Getting an audit notification from your software provider can be nerve-wracking, but after reading this you’ll realize this is less likely due to something you’ve done wrong and more likely a tactic to throw you off-course.
If you’ve never been through an audit before, you don’t know what to expect, what to do, or how to make sure it’s over as quickly as possible with minimal expense to your organization.
In this article, we’re going to make all this crystal clear by outlining the audit processes of large enterprise software providers like Oracle, Salesforce, SAP, and Microsoft.
There are a few key things you need to take into account that apply to all of these providers:
● Use your contract as your best weapon to defeat audits. Take action if there is any sort of grey space in terms of what is allowed by the supplier.
● You’ll do best if you bring in outside assistance. An expert who has experience guiding businesses through software audits will be a huge help throughout the process.
● You need to control all the information that is shared with the supplier in your own format and spreadsheets.
● The more you are proactively sharing information with suppliers, the less basis they have to bring up an audit.
● Audits are brought forth to customers for many commercial reasons. The more proactive you (the customer) are with sharing information, addressing audit risks in meetings, and creating a paper trail, the less likely your supplier is to audit you.
What is a Software Audit and How Did Your Company Get Selected for One?
A software audit is both a technical and contractual review of your organization’s use of a specific software platform within your IT environment. Most large enterprise software companies like Oracle and SAP have separate departments that focus purely on license compliance audits. These teams look and feel like a shared service organization inside of a large software company. They work with a customer’s account management team to take an aligned, yet separate and distinct, position on behalf of their software company. We will discuss the similarities and differences between these different teams later in the article.
One common similarity across all of these suppliers is that the audits will compare your usage and processes to any specifications, standards, or contractual agreements in place.
Why your company? Why did you get singled out for an audit?
There are three primary operational/contractual triggers for a software audit:
While not mutually exclusive, you’ll also find the timing of these audits is very suspect and robotic in nature. The two primary timing triggers are:
These large enterprise software companies know that it’s very common for their customers to be out of compliance due to the sheer size and scope of their operations. This is augmented by the fact they know anytime there is employee turnover within a customer’s IT organization (especially their “software asset management” department) the company is susceptible to additional compliance risk as a result of lost tribal knowledge of the environment, past internal audits, etc.
Taking all of this into consideration makes it relatively easy to understand why a company like Oracle can confidently predict net new revenue from their existing client base.
In addition to market pressure for additional revenue, a customer’s upcoming contract renewal also serves as an all too common trigger. The general rule of thumb we tell clients is anytime you have a contract renewal coming up nine to twelve months, your supplier is likely to introduce an audit. Your supplier will use this as an opportunity to distract you and gain the upper hand in an anticipated contract negotiation that hasn’t even started.
Suppliers do this because it automatically puts you in a defensive position. Naturally, you will be forced to concentrate on defeating the audit instead of allocating that same time to figuring out what you need for the upcoming contract renewal. They want to gain as much leverage and understanding of your business as possible before going into a renewal negotiation.
The audit is merely a tactic large software providers use to 1) seek out unearned revenue for their company to meet revenue targets and 2) gain the upper hand in your contract renewal negotiations in the hopes of minimizing any revenue loss from your account.
The fact of the matter is that it’s very common for customers to be unintentionally out of compliance. Knowing this, it’s important you know what to do in order to defend your company from what is potentially a very costly situation.
Here’s an example to help illustrate this tactic
By way of an audit, an ERP provider could discover you are misusing the license, giving the supplier reason to charge you a larger fee. Often, sales revenue targets for these audits are about 30% of your annual maintenance/subscription costs.
Let’s say you are spending $1M on core licenses, the audit will likely lead to around $300k in costs on top of that. If you can defeat the audit and keep your core license costs at $1M, then you will be happy and reward yourself for fending off the extra charges. In reality, the supplier didn’t expect the $300k in the first place, the audit was just a way to distract you from putting time and effort into your upcoming renewal negotiation.
