Common Mistakes in Software Audits
The most common mistake we encounter in software audits is the failure to compile and produce accurate installation information. Like all technology projects, collecting the information to produce in response to a request for an audit can be very complicated and time consuming. To begin the audit process, it is necessary for the company to select an automated software discovery tool, such as Scott & Scott’s Compliance Manager. Even for small environments, employing a manual process to review the software on each computer is time consuming and unreliable. Any automated discovery that is conducted directly by the client or by a third-party provider will not be protected by the attorney-work product privilege because the privilege only applies to communications between attorneys and their clients. Many tools capture information related to the software installations on a computer network, but produce the results in a format that the company cannot interpret. Even worse, many companies produce the audit results from the free tools provided by the trade associations. These tools, more often than not, inaccurately report the data and fail to exclude information that is outside the scope of the audit request.
Companies also err in the audit process by relying on their IT staff to respond to the request for an audit. Members of IT departments typically prepare audit reports containing information that is incorrect or beyond the scope of what is required to adequately respond. This is particularly problematic because the release of liability contained in most software audit settlement documents is contingent on the accuracy of the results produced during settlement negotiations. If the technology department improperly reports the software installations, the monetary portion of the settlement will be inflated, and the release of liability will be jeopardized.
Another common error audited companies make is submitting improper documentation in an attempt to demonstrate proof of ownership for software licenses. Contrary to popular belief, trade associations and publishers only accept dated proofs of purchase, with an entity name matching that of the audited company, before acknowledging that the company owns a license for a particular product. For this reason, companies should avoid purchasing additional licenses of installed software in response to a request for an audit as these purchases will be irrelevant to the audit. Companies should seek the advice of counsel regarding the purchase of additional software during the audit process and the impact that it may have on the pre-litigation audit and any subsequent litigation that may arise.
Because most clients are not able to properly interpret copyright laws and software licenses without specialized legal assistance, it is critical to involve experienced counsel in the process of interpreting the software installation information gathered by the automated discovery tool and reconciling that data with all available proof-of-purchase information. Once the installation information has been collected, it should be reviewed to determine whether it only includes information within the scope of the audit. Additionally, licensing models are often dependant on the actual use of the product in the company’s specific environment. In other words, you cannot interpret the license without a thorough understanding of the computing infrastructure and how the software is being used from a technical perspective. Other licensing considerations that require specialized knowledge and expertise include client access licensing, upgrade and downgrade rights, and licensing for non-concurrent laptop use.