How to Protect Against Stealth Audits

In this latest podcast focused on stealth software audits, I sit down once again with four great guests:

We have another action-packed discussion covering Oracle, audit tactics, court cases, recent acquisitions, contract terms and much more. We also talk about new terms to best describe modern software audits (stealth software audits?). Between LicenseFortress and Beeman & Muchmore LLP, there are decades of experience in audits and the legal arena – tune in and see what they say!

Introductions

Rich Gibbons:

Hi everybody. Thank you very much for joining us on this latest ITAM Review podcast. As ever, we’ve got an excellent hour or so coming up for you. So joining me today, I have got a range of fantastic people over from the other side of the Atlantic. So first up, we’ve got Art Beeman.

Art Beeman:

Hello. Good to see you. I am Art Beeman. I’m with the Beeman & Muchmore. I’m one of the founding partners, along with Joel Muchmore. Our firm is dedicated solely to the representation of licensees involved in matters and disputes on ERP software with the vendors. I’ve been practicing law for 40 years and as a trial lawyer, I’ve taken 30 plus cases to jury verdict. Joel?

Joel Muchmore:

Joel Muchmore, good morning from California. I am the other founding partner of Beeman & Muchmore, we’ve been doing this, as Art described it, for about two years now, dedicated in practice solely to software licensing. I was in big law litigation for about 20 years prior to that, found a niche in the market that was best served with small, precise, micro specialty targeted counseling and that’s what we launched back in June 1st, 2020 to do. Thanks for having us again, Rich.

Launching a Law Firm During a Global Pandemic

Rich Gibbons:

No problem, thanks for joining us. And in June, 2020, must have been an interesting time to launch anything, but yes, looking at it, it’s going well.

Joel Muchmore:

Well it was a fascinating time to launch. Part of the good thing was that everybody was rethinking everything in June, 2020. And so we brought to the table kind of a new way to practice law, untethered from the big firms, tailored, specialized counseling and we think it’s the way of the future.

Rich Gibbons:

Awesome, I like that. And talking of rethinking and doing things differently, we’re also joined by LicenseFortress. So from LicenseFortress, first of all we’ve got Dean Bolton, hi Dean.

Dean Bolton:

Hi Rich and hello everyone, thanks for taking the time. My name is Dean Bolton, chief architect and co-founder of LicenseFortress. I’ve been working with Oracle for 22 years now, started as a DBA, but spent the past 15 years, can’t believe how fast time goes, 15 years focused on enterprise architecture, license compliance and audit defense. I’m a VMware vExpert, Oracle ACE, a SQL certified DBA, Oracle Certified Master, RAC certified, Exadata certified. So a lot of time hands on with Oracle and focused on the enterprise license compliance space.

Rich Gibbons:

Awesome. Is it safe to say that you know a thing or two about using Oracle kind of in the real world?

Dean Bolton:

Maybe, might have touched it once or twice.

Rich Gibbons:

And then last, but by no means least, we’ve got Michael Corey, also of LicenseFortress. So good morning to you.

Michael Corey:

Good morning, Rich. Yeah, this is Mike Corey, I’m the other co-founder of LicenseFortress. I’ve been working with Oracle Technology at this point 38 years, which puts me back to Oracle version three. I’m the original Oracle Press author and have published numerous books on Oracle and Microsoft and VMware technology. I’m a past president of the International Oracle Users Groups. I am an Oracle ACE today, I’m a VMware vExpert today and a past Microsoft MVP. Suffice to say, I’ve made my living dealing with Oracle Corporation and relational technologies for a very long time.

Rich Gibbons:

Excellent. So you can see a wealth of experience. I mean the kind of span that people are talking about, you must all have started when you were about four, so yeah, got some sort of geniuses of the software world. So whenever we get together and talk, we always find that there’s plenty of stuff to keep us busy. I know we’ve got some topics that we want to cover. I think first of all what we’ll do is I’ll hand it over to you Mike, and you can kind of set the scene and we’ll go from there.

Discussing the 2022 Enterprise Software Audit Survey

Michael Corey:

Oh that’s great. Thank you, Rich. So first of all, Rich, I want to thank you and ITAM Review for hosting this podcast. I really want to thank my three co-hosts for being here. Dean, the co-founder of LicenseFortress and Art Beeman and Joel Muchmore of Beeman & Muchmore. In this podcast we’re going to discuss a recent survey. The survey was managing the software audit, 2022 survey on enterprise software licensing and audit trends. This survey is literally fresh off the presses, it just came out a few days ago. And what I really like is that it was done by a research firm, [inaudible 00:05:49] Media, a division of Information Today, so it doesn’t have that venture taint to it. And the other thing, it will give us some really good insight into the effects of COVID and the economy on software audits.

So we’ll discuss the ramifications of the survey findings. We’re also going to discuss soft audits which are becoming more and more commonplace in the market and some of the inherent landmines that can happen for those who are not prepared for them properly. And we’re also going to discuss industry events like the Broadcom acquisition of VMware and the impact that they will have on software audits. So with that, let me turn it back to you, Rich.

Rich Gibbons:

Oh, thank you very much. So yes, as you can see, we’ve got quite the agenda lined up for you. So you mentioned the survey, the piece of research that’s just been completed. They’re always useful for us as industry people, but also for end users and the customers because I think this survey is quite a good way to benchmark what you are doing, what you think is happening, et cetera. So I guess I’ve taken a look through the report, I’ve got some thoughts and things, but it’d be interesting to hear from you, Mike, and everyone else, what are your key takeaways from the survey that people should be aware of?

