
Microsoft, Oracle, IBM, and Adobe Software Audits at a Glance

The Top Four Software Vendors Sending Out Software Audits

It is likely that your software budget is shrinking, yet your software vendors are looking for you to spend more money with them every year. When software companies can’t get the revenue they expect from you, they will often turn to software audits as a way to make up the difference. Software audits are many things: stressful, frustrating, and liable to leave you thinking that living in a cave, herding goats might have been an easier career path. But for the software publishers, audits are quite profitable, and they have come to exploit this as a way to make their annual revenue growth targets.

Gartner has said that there is a 60% or greater chance that enterprises will be audited by at least one software publisher in any given year. The best way for you to handle the rising tide of software audit requests is by knowing your software environment and performing routine health checks to uncover areas of exposure. We cover the top areas where a company is exposed in a software audit in our article Software Audit Preparation: What You Need to Know.

The Biggest Companies Performing Software Audits Are:

  • Microsoft
  • IBM
  • Oracle
  • Adobe

At MetrixData360, we have extensive experience working with all of these vendors, and we know how to handle an audit from each. In this post we’ll discuss some of the things you need to know about each of the software vendors and how to handle them during a software audit.

Microsoft Audit

Microsoft often claims that their audits are simple, short, and painless. In our eight years of defending companies during their software audits, we’ve yet to see a Microsoft audit that has matched this description.

Instead, we have seen audits that take almost 18 months to finalize as customers try to dig through rising mountains of data that are required as part of a Microsoft Audit (or SAM Engagement). Here are just a few tips for dealing with a Microsoft software audit:

    • SAM Audit or Review?

From our experience, Microsoft can either offer you SAM reviews or audits. SAM reviews are technically optional but refusing will likely result in getting audited. For a full breakdown of the difference between a Software Audit and a SAM review, visit our post Software Asset Management (SAM) Review vs Audit: What’s the Difference?

    • Respond to Your Vendor

We are often asked if you need to respond to an audit or a SAM letter. The short answer is yes, it is highly advisable that you respond to both. Not responding to a software audit can find you in breach of your contract and leave you facing potential legal ramifications and hefty fines up to $100,000 USD. Although you could technically refuse a SAM Engagement, you could also find yourself running the risk of being in breach of your contract.

It has been our experience that refusing a SAM review will often result in Microsoft responding by sending you a full audit that you can’t refuse. Therefore, it would be more beneficial for you and your company to negotiate with Microsoft to perform a self-assessment as opposed to having a Microsoft partner perform the audit. A SAM engagement will be nearly identical to an audit after the data collection stage has begun and you will struggle to see the difference between the two processes until the negotiation stage has been reached.

    • Software Reviews vs Software Audits

The real difference between a SAM review and an audit can be seen when examining the penalties of each and how they are resolved. In a SAM review, you will be allowed to purchase your missing licenses at your contracted prices or at your historically discounted rate. In an audit, on the other hand, Microsoft has the right to charge any shortfalls at List Price in addition to a 5% penalty, although this may vary depending on your contract.

    • Paying For An Audit

Another difference between a SAM review and a full audit appears when asking who will pay for the whole process. Microsoft will pay for the cost of the SAM engagement themselves, whereas in an audit, if you are found to be greater than 5% out of compliance, you will be responsible for paying for the audit yourself in addition to any penalties you incur during the audit.

IBM Audit

IBM audits can be especially tough, since many of their license metrics require you to have correctly installed their ILMT tool in order to effectively capture your estimated license position (we have found that the majority of IBM’s customers have not done this correctly). Here are some things to consider that can help in the case of an IBM audit:

    • True Up Costs

Once your software audit has concluded, IBM will often let you settle at your discounted price with an additional fee for the maintenance that was used for the upkeep of the product when it was unlicensed.

    • Watch For Licensing Changes

IBM is also prone to making licensing changes, which can apply to a wide range of their products, in the wake of adding a newly acquired software company to their portfolio or releasing new versions of their software. When these events occur, be sure to look at your licenses with IBM to check for relevant updates.

    • Properly Set Up and Use ILMT

Our CEO Mike Austin says that you need to understand ILMT and how it works to effectively manage most IBM Software Audits.
According to Mike, “IBM isn’t typically auditing their Passport Advantage program, they are going after the complexity of sub-capacity and PVU based licensing. In order to pass an audit if you are licensing at sub-capacity, you need to have ILMT up and running. You will also need to have a history of reports. Installing and configuring ILMT is tricky and not many companies have done it correctly. In a lot of our work around IBM Audits, we are fixing ILMT reporting before we even start the work of defending an audit.”

    • ILMT Does Not Hold All The Answers

However, installing ILMT doesn’t mean you are 100% safe from IBM’s audits; you can still be found out of compliance.

    • Avoid Scope Creep

Our IBM Audit team says to make sure you define the audit scope, as IBM is quite notorious for scope creep. You will want to ensure you know which products and contracts are included in (and excluded from) the audit.

    • Put The Onus On IBM

You need to get an agreement with IBM (not the reseller, who can’t promise this) stating that IBM will take on the responsibilities to ensure that the product being deployed is correctly licensed. If they then fail to deploy ILMT after such a deal has been reached, it might be possible to get a concession during an audit.

    • Defend Yourself With Data

Even if IBM doesn’t take responsibility for the licensing of deployed software, you might have a case to circumnavigate adverse findings that can come up due to ILMT’s failures, if you can collect historical system-generated reports that demonstrate the following things:

1) the processor resources that were allotted to the VMs running the PVU-licensed products have been or are capped and are not subject to any automated augmentations based on system demands, and

2) the historical usage of these products never exceeded licensed levels. However, this data has proved difficult for companies to obtain in the past.

