Who can audit?

I posted the question on Twitter the other day: “How does the SPA have the authority to audit software license use?  In thousands of licenses I’ve never given them that right.”

I was looking for some insight that I might have missed.  In the world of contracts, your license actually will specifically state who has the ability to audit your license usage (if they have the right at all).  And in the world of law, the term “standing” is used to show who actually is allowed to raise a particular issue (via the courts, etc).  So the SPA/BSA/SIIA (SIIA is their current incarnation) (or any other third-party “enforcer”) wouldn’t have the legal right to ever come in and audit your software license use unless there’s language in the license that allows for such audit.

Even general audit language is probably enough to prevent the SIIA from knocking on your door one day.  Typical audit provisions include:

  • explanation of who can come to audit (it usually says that the vendor has the right to audit)
  • time-frame of any audits (I typically am very clear to limit audits to 1 time per calendar year)
  • notice for audits (even bad audit language usually says that the vendor has to notify the licensee of the intent for an audit)
  • who besides the vendor can come audit (if 3rd parties are allowed, I limit to a “big-four” accounting firm and have NEVER been challenged on this limit)

The result is that even with not-so-favorable audit language, I simply don’t see how the SIIA has any right to come and perform an audit, let alone try to sue a licensee for license violations (again, any license that has “no third-party beneficiary” language in it could be used to very clearly show that the SIIA doesn’t have any rights with respect to the license).

Additionally, it’s been suggested that there are two other routes to allow such an audit: the “source” (the licensee’s employee who reports a violation) and the potential for an assignment of audit rights.  As for the source person, unless they’re also the person in the company who can allow someone to come in, that individual probably doesn’t have internal authorization to allow the audit to happen – so I find this unlikely.  The assignment of audit rights potential does exist, and contracts that have poor assignment language could potentially allow the vendor to assign their rights to someone else (and, in fact, it appears that the SIIA attempts to use an assignment of rights in this manner).  So it’s conceivable, but I’ve never seen the language used in that way.

At the end of the day, the lesson is this:

  1. Have strong audit language which clearly states who can perform the audit, on what time basis they can audit and what the results would mean (ie: usually you don’t have to pay any form of penalty unless usage exceeds 10% of the licensed quantity – but you’ll always have to pay for the difference in usage).  Include notice provisions and be very clear about whether the vendor can outsource their auditing… many will use large auditors, which is fine, but you don’t want Andy’s Audit Shack to be performing the audit.  Lastly, if you’re maintaining any kind of uber-confidential information (like SSNs, bank account numbers, etc), then I would also be clear about what kinds of auditing tools can be used to complete the audit, as many vendors like to install their own auditing software onto your network.
  2. Have clear assignment language which prevents EITHER party from assigning the agreement without the other party’s consent (not to be unreasonably withheld, if you so choose): “Neither party may assign or otherwise transfer this Agreement or any of the rights hereunder, without the prior written consent of the other, which consent will not be unreasonably withheld or delayed.”

OK – so you’ve done the prior two things and the SIIA comes knocking (physically or with a letter requesting/demanding an audit).  What do you do?  Simple.  Deny them access – in writing.  They’ll threaten, similar to the Big Bad Wolf, to huff and puff and to blow your house down.  But if you’ve got things properly documented, the SIIA simply doesn’t have the legal right to audit.  It doesn’t matter whether the vendor they’re supposedly auditing for is a SIIA member.  It doesn’t matter if they claim to have permission.  (Oh, and interestingly enough, if they name names and tell you which vendor sent them to you, I would check your license agreement with that vendor because many vendors like to include confidentiality restrictions which prohibit either party from even identifying the other.)

Now, regardless of everything I’ve just told you, I also firmly believe that you should always be 100% compliant with your contractual obligations.  So use some form of license management tool to know that you’re only using what you’re licensed to use.


