This is the fourth and final installment in our series on software licensing audit preparedness and software asset management (SAM). Our first article focused on preparing for an audit and the importance of being very well documented and organized. The second dug a bit deeper, exploring what Microsoft® looks for in an audit, or “Software Asset Management Review,” as MS prefers to call it. In the third we discussed what to do if your review reveals unfavorable results and also provided examples of inaccuracies we (Emerset) have discovered following an audit.
It’s important to take proactive software asset management very seriously. Whether a company does so because it recognizes the legal, financial, and operational stakes or simply out of fear of an audit, the importance of SAM discipline should never be underestimated.
Since it’s impossible to manage software licenses without evaluating the hardware on which the software runs, an effective SAM discipline becomes an integral part of an overall IT Asset Management (ITAM) strategy. IT Asset Management impacts more than just legal and financial issues. It also addresses lifecycle management, maintenance, security, risk mitigation, and other critical business functions.
International Organization for Standardization (ISO)
In 2003, the International Organization for Standardization began developing best practices for software asset management programs. These standards have evolved in recent years, and today there are scalable standards and best practices which may be applied to companies of all sizes.
Another benefit resulting from ISO® standardization is Software ID Tags (SWID). The use of SWID tags enables a degree of automation when performing software inventory.
Microsoft® Assessment and Planning Toolkit (MAP)
As we have noted, it is unlikely a company will ever be able to rely solely upon automation tools to conduct an accurate licensing or software inventory. Microsoft® offers a free Assessment and Planning Toolkit (MAP) which takes advantage of SWID technology. The MAP Toolkit is quite effective in determining software installed on-premises and can be a good starting point for a software inventory, but it will not provide a comprehensive list of devices or users who may access on-premises systems. Even Microsoft® acknowledges the limitations of the MAP Toolkit:
“The Software Usage reports should be used as a baseline for CAL usage analysis rather than as an authoritative summary of software usage. Due to the wide variety of ways that software can be deployed and inventoried in your environment, the Software Usage Tracker cannot always produce accurate counts of server software and access to that software. These reports are for informational purposes only and should not be used as the sole source of information for determining software license usage compliance.”
How to Approach SAM
Whether a company is being audited or is beginning or improving a SAM discipline, the best place to start is usually by taking inventory of all software installed on company assets (including virtual instances). Next, the company must identify every person and device that accesses company assets that are running the software. Once it has an accurate inventory of software, devices, and users, the company must perform a similar inventory of licenses and CALs. The license inventory may include VL Agreements, product keys, OEM licenses, FPP, COAs, upgrade entitlements, and any applicable purchase records. Comparing the two inventories may reveal instances where systems have been retired or repurposed and the software may be eligible for use elsewhere. It may also reveal instances where the company has insufficient licenses, or opportunities for more efficient or cost-effective licensing. If the assessment reveals license shortages, the company must purchase appropriate licenses to become compliant.
An important and often overlooked aspect of SAM is to educate employees and users. Many (most) users rely upon IT to ensure compliance, but the users may not know (or adhere to) their rights with devices which are not controlled by the IT department. This is particularly true with BYOD and the MS Home Use Program.
As we said earlier in our series on audits, Microsoft® doesn’t necessarily suspect or accuse companies of being non-compliant, but it does expect them to pay for all software they use or install. MS has implemented a policy whereby it requests an assessment from its VL customers at least once every three years. This request is often communicated via e-mail, and the customer is tasked with performing the self-audit, so there is literally no cost to Microsoft®. The entire cost and burden lies with the customer. Alternatively, if MS wishes to exercise its right to an onsite audit, the audit will be performed at Microsoft®’s expense unless it reveals a five percent or greater deficiency in the number of required licenses, in which case the offending customer must pay for the audit in addition to the license shortages.
Despite all the warnings and even the knowledge that MS will most likely request at least a self-assessment, some companies still fail to implement SAM policies. This may be a result of many factors, but it’s important to remember that using unauthorized software is considered piracy and is treated as such by the courts. Falsifying a self-assessment or pleading ignorance is not likely to help one’s case, and the media attention if a piracy case goes to court could be more damaging than the penalty paid to rectify it.
The Software Alliance
If a company knowingly or unknowingly defies the terms of its software licenses and the threat of an audit by Microsoft® isn’t enough to motivate it to implement appropriate SAM discipline, perhaps the Business Software Alliance (BSA) will be. The BSA (aka The Software Alliance) is a consortium of many of the world’s largest software companies whose objective is to reduce software copyright infringement. It is well funded by member companies and by the settlements it wins against offending companies. A primary way in which the BSA learns of piracy is via disgruntled employees. The BSA has run campaigns such as “Bust Your Boss!”, which stated:
“Is your current or former employer using pirated software in their office? Hit ’em where it really hurts – report their illegal software use today.”
The BSA offers rewards of up to USD$1,000,000 for tips that lead to a settlement. Even for relatively minor violations, the potential reward payment can be up to $5000 for settlements as small as $15,000.
If an employee or someone with information about a violation files a report with the BSA, they may have much more incriminating evidence than a typical audit would reveal. While most BSA settlements occur without formal legal action, evidence of knowingly using software without proper licenses will make it much more difficult for the offending company to negotiate.
This series of articles has been intended to alert readers, particularly Microsoft® Volume Licensing customers, to the likelihood of software audits. We discussed how to prepare, what to expect, how to mitigate, and the potential consequences of failing to comply with the terms of software licenses. Software is unique in that it can be replicated without requiring tangible elements. It is often governed by complex rules for usage. Finally, some form of software is typically used by just about everyone in an organization, resulting in a decentralized ability to control its use. Software represents a significant financial investment for most, and few companies could function without it. It is our hope that companies will proactively implement an appropriate Software Asset Management program, regardless of how large or small the company may be. This isn’t something to be done only when it’s convenient, nor should a company wait for an audit to begin. Depending upon the size of the organization, it may require dedicated resources and possibly guidance from third-party experts.
For further information or to discuss your specific situation, please contact us at http://emerset.com/contact.