10 Ways to Ensure Software License Compliance and Avoid Audit Failure
A software license audit is when one of your software vendors wants to compare the number of software licenses your organization has purchased with the number currently installed on your computers. An external audit can consume a lot of time and resources, so it's important that IT organizations take proactive steps to ensure software license compliance and avoid an external audit disaster. Here are 10 ways your organization can get a head start on managing your software compliance.
1. Be Clear on Contract Terms and Penalties
Compliance with software license agreements begins with a clear and thorough understanding of the agreements themselves—the contracts established between software vendors and the IT organization that dictate licensing constraints and terms of service. Contracts describe an agreement between two parties to exchange goods and services, and while some types of contracts are relatively straightforward, software licensing agreements are known for their complexity. IT organizations need to be particularly aware of the terms of their software license agreements, as violation of these agreements can lead to software audits, unplanned licensing costs, or litigation.
Go through each term in the contract carefully to understand what exactly is being provided to them in terms of licenses and service. There needs to be total clarity on what constitutes billable use of a software license, the way licenses and their users are defined in the contract, and how software deployments on virtual machines, test environments, and other platforms are treated by the vendor.
It's also important to be aware that changes to the vendor's standard software agreement may occur each year at renewal time. Reviewing service contracts is not a one-time exercise—rather, it should be done carefully and thoroughly at each renewal to ensure the company knows how to comply with the contract requirements.
2. Understand User License Definitions
IT organizations that fail to understand how user licenses are defined in their software license agreements will invariably find themselves in violation of their service contract in an audit. Understanding the different types of software licenses and which model is used by each software vendors is essential. Some common models include:
- Proprietary Licenses - The IT organization purchases a single software license for the entire business, which covers all workstations, users, virtual and test deployments, and other usage.
- Workstation Licenses - The IT organization must purchase a separate software license for every workstation where the software will be installed.
- Single User Licenses - The IT organization must purchase a separate software license for each person that will use the software. Typically, each user will have their own login for the software. This type of software license often prohibits login sharing and account sharing between users, so compliance depends on employees not sharing their credentials or accessing the software on a machine that is not assigned to them.
- Concurrent Use License - A concurrent use license is based on the number of users simultaneously accessing the system. A concurrent use license for 10 people would allow 10 users to access the system, but the 11th person trying to log in would have their access denied.
IT organizations need to investigate the licensing models offered by their software vendors and ensure that they comply with the user license definitions described in their license agreement.
3. Maintain Policies and Procedures for Compliant Software Usage
Maintaining internal policies and procedures for installing new software is of vital importance to IT organizations who wish to remain compliant with their software license agreements. This means that making sure to:
- Understand the terms of their software license contracts
- Translate those terms into policies that employees must follow
- Create processes to support those policies
- Educate employees on those policies and processes, including what's at stake when they fail to comply
- Continually check and verify that employees are following the policies and hold them accountable
- When it comes to contract terms that prohibit employees from sharing login information or loading proprietary software onto their personal machines, employees need to get the message that compliance is mandatory and necessary to avoid the negative consequences of a failed software audit.
4. Bring in Specialist Help When Required
IT organizations may need to bring in outside expertise to help improve their results when it comes to negotiating software license agreements with a vendor. Legal experts that focus on this area of contract law can help your business understand what its rights are under a given software license agreement and what penalties it could face if it was found violating the agreement. The same experts would also have a better idea of industry standards and could help you negotiate a more favorable license agreement that shields your company from additional risk.
Contract lawyers can be expensive, but so are true-up costs for noncompliant software usage, litigation fees, statutory damages, and any other contract penalties that result from an unsuccessful software audit. The bottom line is that IT organizations need to know where they stand on these contracts, even if it takes hiring an external contracts expert to get there.
Related: Ivanti License Optimizer
5. Keep Detailed, Accurate Records of Software Licensing and Usage
Businesses that fail to establish and maintain detailed records that demonstrate their software compliance status are taking a measure risk in a software audit. If you can't tell your side of the story, you won't have any evidence if a software vendor accuses you of noncompliance with their licensing agreement and starts demanding more money.
