In-Depth Report

2008: Predicting A Very Challenging Year

As deteriorating 2008 economic indicators for North America begin to affect enterprises, IT leaders will face a two-edged challenge. On one hand, management will expect speedy functionality and quality enhancements to systems to improve the enterprise’s competitive position. On the other, senior management may squeeze existing budgets and successful investment proposals will have to meet much tougher criteria.

Software License Compliance: Your Due Diligence

McLean Report: Research Note

Published: January 29, 2008


Enterprises that do not manage their software are at a greater risk of failing an audit by a licensing compliance watchdog group. Don’t be caught out of compliance. Enact periodic self-audits to avoid boardroom embarrassment.

Watchdogs to Watch For

Watchdog groups are authorized to investigate reports of fraudulent use of software, then audit and fine companies which are found to be out of compliance. Watchdogs include:

  • Software Information Industry Association (SIIA) in the US,
  • The Canadian Alliance Against Software Theft (CAAST) in Canada,
  • The Business Software Alliance (BSA) worldwide.

Fines are typically three times the retail value of the software titles found to be out of compliance, plus legal penalties, in addition to the cost of acquiring the legal licenses.

Believing that small organizations are safe because watchdog groups will pursue the big fish is a big mistake. According to the Associated Press (AP), of the $13 million in software violation settlements with North American companies last year, almost 90 percent came from small businesses.

The Most Common Violations

Software licensing violations take a number of forms. Watchdog groups normally look for the following types of violations:

  • Under-licensing. The most common form of non-compliance, this is a case of a copy of software being installed on more PCs than there are licenses purchased.
  • End-user piracy. Employees reproduce and share licenses without authorization.
  • Improperly licensing software. This can occur when an upgrade copy is purchased without the underlying license.
  • Client-server overuse. Too many networked employees access a central server program without the appropriate CALs.
  • Counterfeit software. The company unknowingly buys illegitimate software from a bogus supplier. This problem is less common since Microsoft’s launch of the Windows Genuine Advantage program.
  • Internet piracy. This happens when employees download and install unlicensed software from Internet sources.

Example Case Study

Info-Tech completed a software audit for a telecommunications company in the US with 1000 users. The enterprise could have faced non-compliance costs of $4.8 million USD, including potential penalties. The audit found $361,000 worth of software which could be eliminated. Further, another $90,000 was saved by switching to a Microsoft contract that includes free licenses for secondary use and non-production computers such as for training, testing, and development.

The Costs of Failing an Audit Are Real

Although the risk of being audited is relatively low, the cost of being found out of compliance is no small sum. The two major fines are:

1. License shortfalls. Each piece of software found in violation can be fined up to three times the Manufacturer’s Suggested Retail Price (MSRP) in addition to the cost of acquiring a legal copy of the software. Consider the following example: an organization of 300 users found out of compliance by approximately 15% on Windows Vista and Microsoft Office 2007 will face costs of over $100,000. Consider that proper licensing could have been secured for much less than the MSRP through a volume licensing agreement.

Table 1. Cost of Illegal Software

| Software Title | Total Installed | Total Owned | Shortfall | Cost per Title (MSRP) | Penalty for Shortfall | Licenses to Buy | Total Cost |
|---|---|---|---|---|---|---|---|
| Windows Vista Business Upgrade | 290 | 250 | 40 | $199 | $23,880 | $7,960 | $31,840 |
| Office 2007 Standard | 284 | 240 | 44 | $399 | $52,668 | $17,556 | $70,224 |
| TOTAL | | | | | | | $102,064 |

2. Legal penalties. A company that refuses a watchdog audit can be sued for copyright infringement and can be subject to court proceedings. Penalties for copyright infringement can climb to $150,000 per unauthorized software title in the US, and up to $20,000 per title in Canada. There is no limit on copyright penalties in the UK.

Beware of Common Licensing Errors

Organizations should watch out for the following scenarios, as they have been known to lead a company astray from licensing compliance.

