Responding to Software Review Audits: Good tips on how to handle audit requests and settlements

Managing Audits to Prevent Unauthorized Disclosures by Technology Teams


Disputes involving software usage are on the rise for businesses of all sizes. In some cases, technical teams respond to a software publisher’s or a third party’s audit request and provide significant amounts of data without notifying anyone on the corporate governance or the legal teams.  It is critical for those teams to evaluate the publisher’s legal ability to audit, and to identify the data the publisher is entitled to request.
It is not uncommon for the legal team to discover the existence of a software audit or license verification after the company has received a demand for damages arising from alleged over-usage of software.
Often, employees responding to an audit request do not understand the request and provide inaccurate or incomplete information. Once this information is disclosed, it can expose the business to damages claims arising from any license deficiencies. If the information is inaccurate, it is an uphill battle to rectify it and reach a resolution.
There are a few key tips to minimize unauthorized disclosures and to avoid potential liability.
1. Institute Communications Protocols for Inquiries from Third Parties
Depending on the size of the company, there may be varying resources available to respond to an audit request.  Whether a company has a single person in charge of the IT assets, outsources to a managed services provider or other third party vendor, or dedicates an entire department to managing software deployments and licenses, it is helpful to institute protocols outlined in an employee handbook (or vendor agreement) that prevent individuals from disclosing information without seeking management’s approval.

Some types of audits appear to be non-threatening “license verifications” or requests for software asset management reviews, which sometimes creates a false sense of security for individuals who may otherwise seek management approval prior to sharing information.  Even these seemingly innocent requests should be treated with caution.

It is helpful to have an established protocol that employees can reference when they receive a request for information related to software assets.  The teams should be required to notify the legal and governance representatives as part of the protocol.

It is also important to ensure in any agreements with third-party IT vendors that they will not release any information without company approval, even if the third party manages all software on the company’s network.

2. Educate Business and Procurement Teams
Larger companies may dedicate entire departments to the business side of software negotiations, including management and procurement. These negotiations should always be supervised by inside or outside counsel.
Sometimes, during the business negotiations, these teams may disclose information regarding the company’s software installations that the publisher later tries to use as leverage in future negotiations.  For instance, if during a business negotiation, the procurement team describes a current use case that is outside the scope of the license grant, the publisher may claim that it is entitled to payment for the past improper usage.
It is crucial that these departments are trained on the specific types of information that may be disclosed and to ensure that the information provided is properly vetted for accuracy and legal implications.

3. Routinely Conduct In-House Self-Audits
Finally, a company should assign a specific individual or team to conduct routine self-audits and internally track entitlements to ensure license compliance. The benefit of this process is two-fold: 1) If the company receives an inquiry regarding its software licenses, it can quickly and accurately collect the necessary information, and 2) the information can be verified by the IT staff and management prior to disclosing it to a third party.
The first step in receiving a software-related inquiry is to identify what type of information is being requested, and whether a response is mandatory. In some of these situations, a company has no obligation to respond. In others, a failure to provide a timely response may escalate the matter to potential litigation. All inquiries should be brought to the attention of both management and the legal department to determine how to proceed.

Responding to Autodesk Audits


The BSA and SIIA are not the only organizations pursuing businesses for software copyright infringement. Though it is a member of both the BSA and SIIA, Autodesk, which manufactures the popular design software AutoCAD, often pursues audit targets on its own.

The audits begin much like those instituted by the BSA or SIIA. The target of Autodesk’s audit will receive a letter from a law firm representing Autodesk demanding the business’ cooperation in disclosing the number of Autodesk installations on its network and the number of Autodesk licenses it owns, including serial numbers. The law firm will assert it has received information that indicates the business may have more installations of Autodesk software than it is licensed to use. The letter will go on to describe the various penalties associated with copyright infringement and it may threaten the business with civil litigation.

Targets who receive such letters should treat the matter very seriously. It is important to know your legal rights and protect your legal position before responding to a request for information from a software publisher who is trying to conduct an audit. Additionally, many companies who prepare their own responses to Autodesk without the benefit of counsel and before conducting a thorough investigation often receive an unexpectedly high settlement offer from Autodesk.

In many cases, Autodesk demands a settlement payment calculated as the MSRP of the allegedly unauthorized products installed on the business’ network multiplied by three. The multiplier, Autodesk argues, is the penalty for using unauthorized software and is assessed in lieu of proceeding with formal judicial resolution. The use of multipliers as an approximation of damages is a hotly contested issue.

When responding to Autodesk audit requests, companies should work with experienced counsel to thoroughly investigate the software usage on their computers, protect themselves by requesting agreement from Autodesk regarding the use of the materials that will be produced in the audit, and negotiate a resolution geared toward ensuring future compliance.

