The Other Type of Tech Audit You Need to Worry About
GDPR has a lot of organizations worried about what might happen if the EU takes notice of them. It’s not the only audit-related headache out there, however—major software vendors like Microsoft, SAP, and Oracle have recently been on the lookout for firms that aren’t properly licensed to use their products. Here’s what you should know.
This week, organizations far and wide are stressing quite a bit about the General Data Protection Regulation, which we’ve written about many times over here at Associations Now, including an overview of how associations have been preparing for the May 25 compliance deadline and a report last week on how the regulation may improve trust between organizations and their constituents.
GDPR, the European Union’s big play to protect the private information of EU residents, is a messy reminder of the dance that compliance and technology do with one another at the corporate level.
But it’s not the only reminder out there. In fact, IT departments can face numerous other kinds of compliance headaches related to their asset management structure, including from the companies that supply them or their vendors with software—whether directly or indirectly.
In recent years, large companies such as Oracle and SAP have increasingly turned their businesses toward licensing audits, with the goal of squeezing a little more revenue out of clients that can afford to pay.
These audits have been both costly and controversial. According to a 2016 InfoWorld article, the candy maker Mars, Inc., faced an in-depth software audit at the hands of Oracle. The saga led to 233,089 pages of documentation and a court battle between the two companies. Mars eventually agreed to an out-of-court settlement.
For other big tech companies, the audit approach has created public relations problems. Last year, Microsoft compliance guru Patama Chantaruck had to write a blog post defending the firm’s software asset management program as not being the same thing as an audit.
SAP, meanwhile, launched a Licensing Transparency Center last fall, in the wake of negative headlines around its software audit battle with the alcohol giant Diageo. A British court found that SAP’s indirect licensing rules were legal—meaning that, at least in the UK, it can legally charge money for indirect uses of its software.
(Diageo is only one of SAP’s recent targets. Anheuser-Busch InBev recently settled a $600 million lawsuit filed by SAP.)
We could argue all week about whether software auditing rules are fair or represent bad PR. But they’re out there, and for organizations that use complex business software, it can be a real shock to the system to get notified of an upcoming audit.
But for the software industry, there’s a case to be made that companies leave significant amounts of money on the table if they fail to act against improper use of their products. A 2016 study from BSA: The Software Alliance found that nearly 40 percent of software installed on machines globally wasn’t properly licensed. Part of the problem was a lack of control over so-called “shadow IT.”
Most associations don’t have operations on the scale of the companies that make M&Ms and Bud Light, but many nonetheless rely on enterprise software that often gets quite complex down the line. A few considerations for IT departments looking to get a better grasp on licensing questions:
The cloud’s complications. Recently, Amazon Web Services CEO Andy Jassy showed up on CNBC and effectively admitted that AWS is building database solutions designed to let companies get past complex licensing structures. “I think over the last few decades it’s been a rough place for enterprises because they’ve had to contend with the old-guard database providers like Oracle that are expensive, very high lock-in, and also they constantly audit their customers and fine them if they find something,” Jassy said. His point highlights an Achilles heel of cloud computing in the enterprise space: Infrastructure changes, such as those from servers to cloud, can introduce new licensing headaches due to the way contracts are written. When building out your infrastructure, be aware of how existing contracts can complicate these moves.
The open-source factor. A couple of pieces of software commonly used by associations that are unlikely to ever be subject to a software audit are WordPress and Drupal. The reason is that the content-management platforms are open-source, and as a result, they both are free to use and made of software that’s free of any licensing surprises. Not every piece of software out there can promise that. However, be mindful of those open-source licenses as well: If you create a commercial product that integrates open-source software, the rules can change. You may have to pay for that right or release any changes you’ve made to the code under the same license. Do your research.
The vendor equation. With big companies like SAP going after indirect licensing as well as more traditional kinds of access, you can run into a hornet’s nest around the many hands that touch your technology, including through your vendors. It’s a good idea to have a general awareness of what’s in your vendors’ software stack, particularly whether they rely on proprietary rather than open-source software. It could help prevent some headaches down the road.
Some commentators are optimistic that we’ll see changes in this model, which feels consumer-hostile. Computerworld contributor Daryl Ullman, for example, recently wondered whether downloading SaaS applications directly from the vendor could help make licenses easier to track.
But consider this a reminder that the software licensing issue is out there and you have to think about it. Better now than when you’re getting audited.