Firms should treat software licence reviews as a material risk to business
Software licence reviews present a significant risk to business - but there are ways to combat them
For almost any large organisation, receiving a notification from an IT vendor that it is going to be conducting a ‘routine software licence review' can be the start of a long and damaging process.
Software audits have become an increasingly common method for vendors to increase their revenues from existing customers. But why? And what must organisations understand if they are to properly protect themselves against the significant risks posed by a software licence review?
Easy targets
Use of cloud computing services has risen exponentially over the past decade. The likes of Amazon, Google and Microsoft have established themselves as the major players in this space. Traditional vendors, meanwhile - those who rely on customers using on-premise software - have been somewhat left behind.
Indeed, while the cloud market has expanded at pace, Oracle's revenues have risen by only seven per cent in six years. Similarly, from the start of 2012 IBM saw its revenues fall for 22 successive quarters, only seeing a return to growth this year thanks to the uptake of its own cloud services.
The result is that many large vendors are turning to on-premise software users as easy targets to increase revenues. These customers - large organisations - find themselves unable to adjust. Issues such as security, business continuity and complex legacy operations mean that they cannot easily shed usage of on-premise technology in favour of the cloud. This leaves them at the mercy of regular software audits and the damages that can ensue.
Ambiguity and opacity
Software licence reviews are notoriously difficult to defend against. There are several reasons for this:
First and foremost, the terms used within software licences are often marred with ambiguity and opacity. What's more, the vendors tell customers that they must consult a plethora of white papers and policies on the vendor's website to understand how the terms apply.
Another issue is that the customer requires software licences for each installation, not just usage. As such, penalties can apply to software that is installed but not used.
Furthermore, vendors such as Oracle and IBM insist on software licences for servers and processors that are potentially available to run the programs - even if there is no proven use.
Finally, ‘Matching Service Levels' means that customers must pay for all programmes owned, even if the software is shelved or not deployed.
It is little wonder that CIOs are filled with such dread upon hearing the news that their vendor - the likes of Oracle, IBM, Microsoft, SAP and Informatica - is going to conduct an audit. In fact, major accountancy firms such as EY, Deloitte, PwC or KPMG usually carry out the evidence gathering, while Oracle typically uses its own licence management division.
In each case, the customer's account manager is informed but is effectively side-lined while the process takes place. And it can often be a long process: an audit can take three to six months, occasionally more, while the auditor closely interrogates all usage or installation of the technology and applications.
The end result can be significant: penalties are levied and the vendor will often require the customer to pay for new licence purchases at list price (or more). The vendor can also backdate costs for support and maintenance and request that the customer covers the audit costs. All of this forms an executable quote, which is issued after the audit with a 30-day demand for payment.
Destabilising the demands
Ultimately, the costs incurred through a software audit can often be out of proportion to the value the customer has received through any under-licensing, inadvertent or otherwise. So what can organisations do?
Unfortunately, vendor claims are rarely litigated, although there have been cases entering the press over recent years. This inaction is usually because the customer will have some anxiety about reputational damage, as well as needing to keep vital IT systems switched on. Furthermore, vendors can sometimes offer concessions in exchange for confidentiality about the process.
Importantly, there are ways of confronting these audits. While a solicitor's letter will have no effect, a combination of astute technical, legal and commercial arguments can destabilise the vendor's insistent demands and cut down claims to an appropriate level.
Customers must treat any invitation to co-operate in a ‘software licence review' as a material risk; the letter is essentially the precursor of what may be a significant damages claim. As such, high quality consultancy and negotiation expertise is needed if an organisation is to effectively protect itself. Importantly, this needs to be independent of the vendor (not their platinum partner) and, whenever possible, an organisation should utilise former licensing experts from that particular vendor.
Robin Fry is a director of Cerno Professional Services and a highly-experienced software IP lawyer. He is prominent in defending software audits and advising on software licensing issues.