An audit clause within a software agreement is the mechanism software publishers use to initiate a software audit.
Software is not “owned”; instead, customers buy the “right to use” it. That right comes with terms and conditions, typically laid out in the software agreement, and the audit clause is the publisher's way of checking that you are adhering to them.
For example, here is an old software audit clause from a WRQ software agreement:
As you can see, the customer signing this agreement has to put safeguards in place to manage the IP it is buying access to, keep records, and cooperate with a software audit.
If the audit result deviates by more than 5% from what is expected, the customer must pay the cost of the audit and buy the missing software with no discounts applied. (This is why many organisations aim for a 95%+ accuracy rate for ITAM data.)
It’s a bit like renting a house and accepting an inspection from time to time, or buying a rail ticket and having it inspected while you travel. However, in terms of right and wrong, defending a software audit is closer to law or taxes, in that there is right, wrong, and fifty shades of interpretation in between. Hence the need for “audit defence”.
To manage risk, it is recommended that customers perform a “dress rehearsal”, or periodic internal practice audit, to prevent surprises during a real audit and to hone their processes. To do this you need to replicate the audit and be able to calculate the result as the publisher would.
To prevent abuse of the audit mechanism, and to allow customers to be self-sufficient and adhere to the audit terms, I recommend asking the following questions before agreeing to an audit clause:
As stated in the first term of the WRQ audit clause above, customers need to “implement internal safeguards” to manage the IP they are renting access to – which in practice means developing a modern ITAM practice.
An audit request can often be headed off by periodically presenting a compliance position to publishers before it is even requested, or by having a reputation for excellent ITAM. Audits are a costly exercise for publishers, and they will readily skip yours if they think it is going to be a waste of time. The certification programme now being developed for ISO/IEC 19770 will give organisations an unequivocal, independent way to demonstrate the quality of their ITAM practice.
If you have any other recommendations please contact me or leave a comment below.