Our team: Tim Wright
Software Audits – are you ready?
T Wright, Partner, Fladgate
If you use software provided by the likes of Adobe, HP, IBM, Microsoft, Oracle, SAP or VMware, it is quite likely that you will have been, or will be audited, to see whether your use of their software complies with the terms on which their software is licensed and particularly to make sure that every copy of installed software you have is actually licensed.
Right to audit
Almost every software license contains audit rights, although the precise terms can vary and should be checked carefully including as to scope and timing. Audits are usually performed by industry associations, such as the Business Software Alliance (BSA), or by the software vendor itself. Software vendors use audits to drive revenue, as well as address software piracy, and the tactics adopted are often very aggressive. Audit requests are often triggered by events such as:
Understanding the licensing position
Each software vendor has its own ‘contractual paper’ and approach to licensing. The licence terms are often complex, interwoven, poorly conceived and confusing. Licence terms may also differ depending on the deployment model i.e. on premise, cloud, outsourcing or hybrid. Further, the contractual documents themselves are often ‘supported’ by a variety of other documents such as user guides and technical specifications some of which will be available from a particular website. The resulting contractual web can grow over time as new products are added.
Because of this, when faced with a pending software audit, it is extremely important to understand the nature of the applicable license(s) and the rights to use the software on different devices. In addition to the licence agreement itself, all other relevant financial and legal documents should be gathered including EULAs, bill of materials, invoices, product orders, change requests, relevant emails and implementation practices.
So what’s the big deal?
Being the subject of a software audit can be a significant headache simply in terms of the operational support and resource required, often over an extended period, with customers required to gather, check and produce accurate data within a relatively short period of time and then attend follow up meetings and negotiations. Gathering and checking relevant data can more difficult where enterprises have large numbers of users in multiple geographies, operate a thin client environment, or use outsourcing, virtualization, cloud computing or automation.
More to the point, disputes in this area are not unheard of. One of the most significant cases is SAP UK v Diageo Great Britain . SAP claimed a whopping £54 million in a dispute over indirect licensing (the licence only permitted Diageo’s named users to access the SAP software, directly or indirectly). Mrs. Justice O’Farrell, sitting in the Technology and Construction Court in London, found that Diageo’s deployment of two systems on a SalesForce hosted platform which interacted with SAP software meant SAP was entitled to additional license fees (amount to be determined in a separate hearing). And in March 2017, another drinks company, AB InBev, reported in its SEC filing that it had settled an eye watering $600m unlicensed use claim, again brought by SAP. Facing alarm calls from its user base, SAP subsequently adopted a new ‘Indirect Access’ licensing policy which differentiates between what it calls ‘direct/human access’ and ‘indirect/digital access’ (the latter covers direct access of SAP’s Digital Core software by devices, bots, automated systems, etc.)
Legal next steps
From a legal perspective, when considering a software audit request the following steps are key:
Many businesses do not take software audits seriously until they have experienced the pain of an audit themselves. Planning for a software audit through the use of internal audits, and software asset management and inventory tools, combined with regular licensing position reviews, can significantly reduce the headache of a software audit, prepare the business for future audits, mitigate risk and help better manage existing licences.