Software licensing compliance used to be a fairly straightforward business. You could purchase a license per user or a site license, and vendors made sure you complied to their license by using physical or virtual license keys, which were usually linked to a particular computer. In addition, you paid an annual maintenance fee that both gave you support and validated your license usage for the duration of the maintenance period. This arrangement was simple to manage but the simplicity has eroded over time. One complication came when the concept of concurrent usage was launched. This is a licensing model that allows you a maximum number of users of the software at the same time, which became popular with organizations for their expensive software (such as engineering software) as it was more cost-effective. The dawn of services in the cloud has added new complexities to licensing; most cloud-based software is subscription based, either on an annualised basis or pay-per-use.
While careful selection and use of these more complex options can result in savings, the management of licenses and compliance to the various restrictions imposed by vendors has created headaches for CIOs. All too often the processes and practices required for managing licenses fall short of the disciplines in other aspects of IT, such as security, managing hardware assets and access control, and this creates risk in the organization. In some jurisdictions where there has been a lapse in compliance, managers and other officers of the company who were responsible for the governance of software compliance management have been held personally liable.
Vendor Software Audits for Software Licensing Compliance
The methods of identifying software compliance have developed too. In the days before global connectivity, auditing for software compliance was put in the hands of some bodies formed by an association of vendors, such as the BSA (Business Software Alliance), who were incorporated to prevent software piracy. These bodies still exist today and still use the same software audit methods to check up on software compliance, with added channels like encouraging whistleblowers to come forward with information about possible infractions by their employers. Vendors also check on actual usage both in the cloud and by interrogating the customer’s server or servers from where users are granted access, using their own software audit tools.
Non-Compliance can Occur Unintentionally
No manager wants to be non-compliant, but being out of compliance can happen all too easily, even where controls would appear to be in place. Some of the pitfalls that can trap the unwary include:-
- A lack of centralized control of software licenses. There are often different silos within a company that manage traditional office software, IT-specific software and specialized software, such as engineering tools. Furthermore, engineering concerns can have different silos for civil, electrical and process engineering, not to mention R&D.
- No comprehensive policy and process for software asset management. The BSA found that 65% of companies did not have these in place in a report published in 2014.
- A lack of awareness within the workforce.
- Exceeding the concurrent usage maximum where the vendor has not provided sufficient automation to limit usage.
- The license was issued for a specific geographic location, and is being used outside that region. This is often the result of a complex vendor pricing structure, such as one differentiated by region – e.g. EMEA and APAC. In such cases the customer’s portfolio may only be viable for that region, and cannot be used beyond its boundaries.
- The license was provided for a specific scope of use and the customer is using it outside this boundary. This is especially a problem with ERPs and large, complex software suites. The business needs of the 21st century place pressure on companies to re-gear their business models, which can also cause a misalignment between what was bought and how it is currently used. SAP for example recently won a huge claim against their customer Diageo, in which all the software in question had been legally purchased for millions of dollars, but the devil was in the detail of a very complex contract.
- Usage by contractors and employees on devices that are not part of the company asset register.
- Usage past renewal date. Licenses do not all expire on the same date and not all vendors remind the client timeously.
- Changes in organizational structure. Mergers and acquisitions, unbundling and other forms of restructuring often neglect the management of software licenses when splitting up or consolidating asset registers.
If any of these issues have arisen in your environment, and you are not aware of them, your organization could be exposed to both financial and reputational risk. In 2013, PWC estimated that approximately 80% of software customers had instances of non-compliance of licensed software .
What the Vendor Provides
One of the factors making software compliance so difficult is that vendors do not always provide adequate tools to help their customers, although it would appear to be in their best interests to do so. New features can be introduced by vendors via the latest software releases without reviewing the effect they can have on existing licensing conditions. Where vendors are changing to a pay-per-use model and retiring earlier offerings, such as perpetual licenses, some customers are faced with different compliance regimes for the same vendor. For instance, under the old concurrent usage model, the user had access to the complete application. If the customer purchases an additional pay-per-use option with a maximum of ten seats, this could be a basic version that excludes some of the features available in the full package.
When it comes to engineering software, licenses are generally expensive, and engineers require a plethora of software tools to get their work done, from generic CAD software to specialized products for failure analysis, lightning protection, 3D-imaging, to name just a few. Most major engineering software vendors such as AutoDesk and Siemens use Flexera for their license management, as do other large vendors, such as Adobe and IBM. Flexera is robust and will give a generally good overview of your compliance, but it may not pick up infractions such as an ex-contractor or employee who still has a loaded copy of your expensive engineering software on his own laptop.
