Receiving a BSA software audit can be just the thing to ruin your day or your month. The Business Software Alliance (BSA) is an industry trade group that acts to defend its members, including large software corporations like Microsoft, from copyright infringement. They are also the top advocate for technological innovation.
The BSA’s software audits are a special kind of painful, and MetrixData 360 has just the remedy for that type of pain. Having spent many years in the software asset management industry, we’ve been able to get our clients out of the stickiest situations. So, let’s talk about BSA audits and how you can prepare for one.
What Is a BSA Software Audit?
Software audits are the review or analysis of a piece of software to ensure several different regulations are being properly adhered to. The reasons for instigating an audit vary, but include:
- Checking Compliance
- Ensuring that the piece of software is working properly
- Investigating the proper configuration of a piece of software within an environment
Generally, software audits form an excellent stream of revenue for software vendors, since compliance gaps are often resolved with the purchase of more licenses to drive up the vendor’s sales and market value.
Having a strong defense for software audits is critical to ensure that you are not left paying out millions of dollars in unneeded fines.
What Causes a BSA Software Audit?
Regular software audits from a software vendor occur for a variety of reasons:
- Their revenue has taken a sudden dip and they are trying to make up for the losses
- Your company has gone through a merger and acquisition, and it’s likely that your software licensing environment is messy after the move
- Random selection: some software vendors issue routine software audits on a regular basis regardless of whether their clients have shown any red flags for compliance issues. There’s little you can do about it simply being your turn.
- You have rolled back on purchased licenses suddenly and without explanation
- You have gone through a software audit before and the results revealed a huge compliance gap. The software vendor will assume you’ve fallen back into old habits.
However, the thing that incites a BSA audit is a little different.
The BSA has telephone hotlines and radio stations where they encourage disgruntled employees and vendors to make anonymous reports and complaints about companies in violation, regardless of size.
These informants are further incentivized by the potential of a reward for any leads on instances of unlawful installation of software.
Of course, the BSA will consider any installation without a proper receipt or proof of purchase to be an unlawful installation. For each report, the BSA will decide whether to request a self-audit or go straight to a lawsuit, but usually they will ask you to conduct a self-audit first.
A self-audit gives you the chance to use your own internal resources and your own software audit team to compile your defense.
The Tools and Process of a BSA Audit
Since the BSA audit will be a self-audit, you will be allowed to use internal staff or a third-party firm to gather the relevant information, which will include proofs of purchase or receipts for all the versions of software and all the computers in your software infrastructure. Pay close attention to this collection phase, since the BSA may mark free versions or old versions of the software as unlicensed.
The BSA may offer you software tools in order to collect the relevant data, but these free discovery tools may easily miss critical information. They may mark free or test/dev software as fully licensable or they may fail to accurately capture the intricacies and uniqueness of your software environment.
When in doubt it’s always best to use your own software inventory tools.
What Are the Fees Associated with a BSA Software Audit?
The most worrisome difference, and the one that is on everyone’s mind, is the price tag associated with the BSA audit.
A regular software audit is sent out by the software vendor on a systematic basis to their customers to ensure the proper use of their software. They usually send you one of two types of software audits: a review or an audit.
Reviews are voluntary, and the only payment you have to make is the purchase of the licenses you are found to owe.
Official software audits are distinctly not voluntary, and if you are found out of compliance to a significant degree (every software vendor is different, but for Microsoft you only need to be out of compliance by 5%), you will be asked to pay for the missing licenses along with additional fees, and you will be burdened with covering the expense of the software audit.
Those are the two types of fees you can expect when the software vendor audits you. When the BSA audits you, it’s a whole different story.
When the BSA audits you, they will expect you to perform your own internal audit and provide them with the results. After receiving your findings, the BSA will fine you based on any illegal duplications or unauthorized use. Proving legitimate use may be difficult and, in some cases, even something like a proof of purchase will not be enough to satisfy the BSA’s standards. If that is the case, the fee can be staggeringly high — up to $150,000 USD per infringement, a crushing sum, especially for smaller businesses.
What Should You Do When You Receive a BSA Audit Request?
While you should always be wary of seemingly legitimate claims from untrustworthy sources, if you can confirm that the letter does in fact come from the BSA (and feel free to verify it with a lawyer), then it is always best to respond.
Even if the only thing they are asking for is a self-audit, refusing to comply will result in the BSA escalating things straight to litigation. If you were to refuse the demands of the BSA, it will make it look as though you have something to hide and will send a red flag to your software vendors.
- Ensure Confidentiality
Set up a confidentiality agreement between yourself and the BSA. This will determine the scope of the BSA’s investigation and will limit the BSA’s ability to use the data you provide to them in court. If they provide you with an NDA to sign, read it carefully to ensure it protects your own rights as well as those of the software vendor.
- Start to Gather all the Relevant Material
You’ll need to compile all the data that will be required for this self-audit. This will probably take about 3 to 4 months to gather completely, depending on the size of your software licensing environment, so it’s best to get started early.
The types of things you’ll be gathering are:
- List of software products that are part of the BSA membership that have been installed as of the date the BSA letter was issued.
- Proof of purchases — usually an invoice will be fine when it comes to the BSA.
- A list of your software inventory
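The self-audit comes down to reconciling what is installed against what you can prove you bought, while keeping the pitfalls noted earlier out of the count: installs discovered after the letter date are out of scope, products from non-BSA vendors are not the BSA’s concern, and free, trial or test/dev editions should be set aside for review rather than counted as licensable copies. The following Python script is an added illustration of that reconciliation; it is not MetrixData 360’s tooling or any BSA tool. The vendor names, product names, edition labels, invoice numbers, dates and record layouts are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Install:
    """One discovered installation (constructed schema for this example)."""
    host: str
    vendor: str
    product: str
    edition: str        # e.g. "Standard", "Trial", "Express"
    installed: date


@dataclass(frozen=True)
class Entitlement:
    """One proof of purchase (constructed schema for this example)."""
    vendor: str
    product: str
    quantity: int
    invoice: str        # invoice reference kept as the proof-of-purchase trail


# Editions that must not be counted as commercial copies; they are listed
# separately so a reviewer can confirm their licence terms by hand.
NON_COMMERCIAL_EDITIONS = {"Trial", "Express", "Community", "Evaluation"}


def reconcile(installs, entitlements, bsa_members, letter_date):
    """Compare installs with entitlements for BSA-member products.

    Returns (gaps, review): gaps maps (vendor, product) to a dict with
    installed, entitled, shortfall and the supporting invoice references;
    review lists installs excluded from the count for manual checking.
    """
    entitled = defaultdict(int)
    invoices = defaultdict(list)
    for e in entitlements:
        entitled[(e.vendor, e.product)] += e.quantity
        invoices[(e.vendor, e.product)].append(e.invoice)

    counted = defaultdict(int)
    review = []
    for i in installs:
        if i.vendor not in bsa_members:
            continue                        # not a BSA member: out of scope
        if i.installed > letter_date:
            continue                        # installed after the letter date
        if i.edition in NON_COMMERCIAL_EDITIONS:
            review.append(i)                # set aside, do not count
            continue
        counted[(i.vendor, i.product)] += 1

    in_scope = set(counted) | {k for k in entitled if k[0] in bsa_members}
    gaps = {}
    for key in in_scope:
        inst, ent = counted[key], entitled[key]
        gaps[key] = {"installed": inst, "entitled": ent,
                     "shortfall": max(0, inst - ent),
                     "invoices": list(invoices[key])}
    return gaps, review


# Constructed sample data: placeholder vendors, hosts and invoices.
LETTER_DATE = date(2023, 6, 1)
BSA_MEMBERS = {"VendorA", "VendorB"}
SAMPLE_INSTALLS = [
    Install("ws01", "VendorA", "OfficeSuite", "Standard", date(2022, 3, 1)),
    Install("ws02", "VendorA", "OfficeSuite", "Standard", date(2022, 3, 1)),
    Install("ws03", "VendorA", "OfficeSuite", "Standard", date(2023, 1, 15)),
    Install("ws04", "VendorA", "OfficeSuite", "Trial", date(2023, 5, 20)),
    Install("ws05", "VendorA", "OfficeSuite", "Standard", date(2023, 7, 1)),
    Install("ws06", "VendorB", "DesignTool", "Standard", date(2021, 9, 9)),
    Install("ws07", "VendorC", "Utility", "Standard", date(2020, 1, 1)),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("VendorA", "OfficeSuite", 2, "INV-0001"),
    Entitlement("VendorB", "DesignTool", 1, "INV-0002"),
]

if __name__ == "__main__":
    gaps, review = reconcile(SAMPLE_INSTALLS, SAMPLE_ENTITLEMENTS,
                             BSA_MEMBERS, LETTER_DATE)
    for (vendor, product), g in sorted(gaps.items()):
        print(f"{vendor} {product}: installed={g['installed']} "
              f"entitled={g['entitled']} shortfall={g['shortfall']} "
              f"proof={','.join(g['invoices']) or 'NONE'}")
    for i in review:
        print(f"review: {i.host} {i.product} ({i.edition} edition)")
```

On the sample data the script reports a shortfall of one OfficeSuite copy (three counted installs against two invoiced licences), no gap for DesignTool, the trial copy on ws04 listed for review rather than counted, and the install made after the letter date and the non-member vendor left out entirely. Keeping the invoice references beside each count is what lets you answer a challenge on an individual product with the proof the BSA will ask for.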
How to Handle Software Audits with Confidence
Software audits are no one’s cup of tea, and the software audits that the BSA dishes out tend to come with an extra dose of difficulty that can leave many companies stupefied.
Being stuck paying out millions of dollars in fines that you don’t owe is hardly an ideal scenario and, what’s worse, is that it is completely avoidable. There’s a way to get around this.
At MetrixData 360, we know how to deal with these types of audits and we have defended our clients in the most challenging times. If you’d like to learn more about MetrixData 360’s approach to audits, you can download our Audit Defense Procedure for an in-depth step-by-step look into handling an audit.