How to negotiate a better software audit clause

Many customers report that the number of software audits requested by publishers has risen dramatically over the past several years.

At best, this proves inconvenient for customers that have to allot valuable time and resources to manage the audit. At worst, organizations face steep financial penalties if unintentional license deficits are discovered.

Perhaps the best means of protecting your company from the risks of software audits is negotiating sufficient protections in your software license agreements when initiating your relationships with publishers. By getting down on paper the terms of any future audits, you mitigate many of their potential risks.

But what are the best terms to negotiate? We thought we could provide some guidance by looking at the audit clauses that various publishers have included in their standard end-user license agreements (EULAs). By seeing what standards and variations exist across multiple publishers, we could get a feel of what is fair game in a software license agreement negotiation.

With this in mind, we’ve provided some research done on 20 different publishers, including a wide range of large and small software companies. All are available in our Fine Print tool, which makes it easier to index and reference such terms when needed.

We’ve broken the data down into what we consider the four general parts of an audit clause.

Please note that this is just a record of what is explicitly stated in the audit clauses of the various software license agreements we reviewed. If you are in a negotiation, and certainly if you are getting audited, you’ll want to consult with your legal counsel to consider how other language in the agreement, whether in the audit clause or not, could have an effect on your audit rights.

1. Notice Periods

Most audit clauses include some terminology on notice periods—how much warning your company receives before publishers need access to your records to check for non-compliance. Our twenty publishers were roughly broken down as follows:

In most cases (eight vendors), the notice period was left fairly open-ended under the term “reasonable notice.” What is deemed “reasonable” can often be a source of conflict, but it does provide more flexibility for the customer than the six clauses tied to specific time periods, and is certainly better than the two clauses that left things mostly to the publisher’s discretion (one simply said an audit could take place with any “prior written” notice; the other stated that compliance records were to be provided “upon request”).

What’s clear from the sample is that any request by a vendor for very short notice periods, such as seven to 10 days, should probably be resisted. Clearly the standard across vendors is for more extended time periods.

Whatever notice period you do choose, though, make sure to consider worst-case scenarios. For example, even if 15 days may work in most cases, would it be sufficient during August or December, when many of your required staff may be on vacation? If not, ask for more time, or default to the amorphous “reasonable” term, which at least is negotiable at the time of audit.

2. Audit Frequency

Next is the permitted audit frequency–how often the vendor is allowed to perform an audit on your company. The results here were less varied than what we saw for notice periods.

It’s interesting that more than half of the contracts had no mention of the frequency at all. Whether this is a disadvantage for your company depends on what language in the agreement defines how disputes are handled with the publisher. Without such clarification, it’s probably better to have specific language that limits the publisher’s audit frequency in some way. And as nine vendors did have such limits, it should not be considered a big ask in negotiations.

For the publishers that did have specific frequency language, there was a subtle distinction between the few that limited audits to “no more than every 12 months” and those that stated “once per year.” Given the choice, the “every 12 months” option is the preference and ensures that at minimum a year goes by between audit initiations. “Once per year” is a bit more open-ended—if it’s based on a calendar year (as at least one publisher made explicit), it could mean getting audited in December, for example, and then again in January.

It is worth noting that five vendors also explicitly stated that the audits could take place even after contract termination (in two cases within one year and in three cases within two years). As this is not the norm and could put you at risk, it may make sense to negotiate such language out of your contract.

3. Audit Process

All but one of the 20 vendors we examined had some language describing the audit process. Having such rules is crucial, as they determine the time and resources your company will have to commit to the publisher for audit assistance.

I’ve listed below some of the terms we’ve seen. Unlike the other tables so far, this one is not cumulative (summing to 20 vendors). Instead, I’ve simply listed how many vendors included the relevant process term.

The high number of publishers that request audits be done during normal business hours probably isn’t too much of a surprise, as this is frequently in both the vendor’s and customer’s interests. But make sure in such cases to add terms that such audits will not interfere with normal business operations—seven publishers did so, which sets enough of a precedent to make the request.

A fairly high number of publishers cited the right to use independent auditors. If this is a part of a publisher’s process, it’s unlikely to ever be negotiated out. But if such a clause is included, make sure to negotiate harder on some of the other provisions that would present you with risks. Independent auditors are occasionally paid, at least in part, a commission on the discrepancies they find. They also have no vested interest in the publisher/customer relationship, so they may be more aggressive in their findings than the publisher would be alone. Also, make sure that any independent auditor is covered by a confidentiality agreement.

An interesting observation here is that eight vendors do not explicitly request direct access to the facilities and/or systems of the customer, despite the fact that this could impair their ability to perform the audit. It’s possible that they don’t need such access (a system may be in place to track usage remotely), they trust the customer to provide records on their own, or they feel that other agreement language provides them that right. In any case, there are enough such vendors to warrant asking publishers to take out such language if a method of self-reporting can be agreed upon, considering how much less disruptive such a process would be. In fact, six vendors did mention self-reporting as an option, though admittedly not as the sole means of verification (see #5 below).

4. Consequences of Failing an Audit

So what if an audit doesn’t go as well as you had hoped? The final section of the audit clause, what we’re calling “consequences,” covers the potential costs for the audited company.

It should come as no surprise that all of the publishers require the audited company to reconcile any shortfalls by buying new licenses. So what we focused on in our table below are any other charges above that amount.

As with our last table, the one below is not cumulative, but simply counts which publishers had which language.

The majority of vendors require that the audited company pay for audit costs, usually if there is over a 5 percent discrepancy (though in one case any discrepancy would trigger this fee, and in another it needed to be 10 percent). Considering how popular this clause is, it’s unlikely to be negotiated away, but consider requesting something higher than 5 percent if you believe there are unusual circumstances that could cause variations.

Most other penalties, however, are rare, which can provide some backing to negotiate them out of agreements. The best option is simply to add language that explicitly limits the license purchase prices to those from your normal, discounted price list with the publisher. We have seen that when language on pricing is completely excluded, publishers will often attempt to charge at list/retail price initially and then negotiate a price from there.

5. Other Terms to Keep an Eye On

Some final notes on other clauses we saw that did not fit neatly into one of the four categories above:

First, make sure it’s clear that the results of any audit are fully confidential. Five vendors included such language, which is enough to provide you with some leverage if you’re not already covered elsewhere in your software licensing agreement. If knowledge of an audit is made public, it could spur audits from other vendors, in addition to the obvious reputational risks for your company.

Also, six vendors included language about regular self-reporting of compliance numbers in addition to traditional audits. Consider the repercussions of such self-reporting and consider pushing back, as it’s not a standard request. Or conversely, push to enhance the self-auditing process to replace on-site visits, as noted earlier.

Finally, three vendors required that customers have “internal safeguards” or similar in place to prevent non-compliance in the first place. This probably isn’t an issue in most cases, as the interpretation of such language can be broad, but you’ll want clarification so that the publisher cannot later try to force an unwanted system on you. Since so few other vendors make such a request, you have a strong case for asking to exclude such language.

The more you can shape an audit clause to your favor during your negotiations with a vendor, the fewer headaches you’ll probably suffer when the inevitable audit comes along. But when it does, SHI has staff on hand that can help you through that process. Feel free to contact your SHI account executive if you think we can be of service.
