March 2005

Using Legal Tactics to Defend Against Software Audits
Setting the Standard for ITIL Best Practices
The Next Generation of BMC’s Integrated Asset-Service Management Product

Using Legal Tactics to Defend Against Software Audits

When it comes to software audits, the rule is that the trade association or software publisher always has the legal advantage. Thus, it pays to know your options before you respond. Below are some points to keep in mind, with illustrative examples.

Attorney Rob Scott uses standard legal tactics when he defends clients accused of software piracy. “The difference between what we do and a professional services firm is that all reports generated by a law firm’s network are privileged and cannot be discovered in the event of litigation.” This important difference will not mean much to defendants, unless their case goes to court. If the case does end up in court, audits conducted by the defendant or a services firm can be called as evidence—potentially to be used against the defendant. Inventory details and other documents discovered by legal counsel as part of an internal investigation are covered under attorney-client privilege.

Attorney Tom Dickinson represents middle-market firms on a variety of business issues. One of his clients recently settled a dispute with the Business Software Alliance (BSA). Dickinson says the biggest mistake people make is responding intuitively to an audit letter from the BSA. His client conducted an audit and found they were 72 percent compliant. The noncompliant 28 percent was personal software installed by employees on their office computers. The company thought they had things under control, but the BSA’s lawyers insisted on fines and penalties, and it demanded that the company institute a clear software-use policy. Dickinson brought in Scott to negotiate a settlement with the BSA, saving the company time and money.

Libby Wong, an attorney in Santa Ana, brought Scott in to consult on a dispute for one of her clients. The client, a small technology company, was also the target of an audit. The company settled the case and, Wong says, Scott’s experience and negotiation tactics were instrumental in reaching a settlement. It seems that experience does indeed make a difference.

Many organizations, large and small, have tried a go-it-alone strategy with software publishers and trade associations, with mixed results. One compliance manager with a large insurance company reported that business relationships and sound negotiation practices turned a multimillion dollar claim by Adobe Systems into a less-expensive, enterprise-wide licensing agreement.

A software manager at a large financial firm reports that they have been in negotiations with Oracle for months, focusing on how to conduct an audit. According to the manager, Oracle admits the company is probably in compliance but wants to conduct the audit just to be sure (the contract gives Oracle the right to do so). Another IT manager at a midsize manufacturing company told ECP that a software publisher approached it to conduct an audit, claiming the terms of an expired agreement gave it the right to do so.

These real-life audit examples (initiated by software publishers) differ from trade association audits by virtue of a guiding contractual agreement. Even in these cases, end users would be wise to engage legal counsel—whether in-house or external—with specific expertise in interpreting software contracts. Professional services firms, including large-company auditors Deloitte Touche Tohmatsu, KPMG International and others, as well as niche players CompuCom Systems, Elements Group, Tenax, RiverBend Solutions and Scott’s firm—Scott & Scott LLP—provide audit, discovery and contract-reconciliation services. If one includes the IT outsourcers HP, EDS, IBM and Computer Sciences Corp., public- and private-sector enterprises have quite a range of options to choose from. Yet, are these the parties to bring in or represent your interests in the event of an audit? Probably not, and most likely these providers will decline to represent you in a legal dispute.

The risks of negative press and fines demand handling by qualified professionals, and, with good reason, most firms are reluctant to outsource sensitive matters, especially disputes involving legal matters, to technical services firms. If you need expert advice in this situation, it is wise to seek a third party (or parties) competent in the legal and technical issues at hand (e.g., specialized contract negotiations, business dispute mediation, purchase-price negotiation, technical review and analysis of data).

Good negotiation practice dictates that a well-prepared and informed response at the outset of an audit is more likely to result in a successful resolution. Scott says that he categorizes organizations into two types: those being audited and those concerned about compliance. His point is a good one; the service providers and tactics you take will be different if your goal is to ensure compliance. Once you receive an audit letter, the matter becomes a legal one, requiring the advice and guidance of experienced legal counsel.

Setting the Standard for ITIL Best Practices

The BSI Code of Practice for IT Service Management, known as BS 15000, is the first formal standard for IT service management developed by the British Standards Institute. Based on the IT Infrastructure Library (ITIL®), the standard specifies a set of interrelated management processes. It is expected to receive international accreditation as the basis for ISO 2000 later this year.

The Standard

BS 15000 comprises two parts. Part one sets out what an organization must do to comply and receive certification. Part two expands on these requirements to guide companies that offer products and services aimed at helping organizations meet the standard.

To demonstrate that it complies with BS 15000, an organization submits to a third-party audit of its processes. To prepare, the organization should:

- Assess and compare its practices with BS 15000 process requirements
- Study documentation requirements and specifications
- Plan continuous improvement
- Implement changes to create compliance

Compliance is tightly bound to the nature of the organization’s business. For example, large banks are expected to have strong and complex financial management processes, while a small business with few employees can have rigorous but less-complex processes.