Key Takeaways From the Software Audit Survey

Michael Corey:

So I guess I could start with that. One of the things that I wasn’t surprised by was that software audits continued to be on the rise and in fact, it seems like COVID and in fact the survey talks to this, is fueling even a greater rise of software audits. And the survey discusses the fact that as these companies were struggling for revenue coming out of COVID, that once again software audits are seen as an easy way to generate revenue.

Dean Bolton:

If I can …

Art Beeman:

Go ahead, Dean, please.

Dean Bolton:

I was going to say, if I can just piggyback on that, it’s always helpful to get the data from the industry that validates what you’re seeing personally, it’s the quantitative to go with the qualitative. From LicenseFortress, we’re busier than ever, so I know that there’s plenty of audits happening out there. But to see the research that shows that customers are getting audited on average every two point, what was it, Mike, 2.3 years?

Michael Corey:

Oh 70%, every three years, multiple audits.

Dean Bolton:

Yeah. So to see that across the industry in there, it really kind of reinforces the notion that the audits are there, they’re on the rise in there and that customers do need to be prepared for these. You can’t just stick your head in the sand and pretend that you’re going to get lucky, because that’s just not the case nowadays.

Art Beeman:

Related to that also, the incongruity, which I saw in the survey, which was not surprising but still certainly somewhat dismaying in light of the acceleration of audits, is the fact that I believe I have this right, I’m relying on my memory, but over half of those surveyed had sought no outside professional counseling in any way, shape or form while the audit was going on. I think I have that right. That said, it’s amazing when you consider the exposure and the risks associated with that. Yet in the market, with the licensees being subject to the audit, you don’t have a commensurate vigilance on their part in light of this phenomenon, to make sure that they’re getting the appropriate counseling to protect their assets and their business.

Rich Gibbons:

And I think that’s something that’s quite interesting. Audits have been around for a long time, they’re always a big topic at our conferences, user groups, et cetera, but they’re always seen as ITAM’s problem, something which ITAM has to deal with completely on its own and you might be a one person ITAM team and you’ve got millions and millions of dollars on the table potentially, but very rarely do people know where they can turn. It’s something they have to bear themselves, and as we’ve seen already, the number of audits that people get, the frequency of them, I think for people just to know that there are support mechanisms, as it were, and that it’s okay for them to reach out to people and get assistance. I think for a lot of people, probably just knowing that that’s possible is a good start for them.

Art Beeman:

I think that’s right and it even goes, I believe, a little beyond that in terms of what is the standard practice within a market, within an industry, when you get notice, by way of example, of an audit. If we were to move to another sector like the world of patents and if you received a notice letter as someone in house, whether IT or in the law department, that someone was alleging that your business is infringing their patent, you would lose your job if you didn’t get the appropriate counseling, and it’s generally outside, to assess the risk and make sure that it’s managed appropriately. You’re not seeing that sort of practice yet in this space of software audits, but as this group has commented on previously, many of these audits, especially with the reform on the patent side, you could compare it to the exposure presented by software audits and argue that the latter actually today represents on average a greater risk to business.

So there’s a little catch up being played on the part of the consumer, the licensee, in terms of what it should be doing when faced with an audit. And certainly, this survey reinforced to me that there is an imbalance, and with the rise of audits, you need to see more in the way of a discipline on the part of licensee targets to make sure that they get the appropriate counseling for protecting their assets.

The Financial Impact of Software Audits

Michael Corey:

But let’s quantify the danger, the survey did a nice job of that. You have a one in four chance of paying up to a million dollars, you had a one in 10 chance of paying over a million dollars, and if you were a large enterprise, over 1,000 employees, you had a one in five chance, I’m sorry, a two in five chance of paying over a million dollars. And the other thing is that these surveys were targeting mid-size companies, 250 employees roughly, 83% chance of being audited. And then gee, your odds if you were the enterprise, drop down to 70 something percent chance of being audited. So I go right back to your point, which is well done, when the chance of writing a million dollar check unexpectedly, you should seek professional help of a LicenseFortress, you should seek the help of a Beeman & Muchmore, otherwise you’re playing roulette and you have a losing number.

The Importance of Internal and External Resources During Audits

Rich Gibbons:

Yeah. And I think even before you get to the third party assistance, which obviously you guys have got huge amounts of experience in this area, but I think we see a surprising lack of people even going to speak to their in house legal teams. It may well only be at the very, very end when you’re on the hook, it’s all done and dusted, then maybe legal get involved because they need to sign a contract or something. I think there should be a, I guess, a phased approach. First thing you speak to your in house people and then once you’ve spoken together, then you reach out to a third party with even more specialist skills. And I’m not sure why, I don’t know if it’s reluctance, if maybe people feel their in house counsel are too busy or they’re doing something more important, but as we’ve already said, there perhaps aren’t many things more important than reducing your exposure on a software audit.

When Software Audits Turn Adversarial

Joel Muchmore:

I think it’s as simple as most people do not inherently view these as an adversarial process. I think they view it as, the way it’s presented to them, as no problem, we’re just going to shore up a few licenses, check a few things out, make sure everything looks good. And then before they know it, it either spirals into the adversarial process that we know that it can, or they just divulge everything and then let it all go through.

One of the things in the survey I was interested in was the relatively low number of people who considered it adversarial. And part of me says, well, I think that might be because a lot of people just gave it all up. They asked for more information than they deserved, they gave it, they asked for more licenses that weren’t necessary, they bought them, and by the time it got to legal to review the contracts, legal didn’t really understand how certain rights could be compromised going forward. And if there’s one thing that I always want to stress with everybody, is that there is always the potential, if not the probability of it turning adversarial, especially if you’re protecting your rights properly.

