Oracle licensing consultant Eliot Arlo Colon can recall the enormous global publishing company that was "so darn confident" it would breeze through an upcoming software licence audit unscathed.
But once the company actually dusted off its E-Business Suite contract, it got a surprise.
Contrary to a long-standing internal belief, the publisher's custom licensing agreement only authorised North American use of the ERP package, not worldwide, according to Colon, president of Oracle licensing consultancy Miro Consulting. The company was on the hook for "tens of millions of dollars" in licensing fees, although the issue was ultimately settled for less than what was owed, Colon says.
There is little hard evidence that vendors are conducting more audits than usual in recent months, observers and industry analysts say. Even so, given the last thing a cash-strapped IT shop wants these days is a hefty, unexpected bill for licence non-compliance, now might be a good time to prepare for one in hopes of minimising the damage.
"Proactive is better than reactive when it comes to software audits," says Robert Scott, a Dallas lawyer who specialises in software audits. Companies should strive to be in "an audit-ready mode", he added.
"You need a systematic process for evaluating what's on your computers and what you have purchased," performed on a quarterly basis if possible, Scott says. Also, "you've got to do so with an analytical rigour sufficient to certify the results as true and accurate in a legal context. If you can't get to that point, you have got a big problem."
Of course, sometimes audits can have good results, turning up the fact that a company is over-licensed, giving an opportunity to get rid of shelfware or transfer licences to more useful applications.
While he gets "a steady stream of requests" for help from clients who have been found to be non-compliant, over-licensing is a "much bigger" problem than under-licensing these days, says Forrester Research analyst Duncan Jones.
There are many ways to get at the truth, some more expensive than others. Vendors such as Acresso sell SAM (software asset management) applications for monitoring compliance, and outfits like Miro Consulting can conduct "friendly" audits and compliance reviews.
But in many cases, customers should start with basic housekeeping, taking steps like storing all their software contracts in a single place, says Ray Wang, a partner with the analyst firm Altimeter Group. "Most companies have them in file cabinets that span multiple locations."
Another crucial preemptive step customers can take is to limit their use of virtualisation until they fully understand the licensing implications, according to Jones.
"I still see a steady stream of enterprises, who I thought would have known better, finding they have compliance problems because they didn't check out what was going on and read the agreement to see how it would handle [virtualisation]," he says.
Vendors have long licensed software based on hardware metrics like servers or processors, and licence agreements tend to assume the application will be permanently assigned to a specific physical asset, Jones wrote in a report released earlier this year.
But applications running inside virtual machines "usually cannot be permanently associated with the resources supporting them", he wrote. While licence agreements often let customers transfer licences to different machines, they don't typically allow "the continual, frequent reassignment that a customer wants to perform to make full use of virtualisation."
Customers should consider moves such as switching to a "named user" licensing model or an unlimited usage agreement, according to Jones' report.
Whatever precautions customers take, they are in preparation for the inevitable, according to Colon.
Miro Consulting tells its clients "to assume they're going to be audited in a formal or informal way in the next one to three years by Oracle", he says. "It is just a fact."
Oracle and other vendors did not respond to requests for comment on their auditing practices.
But many audits emanate from vendor-backed groups like the Business Software Alliance (BSA), which offers whistleblowers up to US$1 million for valid reports of software copyright violations.
The majority of BSA's tips – about 2500 each year – come from current or former employees at companies where alleged wrongdoing occurs, according to its web site, which keeps a running tally of the settlements paid by offenders.
Only about half of the whistleblowers ask for a reward, according to the BSA. "People want to do the right thing. When they see this happening, especially on a larger scale, people think it is wrong," says Jodie Kelley, general counsel and vice president of anti-piracy.
In most cases, the BSA asks companies to conduct self-audits of their software assets, and attempts to reach a settlement if any non-compliance is found. While the BSA may file suit if a deal can't be reached, it would prefer not to take that step, Kelley says."Litigation is expensive on both sides."
If a company receives a letter requesting a self-audit from the BSA, the document and its contents should be closely held, according to Scott.
"You never know who is cooperating with the BSA, or who internally may have a relationship with the disgruntled employee," he says.
If customers decide they want to resolve the matter out of court, they should get it in writing that any documents they produce are for settlement purposes only, preventing the vendor from using them in the course of a lawsuit, Scott says.
There is little to be gained from willingly providing more information than the auditors are demanding in an effort to be conciliatory, according to Scott.
"Clients can take the position, 'We're going to show them everything. We'll be fair, they'll be fair to us?' Once they deliver the materials ... they report a Jekyll and Hyde kind of experience [from the vendor]," he says.
The best defence against an official audit may be to conduct one proactively before any letter arrives.
If a self-audit turns up major problems, companies can alert their sales contact at the vendor, who could set things right at the most reasonable cost, according to Forrester's Jones.
One thing that never makes sense is an attempt to hide non-compliance issues.
For one thing, such actions are "morally wrong", Jones says. Secondly, if a company is caught in the act of such concealment, "other vendors are going to descend upon you", he added.