Many midsized-to-large organizations are facing multiple software audits each year. Because auditors require raw data, which emanates from the technology department of the audit target, both the technical team and the legal team often believe that the matter is not a legal issue. But corporate counsel should be aware that significant negative financial consequences can result if the company provides information to the publishers or auditors without laying the proper groundwork for limiting the exposure associated with an involuntary audit.
Software audits are increasing. Software publishers interested in generating additional revenue often develop comprehensive software audit programs designed to review their customers’ compliance with software licenses, according to “Software Compliance Without Tears,” a survey published by Ernst & Young.
The software publishers’ justification for initiating an audit is generally a license review or audit provision in the main or supplemental license agreement. Although customers can negotiate the audit provision’s terms at the time of the license purchase, counsel experienced in software licensing know that it is extremely difficult to negotiate new terms after notification that an audit has begun.
Once a publisher notifies a company that it has been selected for a software audit, the audit usually follows one of three paths. The publisher can ask the audit target to prepare a self-audit report. The publisher may provide a tool or set of instructions to the audit target and conduct the audit through the publisher’s compliance department. Or, the publisher might engage a third-party auditor to gather information about a company’s installations and license entitlements.
Regardless of the audit process the publisher selects, technology departments regularly provide the publisher or auditors with information without realizing the legal or financial implications of their responses.
That’s risky but understandable. Technology personnel are accustomed to getting requests from software publishers, and many do not realize that an audit request is fundamentally different from other types of information requests. Many technology workers believe that a compliance audit is a minor inquiry and think that the publisher will treat the audited company like a valued partner.
On the contrary, auditors frequently interpret potential license gaps in the light most favorable to the publishers. The auditors often seek information to which they are not entitled, use pre-audit agreements to expand the scope of the audit and employ questionable tactics like extrapolation.
After receiving a request from a publisher or an auditor, many technology team members provide raw data to the auditors and publishers without conducting an independent examination of the company’s compliance position. Only after the technology team receives a demand from the publisher for payment of what can be tens of millions of dollars in licensing fees, penalties and interest does the team involve legal and financial executives.
Audit Response Plan
To help avoid these issues, legal departments should ensure that everyone is prepared for the audit before a publisher gives notice. One way to do so is to prepare an audit response plan that articulates the process everyone should follow upon commencement of an audit and identifies an executive audit sponsor, preferably in the legal department. The audit sponsor should require the team to work together to conduct an internal investigation assessing the potential exposure before the auditors collect any data.
When an audit notice arrives, an information technology worker must immediately apprise the legal department or outside counsel. There are a number of pre-audit issues to negotiate, many of which can significantly impact the potential audit exposure if there is a compliance gap.
Initially, the legal department will want to ensure that the auditor or the publisher has the appropriate confidentiality agreement in place to protect any of the company’s information that may be disclosed as part of the audit. Publishers often object to the inclusion of audit-specific confidentiality terms, particularly when there is a nondisclosure or confidentiality provision in the license documents. However, depending on the audited company’s business (e.g., health care or financial services), such an agreement may be necessary before an audit can commence.
Before the audit, the parties also should try to reach an understanding about how to resolve the matter. For instance, it is important to notify the publisher in the initial phases that the company will require a written agreement and release before it will process an audit resolution payment.
Additionally, software publishers sometimes request that an audited company provide information about all of its offices globally. The applicable audit provision may not authorize such a broad inquiry, and counsel should review the scope of the allowable inquiry and object when appropriate, before the company provides any information pursuant to the audit request.
Furthermore, to expedite resolution of the audit, examiners often base their findings on extrapolations. They review a subset of the software installations (e.g., 20 percent), determine that there is a small license gap, and conclude that the same license deficiency exists on the remaining 80 percent of the computers.
It is sometimes possible to object to extrapolation as the auditors are analyzing the environment. However, once the company has provided the information to the publishers or the auditors, a challenge to the scope of the audit or to extrapolation likely will not succeed.
Finally, involving corporate counsel will ensure that the company earmarks appropriate reserves to resolve the audit and makes the required financial disclosures, if appropriate. Failure to involve legal and financial executives early in the audit to conduct an internal investigation and evaluate potential exposure can result in an unpleasant surprise if a software publisher makes a large financial demand.
In-house counsel should work with the governance committee, executives or other appropriate personnel to develop an audit response plan and provide clear and concise training to the people who are likely to receive audit inquiries from publishers.
Counsel should become involved at the outset of the audit, and should become apprised of the potential risks and costs associated with the audited software. Proactive management of the audit from a central point of contact within the legal department can significantly reduce the potential financial exposure the company may face as a result of the audit.
Julie Machal-Fulks is a partner in Scott & Scott in Southlake.