How Audit Scope Creep Affects Compliance

Dean Bolton:

And just to add onto that, I mean I can’t tell you the number of times I’ve seen the scope of the audit increase and just creep in. I mean the number of times we’ve been working with customers where they’re getting audited by Oracle or Microsoft or one of the other vendors, and the vendor already has information from lunch and learns, from outside conversations where they were just telling them about a new feature but gathering this information, it’s really staggering in there. And so I think that’s absolutely right, that the way these happen, they start sometimes from the bottom up and it doesn’t get the legal involved until later on, it doesn’t get the C-suite involved until later on, and sometimes that’s too late. And it’s just the nature of it because people aren’t understanding that these are adversarial, not just from the beginning of the audit in some cases, but from way before that and through the whole relationship.

Which is frankly very unfortunate, because you do need a resource to learn about the new products and new features in there and who better than the vendor to tell you about all those things. But one of the things we counsel everybody is just be very careful and don’t disclose more than you need to because it has a way of coming back down the road.

The Problem With Vendor Policies and Contracts

Michael Corey:

And let me take it a step further because of the different twist in that, and you would think going to the vendor would be the right place to learn how to properly license the software. But as we all know, a lot of these vendors have policies that are not contractual in nature, that are designed to artificially raise the cost of your purchases. And so if you’re just assuming the vendor policy’s contractual and you’re listening to them, you’re paying way too much for your software.

Understanding Contractual Obligations in Software Audits

Art Beeman:

I think one of the explanations could very well be, in terms of why a licensee doesn’t seek internal, to start internal counseling maybe from the law department or the appropriate professional within, and then of course when necessary, seeking the appropriate external counseling from professionals. I think it could be as simple as we have a contract, there’s a contract in place and they don’t feel the … if someone’s asking them to enter into a contract or a new contract, that’s one thing, and they’re not even having someone coming or confronting them and saying, “You’re in breach,” at least not right away. So they figure contract in place, it was executed couple years ago or whatever, and we’re just in the business now, says the IT professional, of honoring a contract, not realizing that so many different terms and conditions of that contract may very well be in play because of virtualization, because of applications that they’re executing, whatever they may be.

There’s a benign sense of comfort, they’re thinking, wow, this is an existing agreement, why do we need professionals, they’ve already had their input when the contract was negotiated and entered into and they don’t see the organic and dynamic nature of that contract and how terms can be in play from the moment an audit is triggered.

How Vendors Change Terms to Their Advantage

Michael Corey:

And what about the vendors slipping in new terms, or trying to change the contract, that people forget that when they make these purchases, it’s commonplace for the vendors to try to move the contracts forward and change the terms. And for Oracle customers, a lot of them have terms that are really to their advantage, that they don’t ever want to lose or give up, which is why it’s so important to have legal involved, it’s so important that people like LicenseFortress involved, so you don’t give up these rights that you already have.

Art Beeman:

Exactly.

Rich Gibbons:

That’s a really good point. And I remember reading last year or the year before and it wasn’t Oracle, but it was one of the other usual suspects, it was Micro Focus or Quest, I think it was Quest. And there was an organization, they’d bought say 30,000 licenses under an agreement in 2015, which had certain terms, and then they bought a handful of licenses, 30 licenses on an agreement from 2019, and that had more restrictive terms. And the way the vendor looked at it was, right, all your licenses now have this more restrictive term because our new agreement supersedes and overrides all previous agreements. And that’s the kind of thing, if you’re an IT professional, you’re not going to think to yourself, they might try and do that to us. So I think that goes to that point around them trying to slip in new terms and make changes. Would you say, should you have legal review every time you buy something, should you have someone review the terms and conditions of what you’re purchasing?

The Dangers of Click-Through Licensing Agreements

Joel Muchmore:

You just got to. I mean what you describe is one of the most pernicious uses of click through licensing, that Quest and Micro Focus were doing, which was a literal substitution of the entire master agreement with a new one. So it did, it changed everything that they had been licensing, going way back decades and the terms for every single license. And admittedly, that’s more of those new folks, the tier two licensors are doing that. Oracle and Microsoft and the others, are a little bit less overt about it, that I have not seen an instance where an entire master agreement was substituted for every license they owned, but they are definitely pressing for a new master agreement and getting more and more aggressive that you have to sign the O&A regardless of whether or not you’ve been purchasing pursuant into an [inaudible 00:21:54] since 2001. Every ordering document has new terms, whether it’s subsidiary use, whether it’s territory use, whether or not it’s how you can back up the incorporation of licensed definitions and rules, every one of those changes.

And if you don’t have somebody paying attention to that, that can either shore it up, keep it consistent, or at minimum, give a heads up and say, “Look, they may insist that you sign this but if you sign this, here is what’s going to happen, and you have to be careful with that going forward.” And then even the most innocuous Java purchases and installations, they’re just throwing up a new sign in screen all the time, new rules. We have clients that have, as far as I can tell, 15 different Java agreements controlling how they have it splayed throughout their organization, is just too much. Somebody needs to keep track of this, it can become almost a rubber stamp, it doesn’t have to be complicated, but somebody who knows something needs to look at every one of them.

Reviewing Contracts to Avoid Future Costs

Dean Bolton:

And I just want to second that, it’s one, the dollar figures involved are just too great. And even if it is something as simple as taking an hour to compare this ordering document or this support renewal, against last year’s and flagging the terms and asking a question, because you could have millions, tens of millions, we’ve seen hundreds of millions of dollars at stake because of these terms. That’s worth an hour of everybody’s time. Maybe there’s a couple billionaires out there where it’s actually not, but they can do their own thing, everybody else, you should check on that. And it’s because we’re seeing all of these things, the intentional ones, like Joel said, from some of these tier two vendors, but just natural and normal changes and focused changes too. We’ve seen a number of ordering documents where the customer will just, by default, get terms that limit the territory.

