Eugene Cho

COVID-19’s Ongoing Impact on Software Audits

Updated: Feb 22


When the Covid-19 crisis forced businesses to shut down, the audit segment of the IT market “pressed pause”. Audits that were slated to begin, or that had started, in the months before the Covid shutdown (Q4 2019 and Q1 2020) were put on hold. In addition, clients who received audit notification letters in March and April used changing business dynamics to postpone them.

In conjunction with this activity, we saw many clients’ small licensing infractions waived. Customers who had impending renewals with a minor use case (that would have placed them out of compliance) got a “pass”; vendors chose to close the renewal and ignore the licensing issues. Also, in lieu of an audit, we saw many clients sign “as is” deals, and others receive a 3- or 6-month extension of the deal with a promise to re-visit sometime in the fall.

[Image: Software Audit: Industry Trends, vendor behavior from initial reaction to current in pandemic]

As software vendors adjusted to the new normal, a V-shaped sales recovery became widely anticipated. Unfortunately, what we’re seeing is a significant lag time before that V-shaped recovery turns into reality. Vendors, much less optimistic about Q3 and Q4 sales than they were back in May and June, have turned to audits to fill revenue gaps.

[Image: Compliance and Remote Workforce, change in IT environment - Micro Focus VPN access and Microsoft Remote Desktop]

One big trend we’re seeing is vendors scrutinizing remote, distributed workforces they believe are rife with compliance infractions. Vendors are comparing how customers license products from a metrics standpoint against how they use them. Meanwhile, customers look at the product from a functionality standpoint, which in their eyes has not changed. What these customers fail to acknowledge is that the use case here is different from this time last year, based on how their resources work in different areas.

When you send everyone home, lots of things change. Say you had three different employees using the same device, working three consecutive eight-hour shifts, at a 24-hour call center. But because those employees, obviously, can't share those devices at their homes, you’ve got triple the device count for the exact same workforce.

So, vendors are checking to make sure that all those new devices have proper licenses. Going hand in hand with this activity, we’re seeing new security measures and networking requirements. There’s been a spike in remote desktop use across more and more customers. Say these workers have a port into a remote desktop instance with their home devices, on their home networks. The vendors say, “Hey, what you're doing is increasing the total scope of functionality, but we assumed that everyone was using our product on the same network at headquarters.” They are now coming after customers for that money, which is what we’re currently seeing from Micro Focus and Microsoft.

Another popular tactic: vendors are repositioning how audits are presented to customers. Because these communications don’t explicitly say “software license review”, they encounter less customer backlash.

We counsel clients that receive any unsolicited program or invitation from a vendor to “check on your environment” to view these offers as a Trojan horse for an audit. They are also effectively serving as a revenue accelerator for the vendor: instead of a $50 million audit every five years, they are trying to squeeze out $4 million quarterly, while ballooning your ongoing run rate.

SAP “health checks” are a good example of this activity. The program measures how customers use SAP’s products with a new set of metrics and an eye towards indirect access. These new metrics and usage cases pretty much guarantee noncompliance findings.

[Image: IBM Authorized SAM Provider Program (IASP) Risk, 12 times increase in Audits, license reviews]

IBM likewise is rolling out its IBM Authorized SAM Partner (IASP) program, which is basically a constant audit: instead of IBM checking on your use every three to five years, and using the audit as a hammer to force a new deal, this program lets IBM come in and examine your environment every quarter for a true-up. This is like Microsoft’s annual true-up program, where you report your usage of licenses, and if there's a gap between your deployment and entitlements, you purchase the needed extras and you're good to go.

Another trend: the pandemic has also accelerated the movement away from perpetual licensing to subscription-only. This move does not mean customers need not worry about compliance on their subscriptions, however.

[Image: SaaS Vendors enforcing license compliance, Microsoft O365 first audit run, ServiceNow compliance notice]

Our team at ClearEdge recently saw our first-ever Microsoft audit on Office 365, a cloud-based offering of Office. This client ended up with over $1 million in findings and had to wrap that amount into a new deal.

ServiceNow is coming after customers, too. One client recently received an audit letter stating they exceeded their licensed node usage. Typically, customers have a certain number of nodes, or endpoints, or gigabytes, or other capacity measurement that the metered licensed users can access. For example, they might have 1,000 users with access to 20 servers. Now, they might still only have 1,000 people using the licenses, but recently had to install 30 new servers that those 1,000 people are accessing.

We urge clients to read the whole vendor contract carefully and try to understand all the moving parts. Do not assume SaaS means that your governance obligations go away just because the vendor's hosting the solution.

For example, some vendors licensing products on a per user metric will now tell you it's per user concurrently, or per user within geographical restrictions. Say you are a customer with headquarters in multiple geographic locations with 500 licenses for Salesforce. These licenses may be restricted for use only in the Americas, for example, or another specific location. We cannot overstate how important it is to know your rights.

In conclusion, we are seeing software auditors creating new and faster ways to generate revenue from clients by moving the goalposts, and the Covid-19 crisis has only increased the pace of this activity. Look for more of the same in the months ahead. To learn more about compliance “gotchas”, find resources on our website here, or contact a member of the ClearEdge Compliance team.

Eugene Cho is a Principal Analyst at ClearEdge.

This blog post was inspired by the webinar about the continuing impact of COVID-19 on IT spending. You can access the full recording of this webinar below. To learn more about SAP audits, stay tuned for part four of this series or contact a member of the ClearEdge Compliance team.