Software Audits: Rules of Engagement

Most major software publishers are driving millions of dollars in revenue via audits. The severity of the imposed fees continues to rise with a vengeance. Did you know most major software publishers actually have revenue targets directly tied to auditing their own customers? If you haven’t been audited in the last 24 months, buckle up – your turn is likely coming!

How to Mitigate the Risks of a Software Audit

While audits are an important part of a publisher’s ability to protect its business, overuse by enterprises is rarely intentional; however, when it does happen, it can be a costly mistake. Investing a little time now can save you a lot of money later. Here are a few tips to help mitigate risks before and/or during an audit:

  • Do not negotiate a settlement too early. Organizations that negotiate a settlement amount too early in the process can reduce their leverage. Audit exposure is priced at list price and can highlight a financial exposure of more than $100 million. The key to mitigating your risk is to refute the technical findings, reducing audit exposure by more than 90 percent, and then negotiate the correct framework and price, allowing your organization to receive a benefit for dollars paid to the software publisher rather than paying a penalty.
  • Make it standard procedure across your teams to decline running scripts at the request of publishers without centralized internal approval. Publishers often ask entry-level developers to run scripts that collect confidential information and data that can be used to your detriment. Ensure the proper checks and balances are in place.
  • Keep a record of activities likely to cause usage spikes. Software companies select specific dates to sample usage, and they are often dates with higher-than-average usage because of development or quality assurance activities such as a new system implementation. In many cases, increased usage for such activities will not count against you, but be prepared to justify your outliers.
  • Monitor license usage with an automated solution. Though overuse is rarely intentional, it does happen. A monitoring solution can help catch errors and notify you before a pricey audit. We often see clients that install software as part of the standard package on employee machines and assume that if the software isn’t being used, it doesn’t matter. This is incorrect: if it’s installed, it counts as a license. This has sent many companies into accidental noncompliance.
  • Take advantage of renewals as risk mitigation opportunities. Before signing a subscription or contract renewal, ask a licensing expert familiar with that particular publisher to review the agreement and help you mitigate contractual risk.

Creating a Communications Strategy after a Software Audit Notification

If you have been notified of an audit, be sure to organize an internal communication strategy with the following considerations in mind:

  • Don’t rush legal teams to converse. Strategically evaluate when/if your legal team should handle any direct communication with the software publisher. When enterprises are quick to respond with communication from legal representatives, publishers typically react by limiting communication only to your legal team and theirs; this lengthens the resolution time and can limit communications with your IT team, which has the data and a more in-depth perspective on usage, development activities, etc. for negotiating the software contract in question.
  • Designate a single point of contact, preferably not at the executive level. Publishers often initiate conversations with multiple people in your organization. It’s important to streamline the communications and have a gatekeeper who tracks all conversations with the publisher and ensures internal alignment. Assign the role at a level in your organization that still leaves room for escalation within the IT team.
  • Designate a data-release approver. Publishers often request more data than needed. Get a clear understanding of all information the publisher is collecting. A data-release approver may or may not be the single point of contact mentioned above, but if a publisher wants to run a script, this person would be responsible for understanding what data they want to collect, assessing the relevancy and risk of the desired data (including any data privacy compliance risks) and providing internal approval.
  • Consult a licensing expert earlier rather than later. While your organization may handle an audit from a particular publisher once every few years, there are many experts who handle these day in and day out. More and more ISG clients are receiving audit letters. It’s wise to check in on your SAM strategy prior to an audit to mitigate your risk, and if you do receive an audit notification, certainly seek advice early – preferably before responding to the notification.

ISG’s Software Advisory Team helps enterprises mitigate risk before and during an audit, communicate with publishers, evaluate software investments, reduce existing maintenance costs and optimize governance of suppliers. Contact us to learn more. 

About the author

Megan Walling is a Director in ISG Business Development.