Self-Reporting: The Path Forward on Software Audit Defense

In 2019, software (SW) publisher audits are as common as the robocalls you get on your phone. These have become a key revenue stream for SW publishers. To be fair, the SW publishers should be properly compensated for their intellectual property (IP). This article does not focus on what a client or publisher considers “proper compensation,” but defines an alternative approach to address the SW publishers’ objective of getting clients to pay for what they are using.

To understand why this is an issue, we have to go back to 1999 and the days of the dot-com bubble, and the urgency with which clients needed to deploy hardware (HW) and software infrastructure. It was during these days of massive growth of information technology (IT) infrastructure that the traditional “key-based” licensing became insufficient. Businesses needed greater flexibility to meet the demands of the market and needed the SW publishers to alter their approach to product fulfillment and delivery. SW publishers gave the markets what they wanted, but the accountability and responsibility of SW compliance shifted from the publishers to the clients. As a result, clients needed to develop strategies for tracking SW license usage to ensure alignment and compliance with their SW agreements. It was a bit simpler in those days, with just a few licensing types.

Now, fast-forward 20 years and we see that the challenge of measuring SW licensing has grown exponentially — from a license per server and named user to processor value units (PVUs), resource value units (RVUs), user value units (UVUs), processors, virtual processors and cores. The increase in licensing complexity is being driven by the marketplace, in an effort to only pay for SW licenses being used and consumed. The SW publishers are introducing complex licensing models to meet this need, but as a result are also introducing greater complexity for clients in how to measure the actual license usage. When you bring these two together and add in the pressures of meeting Wall Street’s revenue and profit growth expectations on a quarterly basis, it is a perfect storm for SW publishers to drive more and more SW audits into the marketplace. The true impact to clients lies not just in the payments for SW licenses that are not properly licensed, but in the need for the business to support and defend the SW audit itself. Every SW audit requires clients to invest a tremendous amount in resources to address the audit with the publisher. This has an impact on the work streams that those resources would have been working on without an audit. Bottom line: SW audits are burdensome on the marketplace in both cost and resource time.

The question confronting clients is whether they should invest in a strong SW asset management (SAM) program or essentially “buy their way out of it.” The reality is that in both scenarios, the client is still being audited. It is still going through the audit defense and validating the findings. So, let’s pose a different question: “How do we stop SW audits with the publishers?” The answer is surprisingly simple, but a bit more complex to implement. Clients should voluntarily agree with the SW publishers to a self-reporting program in lieu of future SW audits. The concept is not new — Microsoft has had annual true-ups in its agreements for many years — but involves taking that program to the next level. This is about clients investing in a strong SAM program that will enable them to provide the necessary reporting to the SW publishers on a quarterly, semi-annual or annual basis, based on the products licensed and the terms of their enterprise agreements. A self-reporting SAM program allows SW publishers to “get” a declaration from the client on the client’s SW usage, which is what they wanted out of a SW audit, so they can be fairly compensated for their products. The client gets a controlled process for providing the information and avoids the disruption that an audit introduces into the business. This clearly can be viewed as a win-win for audit defense or elimination, but the challenge is whether a client has the resources and infrastructure to support such a program.

The reality in 2019 is that counting licenses and creating SW inventories are the table stakes for clients relative to SAM. Managing SW licenses is becoming exponentially more important as clients embrace their digital transformation and migration to the cloud. These changes include the introduction of new licensing models designed for cloud deployments through containers and Kubernetes, the implementation stage of cybersecurity strategies, an increasing focus by internal risk management on IT infrastructure, and identifying the exceptions for end-of-life assets in productive use. These business drivers are key to the long-term viability of the organization. SAM, which has been thought of as an expense line item, needs to be viewed as a critical foundational function within IT and Finance. Clients can no longer dismiss the need for tracking and measuring the utilization of SW assets.

When considering the value of having the HW and SW data available to all the internal stakeholders, it is no longer about investing in IT asset management (ITAM) only for audit defense and contract renewals, but for the business insights and the value that these insights deliver to the lines of business. Through investments to enhance their SAM program and enabling the data analytics in a dashboard, clients will be able to meet the ever-changing SW licensing landscape of IT (cyber, digital transformation, cloud migrations, etc.) and counter the real, or perceived, motivation that the SW publishers have to audit – to uncover the unknown license deployments. Therefore, the new approach to SW audit defense drives the client to come to agreement with the SW publishers to provide them the SW inventory data (which they are collecting for the internal business users) on an agreed-to frequency in return for no future audits during the agreement. With the client providing its SW inventory, the SW publishers get what they “really” want (i.e., understanding of what is truly in use), and, in return, the client won’t be “burdened” by an audit process. Self-reporting can address key pain points of an audit: untimely interruptions, unplanned expenses, disruption of team resources, and unwanted investigation into IT operations.

IBM is embracing this new approach to self-reporting in lieu of an audit through its new invitation-only IBM Authorized SAM Provider (IASP) program. It focuses on removing the burdensome audit process and enables clients to invest in their SAM programs. IBM’s program incentivizes the client to self-report its license utilization.

To self-report or not is no longer the question. Self-reporting is the real future of license compliance.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organization cannot accept responsibility for loss to any person relying on this article.

About Frank Venezia