Software-Audit Compliance Demands Often Include “Fuzzy Math”


In defending against software audits initiated by publishers such as Microsoft or IBM, many businesses make the mistake of assuming that those publishers or their designated auditors know what they are talking about when it comes to determining what licenses need to be purchased in order to achieve compliance. After all, the companies that wrote the license rules certainly know how to apply them and intend to do so fairly, right?

Don’t count on it.

Initial compliance demands from publishers often are riddled with discrepancies in the factual assumptions underlying those demands or the legal frameworks on which they are supposed to be built, and those discrepancies almost always tilt the scales in the publishers’ favor. For example, it is not at all uncommon for network inventories to include duplicate or mis-classified machines. In the context of a Microsoft audit, this can take the form of internal-use servers being characterized as hosting machines (which would require either SPLA licensing or Self-Hosted Application rights under Software Assurance). If the audit involves a Microsoft Enterprise Agreement (“EA”), Qualified Desktop counts may be inflated by the inclusion of line-of-business machines based on an incomplete review of inventory data or on an overly expansive interpretation of controlling license terms (which can be frustratingly vague).

Even in cases where there appear to be no data errors or mis-applied licensing rules, it seems to be standard practice for publishers to take advantage of ambiguities in the licensing rules they draft in order to maximize the return on their audit investments. Again using Microsoft as a handy example, a company with a large server farm licensed under an EA may face a larger-than-expected settlement demand based on retroactive pricing for Software Assurance (“SA”). Microsoft often uses license pricing based on SA being dated from the beginning of the term of an EA enrollment, even though the software in question may have been deployed sometime well after the beginning of the term.

While some of these practices may be consistent with licensing rules and others are not, they all point to the importance of not taking compliance demands at face value. You can bet real money on the fact that publishers will present those demands as unassailable and sacrosanct, but there almost always is room for improvement and negotiation. In cases where the demand is large or the environment is complex, it makes sense to seek the advice of a knowledgeable attorney or licensing consultant in order to identify as many opportunities as possible to attack the assumptions that underlie those demands.