<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: ARTICLE: Taking Control of a Software Vendor Audit</title>
	<atom:link href="http://www.itassetmanagement.net/2009/05/22/article-taking-control-of-a-software-vendor-audit/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itassetmanagement.net/2009/05/22/article-taking-control-of-a-software-vendor-audit/</link>
	<description>Independent News, Reviews and Resources for ITAM and SAM Professionals</description>
	<lastBuildDate>Thu, 11 Mar 2010 16:16:28 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Rob Harmer PCProfile</title>
		<link>http://www.itassetmanagement.net/2009/05/22/article-taking-control-of-a-software-vendor-audit/comment-page-1/#comment-1433</link>
		<dc:creator>Rob Harmer PCProfile</dc:creator>
		<pubDate>Thu, 28 May 2009 23:16:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.itassetmanagement.net/?p=1223#comment-1433</guid>
		<description>They are great additional observations. 

The key clarification I would add is that vendor audits can fall into two categories; 

Category A; hostile audit in response to an internal tipoff from a disgruntled employee 

Category B; a “fishing expedition” based on &quot;it’s your turn to be audited&quot; based on their random audit schedule 

The type of audit that occurs will determine whether and how any of the strategies outlined across the article (and the feedback so far) can be implemented and deployed to be effective. 

Leaving it to the time of an impending audit (which isn’t the suggestion made by the article) is too late, but this is stating the bleeding obvious! 

Having said that, many do leave it too late, and then try and run around to implement some of the strategies outlined, and fail dismally! 

Many of the fines and settlements made are arbitrary assessments (weighted in favour of the vendor) rather than factual full counts and in some cases we have seen instances where organizations have been penalised by poor housekeeping. They have &quot;paid up&quot; to get them out of the premises due to the duration and inconvenience caused! 

Rule of thumb based on what we have seen having been in this industry (anti-piracy advice) since 1991 puts the cost of a full audit/fine/settlement and license true-up, plus the cost of staff, legal fees, reconciliation etc to be around 3 to 4 times (in some cases higher) the value of the under-licensed software. 

If the vendor is auditing you under “Category A” they can do this with their own legal counsel and/or use a legal instrument as the means to gain entry to premises (an Anton Piller order) and you have a maximum of one hour to have your lawyer attend. 

Under this type of legal instrument (Anton Piller order) they can seize assets and remove them from your premises, which can render a lot of your defence useless. This means that in this case many of the steps outlined in the article are not capable of being deployed at the time or just before the time of the audit.  In this instance the licensee CANNOT control the situation or the timing of the audit ie; go away it&#039;s end of year / end of quarter. 

Best advice we can give is to be well prepared, well in advance with good housekeeping and good SAM management so as to minimize the risk of the audit situation. A good SAM program and regimen will help identify if you have over-licensed applications (paid for more than you actually need) in which case you can trade-off the costs of running an effective SAM program vs the cost of license saved. 

We don’t sell SAM solutions (but we do recommend them for our clients) - we offer independent audit tools for auditors.</description>
		<content:encoded><![CDATA[<p>They are great additional observations. </p>
<p>The key clarification I would add is that vendor audits can fall into two categories; </p>
<p>Category A; hostile audit in response to an internal tipoff from a disgruntled employee </p>
<p>Category B; a “fishing expedition” based on &#8220;it’s your turn to be audited&#8221; based on their random audit schedule </p>
<p>The type of audit that occurs will determine whether and how any of the strategies outlined across the article (and the feedback so far) can be implemented and deployed to be effective. </p>
<p>Leaving it to the time of an impending audit (which isn’t the suggestion made by the article) is too late, but this is stating the bleeding obvious! </p>
<p>Having said that, many do leave it too late, and then try and run around to implement some of the strategies outlined, and fail dismally! </p>
<p>Many of the fines and settlements made are arbitrary assessments (weighted in favour of the vendor) rather than factual full counts and in some cases we have seen instances where organizations have been penalised by poor housekeeping. They have &#8220;paid up&#8221; to get them out of the premises due to the duration and inconvenience caused! </p>
<p>Rule of thumb based on what we have seen having been in this industry (anti-piracy advice) since 1991 puts the cost of a full audit/fine/settlement and license true-up, plus the cost of staff, legal fees, reconciliation etc to be around 3 to 4 times (in some cases higher) the value of the under-licensed software. </p>
<p>If the vendor is auditing you under “Category A” they can do this with their own legal counsel and/or use a legal instrument as the means to gain entry to premises (an Anton Piller order) and you have a maximum of one hour to have your lawyer attend. </p>
<p>Under this type of legal instrument (Anton Piller order) they can seize assets and remove them from your premises, which can render a lot of your defence useless. This means that in this case many of the steps outlined in the article are not capable of being deployed at the time or just before the time of the audit.  In this instance the licensee CANNOT control the situation or the timing of the audit ie; go away it&#8217;s end of year / end of quarter. </p>
<p>Best advice we can give is to be well prepared, well in advance with good housekeeping and good SAM management so as to minimize the risk of the audit situation. A good SAM program and regimen will help identify if you have over-licensed applications (paid for more than you actually need) in which case you can trade-off the costs of running an effective SAM program vs the cost of license saved. </p>
<p>We don’t sell SAM solutions (but we do recommend them for our clients) &#8211; we offer independent audit tools for auditors.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ania Levy</title>
		<link>http://www.itassetmanagement.net/2009/05/22/article-taking-control-of-a-software-vendor-audit/comment-page-1/#comment-1426</link>
		<dc:creator>Ania Levy</dc:creator>
		<pubDate>Thu, 28 May 2009 15:48:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.itassetmanagement.net/?p=1223#comment-1426</guid>
		<description>I can appreciate the value of this article, but I disagree with several points.