Vendors are not very forgiving when it comes to non-compliance, and they are increasingly applying pressure in this regard. It is advisable to get all your ducks in a row as soon as possible, a spot software audit by the BSA or the SIIA (Software & Information Industry Association) could be an unpleasant and costly exercise if you are not in compliance with licensing agreements. . There are many cases against customers ranging from the US Army to SMEs, and, while most settlements are out-of-court, they can stunt a company’s growth or even close it down.
When Elephants Fight: SAP vs Anheuser-Busch
ERP company SAP obviously has a strategy in place to rein in some of its largest customers. Following on a settlement with Diageo in February this year, where SAP won, they have now taken on the brewing giant for an estimated $600-million in damages for non-compliance. There is an African proverb; “When elephants fight, the jungle gets trampled”. It is quite likely that the software compliance landscape could look very different after this dispute. When it is considered that ABI has just completed the world’s largest M&A by acquiring SAB-Miller, it is quite likely that the software licensing issues internally still have to be put to bed.
The case with Diageo will give cause for concern to many SAP clients. Diageo wanted to provide their customers with a new self-service function, which they could access via their SalesForce portal. Diageo used the SAP API to interface their Salesforce CRM with the SAP Business Suite and access the data required. SAP’s argument was that these users were outside the ambit of the agreement of the Business Suite, and by providing data from the Business Suite to power the Salesforce integration, Diageo was infringing their agreement with SAP and the court agreed.
The fact that SAP feels it necessary to tackle its very largest customers, seemingly in a position of strength, because all its clients are locked in to the ERP, have made massive investments in time and money and cannot just migrate to another product overnight or even over the next 12 months, is a wake-up call for the rest of the market.
Internal Software Audits
Below is a list of recommended best practices of what you can do to keep your compliance in good order .
- Appoint a dedicated license administration function in your organization, if you do not already have one.
- Scope and prioritize. For instance, you may want to start with office software or engineering software, and add other disciplines later. You may want to perform this exercise in several tranches.
- Unearth all instances of software that your organization has paid for and find the associated contracts, if possible. Find the accompanying invoices and proof of payment.
- Identify who, if anyone, is using the software, where, on what hardware and why.
- Build a centralized software asset register and a diary of upcoming renewal dates.
- Capture all the business rules pertaining to use of each product you have acquired.
- Define a policy and document a process for software management, if you do not already have one. If you do, review it and make sure it supports the newer licensing models.
- Create a software audit checklist and run periodic drills to ensure that, in the event of a spot audit, everyone is prepared.
- Draw up a training program for all employees to understand the implications of non-compliant software and its use.
- Start a compliance project, to eliminate non-conformance. This could also be a good time to consolidate and make a decision on a preferred vendor and toolset where possible (perhaps you do not need 7 different CAD/CAM tools!).
Implementing a program like this will not just reduce risk, it will put you in control of your licensing arrangements with vendors. However, when it comes to the more complex licence models you are likely to find limitations with manual management using spreadsheets.
OpenLM App Manager
A dedicated software licence management product such as OpenLM App Manager can help you identify the gaps and manage them proactively, increase compliance and reduce risk. OpenLM App Manager actually does much more than observe and monitor compliance; it can also pick up on poor and costly usage of tools and whether your licenses are over- or underutilized. It can help you ensure there is conformance to your software usage policy irrespective of the license management tool used by the vendor. In the cases where the vendor does not provide you with licensing management software for their products, you can use OpenLM to provide the necessary oversight on usage and licenses utilized.
A further advantage of the tool is that of license harvesting, the ability to manually or automatically intervene in user sessions and suspend or cancel them if they are not being used according to the organization’s policy. For more information contact us.
If and When the Auditors come Knocking
If the auditors come knocking, they will want to see documentary evidence of purchase agreements, payments, records of usage as part of the software audit process, so it is best to ensure you have everything they require in printable or hard-copy format. You can also provide your policy and process documentation for them to evaluate and leave them in the hands of your dedicated license management team. This software compliance audit is time-consuming and stressful for all involved, but if you have taken the pre-emptive steps described above, you will increase your resilience against non-compliance and may be able to wave goodbye to a team of disappointed auditors.