Unexpected damage: Software License Reviews trigger urgent financial liabilities

Robin Fry, director, Cerno Professional Services

There is an increasingly prevalent threat facing large corporates around the world:the use by major software vendors of contractual audit rights to search out inadvertent under-licensing, triggering substantial and unexpected liabilities against their customers.

The exercise of ‘software license reviews’ or ‘software audits’, most notably by Oracle, SAP, IBM, Informatica and Microsoft, has increasingly become a revenue-generation mechanism for these vendors. Against the backdrop of a huge number of IT systems being moved to the cloud, with Amazon and Google establishing themselves as market leaders, the historically-dominant software vendors are urgently seeking additional revenue from elsewhere: their existing base of on-premise software customers.

The amounts sought – aggregating license fee shortfalls, back-support, penalties and audit costs – can be eye-watering: Diageo was found liable in the High Court last year for under-licensing when it opened up its ordering to customers by allowing the use of iPads rather than, as previously, utilising only a call center. The ‘indirect access’ claim by SAP totalled more than £58million.

ABN-InBev, the world’s largest brewer, was also impaled in another under-licensing claim by SAP for US$600m.  The matter was settled in a New York arbitration late last year for an undisclosed amount.

These two claims represent only a tiny visible fraction of a new battleground, with hundreds of corporates receiving notification letters that have been ‘selected’ for such a license review by one of these major vendors.  The customer is directed to the audit provision in the license terms and often, at least at this stage, content for the review to be carried out.

The process of the audit

Following the notification that a review is to be conducted, the process then follows a sequence under which an appointed auditor – usually a major accountancy firm such as EY, KPMG, Deloitte or PwC, or, for Oracle, often its own license management services division – carries out the technical analysis.

The analysis examines the actual usage of the software and compares this to license grant, initiating an ‘Effective License Position’; inevitably shortfalls are exposed. The process can take in excess of three months, with the auditor running scripts on the customer’s IT infrastructure and then searching out all recorded usage or installation of their proprietary software. There is only one aim: to identify any shortfalls on which invoices can be issued.

The vendor will then issue an executable quote, with payment required within 30 days. The shortfalls often derive from:

• Installation of programs without use: generally, still licensable;
• Use of virtualisation (typically VMware) where any processors that might run the programs also all need to be fully licensed;
• Inadvertent triggering of management packs and options by the customer included (but not ordered) from when base technology is delivered by the vendor to the customer;
• New remote usage – for example, by customers, suppliers or partners using new channels or APIs;
• Robotic usage;
• Older software being shelved but still technically subject to support and maintenance charges (generally 22% of purchase cost per year).

It is almost impossible for any successful corporate with constantly-shifting business needs – and therefore ever changing IT systems– to remain fully and at all times in compliance with license terms. Vendors often point to white papers, policies and website downloads to shore up opaque and ambiguous wording within contracts, invariably to the customer’s detriment. Oracle, for instance, derives very substantial revenues from insistence on compliance with its ‘Partitioning Policy’ despite it being declared to be ‘for educational purposes only’.

The result: a crippling and potentially embarrassing bill at full list prices, with multiple other penalties and costs. This claim will not have been provisioned for and can, on occasion, have a severe impact on the financial statements.

Seven key lessons:

1. Never assume that a long-standing relationship has any weight: this process is driven outside your account director and is simply a substantial revenue-generation opportunity mandated at the highest level within the vendor;
2. Unless you have completed such an audit within the last two years, do not assume any complacency: under-licensing (and over-licensing) is largely unavoidable even for the best-managed corporates;
3. Confront these issues in advance: commission your own audit using specialists and then ameliorate any under-licensing that is exposed;
4. If you receive an audit notification letter, delay and prepare;
5. Choose to fight every demand: often there are contractual, technical and commercial arguments that together can destabilise and substantially reduce any settlement payments that are demanded;
6. In any M&A situation, if acquiring, immediately commission your own audit to crystallise the (latent) liability and then lay off to the sellers under their warranties;
7. If selling a business or company, confront the possible hidden exposure: far better to remediate early and, if necessary, negotiate with the vendor on your terms in advance rather than receive an indemnity claim for an uncontrolled amount after the sale.

The risks around under-licensing are significant but rarely publicised – often falling between IT, legal, procurement and finance teams. The latency is dangerous given the potential for very high claims that could have been addressed earlier.

Never raised by the statutory auditors, this is a board issue where the risk(s) are often overlooked by both the audit committee and any separate board risk committee. This is wrong: software under-licensing is not an incidental administrative issue but one that properly falls to be managed by the audit committee under the FRC’s UK Corporate Governance Code (July 2018).

Corporates are highly dependent on database technology and applications to run their businesses. But this dependence means that, if the installed software cannot readily be shed, then neither can any corresponding financial liability to the software vendor.

Robin Fry is a software licensing lawyer and director at Cerno Professional Services, a firm specialised in challenging licensing demands.