What are Software Audits, and Why Are They On The Rise?

Recent years have seen an uptick in software audits, with more companies being asked to provide evidence of licensing compliance. This is largely due to the fact that organizations are now using more software than ever before, with an increasing number of employees working remotely.

Watchdog groups like the Business Software Alliance (BSA) and the Federation of Software Theft (FAST) serve the sole purpose of ensuring the protection of software vendors’ intellectual property. These groups and software vendors are dedicated to discovering and auditing non-compliant organizations every single day with little to no notice. According to Gartner, the likelihood of an assessment for a medium to a large firm over the next two years is predicted to be 40%, which is expected to rise by 20% annually.

But why do software vendors act in this manner? 

Simply put, the main motivator is money. Revenue from software sales fell when the American economy saw a downturn and software expenditures were slashed. Software vendors were forced to hunt for alternative income sources when these profits started to decline. Audit fines and penalties of several hundred thousand dollars to even millions of dollars appeared as lucrative options for these vendors. According to the BSA, 25% of businesses that operate in the US are non-compliant in some way, costing software vendors an estimated $6 billion in the loss. 

 

What is a Software Audit?

A software audit is an assessment of a company’s compliance with software licensing agreements. Organizations that use pirated or unlicensed software can be subject to expensive penalties, including fines and damages. In some cases, they may even be required to forfeit their business’ computers and other equipment. 

 

How Do Organizations Fall Out of Compliance?

 The truth is that conformity is not simple. It involves more than just purchasing adequate licenses. Even techies typically struggle to completely comprehend software licensing laws because they are so sophisticated, and even when they do, modifications to the regulations occur so often that it is challenging to stay up to date. 

Most businesses lose their ability to comply with the rules when they lack proper record keeping and miscomprehend software usage rights. Both parameters are equally crucial to stay in compliance. The first approach is to have clear visibility into your integrated software usage. In the unfortunate case of your company being audited, this can be an added benefit because you will be able to provide records immediately and demonstrate your good faith efforts to adhere to the regulations.

Furthermore, it’s crucial to have an attorney or specialist who excels in contract negotiations. They can elaborate to you how you can lawfully utilize your software, saving you from involuntary non-compliance. Avoid attempting to resolve this on your own, as it is easy to misinterpret or fail to notice crucial facets of software use terms and conditions. For instance, there have been instances where a business has expanded internationally and had staff members using software in other countries. They believed this was acceptable since they had many licenses, but since those licenses were only intended for use in the United States, they were in violation without even recognizing it. 

 

How to Lower Your Risk of Being Audited

  1. Exhibit a Sound Understanding to the Software Auditors 

To show that you have a good grasp of your software agreements, it is crucial that you respond to any inquiries the auditors pose in an efficient and thorough manner. In order to achieve this, you’ll need a workforce in control of the project, a SAM solution in place to oversee your software inheritance, and frequent internal audit findings to get a complete picture of your software assets utilization. 

This is especially true if your business has just undergone a merger or acquisition or if it is a large corporation with numerous branches. Such circumstances will make you prone to disorganization, which in turn raises the possibility of overlooking factors important for compliance.

  1. Stay Prepared

Inform your staff on the importance of software asset management, and prepare a defense plan in case a software inspection occurs. Even if a software audit is conducted, a quick assessment with a few fines will show the software provider that you are not an easy catch. Preparing includes having your licenses in order, appointing a specific person to oversee your company’s software audit, and having an audit defense strategy in place. Knowing what to do will ensure that every software audit of your company proceeds without incident and with the least amount of damage possible.

  1. Be aware of your Software Architecture

Establish an efficient asset life cycle, along with a streamlined procedure to purchase and retire software resources to keep a close check on them. Failure to do this can lead to the acquisition of numerous unnecessary licenses, which quietly drain the company’s IT budget. Keep track of what licenses you have and how many licenses you need so that you can stay compliant. Additionally, make sure that only authorized users have access to your organization’s software. Implement user controls and set up alerts so that you can immediately spot any unauthorized access or usage. 

Often, the majority of software audits search in the company’s Active Directory (AD) to assess compliance. A company’s AD contains all devices and accounts—not just those that are currently in use—that have ever used their software resources. There will be ex-employees in your Active Directory, along with devices that have been gathering dust in the company’s store, and the auditors will claim that each of these entities needs a license.

 

Conclusion 

Monitoring your software resources will cost much less than having them audited. In addition to achieving compliance, successfully managing your software and how they are used also ensure that your software resources are used to their full potential. You may delete shelfware and restructure your agreements to ensure that every software program you have is being successfully utilized. Efficient asset administration has no drawbacks because the added administrative costs will eventually result in equal cost reductions. By making sure all of your organization’s software is properly licensed and keeping track of who is using it and when, you can help your company avoid costly penalties associated with non-compliance.

How to Prepare for an SAP Audit

Getting Ready for a Software Audit with SAP? 
Five tips to keep in mind  

Of all the software publishers out there, SAP is known for dealing out particularly vicious audits with high numbers that are dreaded by SAP customers. 

But living in constant fear of being audited is no way to live your life. 

If you have SAP software of any substantial scale, then it is only a matter of time before your SAP audit is at your door. The best thing you can do is simply prepare. 

At MetrixData 360, we have gone up against SAP in enough audits to know what to expect.

In this article,  we’ll share with you the five ways you can prepare for an SAP-specific audit. 

Know What Triggers an SAP Audit 

Expect an SAP audit at least every two years. You may receive a software audit from SAP more frequently if:

  • you are a larger corporation 
  • your company has gone through a merger or acquisition which has led to substantial growth
  • you have purchased a new SAP product
  • you are deemed a ‘high risk’ customer based on the findings of a previous audit

Basically, if your last audit didn’t go so well, then in SAP’s mind, two years is a long enough time for old habits to flare back up and for disorganization to creep back in.  

