A Code of Conduct for Software Audits

This is our first guest blog from Andy Jackson, senior director at FTI Consulting, in which he introduces the idea of a code of conduct for software audits to describe much needed responsible market practices.

If you would like to write a guest blog, let us know!

Almost all software contracts allow for the audit of a customer by the vendor to check whether usage is in compliance with the rights acquired. Thousands of software audits occur every year, conducted by vendors and by third parties on their behalf, and billions of dollars change hands as a result.

Having been involved in software audits and audit practice for a combined total of over 40 years, we have observed and experienced first-hand the tensions and inconsistencies in the audit process, and we feel that a maturing of market practice is long overdue and would be helpful to both vendors and customers.

In response to this, we have authored a draft Code of Conduct for Software Audits (“the Code”), which aims to capture and document reasonable market practice in software auditing, as currently no such document exists.
The Code has been released for industry consultation and can be viewed in full here.

Issues and how a Code of Conduct could help

Although software audits are commonplace, with most vendors having a compliance programme to some extent, there is no consistent approach to the conduct of these audits. The rights and obligations are defined in license agreements, but these agreements are usually non-specific in terms of detailed audit conduct and very brief. There is considerable variation between vendors in terms of the identity of auditors, technical audit approach, tooling, audit scope and intrusiveness, provision of entitlement information and more generally in the positioning of the audit and attitudes to customer experience.

Most customers will have a multi-vendor software estate and this inconsistency makes it difficult to develop an approach to manage software assets and to respond efficiently to audit requests. Without a consistent approach, audits become unnecessarily time-consuming and costly. This adds to the tension in the relationship between customers and vendors and disrupts the functioning of the software supply chain to the disadvantage of both vendors and customers. 

There is also a fundamental disconnect between vendors and customers and a mutual misunderstanding of the intentions and behaviours of each party.

The prevailing narrative is that vendors perform audits to generate revenue or exploit the audit process for other ends, and that customers are intentionally obstructive and seek to frustrate the audit process. Whilst there may be some truth to this, given there are a small number of vendors and customers that intentionally ‘misbehave’, this is not representative of the industry as a whole. 

Nevertheless, industry sentiment towards software vendors in the context of audits tends to be negative. This sentiment has led to the creation of an industry of audit defence practitioners who specialise in helping customers prepare for and defend against audits. 

Whilst this is beneficial if it helps customers manage their software assets and efficiently respond to audits, it can further contribute to the problem if the advice given strays into intentionally disrupting or frustrating legitimate audits, and/or concealing the use of software.

Vendors are aware of this negative sentiment and the existence of audit defence advice and adjust their approach in anticipation of a defensive and uncooperative anti-vendor stance from customers. This leads to some vendors feeling it necessary to adopt a more aggressive approach and to insist on a more in-depth and intrusive audit process to ensure their intellectual property is protected.

This results in a self-perpetuating cycle, with customers acting based on their expectations of the vendor and vendors acting based on their expectations of the customer. In reality, most customers want to be compliant, and most vendors want exactly the same thing. 

This cycle only serves to prolong and complicate audits, increase intrusiveness and cost, and put strain on the vendor-customer relationship, which is exactly why both customers and many vendors dislike audits to begin with.
We believe the adoption of a Code would help break this cycle and alleviate the issue by providing an agreed framework for the audit approach, creating a transparent, fair, and equal playing field, and restricting only those exhibiting negative behaviours. 

All parties would benefit from decreased tension, greater trust, and a smoother, less disruptive process. Specifically, customers would experience a reduction in the risks and costs of responding to audits as a result of greater certainty and consistency in audit approach, see a reduction in aggressive audit approaches or audits with hidden agendas, and benefit from greater transparency in their relationship with vendors.

Vendors would experience smoother and more efficient audits at a lower cost and with less disruption to customer relationships, gain greater confidence in a customer’s intent to comply with its licensing obligations, and have an opportunity to address customer concerns about the audit process.

Consultation

Since its initial release, we have received feedback from across the industry and we are arranging roundtables to discuss and debate the Code in more detail. If you are interested in sharing your views on the Code or participating in these discussions, we would be delighted to hear from you.

Register your interest in participating in the roundtable discussions here. Provide your feedback on the Code here.

Key Contacts

David Eastwood
Senior Managing Director
david.eastwood@fticonsulting.com

Andy Jackson
Senior Director
andy.jackson@fticonsulting.com

Gareth Coffey
Senior Director
gareth.coffey@fticonsulting.com