Cherwell IT Service Management Blog
Resources, Best Practices, and Solutions for ITSM Pros

Are You REALLY at Risk for a Software Audit?

We’ve all at some time in our lives fallen victim to the temptation to glom onto “statistics” that validate a position we take, be it about business, politics or how to raise kids. In the PR world, the temptation is even greater when those statistics are considered “newsworthy” and can fill a hole in the editorial schedule. Every year, I never fail to be amused when asset management vendors such as ourselves predictably jump on the results of Gartner’s annual software audit survey. Their most recently published study revealed that of 228 participants who attended Gartner’s 2011 “IT Financial, Procurement and Asset Management Summit,” 65% had undergone a license audit in the previous twelve months.

We in the software asset management space peddle products to help rescue unfortunate souls from licensing perdition. It’s our obligation to warn them of imminent disaster by trumpeting a message of fear: “Software audits are on the rise!” or “Software audit risk jumps to 65%!” or, as one vendor patiently explained, “This suggests you only have a 35 percent chance of going a whole 12 months without receiving at least one audit request from a software vendor.” Code red! Take cover! When such claims are taken at face value, who wouldn’t run out and buy one of our best-of-breed software license management solutions?

Gartner, as a leading research institution, understands more than anyone that the figures they release, when judged in a vacuum, can be misleading, if not downright distorted. Here’s why: the “research” is conducted among a biased sample that doesn’t necessarily—and I would argue couldn’t possibly—represent the broad range of American businesses to which the rest of us belong.

1) The study’s participants hail from companies that are generally much larger than the “average” business running commercial software within its walls. Attendees of Gartner’s high price-tag conference tend to be very large enterprises with staggering IT budgets (see figures A and B below from Gartner’s Event Overview), 83% of whom are existing Gartner clients. We simply can’t assume that the experience of these companies can be extrapolated to the wider marketplace.

[Figure: Company Size & Budget]

2) Larger companies, such as those representative of Gartner’s target audience, may be at greater risk of being audited than you or me. If you agree with the conventional wisdom that vendors conduct audits primarily as a means of recovering lost revenue (as opposed to fighting for a more just and righteous world), and if you agree that a ten percent license shortfall at a large enterprise represents a much more significant true-up than an equivalent shortfall at a small company, you would likely conclude—as I have—that larger companies get audited at a higher rate (despite the fact that software vendors strongly deny it).

3) Organizations that have experienced an audit may be more likely to attend Gartner’s conference because they’re committed to cleaning up their licensing practices and avoiding repeat violations. If you buy into this logic, it would stand to reason that sampling this audience would reveal a higher rate of audits than a true cross-section of all businesses.

Unfortunately, neither Gartner’s figures, nor the vendors who exploit them, help you evaluate your own probability of being visited by the BSA—much less assess the likelihood that you’ll get through it unscathed. To understand your own risk profile, you’re better off examining whether the triggers commonly known to increase your risk of an audit apply to you. Here are just a few:

  • Company growth without a corresponding growth in licensed software
  • Organizational change such as a merger or acquisition
  • Outdated license models or contracts (vendors may perform an audit to force customers to sign a newer contract or convert to new license metrics)
  • Shift in hardware platform that may result in compliance issues
  • Disgruntled employee(s) who may file an anonymous piracy report with the BSA or SIIA
  • History of past failed audit(s)
  • ISV knowledge or suspicion that an organization has no software asset management tools and/or processes in place
  • Using Citrix technologies to deliver applications to multiple end-user devices if you’re licensed per seat/machine

The truth is, very little unbiased evidence exists that would suggest, to borrow a term from the recent political debate, an “effective” audit rate, or even that audits are “on the rise”—believe me, I’ve tried to find it. Only the ISVs hold the answer to these questions, and they have little to gain by releasing actual figures. Now, that’s not to say that software vendors are not stepping up their efforts. In fact, I believe they are auditing with more frequency, based on anecdotal reports from our own customers. An analyst recently told me an insider at one of the “Big Three” vendors claimed that for every dollar spent on a software audit, $80 of licensing revenue is generated in return. Why wouldn’t vendors seize this opportunity, especially in light of languishing software budgets over the past several years?

Yet in the midst of all this doom-and-gloom discussion about the probability of getting audited, we continue to ignore the single most important question: What is the probability you would fail an audit if the BSA were to come knocking? I’d love to see Gartner, the BSA, or someone else explore this aspect. Given that companies have little control over their own audit risk profiles, every attempt should be made to focus on the one aspect you do have control over: establishing careful asset management practices and implementing strong technology to ensure you’re in the strongest possible position if and when that fateful day arrives.