The case for a code of conduct for software licence audits

May 9, 2021

Almost all software licences include a provision for the audit of a customer by the vendor to check whether usage is in compliance with the rights acquired. Globally, there are thousands of such audits every year, conducted by vendors and by third parties on their behalf, and billions of dollars change hands as a result.

The need for a code of conduct

Customers dislike the audit process because it is intrusive, time-consuming and often results in difficult contractual and commercial discussions around the need for additional licences. Many vendors also dislike audits for similar reasons and because they fear that audits damage the vendors’ relationships with their customers. For these reasons, not all vendors carry out audits. However, most audits result in incremental revenues for those vendors that do them, and these revenues can be significant in terms of overall vendor profitability.

One effect of these audit programmes has been to provide a clear incentive for customers to manage their software assets effectively. Another has been to create an industry of audit defence technicians and lawyers who specialise in helping customers prepare for audits. This is beneficial if it helps customers better manage their software investments. If this advice strays into disrupting legitimate audits, and/or concealing the use and misuse of software, then it can add to the tensions which audit programmes may create.

There is no consistent approach to the conduct of software audits by vendors. The rights and obligations are defined by the licence agreements, but these are usually non-specific in terms of detailed conduct and resolution of audit findings. There is considerable variation between vendors in terms of the identity of the auditors, technical approaches and tools, scope and intrusiveness, provision of entitlement information, approaches to resolution and, more generally, in the positioning of audits and the attitude to customer experience. This makes it difficult for customers to develop consistent management of their software investments. It adds to the tension between vendors and customers and disrupts the functioning of the software supply chain to the disadvantage of vendors and customers.

A code of conduct for software audits would help to alleviate this problem. It would also serve to codify market practice and provide a catalyst for improvement.

Consultation

The draft Code here is offered as a starting point for discussion. It has been developed by the authors, reflecting input and discussions with a number of software vendors and other parties. We invite comments on the draft in writing to the authors and will be arranging a series of roundtable discussions for interested parties. We will close the initial consultation at the end of June with a view to developing a further draft over the summer.

We should like to form a steering committee so that the Code can continue to evolve to a point where it will be in a position to be adopted by parties during 2022. We welcome suggestions as to the membership of such a steering committee, which should be representative of vendors and customers and their respective advisers.

How we envisage the Code would work

The Code contains obligations on vendors, their auditors and their customers. Those obligations relate solely to the audit process and not, for example, to vendor or customer engagement with Software and IT Asset Management standards such as those promoted by ISO.

The Code of Conduct is intended to be subordinate to the existing rights in agreements between vendors and customers and to be voluntary. Mutual compliance would be proposed by a vendor to a customer at the time of the audit notification.

Adoption of the Code by a vendor would give customers some certainty as to the vendor’s approach and adoption by a customer would give a vendor greater confidence in the customer’s intent to comply with its licensing obligations. Both parties would benefit from decreased tension and greater trust and a smoother, less disruptive process.

In due course, if compliance with, and confidence in, the Code of Conduct increases, vendors may consider customer compliance as an indicator of attitudes to SAM and ITAM and take this into account when planning audit programmes. Customers may take it into account when making procurement decisions around software and in determining how to respond to audit notifications.

We propose that the Code should be a voluntary one with no sanctions for non-compliance. In any event there is no body to enforce any such sanctions. Nevertheless, parties might take into account the willingness to adopt the Code in both procurement and pricing decisions. In due course, if there is widespread adoption, the Code may become accepted as a benchmark against which conduct might be considered in the context of a dispute.

The benefits of a Code

Our view is that a Code would deliver significant benefits to both vendors and customers.

The benefits for vendors are:

  • A public step to address customer concerns about the audit process.
  • The possibility of smoother and more efficient audits at lower cost and with less disruption to customer relationships.
  • An improvement in customer management of software licences.
  • Greater transparency and trust in the relationships between customers and vendors.

The benefits for customers are:

  • Greater certainty and greater consistency as to audit approaches by vendors, reducing the risks and costs of responding.
  • A potential reduction in aggressive audit approaches with hidden agendas.
  • Greater transparency and trust in the relationships between customers and vendors.

Most audit clauses are very short – typically less than 200 words – with little detail as to the approach. The code would amount to documenting reasonable market practice in software auditing. Currently there is no such document. Most suggestions in the market tend to be partisan, and those in academic and similar texts, such as they are, tend to be out of date, sometimes inaccurate and often out of touch with market practice. A living reference document would assist both vendors and customers when disputes arise. For example, a publicly referenceable code might improve the ability of publishers to seek orders compelling customers to accept an audit in line with the Code and/or might enable customers to show that proposed approaches were unreasonable and outside mainstream practice.

Risks

There are of course risks for vendors and customers in following a code of conduct.

Adoption of the Code of Conduct should constrain the freedom of vendors and customers to exploit the audit process for other ends. It may remove some elements of ambiguity which suit one or other party and it may become a benchmark against which conduct is measured. Our view is that this is partly the purpose and that a code succeeds if it sets a marker for behaviour that becomes widely accepted.

However, because the Code would be voluntary and subordinate to the licence agreements, there would be little practical downside risk to either customers or vendors in subscribing to it, except in relation to the PR consequences of subsequently not complying.

Next steps

We welcome feedback and comment on the current draft of the Code. Formal responses can be sent to code_of_conduct_feedback@fticonsulting.com. Suggestions as to the make-up of the proposed steering committee are also welcomed. All responses will be acknowledged and considered in arriving at the next formal draft of the Code.

We are very grateful to those who have helped to get the Code to its present state.

David Eastwood, Senior Managing Director, +44 7802 636 079, david.eastwood@fticonsulting.com