You’re a US based company, so the restrictions limited to that territory. Well then natural mergers and acquisitions, divestitures happen, you’ve got an issue around that. And we’ve had a number of customers where when they entered in the agreement, cloud was an afterthought, it wasn’t even on their horizon. Well five years later, now cloud first is the strategy they have, those old licenses, do they apply, can they use those, are they counted in there? And it’s just all of these little things that come together for both intentional and natural changes that occur in there, that just need to be considered in addition to just the dollar figure of what you’re buying in there. So I think all of us would say, yep, you got to do it. Most of the time it’s going to be very easy, but you need to have that review, that formal process internally and using external experts, if necessary, to make sure that you’re avoiding all of these pitfalls.

Art Beeman:

Just to provide context here, in terms of the parties with the law, at least US law, we talk about the licensees sometimes and we use the word consumer. Under the applicable law, UCC or otherwise, in the United States, and regardless of which state of the union you’re talking about, most of these licensees, if not all of them, would be viewed as sophisticated commercial parties. In other words, they would be viewed under law as parallel to a vendor like Oracle or Microsoft. You’re in the business, we’re assuming that you understand, as a business, the terms and conditions of contracts you sign, including amendments to the contract, et cetera.

You’re not the consumer of, by way of example, a drug or an automobile or something where the law perhaps can lay out certain conditions and protections for you as a classic consumer in the market of a consumer product. The law typically in these transactions involving ERP contracts, will view the licensee customer as a sophisticated commercial entity and they will get the benefit of no presumptions in their favor as the innocent or naive consumer gets with certain other products, classic consumer products in the market.

Changing Mindsets: Licensees vs. Vendors in Compliance

Rich Gibbons:

That’s a very interesting point actually, because I think people, IT, asset managers, licensed professionals, they won’t see it like that. They will absolutely think of themselves as the typical consumer, you’ve bought the thing because you need it, but you don’t really understand it, how could you. So it’s probably just setting that expectation for people listening, that if it gets that far, you’re considered an equal of Oracle or Microsoft when it comes to understanding the contract and licensing terms. That may well be the impetus needed internally to get the, whether it’s extra manpower, extra budget for an external review or something. If you say to your leadership, “Look, if this goes to court, we’re considered equal to Oracle, so we need to do something to give ourselves a fighting chance.” That’s very interesting to learn that out, thank you.

So just with the whole, we’ve kind of touched on it a little bit, Dean, the sort of soft audit things, they don’t really look like an audit per se anymore and it sounds like they’re becoming more and more common from Oracle and from some of the other vendors. And I guess something, how do you defend against, an ITAM audit defense is a really big thing and you have your checklist and when you get the letter, you do X, when the vendor turns up with the briefcase, you do Y. If that’s not happening anymore, what’s a customer supposed to do to try and protect themselves?

Defending Against Soft Audits

Dean Bolton:

Yeah, I mean it’s a great question, Rich, and it is a very dynamic environment. The vendors are changing how they do these and so it makes it difficult for the customers to figure out how to handle each of these different scenarios. The biggest one that we see right now is definitely Oracle around Java. I mean they acquired Java with Sun back in 2010, they made an announcement around the change to Java licensing for Oracle’s IP in 2000, I believe it was 2017, to take effect in 2019. And customers are still trying to figure it out on how to deal with it. And Oracle is making it difficult because they’re saying that they have to involve LMS, their audit division, to sell customers Oracle licenses. So it makes it a very, very difficult landscape to navigate. What we’ve advised customers to do is to treat it like a formal audit. It’s an adversarial engagement with them in there, and you have to be prepared to get all of your ducks in a row, understand exactly what your requirements are, disclose as little as possible and potentially press points quite thoroughly with them.

Now these soft audits we’ve seen from Oracle for, I think probably since April of 2019 at this point, maybe shortly after that. But just to the point of how dynamic it is, Oracle started officially auditing for Java as of earlier this year in there. Right now it’s still in a declarative format, where the customer basically has to provide details. There’s not a lot of review, technical review of that currently. We saw this before with Oracle and about a year and a half, two years after they start via formal audits, they get into the technical details. And so we think that’s tracking along too, that if you do get audited by Oracle for Java in January, I would say by July of next year, January of 2024 at the latest, there will be the formal process with the technical review component of that.

So it’s dynamic, it’s shifting, we’re trying to keep on top of it. It’s a little bit easier for us because we’re advising dozens of customers all at the same time, to get that view of it. But customers really do have to just treat it like a quote, unquote “hard audit” even though it might not be quite that yet.

Navigating Soft Audits vs. Formal Audits

Michael Corey:

Right. I was just going to add one more thing. When you are formally audited by the vendors, there’s a certain playbook that you follow, single point of contact to the vendor. Customers say, “Oh it’s just a soft audit, we’re just having a conversation,” and they don’t protect themselves. And once something’s said to the vendor, it’s very difficult to undo it, it’s very difficult to move the goal post from the right to the left. So just spilling this is how many licenses we have, then when you see the number of what it costs you, well maybe you might have redeployed the licenses to bring that cost out. Well it’s very hard to change the vendor’s mindset when they see dollar signs and they’ve got a quoted [inaudible 00:31:43] and they think they’re going to sell 2,000 licenses, not 500 licenses, though both could be set up in your environment legally and meet your company needs. So just remember these soft audits go back to the vendors of finding it an easy way to get the information they need because you’re not protecting yourself the way you would during a formal audit.

Using Contractual Protections in Software Audits

Joel Muchmore:

Well in fact the contracts … oh sorry Mike, I didn’t mean to jump in.

Michael Corey:

No, no, go ahead.

