July 19, 2007
The external audit has become one of the most contentious issues in software management and one that is unavoidable for medium-sized and large companies.
Andrew Shefford, director of security and risk services for the consultancy Ernst and Young, says large
businesses can expect to be audited by vendors looking for illegal software at least once a year: "In some
industries, where there is a perception of higher risk, there is likely to be a greater frequency; for example, in
financial services."
According to an analysis by the UK-based Corporate IT Forum, representing corporate users, the most active
software vendors in licence audit over the past four years have been Microsoft, IBM, Oracle, Adobe and BEA
Systems, in that order.
The cost of an audit is high: hundreds of thousands of dollars, which may be followed by the need to spend a
six-figure sum on new software licences: "Being reported for piracy is a situation no company wants to be in,"
says Robert Holleyman, chief executive of the US-based Business Software Alliance (BSA), which represents the
big software suppliers. The right of a vendor to audit a customer's software assets - that is, to reassure itself
that the software the customer is using is legitimate, being neither forged nor copied, and is covered by the
appropriate number of software licences - is usually built into the software contract.
And on the face of things, it is a perfectly reasonable process. As Juan Fernando Rivera, Microsoft's worldwide
software asset management manager points out: "For the most part, customers want to do the right thing. Our
aim is to engage them in software asset management conversations and help to educate them to the value of
software asset management solutions."
Yet a backlash is building up among companies who believe they are being taken for a ride by unscrupulous
software suppliers seeking only to increase revenues. David Roberts, head of the Corporate IT Forum, speaks
for many of his members when he says: "They do seem to indulge in a number of unnecessarily aggressive
tactics, giving very short notice, for example, or not providing suitable reasons for the audit. It's easy for my
members to take the view that they are only doing it to raise revenues rather than making sure they are not
using pirated software."
And the US-based lawyer, Robert Scott, with the Dallas firm of Scott & Scott, which has a specialisation in
defending firms against software audits, argues that shrinking software budgets and fierce competition among
suppliers are behind an explosive growth in audits: "I believe software audits are initiated to raise revenues and
to help customers. The focus, however, is increased revenues."
The existence of pirated and unlicensed software is, of course, the reason that audits exist. The situation, in
the developed world at least, has improved in recent years but is by no means perfect.
A study by the Business Software Alliance (BSA), which represents the large software vendors, showed that the
rate of software piracy in the European Union last year was stable at 36 per cent, but this still represented a
loss to vendors of $11bn.
Organisations representing the software vendors emphasise the value to companies of prudent software
management with neither too many nor too few licences and no illegal code on board.
Mr Holleyman of BSA says most audits are routine: "This happens every day of the week. It's a routine part of
business practice. BSA provides free tools to help companies audit their own software."
Self-audit is also a way of countering the threat of an audit. Phil Heap, managing consultant with the corporate
services division of the UK-based Federation Against Software Theft (Fast) says: "If you can show you have managed your assets to a level where you can produce reports of your entitlements and users' rights, it's very
unlikely a vendor would want to waste time and money on a further audit."
He says it is important first to collect the documentation: "A lot of people make the mistake of splashing out
immediately on a tool that will tell them which software they have installed. But the most important thing is the
entitlements and user rights documentation, because that is what publishers want to see."
Mr Roberts remains sceptical of the suppliers' motives, pointing out that audits are often suspiciously
demanded when there is business change - a merger or an acquisition when there will be maximum confusion
in an organisation and especially in the IT department.
He says suppliers have tried to charge licence fees for software supplied on trial or gratuitously - and possibly
never used.
He believes the answer is rapid implementation of the ISO software standard 19770-1, which provides an
independent framework for software asset management.
Mr Scott agrees, with some reservations: "The software industry has to do more to share the burden of
compliance management with end users. Successful vendors will work in tandem with their customers to
manage compliance without disruptive and adversarial audits.
"ISO 19770-1 establishes an excellent set of policies and procedures for the implementation of a software asset
management programme - but the costs of implementation remain unduly burdensome for most businesses."
Copyright The Financial Times Limited 2007 "FT" and the "Financial Times" are trademarks of The
Financial Times.
http://www.ft.com