A licensor not only has the right but an obligation to protect its proprietary interests in and to the intellectual property it licenses.  

It is equally important to note that licensees should have control over:

➢	the auditor’s adherence to corporate policies and procedures
➢	expulsion of a non-compliant auditor
➢	the duration of the audit
➢	the timing of the audit (e.g. never at quarter/year end)
➢	the qualifications and relationship (to the vendor) of the auditor		
➢	what the auditor is permitted to access
➢	how that access is granted (e.g. accompanied at all times by licensee management or a staff member; NEVER remotely)
➢	who pays for the audit (good or bad outcomes)
➢	what percentage of overuse would be subject to penalties 
➢	the grace period before penalties are assessed
➢	dispute resolution resulting from a “bad” outcome
	
I could go into an explanation of each bullet point above, but that would take up too much space for a commentary and would be advisory in nature.  Each licensee has unique conditions and limitations (e.g. some smaller firms may not have a corporate policies and procedures manual that would have to be provided to the licensor’s auditor prior to an audit).
	 
I believe that any organization undergoing or about to undergo a vendor audit should bear in mind, that unless certain terms have been agreed to up front, there is a good chance that penalties and even the cost to conduct the audit may be borne by them.

With that said, it should be clear to your readers that it’s never too late to amend existing contracts to include audit terms and conditions that clearly state the rights of BOTH parties.  I strongly urge them to do so as both the demand and supply sides of the marketplace are feeling the pressures of our current economic times.  Forget about setting a flag or causing suspicion by amending the license agreement.  Your readers should assume that their vendors are always suspicious of overuse.  That’s why they have incomprehensible license agreements.  My advice is to use a third party expert in this field – preferably a third party that has no vested interest in the sale of more products as that would create a conflict of interest.  A neutral party that is recognized by industry players as an expert would take the pressure off of the licensee and emphasize the licensee’s commitment to license compliance and the written agreement with their vendor/licensor.  This process is a proactive move in the right direction, intended to mitigate risks and reduce spending.

Also, one of your readers made a very valid and important comment regarding the tools used to conduct an audit.  Although the caution pertained to an internal audit, the tools used by the vendor/licensor should also be reviewed and researched for any known flaws as the outcome could result in overpayment by the licensee.

Good luck to you all!</description>
		<content:encoded><![CDATA[<p>I can appreciate the value of this article, but I disagree with several points.</p>
<p>A licensor not only has the right but an obligation to protect its proprietary interests in and to the intellectual property it licenses.  </p>
<p>It is equally important to note that licensees should have control over:</p>
<p>➢	the auditor’s adherence to corporate policies and procedures<br />
➢	expulsion of a non-compliant auditor<br />
➢	the duration of the audit<br />
➢	the timing of the audit (e.g. never at quarter/year end)<br />
➢	the qualifications and relationship (to the vendor) of the auditor<br />
➢	what the auditor is permitted to access<br />
➢	how that access is granted (e.g. accompanied at all times by licensee management or a staff member; NEVER remotely)<br />
➢	who pays for the audit (good or bad outcomes)<br />
➢	what percentage of overuse would be subject to penalties<br />
➢	the grace period before penalties are assessed<br />
➢	dispute resolution resulting from a “bad” outcome</p>
<p>I could go into an explanation of each bullet point above, but that would take up too much space for a commentary and would be advisory in nature.  Each licensee has unique conditions and limitations (e.g. some smaller firms may not have a corporate policies and procedures manual that would have to be provided to the licensor’s auditor prior to an audit).</p>
<p>I believe that any organization undergoing or about to undergo a vendor audit should bear in mind, that unless certain terms have been agreed to up front, there is a good chance that penalties and even the cost to conduct the audit may be borne by them.</p>
<p>With that said, it should be clear to your readers that it’s never too late to amend existing contracts to include audit terms and conditions that clearly state the rights of BOTH parties.  I strongly urge them to do so as both the demand and supply sides of the marketplace are feeling the pressures of our current economic times.  Forget about setting a flag or causing suspicion by amending the license agreement.  Your readers should assume that their vendors are always suspicious of overuse.  That’s why they have incomprehensible license agreements.  My advice is to use a third party expert in this field – preferably a third party that has no vested interest in the sale of more products as that would create a conflict of interest.  A neutral party that is recognized by industry players as an expert would take the pressure off of the licensee and emphasize the licensee’s commitment to license compliance and the written agreement with their vendor/licensor.  This process is a proactive move in the right direction, intended to mitigate risks and reduce spending.</p>
<p>Also, one of your readers made a very valid and important comment regarding the tools used to conduct an audit.  Although the caution pertained to an internal audit, the tools used by the vendor/licensor should also be reviewed and researched for any known flaws as the outcome could result in overpayment by the licensee.</p>
<p>Good luck to you all!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rob Harmer PCProfile</title>
		<link>http://www.itassetmanagement.net/2009/05/22/article-taking-control-of-a-software-vendor-audit/comment-page-1/#comment-1347</link>
		<dc:creator>Rob Harmer PCProfile</dc:creator>
		<pubDate>Tue, 26 May 2009 10:56:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.itassetmanagement.net/?p=1223#comment-1347</guid>
		<description>When conducting software inventory be careful with tools that generate false positive results and also those tools that rely on the add/remove programs area and the registry. The data generated from both the registry and add/remove areas is often incomplete and inaccurate so you need to ensure that you create accurate inventories of what is actually installed on a system.</description>
		<content:encoded><![CDATA[<p>When conducting software inventory be careful with tools that generate false positive results and also those tools that rely on the add/remove programs area and the registry. The data generated from both the registry and add/remove areas is often incomplete and inaccurate so you need to ensure that you create accurate inventories of what is actually installed on a system.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
