Chapter 3: What to do if your firm gets a software audit
You are getting an audit. The Software Business Association decided they are going to see if you have illegal software licenses. What to do?
First thing's first: Don't panic. Sunbelt and ITIC have consulted with dozens of organizations over the last eight months that have received auditing notices or threats from over-aggressive Microsoft sales representatives. In at least half the cases, the end user corporations confided to Sunbelt and ITIC that they knew their organizations had significant non-compliance issues. Remember the advice we gave at the beginning of this report: proactive, prepared and patient.
Your company cannot prevent or avoid an audit. So your best hope for a successful resolution -- even if your firm has known software non-compliance issues -- is to address the situation in a straightforward manner. Assuming your firm has received notification of an audit by Microsoft or the BSA, you should use the 10-to-14 day grace period to:
- Proactively perform a self-audit.
You don't necessarily need a lot of money to initiate an audit. Follow the money. Start by identifying the personnel in your organization responsible for making purchasing decisions and documenting licensing usages and proofs of purchases. Have each of these people assemble the documentation. You must verify usage statistics including number of licenses purchased, installed, Select or EA discount level
- and version number as well as the expiration date. Compile a full profile of all the licenses and purchases and any "special deals" various groups or departments within the organization, received.
You will need all of this information to present to Microsoft and/or the BSA for "true up" purposes. Once you have compiled the data, schedule a conference call or meeting with the appropriate corporate purchasing agents and IT managers, pursuant to establishing centralized purchasing procedures. Document all of your activities in this regard. This will enable your firm to assess the level of compliance or non-compliance and estimate how much you may owe Microsoft for unlicensed usage.
Next, review and update your existing software licensing policies and procedures. If you don't have one, write one. Be sure to include enforcement procedures that contain explicit details of what actions corporate management will take against end users, IT managers and in-house developers who violate company policies. Next, make sure a copy of the software licensing policy and procedures are disseminated throughout the organization via Email and hard copy. In this regard, you will at least be able to demonstrate to Microsoft and/or the BSA that whatever its past mistakes, your organization is acting swiftly and decisively to address any non-compliance issues. Adopt a strict policy prohibiting any company employees from installing unlicensed software or even freeware or shareware.
Finally, if your firm does not believe it is capable of handling the situation, hire an outside consultancy to assist you. And by all means purchase the appropriate software asset management and metering tools. If you can't afford it, then at least download any of the many free or 30-day free evaluation software that is available on the Web.
Microsoft and the BSA also have free entry-level asset management and tracking software, which they make available to corporations. So there's really no good reason for not taking the time to perform a self-audit.
- Be prepared and cooperative when the auditors arrive.
Have your documentation and records ready. If you have taken the proactive measures outlined above, your business should have a reasonably good idea of where it stands. Above all do NOT try and destroy evidence, or what is known in legal terms as "useful infringement evidence."
Microsoft and the BSA will take this as evidence of malicious intent and they will be much tougher on your company. Cooperation ultimately will serve your company much better. This doesn't mean your firm must tolerate any unethical or inappropriate behavior on the part of the auditors. If you feel that that is the case, don't hesitate to get the company lawyers involved and voice your concerns and complaints to the appropriate parties at Microsoft. Again, remember that Microsoft wants to retain you as a customer, so if you are reasonable, then generally speaking, their auditors and sales people will most likely be open to making some concessions.
- Be patient.
Don't try and rush through either a self-audit or hurry things along with Microsoft and/or the BSA. It will likely backfire in most cases. Have your evidence and documentation ready and available. Your company does have the right to know how much of a non-compliance issue that Microsoft and the BSA think you have. And the audit itself should be completed within a reasonable timeframe, depending on the size and scope of your organization. The worst case of inappropriate vendor behavior in an audit, involved a well-known rival software maker.
In this case, the subject of the audit was a Fortune 300 manufacturing firm with 17,000 end users worldwide. The firm was notified of the audit. It did its due diligence and proactively gathered substantiating data and offered full cooperation to the vendor auditor assigned to its case. The vendor auditor though, never said why the audit was being done, if the vendor suspected any non-compliance issues, it never offered any evidence or estimate of anticipated true-up costs.
Instead, the vendor auditor in question asked the organization to provide him with sensitive company documentation and access to various procurement personnel in all of the company's global offices. To make matters worse, the audit dragged on for over a year with no end in sight and no indication to the manufacturing firm that it had any software violations. The end result: the company CEO went to the vendor CEO and complained. The software vendor CEO was startled to hear of the situation and the audit was called off. Again, be patient and indicate your willingness to cooperate, but make sure you have a skilled, knowledgeable employee working with the auditor.
Make that person the central contact for the organization (along with corporate attorneys) but do NOT allow the auditors full access to employees unless it is in the appropriate legal forums.
Best practices and policies
From a policies perspective, Sunbelt/ITIC has identified a number of practices that help organizations to go a long way toward reducing the risk of an audit.
- Centralize procurement.
Corporations are well served by designating someone to supervise and track all license purchases. Wherever possible centralize procurement.
- Schedule regular audits.
Quarterly audits are optimal but may not be feasible for over-burdened IT departments; bi-annual audits are preferable. But at the very least companies should do an annual self-audit. This will give you a detailed view of your purchasing costs, actual usage and ultimately be more secure.
- Maintain detailed proofs of purchase and documentation.
The single biggest mistake and flaw organizations make is sloppiness. Human nature being what it is, most of us unwittingly fall prey to bad or sloppy behavior practices. IT asset management is 20% tools and 80% business. This typically takes the form of bad records or no records. If you can't prove that you bought it or own it, you're in big trouble and may end up having to pay twice for the same software and also penalties if you can't prove your innocence.
- Have a corporate policy in place and enforce it.
Every company should have a detailed software usage plan that sets forth dos and don'ts and expressly prohibits users from installing unlicensed software or downloading freeware and shareware. The policy should be distributed throughout the organization in both hard copy and via e-mail. The policies and procedures should also contain an explicit list of penalties for violating the rules. And finally, your company will have to diligently enforce the policy, or it will be meaningless.
(This is a small section out of chapter three of "MS Licensing 6.0 program: Practical, tactical advice for negotiating and winning the best deal." To order the complete report simply click here and follow the instructions.