It’s a win-win situation for them - if they win the audit, they put the money towards their sales revenue to meet their quota; if they don't, they’ve distracted you from being prepared to save money on your upcoming contract negotiation.
As a sales rep, finding new business is much harder than auditing an existing customer. Suppliers will target big companies because they don’t have perfect internal controls and mistakes are likely to happen.
What to Do When You Get an Audit from Oracle
When Oracle conducts an audit, they engage their License Management Services (LMS) team to run the process.
The audit process often involves installing software code within your secure environment. It is a listener software that will hit your mainframe servers and figure out how many other systems are connected.
This is important because, historically for this on-premise software, you are licensed based on the interconnectedness of both physical and virtual server environments. Your supplier wants to know how much “value” you are getting from their platform so the software they install provides a report of how many systems are interconnected. In a nutshell, the software delivers a report that illustrates when your technical architecture is in non-compliance. This automatically gives Oracle the upper-hand as it forces the customer to validate the information.
The best tactic to defeat this process is to never allow the software in your environment to begin with.
You have the right to refuse listening software within your Oracle contract.
Unless your contract explicitly calls out installing software, tell Oracle that installing software does not comply with your IT security protocols.
Look to determine if you have audit language specified in your contract. The older the contract you have with Oracle, the more likely you have the right to refuse the audit, or to at least not allow the listener software to be installed within your environment.
If this is the case, tell Oracle that instead of installing the software, you will run the audit yourself using their tools and spreadsheets with no software included. This means you are in control of what information is being shared with Oracle. Controlling the information is incredibly important in any audit, especially when suppliers are involved.
What to do when Salesforce Conducts an Audit
Salesforce audits customers when there is a restricted-use license available. When this happens you need to think critically about negotiating with Salesforce.
Salesforce is Software as a Service (SaaS) in the cloud which means they have more ability to freely monitor your utilization of licenses within your environment and can freely audit for misuse.
When you have a Restricted Use License (RUL), you have permission to use the product for a specific business purpose leveraging a certain number of standard and custom objects. Standard objects are modules within the Salesforce platform, such as contacts, accounts, or prospects. A custom object is something that was built by a Salesforce developer specifically for your company.
The license limitations in an RUL are a contractual limitation, not a technical one. A contractual limitation means there is legal language on your Order Form specifying how the license may use a predetermined number of standard/custom objects even though there is a set quantity limitation, technically there is no way to shut off access to other custom objects for that user.
This license is often in place for a subset of users who only need limited access to your tool. For example, an employee who is only viewing the data and not editing it. If this group starts editing objects, it becomes in and of itself a compliance issue.
Salesforce makes it easy for the end-user to accidentally do this without realizing they are in breach of the license. They will use this opportunity to accuse you of using the license incorrectly and request that your organization upgrade these licenses to full users and will seek compensation since the inception of the misuse. Contractually, Salesforce has the right to charge you full retail price for those non-compliant users.
Another time when Salesforce audits come into play is when a client is on a SELA Agreement (Salesforce Enterprise License Agreement).
How do you get around Salesforce RUL audit problems?
The best thing you can do is to establish quarterly check-ins with your account team at Salesforce. Use these meetings to stay on the same page with your account team and create a paper trail that shows how your users are engaging with the platform.
If you are accused of breaching restricted use, but have established quarterly check-ins with a paper trail, you can respond to Salesforce by saying “We met with your team and they didn’t bring anything up during our meeting so why should we believe you now?” Without quarterly check-ins and a paper trail, you get into a he-said-she-said argument.
Often times, the employee in breach of license may have accessed the wrong objects once or twice throughout the life of an account. Salesforce will create an argument that the license has been systematically misused for a long period of time.
We treat this event like a litigation. If you don’t have a paper trail of record, then you have no legal foundation for a defense. When comparing the perspective outcome of the party that has records and the other that does not, the person with records almost always wins in court.