Joel Muchmore:

I was just going to say, the contracts themselves have limitations that help the licensee in the case of an audit. I mean Oracle famously has not unreasonably interfere with your business practices and you can kind of bandy and use that and be circumscribed in what you give them and be very careful, it is a built in protection. When you’re in soft audits, there’s no protection whatsoever. Art has coined the term that I like on this, free shots on goal. They just ask for information and if you get it, they say, “Great, maybe there’s more,” and you can’t really stop at any point, there’s no reason to stop giving the information as they ask for it. But then I stress to everybody, there is no self-reporting requirement in an Oracle or really any other agreement that I’ve seen. There’s nothing that says if they come and ask for what you’re doing, you got to tell them or you have to on demand provide information there.

There’s no requirement to do that, you police yourself until they audit you, and most people don’t realize that. We’ve actually seen in these soft audit situations, the salesperson say, “You have to give us this information.” And then I say to the client, “You do not need to give them that information. You need to be compliant, you need to be careful, you need to pay for your licenses and if you’re in an audit, you need to give them information.” But in a soft audit and just where they’re sitting there trying to gather up this information that they want to, you don’t got to tell them anything. You have no contractual or reasonable obligation to spill information when they start asking for it.

The Risks of Soft Audits Leading to Litigation

Michael Corey:

And Joel, didn’t you share with us recently, a company that was going through a soft audit that ended up in court, based on some things that were said?

Joel Muchmore:

Well, that is our assumption as to one of those two litigations that Oracle filed back in the summer of 2021. There was NEC Corporation and Envisage, NEC was in the context of an audit and Envisage was not. And so our reasonable speculation was that they had been just asking a bunch of questions and then had kind of just went radio silent, and then Oracle dove in on the litigation route. We have not seen, that I’m aware of and I keep a pretty close eye, any litigation against licensees by Oracle since then, and we don’t know whether or not that was a spike that was intended to send a message to the market, whether or not there were just two good back to back cases for them to do, or really what the status is. We’re constantly thinking about Oracle’s litigation playbook and there just aren’t that many tea leaves to read from, other than they don’t do it a lot. Then when they do it seems to be sending a message and when they do it seems to be because somebody went silent.

When I say, by the way, you don’t need to give them information, that doesn’t mean stop responding to emails. You got to keep them engaged until they naturally go away. But no radio silence, don’t stop communicating because that’s punching your ticket to a termination or a litigation.

Best Practices for Communicating During Audits

Michael Corey:

I was going to say, at the same time, don’t have diarrhea of the mouth, don’t give them too much information. Go back to what Dean said, which is figure out, get your ducks in a row and then communicate with them in a very precise way so that they get what they need and you pay what you’re obligated to pay and no more.

Art Beeman:

And I think to some degree, and the terms emerge as they emerge in describing phenomenon, but if ever there was a misnomer, it would be using the word soft in front of what’s going on here. Because it is highly, highly perilous and fraught with risks for your business if you are gratuitously providing information pursuant to what you believe are innocuous questions, all under the umbrella of a soft audit. And in many ways, in our practice at Beeman & Muchmore and our partnership with LicenseFortress, we’ve seen more legal risk created by clients responding to so-called soft audits, than clients engaged in formal audits.

Because when you’re involved in the formal audit, it’s somewhat akin to litigation, and if you put on your armor, you know that hey, game on. The soft audit is almost like finding out, hey, you’ve been stepping to the plate and just swinging away and you didn’t realize that they’re actually recording and they’re recording the strikes and the outs and the hits and everything. You thought, I didn’t know we were playing this game. Well you are, and there’s really nothing soft about the potential consequences. So the watch word here is vigilance, you just have to be careful.

Rich Gibbons:

That’s very good point about the term. Maybe we should try and rename it because a soft audit does sound less worrying, less dangerous. Maybe there’s a kind of call to action for the listeners, if anyone wants to email us with suggestions for a new term.

Art Beeman:

I actually have a suggestion, and this is borrowed from my patent litigation days. We called the stealth patents, which were all of a sudden asserted because the patent holder was laying in the weeds waiting for certain dates to come, we called them submarine patents and then out of nowhere, boom, you would be sued on a patent where you had no idea for decades that you were infringing. We could call these submarine audits. In other words they’re under the water, but that’s the consequence, they can still fire torpedoes. Just a proposal, I’m not saying it’s going to go anywhere-

Joel Muchmore:

Although you said stealth, which I thought would also be a good idea. Stealth audits.

Art Beeman:

Yeah. Anyway, we have to run to the PTO and get a copyright of registration from [inaudible 00:37:59].

Rich Gibbons:

We might as well combine the two and call them stealth submarine audits. So I’ve got a couple of points that I want to try and sort of loop together. So we’ve talked about the fact that these submarine audits are always happening. So when we were talking earlier about the need to review contracts, review terms, et cetera, what we often see in reality at the moment, is people review things just before they get an audit, when they think it’s about to happen or just before they’re about to do a renewal. And really, in both cases, it’s too late because if you uncover anything, you haven’t got enough time to really look into it because you’ve got your renewal looming.

Is it something you would suggest that you have once a quarter, once a half, you pull out and you say, “Right, every quarter we’re going to review our contracts, versus maybe what’s out there in the market, just to understand what’s changing. In Q1, we do Oracle, Q2, we do IBM, Q3.” Is having some kind of process like that, is that going too far or are we looking at maybe a kind of best practice there?

