Eight steps to reduce exposure to a software piracy audit

January 16, 2011 10:02 am

By Alan Plastow, The Institute for Technology Asset Management

Software piracy audits (also known as compliance audits, license reviews, or software audits) can cost even the smallest enterprise more than $2,000 per computing device in fines and penalties. If your enterprise cannot produce a baffling array of documentation, in a specific format, within a very short time span, you will find yourself the victim of yet another software piracy settlement: a statistic in the ‘War on Piracy’.

What is software piracy?

Are there genuine software pirates operating near you? Absolutely, and I’m sure we all agree that those who intentionally violate copyright should be brought to task for their violations, whether in software, graphics, fonts, audio, visual, gaming, or other formats. However, as business owners and managers, what we see as common errors in technology life cycle management are being utilised by entire industries as excuses to conduct ill-defined punitive audits of our enterprises, frequently accompanied by crippling fines and penalties. The lines between genuine pirates and typical business users have been blurred so that every enterprise has become an easily convicted piracy suspect, regardless of intent.

Companies need to understand a fundamental truth: there are literally no rules regarding software audit methodologies. In your enterprise, the license for each software title clearly states that the copyright holder, or its representatives, has a right to audit you for compliance. In 99% of those licenses, you will find that that is the only reference to compliance auditing. You will not find a clear definition of audit triggers, required documentation, longevity of retention, audit processes, or any of a dozen key essential expectations. In fact, if cornered, nearly every copyright holder will define each of these expectations in a different manner.

Also, you must keep in mind that it is virtually impossible to deny a copyright holder the right to audit your environment for compliance. Once notified of the intent to audit, you must comply or face rapidly escalating legal action.

The eight keys to a compliance assurance wall of due diligence

For our immediate purposes, we’ll consider compliance to involve your ability to deliver the minimal essentials during an audit. If you start locating and isolating these essentials now, before you are targeted, you will be well ahead of the punitive auditors when they come calling. Consider the following keys in terms of preparing your company to confront the inevitable. You must have:

  1. A clear and accurate inventory of the specific copyright-protected products that are actually loaded on each computing device at any given location
  2. An original license covering each copyright-protected product in your possession
  3. One or more acceptable proofs of purchase for each product you possess
  4. If required, an original proof of authenticity for each product in your possession
  5. If required, the original media on which the product was delivered
  6. Any license key or activation code for each product in your possession
  7. In some rare cases, the original user manuals
  8. Clear and substantive documentation proving that the numbers and types of licensed products actually in use on your systems match, and do not exceed, the number you are legally entitled to possess

Bonus key – bring all of this information together in a central location and secure it. Keep it up to date and ready for the auditors.

My guess is that you and your enterprise, along with a majority of other enterprises around the globe, will be hard pressed to produce this critical documentation. The key to minimising your exposure to piracy audits (software license compliance audits) is to be proactive in your due diligence. Reactively responding to an enforcement agency audit will always be more costly, as well as substantially disruptive to operations. Avoid reactive responses if at all possible. Establish your own compliance assurance wall of due diligence.

Alan L. Plastow, MAT, PMP, SAM, TPM, is the founder and CEO of The Institute for Technology Asset Management. The Institute is a global non-profit association of technology asset management professionals providing cost effective, supplier-neutral, and competency-based training, credentials, and technology portfolio management resources to practitioners and enterprises.