Keep careful documentation about your interactions with Salesforce, and have open conversations about audit and license use risk. This will build a strong foundation and reduce the risk of an audit.
How to Handle an Audit from SAP
An audit by SAP is very similar to an audit by Oracle in that, historically, their licensing model is primarily “consumption-based.” This means your price is based on your company’s revenue, profit, services used, how many suppliers you have, or any number of a series of variables.
This model falls under the concept of Value-Based Pricing and is a subjective assessment of value captured from the utilization of the software.
SAP will use many of the same tactics as Oracle which we’ve outlined above. One thing to specifically note about SAP is that they very frequently introduce audits during merger & acquisition (M&A) announcements. When supporting clients with M&A IT Sourcing, we commonly tell our clients to “get ready for the ‘ransom letter.’” These aren’t our words but rather those of our clients who received notifications from suppliers such as SAP immediately after announcing a large acquisition to the market.
Want to know if you’re susceptible to these ‘ransom letters?’ Take a look at your contract and keep an eye out for any language within your contract that indicates they will “readdress the terms of the contract if you the customer acquires or divests entities during the term of the contract.” If you have this language within your contract you will more than likely receive a similar notification within 1 month of publicly notifying your M&A intent.
In order to defeat an SAP audit, take the same approach we would take with Oracle and then protect yourself moving forward by changing your pricing model to a fixed baseline model that is attached to the reasonably certain variables in your company such as the number of employees.
What to Do When Microsoft Audits You
Microsoft’s audits vary depending on the products and services within your contract. Similar to Salesforce, Microsoft will commonly focus on those licenses that have restricted use. A very common audit for those clients with perpetual Microsoft Office licenses is the 1-to-1 validation of windows desktop licenses to computers within a customer’s environment. Similarly, for those clients with an active Office 365 subscription, Microsoft will look closely at the utilization of subscriptions that are inherently limited in their intended use. This is augmented by a deep analysis of computers and users in your ecosystem to ensure the capabilities being used are properly licensed.
If you are paying for any physical or virtualized servers from Microsoft within an SCE agreement, you will commonly be audited to ensure your consumption metrics are within your contracted allocation.
Frequently with Microsoft, you are leasing the utilization of servers either on-premise or in the cloud. Generally speaking, if you have a physical piece of hardware from Microsoft on-premise, they will almost certainly conduct an audit at renewal time to monitor utilization as part of their “optimization analysis.” In a nutshell, they will try to move you from an on-premise environment to the cloud.
Conceptually this is fine but they will use that audit as leverage to do a lift and shift into Microsoft Azure.
Microsoft Azure is a very attractive product for the sales team because they are heavily incentivized to get your company into the cloud. The market is looking at how Microsoft’s cloud growth is going year after year and as a result, the company wants to increase its usage.
Essentially, Microsoft will audit to try and sell you on Azure. This isn’t necessarily a bad move to make but knowing key motivators will keep you ahead of the game and alleviate any potentially detrimental surprises.
What Happens Next?
If you’ve been audited by any of your enterprise software providers, we recommend bringing in outside help to guide you through the process. Leveraging their experience and expertise will go a long way to mitigate both short and long term risk that can easily rise into the millions.
Don’t solely believe what your account executive is telling you, oftentimes they don’t have all the information needed and they are heavily incentivized by their employers.
Your outside expert will be able to comb through your contracts, identify risks/opportunities, and drive both cost savings and containment. With the proper assistance, you’ll be able to confidently stand your ground and mitigate risks before they are realized.
At The Negotiator Guru, we’ve helped countless global clients successfully navigate their software audit experiences to mitigate risk and contain costs. We can do the same for you.
Feel free to reach out for a free consultation to discuss your particular audit situation.
© Dan Kelly and Kelly Consulting Group, LLC. dba "The Negotiator Guru", 2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited.
You may also be interested in:
A 3-Step Process to Reduce Your IT Spend 25% or More
Understanding How Salesforce Negotiates
My 3 Guiding Principles for The Negotiator Guru