Software Audits: Strategies for Licensees

by Mintz Levin

Audits Have Become More Common

If you have received a software audit request from your software vendor or one of the industry trade groups representing software publishers, such as the Software & Information Industry Association (“SIIA”) [1] or the Business Software Alliance (“BSA”) [2], you are not alone. Over the past five years, [3] software audits have become an increasingly common revenue-leakage recovery tool for software vendors. According to a survey published in December 2012 [4] by International Data Corporation (“IDC”), [5] 64% of the 334 surveyed enterprises were audited or had a license review over the prior 18 to 24 months, 36% were audited twice in that time period, and 10% were audited more than three times. [6] The surveyed enterprises were most frequently audited by Microsoft (51%), followed by Oracle (27%), IBM (24%), SAP (22%), Adobe (19%), Symantec (12%), and other vendors (24%). Following the software audits, more than half of the survey participants made true-up payments to software vendors of $100,000 and more, while the remaining participants made true-up payments of $300,000 or more. [7] Lastly, the survey showed that almost half of the participants conducted self-audits to assess compliance with software licenses at least once per year, and 25% of participants conducted self-audits more than three times per year. [8]

How to Respond

First and foremost, don’t ignore the audit request! Upon receipt of an audit letter, whether from a software vendor or an industry trade group acting on the software vendor’s behalf, you should promptly engage with legal counsel, your IT manager and internal software management team, and any additional internal manager responsible for the product in your organization to review and understand your rights and obligations with respect to the audit and develop a plan of action. Legal counsel will review the relevant audit provision(s) to determine your contractual rights and obligations with respect to the audit.

It is critical that legal counsel coordinate all audit activities, including issuing requests and, to the greatest extent possible, drafting and reviewing documents and reports as part of a plan in anticipation of litigation so that any applicable work product and attorney/client privileges are maintained. After the scope of the issue is understood, your IT team should conduct an internal assessment of compliance with the software license. If you do not have a quick manner to determine the scope of use, such as through use of a software asset management (“SAM”) system, and the investigation will be time-consuming, contact the vendor and alert them that a review is underway. Following an internal determination of whether or not your organization is in compliance with the license scope, and if not, the level of non-compliance, legal counsel and the vendor relationship manager should engage in communication with the software vendor or industry trade group, as applicable, to discuss and agree on the audit scope and schedule.

After the audit scope and schedule have been agreed to by the parties, the audit will be performed by the software vendor itself, by a third-party audit firm on its behalf, or by representatives of the industry trade group. If the audit is performed by a third party on the vendor’s behalf or by representatives of the industry trade group, the audited organization should negotiate and enter into a non-disclosure agreement with the applicable third party to ensure that any proprietary information revealed to the third party during or in connection with the audit process is kept strictly confidential. The auditor should, of course, have the right to disclose the audit results to their client; however, it is important that the audited organization reserve its right to review and comment on the audit findings before they are presented to the software vendor.

Following completion of the audit, if there is an underpayment, the parties typically negotiate a settlement and the audited organization makes a true-up payment. The parties may disagree about the price that applies to the true-up payment; typically the organization will ask to pay a discounted contract price, if previously negotiated, while the vendor will ask the organization to pay the current list price for the product on the theory that preferential pricing for non-compliance with the license will not have a deterrent effect. Note that industry trade organizations like SIIA and BSA typically work on a contingency-type arrangement, meaning that their fees for conducting the software audit represent a percentage of the amount of the audit settlement. As a result, this type of organization may be more aggressive when conducting a software audit and negotiating the settlement, particularly since, unlike the software vendor, the organization most likely does not have an existing relationship with the audited party that it would be interested in preserving.

Advanced Planning

First, licensees should develop, implement, and maintain internal policies and procedures to enable them to keep track of and comply with their software license agreements and associated deployments on a regular basis (at least annually). Licensees should develop and circulate an enterprise-wide software use policy, monitor compliance, and enforce the policy. In addition, licensees should set up and maintain a SAM process, conduct regular internal audits to assess compliance with the scope of the various software licenses, and have a standard, enterprise-level protocol in place for responding to software audits. Such a protocol is key in making the software audit more streamlined and predictable. As noted above, legal counsel should coordinate all audit activities. The non-legal members of the team should be educated and understand that internal communications exchanged by the team during this process may be discoverable in related litigation and should to the extent permissible coordinate their activities so as to preserve the work product and attorney-client privileges.

Second, negotiate the audit provisions in your software license agreements. While software audit rights are standard in software license agreements, these clauses are negotiable. A well-drafted audit provision will ensure that the scope of the audit is limited to assessing compliance with the license terms and that the overall audit process will be minimally disruptive to the organization. Here are tips on negotiating such provisions:

  1. Attempt to avoid audits altogether by replacing the auditing requirement with an agreement that the licensee will provide a certified compliance report upon request.
  2. Strive to eliminate any ongoing rights of the software vendor to monitor the licensee’s use of the licensed software.
  3. Limit audits to once per year and only during the term of the license agreement.
  4. Limit the audit to the running of a mutually-agreed-upon software audit script.
  5. Limit the audit to only the licensee’s records directly related to use of the software and/or to the systems on which the software is installed.
  6. Ensure that the audit is conducted only during regular business hours to minimize disruption of the licensee’s business operations.
  7. Require that any third parties that may conduct the audit on the licensor’s behalf execute a non-disclosure agreement with the licensee on the licensee’s form prior to conducting the audit.
  8. Provide the licensee the opportunity to review and comment on the audit findings prior to such findings being distributed to the licensor, and on the time period for making a true-up payment to the software vendor following the audit.
  9. Include a provision for equitable settlement of non-compliance, specifying that non-compliance does not constitute infringement of the licensor’s intellectual property rights and that the settlement payment is the exclusive remedy for the non-compliance.

Last, but not least, licensees should consider including in the software license agreement an obligation on the part of the software vendor to maintain records regarding the license fees and reserve the right to audit these records, especially if the software vendor is performing professional services under the license agreement in connection with the licensed software or if the agreement contains a most favored pricing clause.




[3] See “Survey Analysis: Survey Shows Another Increase in Software Vendors Audits; IT Asset Managers Should Prepare Now,” March 2, 2011, available at ID: G00210916. Sixty-one percent of the survey participants indicated that their enterprises were audited by at least one software vendor in 2010, up from 54% in 2009.

[4] See “2012 Key Trends in Software Pricing and Licensing Survey,” 2012, available at, page 38. Forty-five percent of respondents were located in the U.S., 33% were located in Europe, and 7% were located in Australia. In terms of annual revenue, 14% of surveyed enterprises had less than $100 million in revenue, 17% had between $101 million and $999 million in revenue, 23% had between $1 billion and $3 billion in revenue, 31% had $3 billion or more in revenue, and 16% did not disclose their annual revenue.

[6] See “2012 Key Trends in Software Pricing and Licensing Survey,” page 6. Enterprises with more than $1 billion in revenue were most likely to be audited three or more times in the 18 to 24 month period surveyed.

[7] See “2012 Key Trends in Software Pricing and Licensing Survey,” page 39. Fifteen percent of the surveyed enterprises made true-up payments between $1 million and $5 million, 5% made true-up payments between $5 million and $10 million, and 4% made true-up payments of more than $10 million.

[8] See “2012 Key Trends in Software Pricing and Licensing Survey,” page 39. 9% of the surveyed enterprises did not perform self-audits, 42% performed self-audits once a year, 20% performed self-audits twice a year, 3% performed self-audits three times per year, and 25% performed self-audits more than three times per year.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin | Attorney Advertising