Implementing a Regular Review Process for Software Contracts

Dean Bolton:

No Rich, I think that’s a great way of doing it. I think the driver for it should be the frequency of the contracts or the renewals. So there’s no point to renew or review Microsoft four times a year if the renewal is annual, same thing in there with Oracle, but staggering them across your calendar to line up with that, I think is a great way, a great first step. I think we would all say the best time to start reviewing this and to check on everything was yesterday, the second best time is today. And so it’s not too late. And I think it also just plays into one of the other points, is that these support renewals are an easy way for customers or for vendors to drive the revenue. I’m not sure if you’ve seen or people listening are aware of this, but Oracle has recently made a change so that they can now increase their annual support uplifts from 4% to 8%.

And while that doesn’t sound like a huge amount in there, basically that means that before, at 4% it took 18 years for your costs to double, at 8%, now it’s nine. So in that same time, 18 years, you go up another factor of two in there and those prices can start to eat away very quickly. So I think those are exactly the things that need to be reviewed at least every year for these big vendors, where it’s looking at what’s your spend, how to get that aligned, what are the contracts themselves, do that full review or find a firm that can help you with it in there, to take a look at it and be aware of it, because you can end up paying a lot more than what you expected, even if you had great discounts at the onset.

We’ve seen customers who have been able to negotiate 70, 80% discounts 10 years ago. Well that was great then, but those annual increases have caught up with them and now, in a lot of cases, they’re paying more than list price for some of these renewals. And so if you’re not reviewing those type of things on a regular basis, you’re leaving probably a lot of money on the table and paying more than you need to.

Joel Muchmore:

Dean, are you actually seeing 8% increases? I know that they made that a possibility, but are they actually doing that on their support renewals?

Dean Bolton:

We have not seen any customer get their renewal yet since that contractual change was made. So no we haven’t, but we’ve just seen that change with Oracle’s new fiscal, which was just in June of this year. So I anticipate with some renewals coming up, that it’s going to come through. I don’t think they did it just for giggles basically, but no, not yet because of the [inaudible 00:42:25].

Rich Gibbons:

Sorry. Do you think they could be doing it as a negotiation tactic? So even if they never actually put something through at 8%, now there’s always the, oh well if you buy Oracle Cloud from, or if you do this, we could double your support but we won’t do, we’ll keep it at four. Do you think they might be using it like that as well?

Dean Bolton:

It could be, but Oracle is, them specifically are very reluctant to negotiate on support. And so before, they had a 4% cap on it for a couple of years, in general, they only increased it 3% in there, so that it gave them the right to go there, and now with 8% they have the right to go there. But we’ve seen Oracle be fairly restrictive on that, it is difficult to negotiate those renewals in terms of the uplift that they decide to drop on there.

Michael Corey:

But to me, this is part of the COVID effect. All these companies saw impacts to their revenue directly as a result of COVID, and now they’re looking for ways to increase revenue, acquisitions only get them so far. And so this is an easy one, software audits, the more audits I do, the more money I generate. Gee, I can go back to my base and maybe if I go from 4% to 8%, well we’re in inflationary times, what a surprise. But what I found most concerning though, beyond all that, was in this survey it said 67% report they do not scan software resources configuration as part of this software asset management policy. They’re not keeping their house in order. With Oracle, there’s no license keys. And the decade that we’ve been looking under the covers and helping people, we’ve yet to find somebody 100% compliant, think about that.

So you are making yourself an easy target if you don’t control your own house. So part of controlling your own house is knowing what you’re deploying, where you’re deploying it, how you’re deploying it, what options you’re using. Another part is making sure that as you buy software from the vendors, you don’t let changes happen to the contracts that could hurt you. But to me, that 67% are not doing monitoring their own case, well no wonder why the vendors are doing this and they’re all doing it. Number one’s Microsoft, number two is Oracle, number three is IBM. And oh by the way, Oracle’s claim to fame here is that you’ll pay more to Oracle than any of the other vendors, IBM’s right behind them, and then of course Microsoft. So they have a right to be paid for their software, but you don’t have to overpay them.

Rich Gibbons:

Yeah, I think that that’s the takeaway that with all these conversations about audits, none of us are saying underpay or hide what you’re using, et cetera, but you don’t go the other way. I did see in the survey, something that tickled me slightly, that Oracle was apparently the second most friendly company to be audited by, which doesn’t quite match up with all the stories that we hear at our conferences. But it did remind me that when we, ITAM Review, did an audit survey towards the end of 2020, IBM managed to come in the top three for the most helpful vendor to be audited by and the least helpful vendor to be audited by. So there’s some kind of Schrödinger’s auditor, whereby go down bad simultaneously.

And I guess that serves to illustrate somewhat and the fact that Oracle were rated to be friendly, that no audit is the same, they’re very, very much like very expensive snowflakes. And that as an end user, as a customer, even if you are being audited frequently, you’re only going to see one or two audits a year, or every couple of years. So whatever information you have will be two or three years out of date, it might be pre COVID information that you have as to what an audit looks like. Whereas third party, such as yourselves, are seeing multiple audits in a much shorter time. So does that give you the ability to see changes in trends faster than a traditional customer would?

The Impact of Changing Auditors on Compliance Outcomes

Michael Corey:

So a couple things, I just want to jump in, a couple of things, first of all, it’s the luck of the draw who you get for an auditor. Ironically, one of the things that’s really important is that when you finish an audit, you have to make sure that the close doesn’t allow them to reopen something that’s already been closed. We’ve had a number of audits come along where they were old customers, they had certain agreements on how they’re going to report the numbers, and then a new auditor comes along and they want to ignore three previous audits and go down a whole new path. So I would argue that it’s the luck of the draw of the auditor and making sure that you’ve lined up your ducks, and that when you close out an audit, you don’t leave the window open for them to reopen something that was previously decided. Sorry, and then Dean?