Audit Surcharge

Sherry Gordon (no relation) over at Spend Matters wrote yesterday on the topic of suppliers charging customers for the privilege of auditing.  No, we’re not talking about just covering the costs of the audit itself, we’re talking about a surcharge on top of the auditing costs – a fee to the supplier for the burden of auditing.  Ms. Gordon’s article was focused around a survey in the biotech/pharma industry which provided some interesting (but barely statistically significant) insights into auditing and whether customers would entertain the thought of paying a surcharge.

Once again, however, a lot of this issue can come down to a well-worded contract that spells out the costs, frequency and burden of the audit.  My template language typically says that the party requesting the audit has to pay for it (unless a major discrepancy is found – especially around license usage), and that the audit has to be performed after prior written notice (usually more than 10-15 business days in advance) and at a time that’s mutually convenient.  I suppose the “mutually convenient” language could allow for some wiggle room – some of the survey respondents said that they had received push back to audits in the form of delays, with suppliers saying that all slots for the year had been taken.  But generally speaking, this overall language should prevent the supplier from charging you for the privilege.

Another interesting wrinkle noted by Ms. Gordon’s other referenced article is the practice of a supplier offering an existing audit up at a cost to the other party.  Actually, this is probably not such a bad idea – again, as long as you discuss the practice beforehand and work out a few points for clarification.  These points would include the cost of the purchased audit, the name/quality level of the auditing firm, and responsibility for failures of audited processes/procedures/etc because the selected auditor wasn’t as good as hoped.  In other words, paying a fee to have access to an audit already completed isn’t a bad idea.  It saves time and should be EXTREMELY cost effective (ie: I would ask them how many customers they have that will get the audit report – ‘x’ … and then offer them 1/x of the actual cost of the audit).  But my real concern is that they would use Joe’s Auditing Shack to perform the audit – and that the quality wouldn’t even be worth the 1/x cost.

Oh, and just in case you were wondering… I would still want to know what any customer was going to do with an audit finding.  In many more cases than I would like, it ends up being treated like source code escrow or annual financial reports – an insurance policy that has no actual value and isn’t even reviewed by anyone on the requesting side.

Customer Audits of Your Contracts

I was recently asked whether I would ever allow a customer to audit my contracts.  The simple answer is No!

Of course, the original question wasn’t this simple.  The person asking the question had some interesting constraints.  Specifically, they were licensing software on an exclusive basis, with exclusivity carved out by geographic region.  So a prospective customer wanted to review the vendor’s contracts to make sure that they weren’t getting into an overlap situation.  My answer was still No!

First, contracts are, even at a fundamental level, based on trust and honesty, and not based on a lack thereof.  If you don’t trust the person you’re contracting with, the contract isn’t going to help you too much.  In other words, you can’t contract trust.  It just doesn’t work that way.  So if the vendor in this situation was going to be dishonest in overlapping exclusivities, what would make the customer think that they would allow the customer to actually audit all of the agreements?  A dishonest vendor would simply hide a portion of the contracts that they didn’t want discovered.

Second, with minor exception (such as during due diligence in an M&A transaction), I would never allow anyone to review my contract files.  There’s too much confidential information – and general poking around to see what’s in them isn’t a narrow enough reason to go looking.  In fact, even if the looking was just at license grant language, I still think you’re potentially revealing too much information (exclusivities for geographic regions aren’t the only way to restrict licenses and perhaps you also license based on user counts – allowing others to see the full license grant can give them a sense of pricing, perhaps).

Third, there’s a better way to handle the situation:  provide a warranty and a specific remedy for breach of this particular warranty.  Warrant that you are providing an exclusive license in exchange for specific consideration (probably money, but perhaps something else).  If you (vendor) breach this warranty, the sole and exclusive remedy could be the repayment of the specific amount of consideration provided for the exclusivity.  So, imagine a situation where you license exclusively by country (perhaps your product handles some sort of sales-related transactions).  In exchange for an exclusive license, the customer pays you an extra $1,000,000 in license fees, and this also adds into the annual maintenance costs.  If you later decide to break a previously-licensed country into smaller bits, you simply would have to pay back the $1M plus the accrued/paid maintenance fees for the breach.

