a company is over-licensed, giving an opportunity to get rid of shelfware or transfer licences to more useful applications.
While he gets "a steady stream of requests" for help from clients who have been found to be noncompliant, over-licensing is a "much bigger" problem than under-licensing these days, said Forrester Research analyst Duncan Jones.
There are many ways to get at the truth, some more expensive than others. Vendors such as Acresso sell SAM (software asset management) applications for monitoring compliance, and outfits like Miro Consulting can conduct "friendly" audits and compliance reviews.
But in many cases, customers should start with basic housekeeping, taking steps like storing all their software contracts in a single place, said Ray Wang, a partner with the analyst firm Altimeter Group. "Most companies have them in file cabinets that span multiple locations."
Another crucial pre-emptive step customers can take is to limit their use of virtualisation until they fully understand the licensing implications, according to Jones.
"I still see a steady stream of enterprises, who I thought would have known better, finding that they have compliance problems because they didn't check out what was going on and read the agreement to see how it would handle [virtualisation]," he said.
Vendors have long licensed software based on hardware metrics like servers or processors, and license agreements tend to assume the application will be permanently assigned to a specific physical asset, Jones wrote in a report released earlier this year.
But applications running inside virtual machines "usually cannot be permanently associated with the resources supporting them," he wrote. While license agreements often let customers transfer licenses to different machines, they don't typically allow "the continual, frequent reassignment that a customer wants to perform to make full use of virtualisation."
Customers should consider moves such as switching to a "named user" licensing model or an unlimited usage agreement, according to Jones' report.