Oracle Audit

From our observations, Oracle Audits typically incur the largest compliance findings. We’ve dealt with Oracle many times in the past, and here are some things you should know about how Oracle conducts their audit.

    • Only Pay For What You Use

According to the ITAM Review’s article Oracle Audit: Top 20 Frequently Asked Questions, for Oracle, the installation of software and the licensing of that software are two different events, with the exception of Database Enterprise Editions, so be careful when initially deploying software, as it will likely be the cause of issues during an audit. For example, Oracle optional features, such as RAC, get turned on by default when installing databases. These options may only be licensable if you actually use them, not if you have them installed. This is a subtle difference, but it can have a profound impact, and it is an area that is often found as being licensable by LMS. However, we have often found that it can be negotiated out with usage data.

    • Oracle Software Review vs Oracle Software Audit

Oracle has Oracle License reviews and Oracle License audits. These are the exact same thing – “review” just sounds friendlier. Both should be treated with the same level of severity.

    • Understand Your Contract

According to Scott & Scott, LLP’s article, Seven Lessons I Learned Representing Clients in Oracle Audits, take extra care to understand Oracle’s policies around usage. Since many of Oracle’s policies will not be included in the license documents, there tends to be a lot of confusion generated around this topic. Some areas that produce the largest findings in an Oracle Audit are VMware and Oracle’s policy stating that all Processors in a cluster must be licensed. This policy has caught many organizations off guard and is the crux of the major lawsuit between Oracle and Mars Corporation.

    • More Gaps Cost More Money

As with Microsoft, if you are found out of compliance in an Oracle Audit, you will have to cover the expense for the audit.

    • Use Your Own Tools

Our Oracle Audit Experts state that you are not required to use Oracle’s scripts to collect your data, especially if you have your own methods in place for gathering your data. LMS will try very hard to get you to use their scripts. We recommend, however, that you use your own processes first, if possible.

    • Tools Are Only As Good As The People Using Them

ITAM Review’s article Oracle Audit: Top 20 Frequently Asked Questions states that Oracle has several approved SAM tools like Lime Software, Easyteam, BDNA, Hewlett-Packard, Flexera Software, Nova Ratio, and iQuate. However, these tools only collect raw data and won’t provide you with the interpretation of that data which will tell you what you need to license. Therefore, just because you have Oracle-approved tools, it doesn’t mean you’re completely safe in an Oracle audit.

    • Get A Paper Trail

In all audits, but especially ones with Oracle, it is highly recommended that you get a closing statement to close out the audit (indemnification is the most ideal). This is especially important with Oracle, as they are a very litigious vendor. You will be happy that you have a closing statement in case the audit ever goes to court and your company’s reputation is suddenly on the line.

Adobe Audit

Compared to the other heavy hitters, Adobe’s software audits can seem like little more than a friendly reminder. However, Adobe’s products can be quite expensive, so it’s important not to let this vendor slip from your mind. Here are some tips about Adobe licensing:

    • Friendlier, But Not Friendly

According to a study released by Gartner in 2016 and presented in their article What Does an End to Adobe Auditing and License Compliance Activity Really Mean?, Adobe has steadily moved away from auditing their customers, focusing instead on their Software as a Service platform and subscription-based licensing. That does not mean your company no longer has to deal with compliancy risks from Adobe, as Adobe still maintains the right to verify compliancy, giving their customers 30 days to provide data to ensure proper usage.

    • Buy What You Need, Not What You Want

The Gartner article also states that with a focus on SaaS and the subscription-based nature of Adobe, along with the lack of an “off-switch” for Adobe products, the main focus of Software Asset Management when it comes to Adobe should be proper sizing and monitoring usage.

    • For Adobe, It’s The Little Things That Count

According to TechRepublic’s article How to Prevent or Navigate an Audit by Adobe, Adobe monitors their customers differently from other vendors. Where Microsoft, Oracle, and IBM are interested in unlicensed software, Adobe is more interested in the protection of their intellectual property and making sure their product is used correctly. Are you correctly licensing any fonts with Adobe? These small questions can accumulate if they are not properly answered.

    • Adobe Does It Themselves

TechRepublic’s article also states that Adobe performs their own compliance verification review as opposed to hiring a third-party auditor, which can either be good or bad depending on how far out of compliance you are.

    • Watch For Creative Suite License Changes

One best practice we advise our clients to adhere to when dealing with Adobe is to pay particular attention to Creative Suite, as it is prone to change almost every year and these constant updates make it difficult to keep track of products. It will often leave programs obsolete, and its licensing makes it difficult to understand what is truly needed.

    • Upgrade Licenses Can Downgrade Your Compliance

Finally, according to TechRepublic’s article How to Prevent or Navigate an Audit by Adobe, Adobe also has no program in place to account for upgrades. Upgrade licenses, therefore, can sometimes stretch back several years – so, keep track of how far back these licenses go and be sure not to leave yourself over-confident (don’t forget that sometimes you can only go back three versions – so tracking that can also be very difficult).

How MetrixData360 Can Help

Software audits have been known to put a strain on any company’s software budget, so knowing about the software vendors that tend to resort to such methods will leave you with a better knowledge of what to expect. At MetrixData360, we believe that you should not have to pay the software vendors more than what you owe them, so it’s important to invest in software asset management long before you’re confronted with a software audit.
