
Soft Audits, Hard Consequences: The Danger of Soft Audits


In April 2022, we composed an article titled, “The Weaponization of Software License Audits.” It focused on how software license audits have long been used as a successful, revenue-generating tool for software vendors. Gartner has noted that vendor-driven, revenue-motivated audits are on the rise across all industries and company demographics.

Gartner also noted that the percentage of revenue generated by the software companies when using this technique is increasing dramatically. Publications such as InfoWorld and CIO confirm this trend, emphasizing the increasing frequency and aggressiveness of audits. Software vendors constantly update their audit playbooks to streamline the process and accelerate revenue.

The Fine Print—Understanding Software Audit Rights, on Both Sides of this Brutal Playing Field

As we have consistently emphasized during the last decade, vendors have the right to protect their intellectual property. Vendors also have the right and the fiduciary responsibility to their shareholders to maximize profitability. Patents exist to encourage and reward innovation by granting inventors exclusive rights for a limited time, helping them recoup investments.

The U.S. has one of the strongest legal frameworks globally for protecting intellectual property (IP) rights. This framework has fueled Silicon Valley’s success, enabling fortunes to be built on technological innovations.

To protect that precious IP, software contracts typically include the vendor’s right to perform periodic license compliance audits to ensure that the customers are using the software within the confines prescribed by the letter of the contract. Often, these contracts state that failure to comply with an audit request may result in the customer’s right to use the software being revoked.

It’s also common for contracts to include a non-disclosure agreement (NDA) as part of the audit process, which restricts customers from sharing audit findings, communications, or sometimes even the fact that an audit has even occurred.

To facilitate the process, vendors often require the customer to run proprietary scripts or tools—even if not explicitly required in the contract. More recently, vendors have been encouraging customers to enroll in programs that allow intrusive proprietary audit software to run continuously in the customer’s environment, reporting back to the vendor on usage. The enticement? A “no audit” clause if the customer capitulates and joins the program.

Many of these programs are administered by a vendor’s “trusted partner,” offering a symbolic separation. The data appears to go to the partner, not directly to the vendor—though the real boundaries are often blurry.

The goal of all these efforts is clear: Streamline the audit process and accelerate revenue generation for the vendor.

The Dreaded Software Compliance Audit

Everyone dreads a software audit. One major reason Oracle customers sign unlimited license agreements (ULAs) is the “no audit” clause during the agreement term. Many have renewed their ULAs simply to avoid future audits.

But vendors have found a more subtle, more effective approach. It’s a seemingly polite and non-intimidating method that implies a gentlemanly overture in the most diplomatic manner imaginable: the soft audit.

What Is a Soft Audit, and Is It Actually Soft?

A soft audit (also called a license review, health check, or friendly assessment) is an informal, audit-like process initiated by a software vendor—such as Oracle, Microsoft, or IBM, as well as all the other usual and unusual suspects—without formally invoking the contractual audit clause. “The absence of formality is the real threat of the soft audit,” said Joel Muchmore of the software licensing law firm Beeman & Muchmore. “Because a formal contractual audit announces itself, companies are automatically alerted to the risk. By eschewing formality, soft audits can sneak in through the back door and wreak havoc before the licensee knows what is happening.”

To use a hockey analogy: A soft audit gives the vendor free shots on the net. You’re handing over information without the usual scrutiny. Some call it a submarine audit—because you don’t realize you’re being audited until it’s too late. One wrong answer, and the torpedo is already in the water. We have a never-ending supply of sports metaphors because so many apply.

We will refrain from the more common baseball analogies; at this point that would just seem mean, because it's too easy.