Now, this sounds like it may provide you with license to later break the agreement.  No, I’m not suggesting that.  I am, however, suggesting that you promise not to, and that you agree to a specific penalty for doing so.

Delay in Acting

Frank Scavo over at the Enterprise System Spectator noted an interesting situation brewing between Vaughan & Bushnell and Infor (the latest incarnation of a company originally called SSA Global), first reported in Network World.

The situation isn’t uncommon.  V&B licensed software from SSA in 1987.  That same year, it received an upgrade of the product.  V&B had the software installed on a specific IBM minicomputer and, through the years, upgraded the hardware.  V&B alleges that their license allowed them to do so without paying any upgrade fees (for those playing at home, some software vendors tie the software to the specific hardware used to run it).  Now Infor is claiming that V&B owes upgrade fees for the change in hardware.

I’m about 90% sure that V&B is going to win this one.  Let’s discuss why.

First are the slam-dunk defenses to an increase in fees:

  • if V&B has a license agreement that doesn’t tie the software to the specific hardware; or
  • if V&B has a license agreement that ties the software to the hardware but states that changes to the hardware are OK.

Second are the next-best defenses (so, even if V&B should’ve paid the upgrade fee in 1993):

  • Waiver: Infor didn’t respond to V&B’s failure to pay – counts as a waiver of their intent to be paid; and/or
  • Statute of Limitations:  Infor probably had a set amount of time (set by state law or in the contract – usually no more than 3 years) to file a claim to obtain payment.

So this is why I’m 90% sure that V&B is going to be successful.  Even if they owed the money as a result of the upgrade, Infor has both waived the payment through inaction and passed any time limits which would have allowed them to take action to collect.

Lesson?  Draft your contracts carefully – and if you’re the vendor, do regular audits and follow up appropriately.

Do the Unthinkable

In the movie version of negotiation, Party A makes an offer, Party B makes a counter offer (rejecting the first offer). The first set of offers are the extremes, say for example, really low for Party A and really high for Party B. Then, through a series of back and forth discussions, each party slowly moves towards the other in measured, predictable steps. Finally, there’s some huge heroic leap made by one party to accept the other’s “final offer” to successfully conclude the negotiation – both parties smiling as they walk away from the table, arms around each other, glad that they were able to come to terms.

The reality is a little more tricky – and a lot less “clean” in terms of where offers come in relative to what their opponent has proposed. It’s hard work to predict the future, even if you’ve done all of the Information Gathering and Strategic Thinking in the world. And when you have a feeling that you’re really far apart from the start, it can even be worse. So, I’m going to suggest a tactic that you may have considered but never used – one designed to help bridge the initial gap to get both sides thinking about “real” numbers (while I’m a huge fan of negotiating the language of a contract and spend a lot of time doing it, this is really a tactic regarding money).

Let’s set up the problem. First, we have two parties; Buyer and Seller. Buyer wants to potentially purchase a set quantity of licenses. Seller, of course, wants to sell Buyer a much larger quantity of licenses. Thus, there will be two numbers that factor into how much the Buyer pays the Seller: the number of licenses and the cost per license. Buyer believes that they need X quantity of product at Y cost per item. Seller thinks it’s M quantity of product at N cost per item.

To get the negotiation started, Buyer could do one of two things: make an initial offer, or request the Seller to make an initial offer. Most negotiators suggest that you always let the other side go first. In this case, it might be better for the Buyer to go first based on the strategy I’m going to propose. So the Buyer needs to come up with the first offer. Lowballing (or coming up with a ridiculously low offer) isn’t the goal in this strategy. Rather, come up with a “reasonable” offer – one that is based on logic and some consideration to the other party’s beliefs. In our problem, this would mean calculating a dollar value based, perhaps, upon the X quantity but somewhere closer to the N cost. In other words, you already concede a point. (This, by the way, would initially have the appearance of a win-win strategy. In fact, it has the side-effect of testing to see if the other side is going to play that way, too.) So the Buyer’s first offer is $P (X times N).