Dean Bolton:

And I was just going to echo on that, that it is kind of, each one is a little bit different, but some of it, I think, Rich, to your point, is that because we see so many of these, we do have a different view of it. But the vendor audits you and says you owe $5 million and then negotiates down to one million and you can afford that, no heads roll at your company, and then there’s not long term impacts of that, you might not think that’s such a bad deal. Now if we go in and take a look at it and it turns out you only owe 100,000, you paid a million for it, I think that’s a terrible deal.

So it’s all about the perspective in there and each case might be friendly, they might have taken your million dollars with a smile on their face, and you think it was a great result because you’ve saved four million in there. But it is kind of custom in there and it just depends, but I think it does become just an issue where seeing more gives you a better view of the industry side, and this survey, I think, is a perfect example of it.

Art Beeman:

Well let’s focus also on the terms being used here, and I don’t want to make this a semantic exercise, but someone being friendly is not necessarily someone being fair. I mean I spoke at the outset about my litigation experience and the courtroom battles, let me tell you, the lawyer on the other side I feared most was that friendly person who just always had a smile, and that sensation I had in my side was the dagger he was putting in me. And so the point being, friendly is its own thing, that means that perhaps that they were professional, but I would never assume that any vendor is making an effort to be fair or equitable or even handed. To Mike’s earlier point, it’s about revenue, they want to maximize the dollars.

Joel Muchmore:

Well, and just being fairly quippy, if you want to see a friendly vendor, switch to an unfriendly one, tell them that you’re not going to pay too much and you’re just going to pay what you owe, and then you might see that one change really quickly.

Art Beeman:

No doubt.

Dean Bolton:

It’s funny, during this we talked about an adversarial relationship and it’s not that we try to approach it in a negative way, but I think go right back to what everybody said, you may think that giving you a good deal. We had one customer where the Oracles threw out a number of 50, 60 million, wanted to do a quick close at eight million. We look under the covers, they owe $160,000. And by the way, had we not been brought in because this particular vendor got negative on them and then they realized maybe this eight million deal wasn’t such a good deal, and my God, did they get a surprise when we say, “You owe $160,000, that’s what the contract sets.”

And it’s why we take the approach, we want to sell you a long term service, we have access to lawyers, Beeman, and we want to be with you at every step of the way. So as you deploying software, we can help you avoid all these pitfalls. Because remember, Oracle makes great technology, Microsoft makes great technology, nobody disputes it, IBM makes great technology depending on which camp you’re in, and they want long term business from you. But the second tier vendors, I’m not so sure I agree they care whether they have long term business.

Key Points to Focus on After a Software Audit

Rich Gibbons:

Yeah. And I guess on that point with the secondary vendors, the OpenText acquisition and Micro Focus, I think it’s probably fair to say that that is going to result in more audits, that they’re both pretty aggressive. So I assume an aggressive auditor, plus an aggressive auditor, can only equal an even more aggressive auditor. And I think that’s something that we try and help our audience with, but I think people should do it. We help people keep track of who’s acquiring who, who’s just had venture capitalist money injected into them and things like that, which they’re not what people would consider traditional IT asset management. But I think for all these things that we’re talking about, understanding as much as you can, who is on the other end of the phone, who is asking these questions or if they’ve never asked these questions before, why have they started now?

If you can see, oh, they’ve just been acquired by a particularly audit focused company or venture capitalist, that might be the thing that helps you, as we mentioned earlier, put your armor on at the right time to answer those questions. So I think we see some people saying that audits are going away, cloud means that you don’t need to worry about audits, and IT asset managers should be focused on something more positive than audits. But I think as we’ve seen in this conversation, as technology changes, as business changes, audits are just changing along with them, and cloud brings its own concerns, which is probably really a separate conversation in itself almost. But I think no matter how technology is transforming, I think for asset managers, keeping up to date with vendors shenanigans and audits and things, is always going to be a significant part of their time, I would say.

Michael Corey:

It’s funny, the survey does a nice job of talking about the fact that moving to the cloud does not alleviate these issues. In fact, quoting the survey, close to eight in 10 enterprises reported software compliance issues have either increased or remained the same after moving to the cloud. So while I think the cloud is a long term strategy for companies, it’s not going to make these problems go away. And by the way, Oracle’s been talking about DBAs going away for, Larry Ellison announced we wouldn’t need DBAs, what, 30 years ago, at this point, 20 years ago, and DBAs are still here and strong. So I can tell you, given that it raises revenue, software audits are not going away.

Final Thoughts

Rich Gibbons:

Yeah, yeah, I think you’re right. That’s the main thing, that’s why acquisitions usually spark audits because you’ve just spent six billion or whatever it might be, how would you get as much of it back as fast as you can? You go and mop up all the alleged underpayments. So I’m conscious we’ve been chatting for nigh on an hour and I feel like we’re only just getting started to be honest, but we will need to draw this to a close.

So I guess I always like to try and finish on a takeaway or a more uplifting note, so I’m going to put each of you on the spot a little bit and just ask you, what’s the kind of one thing that people listening should take away, or the one thing that they should do when they close the media player, to take action on some of the things that we’ve spoken about today. And I’m going to go in the order that you are on my screen, it’s alphabetical, so that gives you a little bit of an idea of where I’m going first, hopefully. So Art, what is your kind of key takeaway for the listeners today?

Art Beeman:

Well, and I want to thank you for the time and ITAM for the time and this discussion, which I know I have very much enjoyed with my colleagues. I think the takeaway here is know the rules of engagement, know what you’re involved in. No one sits down behind a chessboard and tries to play the game without knowing the rules. And the rules of engagement with the audit, as we’ve tried to underscore, generally people know what’s up because something formal has been invoked, but still take the time to understand the rules there, as Joel pointed out earlier, which relate to the reasonableness of the audit, you want to know what you’re involved in. The so-called soft audit, which maybe from this point forward will be known as the stealth or submarine audit, you have to know and understand and appreciate the perils when you are disgorging information upon the request of a vendor.

