3 Key Steps in Handling a Vendor Software Audit

If your company has received a notification from a software vendor about conducting a software audit of your deployment, you are not alone. Over the past decade, there has been a rise in software audits.  Some of the factors driving the increase include:

  1. Revenue – Audits are a means to ensure that vendors are being adequately compensated for the software being used. Discrepancies in software usage versus licensing often lead to additional revenue for vendors through penalties or through the purchase of additional licenses.
  2. Changing Licensing Models – Evolving technologies and new software deployment methods, such as cloud-based solutions, have resulted in more intricate licensing models.  This potentially can lead to non-compliance, which software vendors are becoming more diligent in finding.
  3. Software Asset Management Tools – The availability of software asset management (SAM) tools has made it easier for vendors to monitor and manage software usage.  This often allows vendors to receive real-time notification of suspicious activity and non-compliance.
  4. Mergers and Acquisitions – When companies are part of a merger or acquisition, this often involves the combining of software and IT assets and infrastructures.  Each company likely will have its own software licensing agreements which are now part of the same organization.  This can draw the attention of software vendors who might initiate audits to ensure proper licensing across the merged entities.

Regardless of the reason for the audit, companies should not disregard an audit request when received. Failing to respond could result in the vendor pursuing costlier legal action against the company. Once a company receives an audit request notice, it needs to start preparing to respond. This article discusses three key legal steps that a company should take as part of a software audit response.

Understand the License Agreement and its Audit Provision

A company’s first step after receiving an audit request should be to find and review the software license agreement associated with the audited software. This is crucial because the vendor’s authority to conduct an audit, as well as the company’s rights and responsibilities during the audit, typically are set out in the agreement. It is advisable to pull in legal counsel during this review to ensure a comprehensive understanding of the audit provision and to identify any potential areas of concern or ambiguity. Generally, a company will want to review the audit language for the following:

  • Notification Period – The license agreement may specify how much notice the software vendor must provide before conducting an audit. It is important to verify if the vendor has adhered to this period.
  • Audit Scope and Methodology – The agreement might outline the scope of the audit, which could include details on which software products are subject to audit, the duration of the audit, and the methods or tools the vendor can use.
  • Confidentiality Clauses – Ensure that any information accessed or collected during the audit is protected, especially if it pertains to proprietary business processes or sensitive data.  Additionally, audits often are conducted by third-party entities on behalf of the software vendor. In such cases, it is important to ensure that confidentiality agreements are also in place with these third-party auditors, establishing clear boundaries on data access, usage, and protection.
  • Cost Responsibilities – Some agreements might stipulate who bears the cost of the audit, especially if no significant licensing discrepancies are found.

By understanding the language of the audit provision in the applicable license agreement, the company can ensure that the scope and processes outlined in the audit request align with the agreement. If discrepancies or ambiguities arise between the audit notification and the audit provision, the company can communicate these to the software vendor to ensure mutual understanding of the audit’s parameters. Additionally, auditors may sometimes be assertive and aggressive in their efforts to ensure that license terms are complied with, and there is a risk that they might overstep the limits established in the audit provisions. With a clear grasp of the audit provision, companies are better positioned to address any oversteps or requests that deviate from the agreed-upon terms.

Conduct a Pre-Software Audit Review

To avoid unwelcome surprises from audit findings, companies should proactively gather data and conduct their own internal pre-audit review. If the company utilizes SAM tools as part of its regular IT processes, these can be invaluable for this review.  If a company is not using SAM tools, then it will want to make sure it gathers any documentation that will help it compare software deployment data against the number of licenses purchased.  Regardless of the methods that a company uses to conduct its own audit, it will want to start building arguments as to why its auditing methods provide an accurate accounting of software deployment.  Deployment tracking methodology often is an area that auditors will scrutinize, so it is beneficial to anticipate and prepare for potential challenges in this area.

Once the internal audit is completed, ideally, the company’s deployment data should align with the number of licenses purchased.  While this does not guarantee the external auditor will arrive at the same conclusion, it at least means that the company should be in a better position to push back on discrepancies that the auditor raises.  In the event that the company itself finds discrepancies in its own auditing results, this provides an opportunity to double-check its findings and strategize potential defense or negotiation tactics concerning the identified discrepancies.

Negotiate a Settlement

If the audit reveals a discrepancy between purchased licenses and software deployments, the software vendor typically will seek compensation for the licensing gap, potentially spanning back to when the discrepancies began. Additionally, the company might be responsible for covering the audit costs, especially if the discrepancies exceed a certain threshold or percentage provided in the agreement. As previously discussed, if the company uses SAM tools or other tracking methods it deems reliably accurate, it should assertively present its case as to how it is in compliance.

In the event that there is a valid discrepancy discovered during the audit, the company has several avenues to explore other than just paying the software company’s demanded amount. First, the company can seek to negotiate a reduction in the demanded payment, especially if it believes the discrepancy is minor or unintentional. Offering to purchase the necessary licenses for future use, rather than paying penalties for past discrepancies, is another common approach. Additionally, the company can propose a payment plan to stagger the costs over a period, making the financial burden more manageable. It also often is helpful for the company to highlight its long-term relationship with the software vendor, emphasizing the mutual benefits of a reasonable settlement. Throughout the negotiation, it is important for the company to be prepared with data, documentation, and a clear understanding of its rights under the licensing agreement, as these elements will strengthen its bargaining position.

Conclusion and Key Takeaways

Companies increasingly are receiving audit request notifications from their software vendors. Upon receiving such notices, it is important to actively respond and prepare, rather than to overlook the notification. Knowing the audit rights provided for in a company’s license agreement and having a strong grasp on its software deployment data will help the company during the audit. In the event that a discrepancy is found and the software company demands that the company pay for any additional license usage, the company has alternative resolution options that may help lessen the audit’s impact on the company. Engaging legal counsel can provide invaluable guidance in navigating the complexities of the audit, from initial notification through to potential settlement negotiations.