How to Mitigate Software Compliance Risks

By Jonathan Shaw

In today’s business and IT environments, enterprise applications are deployed and used in ways beyond those envisioned by legacy license agreements. Global expansion, shared service centers and data center consolidation may contravene geographically restricted use rights.

Business process outsourcing can run afoul of limitations on third-party use. Integrated application architectures, portals and extranets blur delineation between direct and indirect users. Multicore and multithread processors and data center virtualization have made CPU- and server-based licensing schemes substantially more complex.

Further, decreasing new license revenue has led to more frequent audits. Previously, audits had been done in response to whistleblowers or because of suspicious licensing behaviors. Today, most software providers do audits as part of their normal business practices.

Large enterprises may be audited several times a year across their software portfolio, with each audit potentially resulting in multimillion-dollar liabilities. Fortunately, organizations can take steps to manage this growing area of risk during license acquisition, throughout the software asset management process, and in response to a provider audit.  

License Acquisition

Audit risks can be reduced by focusing on key areas of the licensing agreement. If alternative licensing models are available, the enterprise should select a structure that—beyond offering a cost-effective solution—enables compliance certainty. A per-user or per-device licensing scheme may not be suited to an environment with weak desktop configuration and asset management.

In general, a company should attempt to apply the license agreement as broadly and flexibly as possible, avoiding separate license pools and using approaches such as “exchange rights,” in which unused licenses of one product can be replaced with required licenses for another.

The enterprise should remove restrictions that constrain likely use scenarios, such as third-party use by an outsourcer or a change in geography caused by offshoring. The agreement should also assert the primacy of the negotiated terms, so that an individual user cannot inadvertently alter the enterprise's rights by accepting a "click-through" agreement, and so that standard purchase-order terms do not override them.

Audit rights also should be addressed by adding reasonable constraints that limit audit intrusiveness and provide equitable settlements for unintentional noncompliance. The enterprise should receive adequate notice and be able to postpone audits for extenuating circumstances, such as year-end, peak retail seasons or another software provider’s audit. Audit duration should be limited to a reasonable period and, as much as possible, the software provider should bear the cost of the audit—regardless of the outcome.

It may be possible to review software asset management (SAM) tools and processes with the software provider in advance. If the enterprise can demonstrate that its SAM practices are robust, the auditor should not have to conduct intrusive, time-consuming and potentially risky activities (for example, running the provider's own discovery scripts with privileged access on production systems) to gather the same data the enterprise's tooling already produces.

Remediation for inadvertent noncompliance should also be negotiated in advance. A favored approach is a resolution window, or cure period, during which the enterprise can purchase the required licenses at its negotiated discounts.

Software Asset Management

After establishing an agreement that helps the enterprise avoid license infringement and protects it from the worst aspects of a software audit, the company’s focus can shift to ongoing operational compliance and implementing a robust approach to SAM. A best practice is establishing license compliance and centralized tracking as a core capability within IT, with an assigned executive owner.

The compliance team should be involved in any license procurement and included in the enterprise change management process to identify any unanticipated licensing implications. The team also should conduct periodic manual audits to confirm the output of any automated discovery tools and verify enterprise license entitlements.
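The reconciliation a compliance team performs between full audits can be sketched in code. The following is an added example, not tooling from the article or from any SAM vendor: it counts consumed licenses per product from discovery-tool output using each product's metric, reconciles that against entitlements, nets surplus against shortfall where "exchange rights" apply, and checks discovery output against a manual spot check. All product names, quantities, hosts and the exchange pool are constructed for illustration, and the per-core treatment of virtual machines (charging the physical host's cores) is an assumed rule standing in for whatever the actual agreement says.

```python
from collections import Counter, defaultdict

# Constructed entitlements: what the negotiated agreement grants. The metric
# is the licensing model (per core, per device); quantities are illustrative.
ENTITLEMENTS = {
    "DBServer": {"metric": "core", "quantity": 64},
    "Analytics": {"metric": "device", "quantity": 3},
    "Reporting": {"metric": "device", "quantity": 5},
}

# Constructed discovery-tool output, one record per installation found.
# "physical_cores" is reported only for virtual machines.
DISCOVERED = [
    {"host": "db01", "product": "DBServer", "cores": 16, "virtual": False},
    {"host": "db02", "product": "DBServer", "cores": 32, "virtual": False},
    {"host": "vm-db03", "product": "DBServer", "cores": 4, "virtual": True,
     "physical_cores": 48},
    {"host": "ws01", "product": "Analytics", "virtual": False},
    {"host": "ws02", "product": "Analytics", "virtual": False},
    {"host": "ws02", "product": "Analytics", "virtual": False},  # duplicate from a rescan
    {"host": "ws03", "product": "Analytics", "virtual": False},
    {"host": "ws04", "product": "Analytics", "virtual": False},
    {"host": "ws01", "product": "Reporting", "virtual": False},
]

# Hypothetical exchange pool: surplus licenses of one member product may be
# applied to a shortfall in another member (assumed 1:1 exchange ratio).
EXCHANGE_POOLS = {"desktop": ["Analytics", "Reporting"]}


def cores_charged(rec, vm_counts_host_cores=True):
    """Cores a per-core record consumes. Assumed rule: a VM is charged the
    physical host's cores unless the agreement allows sub-capacity counting."""
    if rec.get("virtual") and vm_counts_host_cores:
        return rec["physical_cores"]
    return rec["cores"]


def consumption(discovered, entitlements, vm_counts_host_cores=True):
    """Count consumed licenses per product according to that product's metric.
    Device records are de-duplicated by host so a rescan does not double-count."""
    used = Counter()
    seen_devices = set()
    for rec in discovered:
        product = rec["product"]
        metric = entitlements[product]["metric"]
        if metric == "core":
            used[product] += cores_charged(rec, vm_counts_host_cores)
        elif metric == "device":
            key = (product, rec["host"])
            if key not in seen_devices:
                seen_devices.add(key)
                used[product] += 1
        else:
            raise ValueError(f"unsupported metric {metric!r} for {product}")
    return used


def reconcile(entitlements, discovered, vm_counts_host_cores=True):
    """Return {product: (entitled, consumed, gap)}; gap > 0 is a shortfall,
    gap < 0 a surplus."""
    used = consumption(discovered, entitlements, vm_counts_host_cores)
    return {p: (e["quantity"], used[p], used[p] - e["quantity"])
            for p, e in entitlements.items()}


def apply_exchange_rights(position, pools):
    """Net surplus against shortfall within each exchange pool (1:1 assumed).
    Returns the remaining shortfall per product, which is what would need to be
    purchased during a cure period."""
    remaining = {p: max(gap, 0) for p, (_, _, gap) in position.items()}
    for members in pools.values():
        surplus = sum(-position[p][2] for p in members if position[p][2] < 0)
        for p in members:
            if remaining[p] > 0 and surplus > 0:
                use = min(remaining[p], surplus)
                remaining[p] -= use
                surplus -= use
    return remaining


def verify_discovery(discovered, manual_sample):
    """Compare a manual spot check, {host: set(products)}, against discovery.
    Returns {host: (discovered_products, manually_found_products)} for hosts
    where the two disagree, e.g. a host the discovery tool never reached."""
    found = defaultdict(set)
    for rec in discovered:
        found[rec["host"]].add(rec["product"])
    return {h: (found.get(h, set()), products)
            for h, products in manual_sample.items()
            if found.get(h, set()) != products}


if __name__ == "__main__":
    position = reconcile(ENTITLEMENTS, DISCOVERED)
    for product, (entitled, consumed, gap) in position.items():
        print(f"{product:10s} entitled={entitled:3d} consumed={consumed:3d} gap={gap:+d}")
    print("shortfall after exchange rights:", apply_exchange_rights(position, EXCHANGE_POOLS))
    print("discovery discrepancies:",
          verify_discovery(DISCOVERED, {"ws03": {"Analytics"}, "ws05": {"Reporting"}}))
```

Running it shows why the details of the agreement matter: under the assumed rule that a VM is charged its host's physical cores, the database product is 32 cores short, whereas with sub-capacity counting the same estate is 12 cores under entitlement. The duplicate workstation record is collapsed so it does not inflate the device count, the analytics shortfall is absorbed by surplus in the same exchange pool, and the spot check surfaces a host that discovery never saw, which is exactly the gap a manual audit is meant to catch.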

The Information Technology Infrastructure Library (ITIL) v3 provides some limited guidance on SAM, but a more detailed source of recommended practices is the ISO/IEC 19770-1 standard, which outlines a process framework designed to satisfy corporate governance requirements. In an audit, adherence to processes based on the ISO standard demonstrates, at a minimum, that the enterprise has made reasonable efforts to maintain control. 

Most companies now realize that Excel and manual data entry are no longer sufficient. SAM is currently recognized as a required core capability in an IT service management suite, and it’s provided as an element in most of the large ITSM toolsets. There are also standalone SAM tools, some of which are approved by enterprise software providers as alternatives to their own license management software.