Smaller organizations may be able to get away with manual record-keeping, but a software audit tool that offers automated reporting features is a much more efficient way to track license usage. Records should include data such as:
- The name of an installed piece of software
- The associated product ID
- The license number that was used for that particular installation
- The date of the installation
- Identifying information for the machine where the software was installed
- Verification of compliance at the time of the installation
6. Establish a Single Source of Truth for Software License Compliance
Some IT organizations use spreadsheets to keep track of their software licenses, but as organizations grow in size, the manual labor and data entry associated with tracking software licenses through an ever-expanding series of spreadsheets becomes costly and inefficient. Today's most efficient IT organizations are implementing software asset management applications as a means of proactively monitoring software compliance and maintaining a single source of truth for license compliance.
Unlike spreadsheets, purpose-built software audit tools include features that directly facilitate compliance and reduce costs, such as automated software discovery, automated monitoring and reports, and software usage analysis.
Related: What is IT Asset Management?
7. Measure Your Real Software Discovery Coverage
IT organizations need to be wary of using generic tools like spreadsheets or word processing documents to manually track their software compliance. One of the major audit issues associated with such practices is that only reported software installations can be included in the documents, but there's no way of knowing whether employees are accurately and consistently reporting to IT each time they use a software license on their machine.
Makers of software audit tools have built an automated feature called software discovery that can facilitate agent-less scanning of IP-based software assets on the network.
Other tools may use less effective methods for software discovery, such as registry analysis or looking at file extensions, so it's important for organizations to understand what their software discovery tool may not cover and what information they're missing.
8. Streamline Your Sourcing Channels for Software Purchases
For IT organizations that are developing systems to ensure their compliance with software licensing agreements, software purchasing needs to be a centralized process that always goes through the IT department. New software licensing agreements need to be reviewed by either an internal or external expert on software license contracts to ensure that the new agreement meets the needs of the business and that the business understands what is required to comply with the agreement.
Individual departments or locations should never install software on their machines that is not approved through the IT organization, tracked in a software asset manager and subject to the oversight of the IT organization for auditing and compliance purposes. Effective software discovery tools can be used to detect when this is happening, but staff need to understand the risks and implications of installing new programs without going through IT.
Staff should also be prohibited from installing software for non-business use onto their work machines, as this exposes the company to additional software compliance liability.
9. Understand What Triggers an External Software Audit
The best available data shows that major software vendors are seriously playing hardball when it comes to identifying partners that could be noncompliant and initiating audits. Gartner conducted a survey of software vendor audits and 65 percent of respondents claimed that their organization had experienced a vendor audit in the previous 12 months.
Software vendor audits can be triggered for a variety of reasons, and an audit request does not necessarily mean that your organization is suspected of noncompliance. Some vendors intentionally audit their customers on a regular basis to ensure ongoing compliance with licensing restrictions. Microsoft audits each of their volume licensing customers at least once every three years, and it's likely that other large vendors like Oracle and Adobe have adopted similar policies.
There are also global organizations that offer financial rewards to people that report instances of software piracy or illegal software license usage. This information would be passed on to the software vendor and could potentially trigger an audit. Organizations need to be aware that both former and current employees can report software noncompliance.
If your organization faced software compliance issues in the past, you may find that software vendors scrutinize you more than normal and want to conduct regular audits. Companies that operate in small, well-connected industries can easily have their reputations damaged by a failed audit.
10. Conduct Regular Internal Compliance Audits
For businesses that purchase licenses from major software vendors, it's only a matter of time before an audit request arrives in your mailbox. If your organization has never been audited before, you may be totally unaware of major license compliance issues that could damage your reputation and leave you on the hook for true-up costs, contract penalties and possibly litigation fees. The best way to verify your compliance with software license agreements on an ongoing basis is to conduct regular internal compliance audits.
An internal compliance audit can be conducted as a self-assessment or performed by a third-party. In either case, the goal is to see where you may have compliance issues, perform a gap analysis, and implement changes that will bring the organization into compliance. Regular audits make it easy to deal with external audit requests, as you have already collected the data from previous audits and already know whether you are compliant. This is much better than being surprised by the audit findings and having none of your own data to respond with.
IT organizations can ensure compliance with software license agreements by clarifying contract terms, penalties and user license definitions with each software vendor, and shouldn't be afraid to bring in external help to negotiate and interpret the finer points of these complex deals.
IT organizations also need to establish a unified system for tracking software licenses and usage, and they need to use that system to keep records that are detailed and accurate. IT organizations need visibility into what applications are installed on network endpoints and it is crucial that all software installations and licensing within the business is reflected in the software asset management application.
IT organizations must understand how software audits are triggered and prepare for them proactively by conducting regular internal audits. Staff and employees also need to be trained on the correct policies and procedures for installing software on company machines.