Business Law Today

January 2023

Key Readiness Tactics for a Software Audit, Part Two: Contractual Strategies to Mitigate Risk

Andrew G Geyer, Christina Edwards, and John Gary Maynard

The Great Recession taught an important lesson: if economic pressures prevent your organization from buying new software, then be on the lookout for an audit of your existing software licenses. Software vendors have seized upon noncompliance issues as leverage in convincing reluctant customers to buy new products.

For the past fifteen years, we have advised clients on how to manage software audits, even litigating when necessary. Over time, we’ve seen audits become consistently more sophisticated—employing well-known consulting firms, elaborate and tricky reporting mechanisms, and vendor-friendly scripts or automated review processes.

In part one of this two-part article series, we delved into the steps of a software audit and tips for managing audits. Now, in part two, we will explore ways to improve your license agreements to limit audits or avoid them entirely.

Part Two – Contractual Strategies to Mitigate the Risk of Software Audits

By Andrew Geyer and Christina Edwards

Drafting the Scope of the License to Align with Your Anticipated Use

When preparing and negotiating your license agreements, it is critical that the license grant is comprehensive, accurate, and clear. This process must be supported by a business team with a thorough understanding of who will be using the licensed product, why the organization is procuring the licensed product, and what purpose it is intended to serve.

Intended Users

First, you need to understand who will use the licensed product. This involves an analysis at both the entity level and user level. Consider whether the contracting entity will be the only party using the license or whether the license should extend to the contracting party’s affiliates, business partners, third-party service providers, customers, and other third parties. Once you have determined which entities may need a license, you need to consider which users will need access and how the term user is defined. Vendors often limit the definition of users to named users and limit how licenses can be transferred or reassigned. Closely review any restrictions on seat counts or other licensing metrics and ensure that you are purchasing enough units to cover your anticipated population of users (see recommendations regarding excess usage below). When licenses are restricted by units or quantities, it is important to consider limitations on transferring and reassigning licenses between users. If relevant to your business concerns, negotiate the ability to freely transfer or reassign licenses; if you cannot obtain the unfettered right to do so, provide for a certain number of transfers and reassignments per license over a certain period of time (for example, provide that a license can be transferred or reassigned up to two times in any contract year). Without the ability to reassign or transfer licenses, even ordinary employment changes such as resignations and reassignments can create situations where licenses are fully paid but unable to be used.

Intended Use

Now that you know who will be using the licensed product, you need to determine how they will be using it. Be sure that you have the right to access (including remote access), use, load, and install the product, and consider whether you will need to copy, distribute, make, have made, incorporate, combine, sell, offer for sale, develop, maintain, or make derivative works of the licensed product. This analysis involves a review of both the license grant and any restrictions on usage. First, you should revise the license grant to expressly permit the anticipated usage. Second, you need to closely review any sections of the license agreement that detail restricted or prohibited uses of the licensed product. While it is always wise to include an “except as otherwise permitted herein” proviso at the outset of the restricted or prohibited use section, you should also delete any restrictions that conflict with your anticipated use of the licensed product.

Intended Products

Watch out for licenses that are limited to use with a specific product. If the license is limited to use with certain products, carefully consider how such products may change in the future, and draft the restriction as broadly as possible.

Unintended Geographic or Location-Related Restrictions

Finally, make sure the license grant is not limited geographically, especially if your intended use or users may have cross-border implications. Depending on the type of licensed product, the license agreement may also require that the licensed product is and remains installed or hosted solely by you and on specific equipment or servers. Consider your technology infrastructure, information systems architecture, and potential future plans as they relate to outsourcing or migrating to the cloud, and ensure that you are providing your organization with future flexibility for continued use of the licensed product.

Protecting Yourself from Indirect Access and Excess Usage

Once you have clearly established a comprehensive and accurate license grant, you need to protect yourself in the event that you exceed the scope of the license. This is a real and present concern that you must consider when the license grant is tied to a specific number of users or units. To mitigate this risk, add provisions to the license agreement that address indirect access, and provide the vendor with a sole and exclusive remedy for excess usage.

Indirect Access

Clearly define what does and does not constitute “access” or “use” for purposes of the license grant. The license agreements of certain vendors require you to license users who are not directly accessing or using the licensed product—so-called indirect access. Indirect access can occur when a company’s employees or business partners exchange information with the licensed product through another application or application interface without holding an individual license to the licensed product. To prevent indirect access claims, add language stating that only individuals directly accessing and using the licensed product are considered users for purposes of counting the total number of users and that any indirect access or use by any individuals, bots, sensors, chips, devices, etc., including third-party platforms or third-party software connected to the licensed product, are not chargeable.

Sole and Exclusive Remedy for Excess Usage

Without the contractual protections discussed in this section, if you exceed your license grant, you are in breach of the license agreement, which can result in damages, termination, and copyright infringement claims. To protect yourself from these risks, you should include an excess usage provision that gives the vendor a single remedy in the event of excess usage, namely, the receipt of additional fees for such usage. The provision should state that the vendor’s sole and exclusive remedy for any usage in excess of the number or nature of users provided in the license agreement is to collect additional fees from you for such use. Provide further that the license fees for such excess use should be charged at the per-unit fee set forth in your agreement or, if no such fee is stated, should be determined based on the then-existing charges. Finally, expressly state that any excess usage will not be deemed to be a breach of the license agreement and will not give rise to any other legal claim (such as a claim for copyright infringement).

Identifying and Combating an Audit Provision

Now that you’ve carefully considered the structure of the license and protected your organization from excess usage claims, you need to address any audit provisions in the license agreement—including those that may be hidden in plain sight.

Audit Provisions

When faced with an audit provision in a license agreement, your first negotiation position should be to delete the provision and replace it with self-certification language. If unsuccessful, and if it is a product-based license (e.g., a license for software that will be incorporated into your own products), then try to limit the audit provision to a financial report audit only (i.e., the audit is limited to the accuracy of any financial reports that you are obligated to provide to the vendor). If these options are thwarted by the vendor and you must work with the language of the audit provision, consider negotiating for the following limitations on the vendor’s audit right: (i) conducting the audit only in accordance with a mutually agreed audit plan, (ii) limiting the vendor’s ability to audit to no more than once per year, (iii) requiring adequate advance written notice of an audit (at least sixty days), (iv) requiring that the audit not interfere with your business operations, (v) limiting your involvement in the audit to the vendor’s reasonable requests, and (vi) limiting the vendor’s access to only the information that is necessary for purposes of the audit.

In addition to guardrails around how the audit is conducted, you should also provide protections for the results of the audit, such as (i) requiring all external auditors to sign a nondisclosure agreement that prohibits them from disclosing the results to any entity other than you and the vendor; (ii) obligating the vendor to disclose the results of the audit to you; (iii) providing for your ability to dispute the audit results; (iv) prewiring the license agreement to include a negotiated rate for additional licenses (related to the above recommendation regarding excess usage); and (v) ensuring that the information obtained during an audit, and the results of the audit, are confidential and may not be used against you in court.

Books and Records

Always look closely for a “books and records” provision that allows the vendor to inspect your books and records. These are akin to audit provisions hidden in plain sight, and, if this provision cannot be deleted, you should consider implementing similar guardrails as suggested above.

Conclusion

In conclusion, there are now three certainties in this world: death, taxes, and software audits. While these types of audits can be challenging and strain your organization and its resources, if you have aligned the scope of your license to your anticipated use, protected yourself from indirect access and excess usage, and combated the audit provision (or eliminated it entirely), you will be much better situated when the auditor inevitably comes knocking.