Joel’s point earlier, that you don’t owe them anything in that situation, is incredibly important. And that doesn’t mean you disappear, but it does mean that you need to know your leverage point. And if you’re not obliged legally to give some information, some data to the vendor, then they better have a pretty good reason to be asking for it. And you probably should have a pretty good reason to impart it to them, or for that matter, even set forth conditions for the transmittal of the information. But you have to know what you’re involved in, and I’ll just put the headline on, know the rules of engagement.

Rich Gibbons:

I like that, that’s a good takeaway for sure. I like the chess analogy of understand the rules before you start playing, I think that’s good advice for all walks of life, I think. Maybe we can branch out from talking about software and just talk about life in general on the next one. So next up is, Dean.

Dean Bolton:

All right, well thank you to everyone for listening. I agree with everything Art said. I think my takeaway would just be this is complex and dynamic and I agree with what Art said, that you have to know the rules of the game you’re playing, but I started as a DBA, I know day to day DBA tasks and it does not involve all of this stuff. So I think my takeaway from this would be that this is complicated and because of the dollar figures that can be involved, because of the pitfalls that can be involved, I would say it needs to be treated with a lot of seriousness in there. And that could be a dedicated internal team for the customer, it could be external experts to help with that, but just understand that this is a shifting environment.

We do this all the time and it’s difficult for us to keep on top of it. And so I think if you’re trying to do this in addition to another job as kind of like your side gig, that’s a great way to run into problems. And so treat this with the care it requires, the seriousness it requires and go from there.

Rich Gibbons:

Great advice, as always. I think you’re right, I find it with Microsoft, that it keeps me busy just tracking all the updates and the changes. And if I had, as you say, an actual, another job to do primarily, there’s no chance. And maybe easier said than done, but as you say, internal resource or budget to pay a third party to bring you up to speed quarterly or annually, I think would be money well spent for any organization. So thank you very much. Joel, what’s your key takeaway?

Joel Muchmore:

Again, I agree with what everybody has said about being careful, being vigilant in everything, but I just want to drill down on just a data point that kind of borrows on what you were talking about earlier, Rich, that I think does bring all of this home. You had mentioned, of course, that Quest and Micro Focus are most recently that OpenText has purchased, and are entering the fray and having the aggressive auditor on top of aggressive auditor. If you just look at the numbers, when Micro Focus originally sold back in 2014, it was for 1.2 billion. They then entered their aggressive process of auditing, and they just sold to OpenText for six billion. Quest sold to Francisco Partners and some other venture capital groups in 2016, for two billion, tripled that when they sold to Clearlake for six billion in 2021.

So let’s just say that aggressive auditing and making everybody hate you and becoming the prize of the business, is good business, and it is causing these companies to have extraordinary gains when they get sold again on the market. So my takeaway would be past is prologue, it’s working, just don’t be a victim to it as it spreads across the country and spreads across this industry.

Rich Gibbons:

That’s very interesting, those numbers, because I think people, when we talk to people about aggressive auditors, everyone kind of looks at it from an individual perspective or a human perspective and they kind of think, oh, surely they can’t carry on being this aggressive, no one likes them. And that’s sad. But as you’ve shown there, if you can triple yourself up to six billion, anyone who’s watched any Netflix program about venture capitalists, understands that tripling your money is way more important than anyone liking you. So that’s interesting to people to understand the frame of reference, it’s not about whether everyone hates them or not, it’s are they now worth four billion more than they were a couple of years ago? So yeah, some great numbers there. And then you’ve got perhaps the hardest job of all now, Mike, you’re alphabetically last, so you have to try and think of something that no one else has said. But yeah, over to you to wrap us up.

Michael Corey:

Yeah, I guess I would go back to basics, get your house in order. Just as you would get an annual financial audit, at least once have a vendor like a LicenseFortress come in and determine if you’re in software compliance. I can tell you, after a decade of doing these, we’ve yet to find a company that we could say was 100% compliant because then when you know what the issues are, it’s easy to correct them, so when the vendor does audit you, it’s not a problem, and then long term, come up with a strategy. It really bothered me when 69% of the survey respondents said they don’t have any way of monitoring and keeping their environment in compliance. That’s just putting your head in the sand and making yourself an easy target for the vendors. So like I would say, just get your house in order so you have time to deal with it, so that it’s not a problem during the next audit.

Rich Gibbons:

Completely agree. And I think that last point probably speaks to the need for IT asset management to be more prevalent and more resourced within organizations. We still see a surprising number of organizations that are surprisingly large, which have little or no asset management capability internally. And ITAM Review, we talk about, you wouldn’t have a business without a finance department, without a security team, why would you have a business without an IT asset management department or software licensing management? And so I completely agree with you there, Mike, that as long as there are software vendors, there will be software audits, so being able to protect yourself is fundamental to good business, I would say. So on that note, I want to say thank you as always to all four of you. This has been a wonderful discussion, I very much enjoyed it. I think we’ve covered a lot of great topics, which will hopefully spark actions and thoughts and improvements for all the listeners. So yes, thank you all for your time, it’s been really, really appreciated.

Art Beeman:

Thank you.

Dean Bolton:

Thank you.

Joel Muchmore:

Thank you.

Rich Gibbons:

And then thank you to everyone listening to this podcast. Any questions, feel free to get in touch with us at ITAM Review, connect with the speakers directly on LinkedIn and get in touch that way. But yeah, I hope this has been useful and I will see you all on the next podcast. Thank you very much.