Robin Fry, director, Cerno Professional Services
Large enterprises around the world are facing an increasingly pervasive threat: the major software vendors’ use of contractual audit rights to seek out inadvertent sub-licensing, triggering substantial and unexpected liabilities for their customers.
The exercise of “software license reviews” or “software audits”, including by Oracle, SAP, IBM, Informatica, and Microsoft, has increasingly become a revenue-generating mechanism for these vendors. As large numbers of IT systems migrate to the cloud, with Amazon and Google emerging as market leaders, historically dominant software vendors are urgently looking for additional revenue elsewhere: their existing customer base for on-site software.
The amounts sought – aggregating foregone license fees, upstream support, penalties and audit costs – can be exorbitant: Diageo was found liable in the High Court last year for sub-licensing when it opened up its orders to customers by allowing the use of iPads rather than, as before, just using a call center. SAP’s ‘indirect access’ claim was for more than £58 million.
AB InBev, the world’s largest brewer, has also been hit with another sub-licensing claim by SAP for $600 million. The case was settled in arbitration in New York late last year for an undisclosed amount.
These two claims represent only a tiny visible fraction of a new battleground, with hundreds of companies receiving notification letters stating that they have been “selected” for such a licensing review by one of these major vendors. The customer is directed to the audit provision in the terms of the license and often, at least at this point, to the content of the examination to be performed.
The audit process
Following notification that a review is to be performed, the process then follows a sequence whereby an appointed auditor – usually a large accounting firm such as EY, KPMG, Deloitte or PwC, or, for Oracle, often its own division of license management services – performs technical analysis.
The analysis examines the actual use of the software and compares it to the licensing, establishing an “effective licensing position”; inevitably gaps are exposed. The process can take upwards of three months, with the auditor running scripts on the customer’s IT infrastructure and then searching for all registered uses or installations of the vendor’s proprietary software. There is only one goal: to identify any breaches on which invoices can be issued.
The vendor will then issue an executable quote, with payment required within 30 days. Shortfalls often come from:
- Installation of programs without use: generally, these must always be licensed;
- Use of virtualization (usually VMware), where all processors that could run the programs must all be fully licensed;
- Spurious triggering by the customer of management packs and options that are included (but not ordered) from the moment the basic technology is delivered by the supplier to the customer;
- New remote use – for example, by customers, suppliers or partners using new channels or APIs;
- Robotic use;
- Older software that is shelved but still technically subject to support and maintenance fees (typically 22% of purchase cost per year).
It is almost impossible for a successful company with ever-changing business needs – and therefore ever-changing IT systems – to remain fully compliant with the terms of the license at all times. Suppliers often refer to white papers, policies and website downloads to reinforce opaque and ambiguous language in contracts, invariably to the detriment of the customer. Oracle, for example, derives very substantial revenue from insisting on adherence to its “partitioning policy” despite that policy being declared “for educational purposes only”.
The result: a crippling and potentially embarrassing bill at full list price, with multiple other penalties and costs. This claim will not have been the subject of a provision and may, on occasion, have a significant impact on the financial statements.
Seven key lessons:
- Never assume that a long-standing relationship carries weight: this process is driven independently of your account manager and is simply a substantial revenue generation opportunity mandated at the highest level within the supplier;
- Unless you’ve done such an audit in the last couple of years, do not be complacent: under-licensing (and over-licensing) is largely inevitable, even for the best-run companies;
- Confront these issues ahead of time: commission your own audit by bringing in specialists, then fix any sub-licensing that is exposed;
- If you receive an audit notification letter, delay and prepare;
- Choose to fight each claim: often there are contractual, technical and commercial arguments that together can destabilize and significantly reduce the settlement payments that are demanded;
- In any M&A situation involving an acquisition, immediately commission your own audit to crystallize any (latent) liability and then terminate the vendors under their warranties;
- If you are selling a business, be aware of the possible hidden exposure: it is far better to remedy early and, if necessary, negotiate with the vendor in advance on your terms than to receive a request for compensation of an uncontrolled amount after the sale.
Sub-licensing risks are significant but rarely publicized – often falling between IT, legal, procurement and finance teams. Delay is dangerous given the potential for very high claims that could have been handled sooner.
Never raised by auditors, this is a board issue where the risks are often overlooked by both the audit committee and any separate board risk committee. This is wrong: software sub-licensing is not an ancillary administrative issue, but an issue to be dealt with by the audit committee under the FRC’s UK Corporate Governance Code (July 2018).
Businesses rely heavily on database technology and applications to run their operations. But this dependency means that, if the installed software cannot be easily removed, neither can any corresponding financial liability to the software provider.
Robin Fry is a software licensing attorney and director of Cerno Professional Services, a company specializing in demanding license applications.