Introduction

Most organisations (corporate and government) use enterprise level software to conduct their business. The use of enterprise level software packages is governed by complex licence agreements that define who can use the software, how they use it, what computer equipment it can be installed on, whether it is based on concurrent or named users, what software it can interface with, amongst possible other terms and conditions.

The penalties for not conforming to the software licence terms and conditions, whether deliberate or inadvertent can be costly. Stories of deliberate and illegal software breaches often make the mainstream media. Cases of accidental or inadvertent non-conformance typically are not so well publicised due to potential embarrassment of the organisation involved.

Enterprise software such as email, typically is one-size-fits-all, and is often licensed on a whole of organisation basis, to keep things simple. Other types of software offer different feature levels for different types of users, and that’s when things can get complex.

Business Intelligence Software

Enterprise level business intelligence and analytics software in particular is one such type of software that can get very complex.

Analytics software sold by the industry leaders such as IBM, SAP, Oracle, SAS and Microsoft typically has multiple levels of functionality, each level with a price to match the provided feature set. For example some users can write a report, others simply receive a report or view a dashboard.

To ensure contractual obligations are honoured, software vendors have the right to conduct audits. They do this to audit their licence revenue and to ensure customers do not understate their entitlements, which is a loss of revenue to the software vendors.

Pitfalls

Unfortunately, many organisations have failed to:

• Fully understand their licensing terms and conditions, and particularly how it relates to the design of their business applications
• Ensure tight integration of user administration processes between their corporate authentication software (e.g. Active Directory), and the specific analytics software
• Effectively manage their users, within their allocated licence category, or their changing roles or currency in the organisation
• Consider the impact on software licences when reconfiguring or upgrading servers
• Configure development and test environments within their agreed entitlement
• Act on wrongly licensed configurations (e.g. too many of one licence type and too few of another).
• Remove unwanted licences that are no longer used but inadvertently still pay annual software support on the licences

Catapult BI’s observation is that the majority of enterprises will experience a licence compliance issue of some form every four years. The majority of these events will be inadvertent. However a number of these breaches will involve significant punitive costs.

The potential downside from a software vendor compliance audit gone wrong is high. A little effort to prevent this happening is time and effort well spent.

How to Prevent a Software Licence Breach

Some of the steps that can be taken to prevent a licence breach include:

• Review and validate in detail the software licence entitlements you have, exactly what they mean, and validate how those have been applied
• Question the vendors about licence definitions in detail and ask clarifying questions where you are not 100% certain, and document these vendor discussions
• Review how your corporate authentication software integrates with the analytics software’s allocation of roles or features. A change in the authentication process might compromise your licence entitlement
• Physically login under each of the defined licence categories and attempt to access other features beyond that which is allowed.
• Schedule regular independent reviews to ensure any authentication practices at the administration, application design and configuration levels are in order. A new set of eyes may discover new issues
• Do a mock software audit to find any holes
• Undertake a review of usage logs to determine what is actually being used and cross check that with your software entitlements
• Ensure your user administration procedures are rigorous: additions, deletions, changes to user licences. Maintain records of this activity and a master record of all allocated licences.
• Use software licence management software to ease the overall administration effort and to the reduce risk of software compliance breaches. This may not help if there is a design flaw in how authentication is configured against your software.

What to do if you do get Caught in an Audit

Catapult BI hopes this never happens to your organisation, but if it does:

• Don’t plead ignorance or admit fault
• Seek expert assistance to validate the vendor’s claim
• Don’t be impulsive (i.e. don’t just pay up and terminate all relationships with the vendor).
• Vendors generally want to maintain a relationship and potential future revenue streams.
• Dangle the carrot in terms of future business. Vendors are willing and expect to negotiate on these matters.
• Undertake your own audit of the software, administration processes and your design/configuration processes.
• Collect as much relevant data to support your case for negotiations, and use an expert advocate to assist vendor negotiations.

There will be assumptions that vendors have made in assessing any breach, and most certainly they will have less data than your organisation to validate the rigour of their claim. Every customer installation will have been configured slightly differently, with different process for administering their installation.

Conclusion

Software audit breaches are uncomfortable events, but they can happen to the innocent and even the diligent. Don’t get caught. Consider a small periodic investment in time and money to ensure you are not exposed.

Catapult BI has expert consultants who can help with your software audit and potential negotiations with business intelligence software vendors. Catapult BI is vendor-neutral.

Visit www.catapultbi.com for more information.