What is a Standard?

ITIL is a framework—not a standard—outlining a set of assumptions guiding the design of underlying processes. Organizations can use ITIL as a guide for developing processes and procedures.

Standards, derived from numerous implementations of a framework, are viewed across the industry as a crucial step in turning best practices into reality. They set out requirements for management systems, service planning and delivery, process relationships and process control and release.

Both the British Standards Institute (BSI, www.bsi-global.com) and Standards Australia (AS 8018, www.standards.com.au) have codified a service-management standard based on ITIL. The existence of a standard set of processes and procedures offers both tool providers and end users the opportunity to be evaluated and certified compliant with the standard.

This is similar to how a firm conforming to the generally accepted accounting principles (GAAP) may declare its financial statements “GAAP compliant”—but only after it has been audited and certified by an accounting firm.

However, we hesitate to apply the term “ITIL compliant” to tools or processes, because the phrase implies that ITIL is more than a process framework. Tools and processes go hand in hand, and each organization has its own approach to them. An organization may claim its processes or tools conform to ITIL, but to state that an organization is ITIL compliant requires it to be certified by BS 15000 or AS 8018.

The Role of Software Tools and Service Providers

To achieve compliance, many larger organizations will turn to companies providing IT management and process-improvement software tools and services.

However, the BSI prohibits these service providers from performing BS 15000 audits, because of an inherent conflict of interest for these companies if they audit their own customers. Consequently, audits can only be performed by BSI-certified companies.

Service providers—whether software, subject-matter experts, or technical or process consultants—will likely focus on the assessment, comparison, documentation and planning of continuous improvement of processes, and later on the implementation and maintenance phases of BS 15000.

Brian Johnson contributed to this article. Johnson, the ITIL worldwide practice manager for Computer Associates, was part of the British government team that developed the standards for ITIL and has written extensively on the subject.

Deborah Jakubowski, ITIL architect with EDS, also contributed to this article.

The Next Generation of BMC’s Integrated Asset-Service Management Product

Version 6 of BMC Software's Remedy Asset Management is a major upgrade that might intimidate some users of this product's previous versions into waiting to make the step up. Released in January, this fully web-enabled (Java platform) application is similar in appearance to Windows-client versions. It will require customers to migrate data to BMC’s new configuration management database (CMDB). Plans are in the works for a migration tool by midyear. There's much more to this advanced product, which looks likely to push BMC Software into a leading position among its chief rivals.

In version 6, the new CMDB serves as the foundation data repository for its Action Request System (ARS)-based service desk and asset management product suite, as well as for Marimba discovery and configuration-management tools. The repository is designed with a relationship-oriented data model (it ships with a standard model and complete documentation) and full ITIL-like configuration-item management.

The CMDB introduces a new level of configuration management to asset and service management. The integrated console's design makes this immediately evident, combining IT financial management (e.g., contract management, relationship management, inventory management and software license management) with ARS’s full service-management functionality.

BMC also added a programmable discovery-data reconciliation engine (reconciling new data with existing repository data and different data sets with each other), a function lacking in version 5. Software-license reconciliation is planned for a future release.

As with prior versions, users can customize the interface. For organizations not ready for integrated asset and service management, this may be the way to go. Getting to a CMDB-like data architecture will require a lot of work, and the integrated console may confuse users of other IT asset-repository products, as well as those of Remedy’s version 5. In fact, users we spoke to said they already had their hands full learning version 5, and had no immediate plans to upgrade.

BMC has a huge worldwide customer base. We estimate its Remedy product is installed in more than 5,000 organizations—many in Europe and Canada, where a CMDB and compatibility with the ITIL® process framework are often prerequisites for market acceptance. Acceptance is lower for such a combined product in the United States.

Coupled with the anticipated integration with BMC’s Marimba product line, the company is well-positioned to offer a full service, asset, configuration-management and software-deployment suite, all based on the company's CMDB. Although competitors (e.g., HP, Altiris, Peregrine and CA) offer their own integrated suites and interfaces between product families, BMC, with its large Remedy customer base, looks ready to move to the head of the technology pack, provided it can deliver on its promise of a well-integrated toolset.

Technology Asset Manager is distributed in print and electronically. Permission to reproduce this publication has been granted by Enterprise Consulting Partners LLC (ECP). Each qualifying subscription entitles the subscriber to one (1) printed and one (1) electronic copy. Any further reproduction or redistribution of this publication in any form without prior written approval is prohibited. ECP’s permission to reproduce this publication should not be deemed to be an endorsement of any company or product. ECP publications are intended to be one of many information sources, and decision-makers should not rely solely on an ECP evaluation. ECP expressly disclaims all warranties, express or implied, including but not limited to fitness of this research for a particular purpose or merchantability. Trademarks are the property of their respective owners. Entire contents © ECP. All rights reserved.