Software audit painful and costly for the noncompliant

Dynamic Systems Inc. CIO Will McManus learned about software license audits the hard way. He was audited -- twice.

Will McManus has been hit twice -- with software audits.

They hit him in the wallet. Nearly $10,000 on Microsoft Exchange mailbox licenses for which the company unknowingly hadn't paid. Even worse, close to $100,000 in license and legal fees to Autodesk Inc., maker of popular design software AutoCAD.

As CIO at Dynamic Systems Inc., an Austin, Texas-based mechanical contractor, he services 2,000 employees in seven offices and the field.

The experience wasn't fun.

"It's a little deflating, only because you are aware of the amount of time it's going to take," he said. "And there's no indication how zealous they're going to be in pursuing it. I have a department of six people and it absorbed an enormous amount of resources."

As far as preparation goes, McManus isn't alone. A recent survey found that 69% of IT leaders are "not confident" they are in compliance with software license agreements.

McManus' Microsoft license audit was more than three years ago now, but he said he remembers his staff spending weeks gathering the information Microsoft required.

The Microsoft audit began with a certified letter. McManus was required to show the size of his installed software base versus the number of Microsoft software licenses Dynamic Systems owned. He said the company turned out to be running too many mailboxes out of Microsoft Exchange. McManus attributed this to the employee turnover rate in some of the business units.

Juan Fernando Rivera, director of antipiracy for Microsoft in the U.S., said the company doesn't want to be punitive when conducting license audits. Instead, Microsoft uses its partner structure to disseminate Software Asset Management, the behemoth's license management protocol, to customers.

Rivera described Software Asset Management as "80% process, 20% tools," really a series of Microsoft-specific guidelines to help CIOs ensure they are compliant with Microsoft license agreements. The company offers a free tool to track Microsoft software on up to 250 PCs.

"We believe that customers, for the most part, want to do the right thing," Rivera said. "It's not about penalties. It's not about looking and charging for past usage and things like that.

"It's not punitive at all," he added.

McManus' experience with Microsoft reflects that attitude.

"When we were all said and done they were satisfied with what we had done, it just took a long time to put it together," McManus said. "That one was time consuming but relatively painless."

Not so with Autodesk. As it was, McManus had zero visibility on who was using AutoCAD. Instead, a department manager oversaw the program. When the audit was done, the company was out nearly $100,000.

A spokesperson for San Rafael, Calif.-based Autodesk wrote in an email that information about the audit procedure and how the company decides to initiate an audit is "not something we share."

But Autodesk does maintain a license compliance website featuring information on recent settlements with companies illegally using AutoCAD and other software.

Take Bickel Underwood Corp., a Newport, Calif.-based architecture firm publicly shamed to the tune of $73,300 in a settlement with Autodesk. The page also includes a write-up on the $124,000 Payless ShoeSource was forced to fork over in December 2006 after the company was found running unlicensed software made by six different companies, including Autodesk.

The Payless settlement was handled by the Business Software Alliance (BSA), a coalition of software companies that collects, investigates and acts on software piracy tips. Most tips to the BSA come from current and former employees of the offending companies.

License audits by the BSA start and end with attorneys. Companies are asked to conduct a complete software audit and provide proof of ownership, usually through a dated proof of purchase, such as an invoice.

If illegal software is found then, "first and foremost, the company needs to agree to get compliant with all that software," said Jenny Blank, senior director of legal affairs at BSA. That means paying for licenses or uninstalling the software.

The BSA then proposes a settlement amount. The exact settlement proposal is based on the value of the illegally installed software.

Blank suggested CIOs get ahead of the BSA by routinely conducting in-house software license audits.

"One of the first steps I would recommend would be to have management at the top level put together a policy and communicate it to the employees," she said.

"Get the work done and keep it fresh," she added. "You don't want to just do it once and put it on a shelf and never touch it again, because software is dynamic and is installed and uninstalled all the time."

McManus' $110,000 license audit convinced him it was time to put in for some license management software. He ended up with a product from Seattle-based Express Metrix LLC.

Previously, "we sort of had some real manual processes," McManus said. "Even as manual as filing cabinets and paper licenses and had real difficulty in both audits in justifying the number that we had installed versus the number that we owned."

With the management software, McManus says he has much better oversight of Dynamic Systems' licenses. That means not only does he know when he's using too many copies of a program, but he also knows when he has copies to spare. Plus, he said, it saves him a bundle in staff time, key in a small IT shop like his.

"We can see if people are loading software on their own or 'Did they have IT's permission to load?'" he said. "We're finding that this automation has made us much more productive and effective at taking care of what really is the company's property."

McManus said he did consider using free software management tools available for download, but they "stopped being effective at 75 seats or so."
