Software Audit Timeline


One of the top ten questions asked by my clients is “How long does the self-audit process take from start to finish?” Of course I give the standard lawyer answer: it depends. Here are the steps to a typical software audit.

Preparation of Audit Materials (3 to 6 months)
A software audit is a request, under threat of litigation, to compile a listing of software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company, using a software inventory tool such as Scott & Scott’s Compliance Manager. Once an accurate inventory is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the Audit Effective Date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a software audit. In the typical case, the software inventory and reconciliation process takes three to six months.

Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)
With very limited exceptions, we advise the targets of software audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out-of-court settlement is not possible. We do not disclose any information to the auditing entity until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the entity’s ability to introduce the information as evidence in court. In the typical case, this is signed within one week.

Audit Entity Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)
After the self-audit materials are submitted by the target, the auditing entity typically takes three to six months to respond. The response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. In many instances, the settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the auditing entity usually takes three to six months to make a substantive response following the submission of the self-audit materials.

Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)
After the auditing entity makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every software audit negotiation is the monetary amount to be paid to the auditing entity for alleged past infringement. The most significant non-monetary issue is whether the auditing entity will agree to a confidentiality provision. Such provisions require the auditing entity to keep the existence and details of the audit confidential and preclude it from issuing a press release. The length of the negotiation process differs from case to case but generally lasts between six months and two years.