Software audits in the Cloud Age

Brian Sommer, June 22, 2015
Software audits are a feature of the IT commercial landscape. Now they're turning up in cloud environments. Brian Sommer has some advice for unwary buyers.

Ask any CIO what one of the least enjoyable aspects of their job is and they will likely tell you it is being audited by a software vendor. Software vendors routinely check in on their licensees to see whether customers have:
  • more users than are authorized on the software
  • moved the applications to more powerful computers or servers

The net result of many software audits is an invoice. Customers will likely end up paying more money to the vendor because of their noncompliant state. Trying to collect more money from software customers is an age-old challenge for vendors. Check out this 1976 demand letter from Bill Gates to hobbyists before he founded Microsoft. Looking back with the benefit of close to 40 years' hindsight, it has to count as one of the more amusing episodes in software history, but one larded with prescient statements about how money is made in software.

On balance, most software customers do not intentionally try to evade the payment for license infractions. Sometimes, well-meaning IT people may temporarily move an application off of a single core server to a quad core server as part of a testing, load balancing, or other initiative. Similarly, a customer may move their production environment to a virtual environment and that may trigger the need for additional licenses. Sometimes, companies still have former employees listed as authorized users when they have not been on the payroll for months or years. Any of these kinds of infractions can trigger an audit and additional monies owed to the vendor. This is a particularly thorny matter in the on-premises world.

No audit for cloud? Not so fast!

The recent SAM Summit in Chicago was instructive especially as it highlighted the changing Software Asset Management (SAM) landscape in light of the cloud software revolution.

But wait – should software asset management actually be an issue in the cloud era? It turns out it is and for reasons I had overlooked.

I thought that because a cloud application software provider was responsible for the hardware, system software, database, etc. that the customer would be far removed from those audit and license issues. For the most part that is correct. However, there were a number of other mechanisms by which customers could run afoul of their cloud software agreement that may trigger additional monies owed. These include:

  • User count exceeded – Look at many cloud application software contracts and you'll see that pricing is often broken down into multiple kinds of users. Customers are often asked to provide user counts for these different categories prior to contracting with the vendor. The only problem is that customers can often make only a best-effort guess at these user counts and may quickly find themselves out of available user seats. The problem is exacerbated when the contracts do not allow third-party implementers, auditors, etc. to access the system without a valid license for them too. Of course, that extra access costs additional money.
  • The use of a third-party product triggers the user count of the original solution to increase – In this scenario a customer agrees to use a given application but subsequently starts to use a companion software product from a third party. The companion product is tightly integrated with the original cloud solution but because of the nuances of the first cloud solution’s contract, the vendor for the original product will demand licenses for all users utilizing the second solution, too. The rationale behind this money grab boils down to one of two arguments.
    • The first vendor may claim that because its data is now being accessed by all of these other users of the third-party application, then these other users are essentially users of the original product.
    • Alternatively, one vendor may claim that because their platform, architecture, or other foundational elements of their solution are being used by the new third-party tool, it is this usage that triggers the requirement for more users. Either way, the customer may get stuck with a big bill.
  • Shadow IT purchases violate a pre-existing IT contract – The democratizing aspect of cloud solutions makes them easy for non-IT workers and executives to purchase. What can happen in a firm is that the proliferation of cloud subscriptions from various IT and non-IT groups creates situations with lost economies of scale, inadvertent software audits, compliance issues, assignment of specific users to the wrong cloud contract, etc. As before, the customer will likely end up paying for the lack of coordination and correct license application.
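Two of the exposures above (seat counts that drift past what was contracted, and accounts that belong to people no longer on the payroll, or to third-party implementers who need their own license) can be caught internally before a vendor audit finds them. The following reconciliation check is an added example, not code from the article or from any vendor's SAM tooling; the seat numbers, account list, roster and the 90-day stale threshold are all constructed for illustration. It compares provisioned accounts per pricing category against the licensed seat count and against the active-staff roster, and shows how many of the excess seats could be reclaimed by cleanup rather than by buying more.

```python
from collections import Counter
from datetime import date

# --- Constructed sample data (not from the article) ---
# Seats licensed per user category in the (hypothetical) cloud contract.
LICENSED_SEATS = {"full": 3, "self_service": 4}

# Accounts actually provisioned in the cloud application, exported from its admin console.
PROVISIONED_ACCOUNTS = [
    {"user": "alice", "category": "full", "last_login": date(2015, 6, 15)},
    {"user": "bob", "category": "full", "last_login": date(2015, 6, 1)},
    {"user": "carol", "category": "full", "last_login": date(2014, 11, 2)},   # dormant
    {"user": "dave", "category": "full", "last_login": date(2015, 6, 10)},    # 4th "full" seat of 3
    {"user": "erin", "category": "self_service", "last_login": date(2015, 5, 20)},
    {"user": "frank", "category": "self_service", "last_login": date(2015, 2, 1)},  # left the company
    {"user": "impl-consultant", "category": "self_service", "last_login": date(2015, 6, 18)},  # third party
]

# Active employees according to HR. Anyone with an account but not on this roster is
# either a departed employee or an external party who needs a license of their own.
ACTIVE_STAFF = {"alice", "bob", "carol", "dave", "erin"}


def reconcile(licensed, accounts, active_staff, today, stale_days=90):
    """Return license findings: over-seat categories, off-roster accounts, dormant
    accounts, and the per-category seat deficit that would remain after cleanup."""
    used = Counter(a["category"] for a in accounts)

    not_on_roster = sorted(a["user"] for a in accounts if a["user"] not in active_staff)
    stale = sorted(
        a["user"] for a in accounts
        if a["user"] in active_staff and (today - a["last_login"]).days > stale_days
    )
    removable = set(not_on_roster) | set(stale)

    # Seats in use beyond what the contract grants, before any cleanup.
    over_seat = {
        cat: used[cat] - licensed.get(cat, 0)
        for cat in used if used[cat] > licensed.get(cat, 0)
    }
    # Seats still short after removing off-roster and dormant accounts; only this
    # remainder actually needs to be bought (or negotiated) from the vendor.
    reclaimable = Counter(a["category"] for a in accounts if a["user"] in removable)
    deficit_after_cleanup = {
        cat: max(0, used[cat] - reclaimable[cat] - licensed.get(cat, 0)) for cat in used
    }

    return {
        "over_seat": over_seat,
        "not_on_roster": not_on_roster,
        "stale": stale,
        "deficit_after_cleanup": deficit_after_cleanup,
    }


if __name__ == "__main__":
    report = reconcile(LICENSED_SEATS, PROVISIONED_ACCOUNTS, ACTIVE_STAFF, date(2015, 6, 22))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it periodically (before a contract renewal is the obvious point) and treat every "not_on_roster" hit as both a licensing question and an access-control one: an account nobody owns is a seat you are paying for and a credential nobody is watching. The "deficit_after_cleanup" figure is the number to take into the vendor conversation; in the sample data the "full" category looks one seat over but needs no new purchase once the dormant account is removed.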

Money grab or genuine concern?

Both speakers and attendees frequently commented on the naked money grab some vendors pursue as a consequence of software audits.

There was much discussion about how software audits are often viewed as a profit center for software companies. Many of the attendees and panelists openly spoke about how they work to understand whether a software vendor is genuinely pursuing a real audit of their usage or whether the audit is a ploy to prospect for additional sales opportunities.

Stated differently, is the software audit designed to protect the vendor from fraud or is it a means to increase revenues?

The software audit should become less commonplace as more of the market moves to the cloud. Providers of cloud solutions and services know exactly how much storage your firm consumes. They know not only which applications you utilize, but even which pieces of code within them are being used. The ability to meter usage of cloud applications exists and will be an integral part of the pricing. That said, the amount of information that cloud providers have has shifted the power balance to them and away from customers.

In the on-premises world, the software audit is an imprecise and imperfect tool. When nothing else changes with the company, except that they have upgraded servers, the logic on why the improved server warrants an increased license fee escapes me. It is as if vendors have no concept of Moore's Law.

The on-premise audit nemesis

On-premises contracts are notorious for only going one direction: UP! Revenue recognition rules make it difficult for vendors to reduce license fees on on-premises solutions but they make the opposite very easy to do. Software buyers of on-premises products need to be far more demanding and aggressive in their contracting efforts with these vendors and eliminate much of this non-value added and expensive activity. The focus of these audits should be on fraud prevention and detection.

This aspect of the software industry has problems. I heard stories of how a vendor’s own support personnel turned on new capabilities for a given customer to resolve a short-term technical problem. The problem was that the support person never turned this back off and the customer got nailed for it during an audit. I heard how vendors unilaterally change contract provisions via click-through licenses or other means. These new terms and conditions can completely un-do the hard fought contract changes that a company initially fought for.

If the firm uses the newer version of the software without undertaking a contract audit, they'll end up owing more money.

My take

More companies need to augment the audit language in their software contracts. The frequency of audits must be agreed to in advance, as must the time permitted to schedule the audit itself. The provisions should detail:

  • exactly who will participate on the audit
  • what sort of events can trigger an audit
  • who pays for the audit
  • whether the vendor’s audit personnel are paid via commission, etc.

Anytime I hear of an auditor that is paid via commission, I smell trouble. Auditors should be professional, independent and fair. Getting a commission to stick it to one party seems anathema to auditing.

Should the vendors have the right to periodically inspect the usage of their solution? Absolutely. But walking the fine line between reasonable and excessive auditing is key, and what software auditing looks like in the cloud era is still being defined.