  1. Rapid growth periods. Overlooking licensing issues during a period of rapid growth is a recipe for disaster.
  2. PC hand-me-downs. When handing an old PC down to another employee, many companies will transfer copies of software to a new machine but will forget to delete it from the old one. Most often the new employee may not need to use the particular software in question, and it will sit on the PC unused. Despite the fact that the employee isn’t using the software, if the company is under-licensed, it has a problem.
  3. Upgrades. People often forget that when conducting a version upgrade, they are re-installing full versions of the software. This could result in two licenses being installed on the same device. More often, the upgrade package is used on a PC that does not have the requisite original package.
  4. Temporary staff. A very common entry point for noncompliant software is through temporary staff such as interns, co-ops, and contractors. These folks invariably are working in specialized disciplines, and often bring with them a belief in a software need. One example is the use of educationally discounted software in a corporate environment.
  5. No controls in place. Without a tight control on what employees download and install onto their PCs, the company is put at risk. Without a proper software asset management process, no one will take responsibility for license management until it is too late.

It Pays to Blow the Whistle

Disgruntled staff members are often the source of a tip-off. A YouGov poll commissioned by the BSA found that 75% of workers would consider reporting their company if they felt their boss treated them unfairly, and 25% said poor pay raises may influence them to report.

In recent years, the BSA has been very aggressive in their marketing campaigns, offering large sums to whistleblowers. In 2005, the BSA began offering whistleblowers $50,000 in the US. It raised the limit to $200,000 last year and just recently again to $1 million. It is highly unlikely that anyone will ever be paid that amount, since rewards have a sliding scale and the case must reap more than $15 million. The BSA’s largest case, one against an international media firm, resulted in $3.5 million.

Action Plan

Organizations should take the following steps to ensure software license compliance:

  1. Conduct a software self-audit. Performing a self-audit involves taking an inventory of all software deployed and comparing this against licenses purchased. Smaller organizations with fewer than 50 PCs could conduct a manual inventory. For larger organizations, a software asset management (SAM) tool should be used for the inventorying process. If the IT department does not have the time or resources to conduct a self-audit, many third parties can do a thorough audit for a nominal fee.
  2. Reduce, reuse, and recycle. If the organization is found out of compliance, there are two viable options: uninstall the under-licensed software or purchase additional licenses. Before forking over cash to cover up shortfalls, consider that many licenses may be going unused. Immediately reduce risk as follows:
     • Reduce. Remove all duplicate installations, applications not required or used, or over-provisioned license types based on employee needs. Assess employee needs through an end-user survey.
     • Reuse. Purchase Microsoft applications and server software through a Volume Licensing agreement in order to take advantage of peripheral license options such as secondary use rights, and training and development licenses.
     • Recycle. Ensure the proper transfer of licenses when employee churn happens. Further, for hand-me-down PCs, be sure to uninstall programs not needed by the new PC user.
  3. Develop a risk mitigation strategy.
     • Centralize purchasing. Centralize purchase decision making for new software licenses and upgrades. All new Microsoft software should be purchased through a Volume Licensing agreement to take advantage of volume discounts and peripheral license options.
     • Standardize installs. Move toward standard disk images or installation packages for each PC in the enterprise. For example, all Sales Floor PCs will run Microsoft Office and LANDesk, but not Microsoft Publisher or Adobe CS3. This will simplify tracking.
     • Educate end users. Have employees read and sign the enterprise’s software use policy to raise awareness of the potential liability. Help employees understand they will be held responsible for software they install.
     • Invest in SAM tools. Investigate a SAM tool to gain control over assets, reduce license administration, and ensure ongoing license compliance. Look for SAM tools that alert IT of unlicensed software and rogue installs.
     • Schedule regular software audits. Conduct periodic self-audits going forward to ensure continual compliance. Identify any non-compliance and resolve.

What Counts as Proof of Ownership?

These count:

  • MVLS or eOpen information
  • License certificates
  • Old purchase orders
  • Paid invoices
  • Reseller and OEM reports
  • Record of license transfers

These don’t count:

  • Serial numbers
  • Volume licensing agreement
  • Original boxes

Bottom Line

IT executives are responsible for answers when a software audit looms. Software asset management tools are readily available, and leave organizations with no reason to be caught out of compliance. IT managers should enact periodic self-audits to avoid boardroom embarrassment.