While it is not a rule set in stone, SAP may initiate audits as a reactive measure to events that are occurring within their company. If SAP has lost a competitive bid, if their sales are slowing down, if they have released a new licensing model, it may increase the likelihood of you seeing an audit sooner rather than later.  

Know Your SAP Software Contract  

SAP contacts have the tendency to be needlessly complex, with over 100 separate Agreements/Order Forms/Exhibits/and so forth. These contracts all contain custom wording that can be difficult to understand but this comprehension of your agreements is critical if you want to avoid the brunt of an audit. Take something so simple as SAP’s definition for Use, as an example.  

Isn’t it great when a software publisher slightly changes the use of a seemingly commonly understood word? For SAP that word is “use.” 

According to SAP’s Software License Agreement, Use is defined as the ability to load, execute, access, employ the software or display the information resulting from those capabilities. This is a fancy way of saying basically any interaction or capability of interaction with SAP’s software can be defined as Use and any Use requires a license.

Since the definition is so broad, it means that it could prove a challenge in an upcoming audit for companies who do not have a strong understanding of Use according to SAP.  

In particular, you should make sure that your company has a strong understanding of the following terms as laid out in your specific agreement since they are often subject to customization:  

  • Named User 
  • Definition of your particular license metric, with close attention to any exceptions that your company could qualify for.  
  • Indirect Access or wording related to Indirect Access such as External user, interfaces, etc. Pay attention to even the smallest clause.  

SAP Indirect Access  

Many SAP systems have a dual-licensing system that relies on two main components.  

  • Packaged licensing: is what you paid for and what you use. I couldn’t tell you which metric SAP will use since SAP uses every metric under the sun and it will vary from product to product.  
  • Named User License: allows a user to use any number of SAP applications that can be found in the packaged licenses. Every user needs at least one license and to access any package you need a packaged license and a named user license. Confused yet? 

Taking the SAP definition of Use as seen in the last section, Indirect Use can be interpreted as Use through a custom-built application or a third-party application. So basically, anyone who touches SAP data or software in any way could be considered having Indirect Access.   

Make sure that you have a clear map of your SAP environment, including any SAP architecture not linked to your main ERP environment and affiliate system that might be interlinking with your SAP environment. 

Risk Management for SAP  

Before you start organizing your briefcase full of money to hand over to SAP for the purchasing of more licensing, there are a few strategies you can implement that can address the compliance issues of an SAP audit even before you are found in the middle of one. License purchasing should only be used after all other methods have been exhausted. 

  • License Identification: You may already have the licenses required to cover unique and seemingly unlicensed scenarios. You need to figure out if you are even in trouble before you start paying for it.  
  • Software Reconfiguration:With issues like indirect access, a reconfiguration of your software architecture may be just the thing you need to get you out of the compliance risk hotseat. 
  • System Clean-up: It’s important that you are using up-to-date software, and a system cleanup can be a great way to reduce your exposure. 

Have the Right People on Your Side 

Above all else, it’s important that you have the right team to handle an SAP audit. This isn’t a side project your IT department can get done in their spare time. 

Depending on the size of your software licensing environment, you may very well need to hire a team of people for the job, either in-house or an expert. Each option comes with its own advantages and drawbacks. 

An in-house software asset management team, while they may be more integrated into the culture of your company, will need to be versed in licensing and contracts from every vendor in your profile, negotiation skills, expertise in technology and so many more. 

To get all the resources you need, you will be required to hire a whole team of experts and it may take them a while to get up to speed. An external expert may come at a higher starting price but their immediate expertise and scalability to match your project can make it easy to gain massive returns on your investment. 

If you’d like more information about the pros and cons of hiring a SAM expert vs. doing it yourself, check out our article!

End on a Good Note!  

The frequency of software audits are only accelerating, and SAP is no exception. Ignoring what you have in your software licensing environment until your SAP audit is upon you will only create further problems, along with copious amounts of unneeded stress for you and your company. Imagine being able to approach a software audit with confidence in your own compliance and a rock solid defense to back your claims? 

At MetrixData 360, we have all the tools you need to get yourself ready for any audit that might be thrown your way, regardless of which software vendor it comes from. So, get ahead of your audits today!

SAP Indirect Access: Are You At Risk For A $600M Audit Settlement – Webinar Replay

SAP Indirect access is becoming a hot topic as its driving huge audit settlements for SAP.  Anheuser-Busch InBev, one of the world’s largest brewing companies, has notified SEC that SAP claimed “damages potentially in excess of $600m” on the grounds that the former had allegedly breached its software license agreement. Just a few weeks before this came to light, the high court in London has ruled in favor of SAP against Diageo, another large brewer with a similar claim for approximately £54 million pounds. Both claims are related to a license term named “Indirect Access”, where SAP views that users that ‘indirectly benefits’ from any SAP solution, regardless whether they each have a user account within the SAP solution, needs to be licensed.

Your organization may be exposed to the same license compliance risk if it any of the below applies – Deploys any SAP solutions – Integrates SAP systems with other SAP or third-party applications – Allows external user access – Allows user to access data within SAP via an integrated application Top Learning Objectives from the Webinar: – Understand of the concept of SAP Indirect Access – Learn to assess your organization’s current Indirect Access Risk (IAR) level – Learn potential options to remediate IAR

During this Webinar we break down the risks of SAP Indirect Access and explain how you can be proactive to fix any gaps before SAP comes looking for a settlement.