Earlier this year, the Business Software Alliance (BSA) sent shockwaves through the business community when it penalised two Scottish companies with fines of more than £140,000 for using unlicensed software. It was a warning to businesses of all sizes that disregarding licensing laws could be costly.
In the current economic climate, financial penalties of this kind are expected to become more common as software publishers step up the frequency and rigour of audits to preserve their revenue. To put the unlicensed software problem into perspective from the vendors’ point of view, in 2005 IDC’s research concluded that the world’s software companies were losing USD 34 billion in revenue to unlicensed installations. This is more than the gross domestic product (GDP) of 42 countries.
Against this backdrop, having the processes and technology in place to ensure continuous licence compliance is crucial for IT departments at all times, and especially prior to a software publisher’s audit. Here are our suggestions for taking control of an impending audit.
1. Review the contract to understand audit terms and conditions
First, it is important to establish whether the software publisher actually has the right to audit the business under the terms of the licence agreement. Assuming the publisher has the right to audit, it is also critical to understand the terms and conditions that apply to non-compliance. For example, it should be determined whether there are potential financial penalties.
Some vendors impose penalties and/or charge the cost of the audit to the customer if non-compliance exceeds a certain percentage of the total licence cost. The audit cost alone can be in the tens of thousands of pounds. Non-compliance is very seldom by design, but still represents a potential liability. Knowing the consequences can empower an enterprise to take immediate remedial action.
In addition, scrutinising contracts will also enable IT departments to create clear checklists of the key measurables of the audit. If the audit goal is to establish an “effective licence position”, then information on software installations must be compared to licence entitlement data for all applications in question. The data to be collected may include hardware and software inventory, users, purchase order and contract information.
Prior to any audit, it is worth asking the publisher exactly how the audit will be performed and what level of assistance will be required by the auditors. Enterprise software audits can consume many staff-months of time during which the IT department collects the requested data.
2. Make sure the software and hardware inventory is up to date
Software publishers audit businesses to make sure that the software is being used within its licence terms and is appropriately paid for. This means that IT departments must have a comprehensive view of their entire IT estate, including hardware, to ascertain how the software asset is being used and whether they are in compliance.
To make sure that software inventory is accurate and up to date, the fingerprint of every application installation, which includes file evidence, Add/Remove Programs entries and WMI (installer) data, must be analysed and a list of proper software titles generated for each machine. This is the necessary first step in the process that will enable the IT department to reconcile the list of installed applications with software purchase data, licence type and associated conditions of use.
3. Keep proofs of purchase and licensing agreements ready for inspection
Prior to an audit, IT departments should ensure that all their paperwork is in order, recorded and easily accessible, including paid invoices, receipts of purchases, licensing agreements and certificates – especially soft records of purchases from resellers and publishers. This proof of licence entitlement is critical to the reconciliation process.
4. Demonstrate that licensing rules are understood and applied
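The reconciliation described above, and the “effective licence position” from section 1, as an added example that is not part of the original article or any vendor's tool. All machine names, product names, recognition rules and counts are constructed, and it assumes device-based licences only.

```python
from collections import defaultdict

# Constructed recognition rules: (evidence source, raw value) -> normalised title.
RULES = {
    ("file", "exampledb.exe"): "ExampleDB Server",
    ("arp", "ExampleDB Server 9.1"): "ExampleDB Server",   # Add/Remove Programs
    ("wmi", "ExampleDB Server (x64)"): "ExampleDB Server",  # WMI installer data
    ("file", "excad.exe"): "ExampleCAD",
    ("arp", "ExampleCAD 2009"): "ExampleCAD",
}

# Constructed inventory evidence: (machine, source, raw value).
EVIDENCE = [
    ("PC-001", "file", "exampledb.exe"),
    ("PC-001", "arp", "ExampleDB Server 9.1"),
    ("PC-001", "wmi", "ExampleDB Server (x64)"),
    ("PC-002", "arp", "ExampleCAD 2009"),
    ("PC-003", "file", "excad.exe"),
    ("PC-003", "arp", "ExampleCAD 2009"),
    ("PC-004", "file", "unknowntool.exe"),
]

# Constructed entitlements backed by proof of purchase (device-based).
ENTITLEMENTS = {"ExampleDB Server": 2, "ExampleCAD": 1}

def titles_per_machine(evidence, rules):
    """Collapse several evidence records into one title per machine.
    Evidence no rule recognises is returned separately for manual review."""
    installed, unrecognised = defaultdict(set), []
    for machine, source, raw in evidence:
        title = rules.get((source, raw))
        if title is None:
            unrecognised.append((machine, source, raw))
        else:
            installed[machine].add(title)
    return dict(installed), unrecognised

def licence_position(installed, entitlements):
    """Compare installs with entitlements; a negative delta is a shortfall."""
    counts = defaultdict(int)
    for titles in installed.values():
        for title in titles:
            counts[title] += 1
    return {t: {"installed": counts[t], "entitled": entitlements.get(t, 0),
                "delta": entitlements.get(t, 0) - counts[t]}
            for t in sorted(set(counts) | set(entitlements))}

if __name__ == "__main__":
    installed, unknown = titles_per_machine(EVIDENCE, RULES)
    print(licence_position(installed, ENTITLEMENTS), unknown)
```

Three evidence records on PC-001 count as a single installation, and the unrecognised executable on PC-004 is surfaced for review rather than silently dropped.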
Determining a vendor licence position requires much more than simply comparing purchases and installations. IT departments need to be able to demonstrate that licence types, e.g. device-based, named-user, processor-based or concurrent-user, are understood in conjunction with the computing environment, such as virtual machines, multi-processor machines, user communities and physical locations. For example, Oracle database administrators must be able to show that they understand and meet the per-processor minimum for Named User Plus (NUP) licences.
Further, demonstrating that both rights of usage and limitations of usage are understood and applied across the IT estate will instil the auditor’s confidence in the company. For example, the IT department must be able to show that upgrade rights and rights of second usage are applied correctly. Similarly, the IT department should demonstrate that licence usage restrictions – for instance, limits on the number of virtual instances per physical host server – are respected.
5. Explain what SAM policies and procedures are in place
Enterprises should show documented corporate policies and procedures for software asset and licence management. These could include frequent hardware and software inventories, centralised procurement, periodic licence reconciliations (monthly, quarterly, etc.), software download and installation processes, employee education programmes, and internal audits.
Failing to communicate IT policy to employees, and failing to monitor and control end users, are common oversights on the part of IT departments. By educating employees on what they “may” and “may not” install, central IT can prevent rogue installations, which often jeopardise an enterprise’s compliance status.
A good way to overcome inadvertent licence breaches is to conduct scheduled internal IT audits. This not only ensures that the enterprise is always ‘audit-ready’, but also reinforces to employees the importance of adhering to IT policy.
6. Don’t remove software from computers; don’t start a shopping spree
Often, when IT departments find that they are out of compliance, a knee-jerk reaction is to remove installed software from computers just prior to an audit. However, removed software is easily traced by auditing companies and makes them suspicious, which leads to further scrutiny. Pre-empting such a situation is the better option.
Alternatively, in their efforts to be compliant just before an audit, IT departments often make purchases of software they need. However, it should be noted that only purchases made before the date of audit notification are considered by the auditors. Therefore, hasty purchase decisions are best avoided.
7. Automate software asset management
Software licence compliance is complex, and this complexity will only increase as more complicated IT infrastructures such as virtualisation and cloud computing take hold. Managing software assets and compliance manually is a time-consuming and onerous task, ridden with costs and risks. In general, by the time a manual assessment of an enterprise’s licence position is obtained, it is already out of date. IT departments should look to adopt tools that automate these processes to ensure ongoing licence compliance.
Look for an enterprise software asset management tool that combines asset inventory, software usage, licence terms, purchase order data and licence compliance management round the clock, thereby helping your business to be audit-ready, optimise your software investment and allow enterprise-wide licence entitlement.
Patrick Gunn is Vice President for EMEA Sales, ManageSoft