Should The Audit Tail Be Wagging The Enterprise Dog?

The prospect of a Software Asset Management (SAM) audit by a major vendor is continuing to influence Enterprise behaviour. Global Enterprises may deliberately overbuy software licences, or buy excessive quantities of premium licences from the major vendors, to mitigate perceived audit risk and the costly penalties associated with compliance breaches. However, the impact of this can be an overconfidence in the belief that the Enterprise will not be audited. While this may hold for a relatively small number of the major vendors, there are hundreds of medium to smaller vendors who may now see compliance breaches as a lucrative source of revenue.

The term “tail wagging the dog” is an English idiom, usually taken to mean a situation where a relatively small part is controlling or exerting undue influence over the whole of something. “Audit Tail” in the title of this article builds upon this definition as follows:

(a) The software audit process in general is seen to be exerting undue influence over Enterprise behaviour, and

(b) As Figure 1 illustrates, once the Tier-1 software vendors are taken out of the equation, there is a very long “tail” to the spending profile curve made up of hundreds of smaller vendors, also potentially keen to audit.


Figure 1. Annual Software Spend Profile

This article highlights why enterprises may be overconfident in believing they will not be audited, identifies the factors that can contribute to increased audit interest from vendors, and illuminates the potential impacts on Enterprises.

SAM Business Cases

SAM leaders within enterprises are competing for scarce business finances and resources in their attempts to take advantage of good SAM practices and technologies. Just like everyone else in their organisation, they have to make a compelling case for that funding and associated resources. A strong, well-articulated business case is therefore a prerequisite.

In creating SAM business cases, authors have to make sure that they possess certain key properties; in particular, they must:

• Be relevant to solving Business problems
• Be relevant to business geographies and industries
• Take on board Business-specific circumstances
• Be compelling and credible
• Combat a “do nothing” mentality
• Be effective agents for change…

Accordingly, SAM Business Cases will often highlight a number of financial benefits attainable from a SAM project, including:

• Reductions in annual software spend through licence reuse
• Reductions in software maintenance payments related to unused or unwanted software
• SAM negotiation cost savings through improved licence intelligence
• Efficiency savings via automation of manual SAM activities
• Cost avoidance related to software audit penalties and audit labour effort
• Non-tangible benefits

Quantifiable benefit levels for these areas are determined via a Business Value Modelling activity (see Figure 2), in which industry SAM metrics and client specifics are modelled to illuminate the art of the possible from an ROI perspective (see Figure 3).


Figure 2. SAM Business Value Modelling (See [1,2,3])


Figure 3. 3 Year SAM Benefits Projections

Audit Risk

While CxOs may buy into some of these projected savings, there is often a reluctance to accept cost avoidance benefits related to software audit penalties.

The rationale for such reluctance often stems from overconfidence in not being audited, and a plethora of reasons are usually provided:

• “We haven’t been audited by a major vendor in 5 years…”
• “We’re currently going through a staff right-sizing exercise and should have a surplus of licences…”
• “We deliberately buy more licences than we think we need…”
• “We deliberately buy more of the major vendor premium licence options to reduce the risk of failing an audit…”
• “Software asset management isn’t a priority for our CxO at this time…”
• “Our CxO isn’t interested in cost avoidance, only hard savings…”
• “The Business is prepared to accept the risk…”

But does the Business really understand the magnitude of that audit risk?

SAM Audit Risk Magnitude – Some Software Audits That Made The News

Clearly, vendors want to maintain good working relationships with their clients, especially those that may have strayed into compliance breach territory. As such, vendors and clients will work hard to make sure that confidentiality is maintained. Only in some rare cases will “bad news” be made public. Here are some examples.

Source:, January 2016
A US confectionery company that made revenues of $33bn in 2014 filed a court action against <Vendor> in October last year, which showed just how far the software vendor would go to ensure it makes money through its much-criticised software licensing audit practices… Documents from the court show that <Company> provided <Vendor> with 233,089 pages in support of an audit. Eventually, the case was settled out of court.

Source: PC World July 2015
<Bank> illegally copied US$300M worth of <Vendor> enterprise software for use in a massive IT project at its subsidiary, a lawsuit alleges. The bank stockpiled large quantities of <Vendor> software while it was still within the terms of a license agreement that expired in February 2013, then used the software for the project when it was out of license, according to the suit.

Source: BSA | The Software Alliance, May 2016
Computer users in <Country> are using unlicensed software at an alarming rate according to the new Global Software Survey. The survey, Seizing Opportunity Through License Compliance, found that in <Country>, the percentage of software installed on computers that was not properly licensed was 58 percent.

Source: Computer Weekly June 2014
Engineering design company <X> has been fined by the Business Software Alliance for running unlicensed Autodesk software. On top of paying the settlement, the company also had to buy new software licences.

Recent industry metrics indicate a sharp increase in the probability of a software vendor audit, with vendors aggressively auditing their customers and the largest organisations being targeted the hardest. For example, among companies with $3b or more in annual revenues, one third of respondents reported being audited three or more times over an 18-24 month period (see Figure 4). Only 4% of large companies had not been audited!


Figure 4. Audit Frequency (See [3])

Audit penalties can vary quite dramatically, but 20% of true-up costs were in excess of $1m (see Figure 5).


Figure 5. Audit Cost (See [1])

Industry studies have provided visibility of audit penalties in terms of enterprise annual revenues (see [3]). On average, the penalty for a single, large vendor, licence compliance breach is:

Annual Enterprise Revenue * 0.0004

e.g. for an enterprise with an annual revenue of $3B, the penalty is typically going to be about $1.2M.

Figure 6 shows who is likely to be auditing an enterprise. Note that the share of audits by smaller, non-Tier 1 vendors is relatively high at 27%.


Figure 6. Who Is Auditing? (See [3])

While compliance penalties levied by the smaller vendors may not be as severe as those of their Tier-1 counterparts, the sums are not trivial. As Figure 7 illustrates, for a £400 product over-deployed to 250 desktops, the exposure is some £210k once all licence cost components are factored in:

• Licence fees: £400 x 250 = £100k
• Back maintenance (2 years): £40k
• Forward maintenance (1 year): £20k
• Single audit labour cost: £50k


Figure 7. Smaller Vendor Audit Exposure

SAM Audit Trigger Factors

The author has developed a comprehensive mind-map of the factors that contribute to the likelihood of a software audit (a copy of which can be requested). It is summarised in Figure 8.


Figure 8. Software Audit Trigger Factors

Collaborating with numerous clients has allowed the author to reach some conclusions on the “top 5” factors that contribute towards enterprises being audited by software vendors; these are highlighted in Figure 9 and pertain to all ISVs.


Figure 9. Top 5 Audit Factors

So Should The Audit Tail Be Wagging The Enterprise Dog?

“No”, but it probably will for the time being, until Enterprises get a much better handle on their entitlements and on what is actually deployed across their infrastructure.

5 Key Takeaways

[1] Don’t be overconfident in thinking your Enterprise is immune to a software vendor audit by any sized vendor

[2] While Enterprise software audit compliance breaches rarely make the broadsheets, the associated penalties can be significant

[3] The smaller to medium software vendors in the audit “tail” realise that they too can take a sizeable bite out of your profits

[4] Even “inadvertent” enterprise level software compliance breaches can be embarrassing and costly

[5] Enterprises must use good SAM practices and modern SAM technologies to provide for a continuous and reliable compliance position