-------------------

Settlement Structuring for IBM Audits


Software-compliance audits initiated by IBM can be extremely burdensome and time-consuming and can force companies to face challenges that are somewhat unique among major-publisher audits. For one example, a significant component of IBM’s business model is the acquisition of other software vendors and the integration of those vendors into IBM’s product portfolio, which can complicate the task of identifying the appropriate license metrics and entitlements owned. For another example, companies seeking to license IBM products based on processor resources in virtualized environments must use IBM’s License Metric Tool (ILMT) in order to avoid licensing the products based on the full capacity of the host infrastructure. The ILMT question can become a significant satellite issue to explore during an audit, and failure to demonstrate compliance can yield substantial licensing exposure.
However, once all of the data-collection and license-reconciliation tasks have been addressed, IBM’s auditors will generate a final audit report, and IBM will prepare a proposal to resolve the audit findings. At this stage, companies will need to turn their attention to structuring an appropriate settlement framework that definitively resolves all calculated license shortfalls as well as all underlying licensing concerns that may have contributed to an imperfect outcome.
Here are some important subjects to keep in mind when negotiating the resolution with IBM:
  • Fair Purchasing Options
IBM’s default audit resolution typically will incorporate a requirement to purchase licenses equal in kind and quantity to any license shortfalls calculated during the audit. Thus, if a company was found to be over-deployed for WebSphere Application Server (WAS) by 1,000 Processor Value Units (PVUs), IBM will require the company to purchase 1,000 PVU licenses for WAS. In addition, IBM also usually will require the company to purchase two years of retroactive support for the shortfall license quantity. However, there often are a number of opportunities to maximize the value of the audit resolution:

(1) Minimize Retroactive Support.
If the company can demonstrate that product installations associated with license shortfalls were deployed within the two years prior to the audit, then that information should be discussed in order to reduce the amount demanded for retroactive support.

(2) Reduced or Compromise Purchase Quantities.
Audited companies should not hesitate to request compromises associated with inadvertent licensing shortfalls. For example, if a compliance problem resulted from the company’s failure to deploy and use ILMT, then the company should seek to reduce the number of licenses to be purchased for the product in question, provided either that the products are re-deployed or that ILMT is installed following settlement. These arguments sometimes are more compelling when the company can demonstrate unsuccessful attempts to satisfy the licensing requirements prior to the audit. Furthermore, they can be especially compelling when the company can demonstrate that IBM had an opportunity to advise the company regarding the compliance concern prior to the audit – and failed to do so – or that IBM had an affirmative obligation to satisfy the licensing requirement (such as through a statement of work for implementation services).

(3) Substitute Products & Services.
Whenever a quantity of licenses included in an audit settlement demand would address calculated shortfalls without providing prospective value to the company (for example, because the software either can be re-deployed or uninstalled following settlement), the audited company should seek to substitute those purchase quantities with alternative purchases consistent with the company’s go-forward needs. This approach typically is easiest for IBM to accommodate when licenses for one product are to be substituted with licenses for another product that was not found to be a compliance problem during the audit. IBM also has a strong desire to transition business to a cloud-services model, and it also may be willing to substitute those services in place of a perpetual-license demand. However, IBM’s hardware and professional-services offerings usually are not accepted as substitute purchases.

(4) Strategic Pricing Discounts.
Never underestimate the power of direct negotiations between business teams. IBM may be willing to offer further discounts if it perceives an opportunity to become a strategic vendor for the audited company. This can be especially true for companies willing to commit to subscription or other ongoing service-delivery relationships with IBM.
  • Post-Settlement Compliance Obligations
Any product-specific compliance problems outside of license shortfalls that were identified during the audit need to be definitively resolved through the audit settlement.
The most obvious item falling within this category would be a prospective need to deploy ILMT. Large organizations especially may be unable to install and configure the tool quickly following settlement of an audit. Therefore, the audit close letter or settlement agreement needs to define the post-settlement ILMT deployment obligation, providing for sufficient time to complete the project. It also may be advisable to seek IBM’s commitment to support the ILMT implementation and to allow for additional time to complete the project, provided that the company has made reasonable progress toward completion.
Another item to keep in mind here would be any compliance concerns that may have resulted from IBM’s acquisition of a vendor from which the audited company previously may have purchased licenses. If there were any licensing allowances granted by that vendor prior to the acquisition, then the audit close letter should address whether and to what extent those allowances will be carried forward, either to facilitate the company’s continued use of pre-acquisition versions of the software in question, or to transition to post-acquisition versions of that software.
  • Release, Forbearance and Other Legal Terms
Finally, it is critical to ensure that the audit settlement really is a complete settlement of all issues reviewed through the audit process. This means including a strong release of past liability in the audit close letter or settlement agreement that includes all audited products and business operations. It also means seeking a reasonable period of audit forbearance following the audit, so that the company has time to adjust its software-asset management procedures in preparation for the next licensing review. In addition, if any licenses need to be assigned from one organization to another within the company’s enterprise in order to ensure go-forward compliance, those issues also should be resolved with the audit settlement.

Reference: http://scottandscottllp.com
