Updated: Aug 23, 2021
Software Asset Management (SAM) is a big, unwieldy topic, but I’m going to focus on the software publishers whose audits present the greatest risk to customers. Audits are a central component of supplier sales strategies: they are used to drive revenue, gain visibility into product use, and push organizations to adopt new products or cloud solutions as a way to address compliance issues. Because most audits are quietly resolved, there is no official, reliable list of who audits the most; the following list is based on my work here at ClearEdge Partners and as a former professional auditor.
We advise clients to target their SAM programs on the top-tier publishers – Microsoft, Oracle, SAP, IBM, Micro Focus, Quest, OpenText – which is where about 80% of your financial risk lies. These vendors are the most likely to audit, the most difficult to work with, and consistently extract the most revenue from their audits. If you’re wondering why OpenText is on my list: we’ve recently been hearing from a lot of OpenText customers who are in a world of audit pain, which is why I put them on my top-tier list.
Bear in mind that auditors are measured on the revenue they generate in findings. In my previous life as a Microsoft auditor, my team’s ROI was 27 to 1, meaning for every $1 we were paid, we generated $27 in audit findings. Other publishers have lower ranges – a ten to one return is average – but the point remains: audits are a lucrative source of income for software publishers.
Many clients can be quite naïve when it comes to SAM programs. They think that if they load everything into Flexera or SNOW, they’re doing software asset management. The problem is that these tools fall far short of counting everything, yet, based on the tool vendors’ claims, they often create a false (and dangerous) sense of security for customers.
But let’s get back to the top individual publishers and where their audits tend to reap the most findings.
Top Software Auditors
Common Oracle Audit Struggles
In Oracle audits, the biggest source of findings is the use of VMware – the industry’s most popular virtualization product. Oracle maintains that VMware does not have the technical capability to truly limit its virtualization software, and Oracle has a licensing restriction against it. So, if you’re an Oracle customer and use VMware, Oracle is going to make you license every place that the software could potentially move to – and this results in some astronomical audit claims.
Common IBM Audit Struggles
In IBM audits, the biggest problem area is the ILMT requirement. ILMT is IBM’s software that tracks their products, and contractually you must install it and report on it. Customers generally do not like this tool, because it’s so clunky and unreliable, but you have to use it, or they’ll make you pay.
Common Microsoft Audit Struggles
Microsoft audits tend to find the most transgressions around SQL Server use. This is the most expensive Microsoft product, and it's the most difficult to manage because it’s gone through countless changes over the years. Every release of SQL Server has seen a change in rules, from what you can do in the virtual environment, to processor-based licensing changing to core-based licensing, then there's user-based licensing, user counts, device counts – and all the exceptions. They have exceptions for fail-over and exceptions for development, they have cloud-based licensing… the risks are nearly endless.
Common Micro Focus Audit Struggles
Moving on to Micro Focus: it’s tough to pick just one area of risk to focus on, but if I must, it’s the compliance challenges associated with the HPE products they acquired, including LoadRunner, and their geographic restrictions. You’ve really got to look at the contract language and where you deploy these products because you can’t use some outside of country or outside of state, or outside of your headquarters’ address, or another location like a campus, department or even a specific room number. Now imagine you’ve moved to a different room with your site license, and you’re unaware that you’re obliged to pay a geographic reload relocation fee. You will be penalized for this in an audit.
Most customers never examine this language, or forget that they’ve moved locations with the product, which is in breach of the contract. When audited, these customers get slapped with fees and penalties for this very common finding.
Common Quest Audit Struggles
Next up is Quest; I picked three areas of pain because I couldn't help myself.
Firstly, Quest doesn't like to give out trial software, so they have contract restrictions where you can download trials, but you’re only allowed to use a few, and customers often exceed the limit and get into trouble. I actually have a client who became banned from Quest trials.
Another problem with Quest is pirated keys. Often, when they find one of these pirated keys installed in your environment, it's registered to a different company. Maybe it’s registered to Wal-Mart or Amazon or somebody else, and it somehow shows up in your installation base. The best way to avoid this situation is to avoid running Quest audit scripts in an audit because those pirated keys are not identified by SAM tools. The SAM tool market is just not sophisticated enough to know how to do that.
Citrix is the last area of focus. Say you’re a Citrix user and you install a Quest product such as Quest Toad. When you put it in a Citrix environment, a lot of other people in other locations affiliated with you can connect and use it. This means you’ve probably breached your Quest contract.
Common SAP Audit Struggles
The biggest source of pain in SAP audits is Indirect Access, because it’s so difficult to count users. There are so many additional users indirectly connecting to SAP, and these might appear as one account when, in reality, it’s a thousand users. Maybe they first connected into Salesforce, and then Salesforce connected into SAP, so you have this daisy chain of connections. People often miss this, and suddenly find that they have a thousand users that need SAP licenses. The vendor now offers a new digital access licensing model that specifically addresses this common problem.
Common OpenText Audit Struggles
Lastly, there’s OpenText. Their audit behavior seems over-the-top aggressive, so I don’t think they care about maintaining a long-term relationship with customers. This vendor has perfected the art of contract refinement, which means that every time they release a contract, they add more language that will help them nail you in an audit.
Furthermore, they have a tendency to count users twice – this is quite common. They might count disabled users. They may count users who’ve left the company. The contract says duplicate users must be licensed. Even if the users left the company, if the account remains, it must be licensed. So be forewarned: disabled accounts must be licensed unless you purge them from your system. It’s essential to do a thorough clean-up and removal before an audit with this vendor.
This vendor is also very aggressive and litigious about audit settlements. One client who disagreed with the findings and penalties held out to the final hour before settling, at which point OpenText issued a “Cease and Desist” order to remove all access to their software within ten days. In other words, they play hardball.
This is just a brief look at the toughest vendors to defend against before, during and after a software audit.
- Tres Larsen is the Software Asset Management Practice Lead at ClearEdge Partners.