Software Audit Code of Conduct [DRAFT]

16 February 2014
8 minute read
ITAM News & Analysis


Updated 25th April 2014 – The first version of the Code of Conduct is now live here:
https://www.clearlicensing.org/audit-code-conduct/


This code of conduct from the Campaign for Clear Licensing is a first draft. Please leave your comments or contact me to discuss any suggested edits or feedback. Thanks in advance for your help. ~ Martin

Thanks to Rory Canavan, Glenn Thompson, Martin Chalkley, David Foxen and Kylie Fowler for helping put together this first draft.


Preface – Current Market Observations

  • Technology exists within the current market to restrict the use of software that is not licensed correctly. Many software publishers choose not to implement such controls, preferring an approach to software control that gives customers the flexibility and openness to develop solutions with their technology.
  • Historically, software management controls have been two steps behind license program changes. Software is typically poorly labelled, and customers are given neither the tools and guidance to assess their consumption accurately nor clarity about changes to licensing programs.
  • Historically, end-user customers have either been poor at building controls for deploying and using software in their estates or have struggled to manage their software audit functions.
  • End-user customers accept terms in contracts that they do not clearly understand, whether through choice or ignorance.
  • Software publishers are able to use the lack of clarity over software, licensing and audits to their advantage during sales processes or contract negotiations, resulting in general market dissatisfaction and distrust.

Introduction

Software publishers audit their customers to examine if software is being used within agreed terms. This code of conduct defines a set of acceptable practices for behaviour during such audits.

This code of conduct covers types of audit, defining scope, the introduction of third parties, agreeing objectives and discussing results and outcomes.

Guiding principles:

  1. Software publishers have the right to protect their intellectual property
  2. Software publishers have the right to exercise clauses in their agreements and contracts
  3. End user customers have an obligation to manage licensed software within the terms of the agreements
  4. End user customers have the right to deny audit requests that are not the result of contractual obligations or evidence-based breaches of intellectual property
  5. End user customers have the right to professionalism, complete transparency, clarity and openness throughout the audit process

In a nutshell…

  • For customers: If you can’t manage it, don’t use it
  • For software publishers: If you can’t demonstrate how to manage it with everyday tools and techniques, don’t sell it

Terminology and Types of Audit

Any audit request should state which type of audit it is, as outlined below: voluntary, contractual or legal.

The table below summarizes the most common types of audit:

Type of Audit     | When Initiated                              | Commonly known in the market as…                                          | Obligation to participate
Voluntary Audit   | Ad hoc or speculative, during sales process | Audit, Review, SAM Review, Assessment, Self-Audit, Friendly Audit          | Voluntary
Contractual Audit | Contract event or during sales process      | Audit / True-up                                                           | Contractual
Legal Audit       | Breach of intellectual property             | Audit                                                                     | Legal

Notes:

  1. Informal audits and reviews may be incorrectly associated with, or labelled as, formal audits
  2. Pre-sales led audits and voluntary reviews can be a positive experience to benchmark an environment. They must not be used inappropriately to benefit the sales or new business process, e.g. by threatening legal recourse.

Audit Engagement

All audit communications should be routed through normal account management channels, with escalation where appropriate.

Initial audit communications should cite:

  1. The main point of contact
  2. Nature/type of audit as mentioned in the table above
  3. Grounds for audit or supporting evidence
  4. Contract, Agreement or other unique identifier
  5. Audit scope in terms of products, geographies, environments, device types etc.
  6. Date for audit to be conducted, results to be collated and published
  7. Resolution process to be followed in the event of irreconcilable differences

Agreed Measurement Criteria

The software publisher shall publish clear guidance on what constitutes entitlement, installation and usage:

  • The software publisher will provide proof of installation for all titles in scope.
  • The software publisher will provide proof of entitlement for all titles in scope.
  • The software publisher will include in its licensing terms and conditions examples of the evidence it would accept as "rights to use" for the software in audit scope.

Data and Working with Third Parties

Third parties (companies involved in the audit but not the customer or software publisher) should declare all commercial interests (either customer side or vendor side) before audit work commences.

Commercial interests and related matters to declare include:

  • Profiting (directly or indirectly) from the outcome
  • Compensation for audit work
  • Relationship or commercial interests outside the audit work
  • How and when data relevant to the audit is shared

Timing

Both parties will agree the dates by which the audit will commence and complete.

If the software vendor or a nominated third party is to conduct any install inspections, the process and timing for completing that information capture are to be agreed by all parties.

  • Voluntary Audit: At client discretion
  • Contractual Audit:  Minimum 60 day notice prior to commencement unless otherwise agreed
  • Legal Audit: According to local jurisdiction

Onsite Inspections and Operational Details

The third party conducting the audit on behalf of the software vendor is to liaise with the client to confirm the operational aspects of the audit. This might include (but is not limited to):

  • Access to hardware systems, duration of time permitted on site(s)
  • Arrangement of a client chaperone to escort the auditors about the client’s premises
  • Access to auditing software systems.

All information captured or created as a result of the audit is to be classed as commercial-in-confidence and not relayed beyond the software vendor, the third party auditor and the client, without the express permission of all parties.

If a third party conducts any on-site data capture on behalf of a software vendor, a copy of the captured data is to be provided to the company being audited. Full disclosure between software vendor and client is essential, so that both parties understand what data is being used to derive any fees owed.

Audit Results

Dispute resolution

The software vendor is to confirm the calculation of any licence fees owed, including how the final figures were arrived at. A summary figure alone is not fit for purpose, as it does not allow comparison with current market prices or with pre-arranged contract prices that may be in force but forgotten.

Note: Detailed transparency regarding shortfalls also helps organizations with root cause analysis, preventing such shortfalls in the future and benefiting all parties.

Audit results / closure / recommendations

Both parties reserve the right to dispute the figures arrived at, and may seek recourse via mediation with the CCL, arbitration by an arbitrator agreed and appointed by both sides, or legal proceedings. It is important that an escalation route exists in the event of any dispute over fees felt to be due.

The auditor, publisher or third party should explain any discrepancies, their likely root causes, the steps the organization might take, and the best practices it might reference, to prevent the same issue recurring. Audit results and recommendations should be delivered in plain English with minimal technical or licensing jargon, so that the key messages can be understood and acted upon across the organization.


The Campaign for Clear Licensing will consider all complaints against organizations that have not followed the code with a view to stamping out unprofessional behaviour and raising standards. Contact us in confidence to discuss breaches of this code.



