Vendor Software Audits

Our team: Tim Wright

Software Audits – are you ready?

T Wright, Partner, Fladgate

If you use software provided by the likes of Adobe, HP, IBM, Microsoft, Oracle, SAP or VMware, it is quite likely that you have been, or will be, audited to see whether your use of their software complies with the terms on which it is licensed, and particularly to make sure that every copy of installed software you have is actually licensed.

Right to audit

Almost every software license contains audit rights, although the precise terms can vary and should be checked carefully including as to scope and timing. Audits are usually performed by industry associations, such as the Business Software Alliance (BSA), or by the software vendor itself. Software vendors use audits to drive revenue, as well as address software piracy, and the tactics adopted are often very aggressive. Audit requests are often triggered by events such as:

  • Merger and acquisition
  • Divestiture
  • Fiscal year end
  • Audit by another software vendor
  • Non-renewal of a current licence agreement
  • A whistleblower report to a trade group such as the BSA in return for a reward

Understanding the licensing position 

Each software vendor has its own ‘contractual paper’ and approach to licensing. The licence terms are often complex, interwoven, poorly conceived and confusing. Licence terms may also differ depending on the deployment model i.e. on premise, cloud, outsourcing or hybrid. Further, the contractual documents themselves are often ‘supported’ by a variety of other documents such as user guides and technical specifications some of which will be available from a particular website. The resulting contractual web can grow over time as new products are added.

Because of this, when faced with a pending software audit, it is extremely important to understand the nature of the applicable license(s) and the rights to use the software on different devices. In addition to the licence agreement itself, all other relevant financial and legal documents should be gathered including EULAs, bill of materials, invoices, product orders, change requests, relevant emails and implementation practices.

So what’s the big deal?

Being the subject of a software audit can be a significant headache simply in terms of the operational support and resource required, often over an extended period, with customers required to gather, check and produce accurate data within a relatively short period of time and then attend follow-up meetings and negotiations. Gathering and checking relevant data can be more difficult where enterprises have large numbers of users in multiple geographies, operate a thin client environment, or use outsourcing, virtualization, cloud computing or automation.

More to the point, disputes in this area are not unheard of. One of the most significant cases is SAP UK v Diageo Great Britain [2017].[1] SAP claimed a whopping £54 million in a dispute over indirect licensing (the licence only permitted Diageo’s named users to access the SAP software, directly or indirectly). Mrs. Justice O’Farrell, sitting in the Technology and Construction Court in London, found that Diageo’s deployment of two systems on a Salesforce hosted platform which interacted with SAP software meant SAP was entitled to additional license fees (amount to be determined in a separate hearing). And in March 2017, another drinks company, AB InBev, reported in its SEC filing[2] that it had settled an eye-watering $600m unlicensed use claim, again brought by SAP. Facing alarm calls from its user base[3], SAP subsequently adopted a new ‘Indirect Access’ licensing policy[4] which differentiates between what it calls ‘direct/human access’ and ‘indirect/digital access’ (the latter covers direct access of SAP’s Digital Core software by devices, bots, automated systems, etc.).

Legal next steps

From a legal perspective, when considering a software audit request the following steps are key:

  1. Understand the licensing environment and associated risks. Different vendors use different (and sometimes conflicting) licensing metrics (per CPU, per core, NUP, PVU, etc.) resulting in a complex licensing environment. They also adopt different tactics and approaches. Oracle, in particular, has in the past been criticised for its aggressive licensing tactics (see the US cases of Mars Inc. v. Oracle Corp and City of Sunrise v. Oracle).
  2. Engage the in-house legal team but consider seeking external assistance as well, especially if the in-house team do not have a lot of experience of such audits. And depending on the jurisdiction, appointing outside counsel might also bring legal professional privilege (often referred to as attorney-client privilege) which may be advantageous if litigation follows as well as providing a channel for communication and negotiation.
  3. Check the vendor’s audit rights and consider the nature of the audit request received.
  4. Review licence terms and use restrictions in order to map to usage/rights data. Consider the indirect licensing issue very carefully – determine the nature and the type of access, the scope of use rights, categories of users, interaction of the software with other systems, including where automation has been deployed. Licensing models can also change over time, such as Oracle Java SE which changed from a one-off annual licence and annual support fee to a subscription-based model in January 2019.
  5. Establish processes and controls for the conduct of the audit, including non-disclosure agreements and audit scopes; also consider any confidentiality, data protection and privacy issues which may arise.
  6. Map out best and worst cases, and establish a range of acceptable outcomes. These may not be solely monetary e.g. moving to more favourable general contract terms, and will assist with negotiations and any re-contracting with the vendor.

Many businesses do not take software audits seriously until they have experienced the pain of an audit themselves. Planning for a software audit through the use of internal audits, and software asset management and inventory tools, combined with regular licensing position reviews, can significantly reduce the headache of a software audit, prepare the business for future audits, mitigate risk and help better manage existing licences.