$P isn’t a great first offer from the Seller’s perspective. In this particular example, the quantity numbers are where the “real” action is – so the Seller is most likely going to respond with a calculated offer based on the M quantity (regardless of the cost per item). And, in fact, the Seller even thinks that the cost per item is probably too low, too, as it’s based on some discounted amount, not the current retail cost of the item. So from the Seller’s perspective, they have a few choices:

  1. They can accept the offer.
  2. They can counter with a new calculation by using M times N (their preferred numbers).
  3. They can counter with some other combination of quantity/cost with numbers between X – M and Y – N.

Or they can try to gain leverage and choose option 4: They can try to highball (take their preferred quantity M times the retail cost). This would create their highest calculable dollar amount and is probably an order of magnitude (add a zero) higher than the M times N number. Remember when I was talking about win-win? If the Seller believes that the Buyer’s first offer was completely unreasonable, there’s a good likelihood that they’re going to respond in kind – and this is the flip-side of that coin. If, however, the Seller believes that the Buyer’s first offer was made in good faith, they’ll most likely start with M times N.

So as a negotiator who is properly doing Strategic Thinking, you’re hoping that M times N is the Seller’s highest choice. But what if they come back with M times 10N? How do you respond? You do the unthinkable and LOWER your next offer.

Yeah, you heard me. LOWER it. Your next offer will be X times Y (your preferred numbers from both categories).

But wait! you say. Isn’t that being unethical? uncooperative? unproductive?

No. It’s not any of those things. As I said before, you tried acting in a win-win model. You calculated your price based on part of your preferred position and part of your opponent’s (based on a reasonable estimation of what that position would be). You presented an offer that, while lower than what the other side would want, was reasonably calculated. But the response you got back was not. Thus, to reset expectations and bust through the unreasonable highball offer, you have to lower your current offer to your best-case position.

The likely result is that the other side will panic. It’s quite rare for a second offer to go DOWN. They’ll accuse you of being uncooperative and unreasonable. They might even say that you’re not operating in good faith (ignore the comment). But a highball offer is a ploy, just as much as your actions are tactics (for a discussion on ploys versus tactics, see The VMO-Blog). You simply need a way to get to the real numbers and doing the unthinkable will help.

Case Study: Audit

[We’re going to try something new today. If you’ve done a case study before, you’ll recognize the format… if not, it’s not rocket science. The following is a story about a completely fabricated (but possible) situation. There is no end. It’s up to you to evaluate and make suggestions. In other words, what would you do based only on the information in the story?]

Acme Corporation received the audit letter in July. The notice informed them that their vendor, WidgetWorks, was invoking the audit provisions of their agreement and that they would be contacted in a few days by an outside auditing firm to schedule the audit. The recipient at Acme sent the notice to their contracting group, who reviewed the notice and waited for the auditing firm’s call.

During the review of the notice, Acme assembled all of its documentation regarding the WidgetWorks products installed at Acme. They pulled records from contracting, purchasing, IT and accounts payable. In essence, they performed their own mini-audit in preparation for what WidgetWorks might discover.

Meanwhile, Acme’s contracting team unsuccessfully attempted to find copies of any agreements with WidgetWorks. Curious, the contracting team worked with IT to investigate the possibility of a click-through agreement during the WidgetWorks installation process. Sure enough, one existed, but it didn’t contain any “audit rights” language. After several internal discussions, it was decided that without contractual language allowing an audit, Acme would not comply with the request.

As might be expected, WidgetWorks wasn’t thrilled to hear that Acme didn’t want to allow the audit. Through a phone call between WidgetWorks and Acme it came to light that Acme actually licensed multiple versions of the WidgetWorks product. The older versions (which Acme was using) did not, in fact, have the audit language. However, the newer versions (which Acme had purchased but was not using), did contain audit language.

Acme suggested to WidgetWorks that if they would like to limit the scope of their audit to auditing usage of the newer versions, Acme would be willing to comply. WidgetWorks kindly refused.

OK… what should Acme and/or WidgetWorks do?