Software Compliance: A Risk and an Opportunity

Computerworld - The brand-new CIO of a large financial services organization had been on the job less than a week when a major software vendor handed him a bill for unauthorized usage to the tune of $1 million. By contract, the burden of proof fell to the organization, which was expected to pay up or prove that it was in compliance.
This isn't an isolated incident. Software vendors and trade associations are aggressively auditing organizations with little advance warning, often resulting in heavy fines. Industry watchdog groups such as the Business Software Alliance (BSA) that represent software manufacturers took in piracy settlements of $12 million in 2002, and they say they catch an organization that's out of compliance every working day. Gartner Inc. estimates that the probability of an audit for a midsize to large organization is 40% over the next two years and that it will increase by 20% each year.
In the 1990s, software compliance was seemingly a non-issue. Today, it's a crucial business issue with major cost and regulatory implications. How did this happen?
During the economic explosion of the '90s, organizations purchased software with little concern for cost. No one, including the software manufacturers, paid much attention to software license compliance. Toward the end of 2001, as the growth in technology slowed considerably, the economic effects of Sept. 11 were painfully being felt, and a growing tide of regulatory reforms were being implemented, cost containment became the major issue for CIOs. CIOs found themselves under increasing pressure from both the chief financial officer and the chief risk officer to control costs while addressing increasing regulatory requirements, and they significantly curtailed their software purchases. As their traditional sources of revenue dried up, software manufacturers adopted an aggressive new approach, pursuing organizations they believed were out of compliance as a source of revenue.
Today, software vendors continue to generate significant revenues from zealous auditing, and there's no end in sight. The BSA estimates that 25% of organizations that do business in the U.S. have some form of noncompliance, resulting in an estimated $6 billion in lost revenues to software manufacturers.
Potentially noncompliant organizations are identified in a variety of ways by software vendors:

• They compare their records of license sales against public information including the published number of employees and send a bill for the difference. The organization receiving the bill incurs the burden of proof to demonstrate compliance.


• They conduct audits themselves or through audit firms, often doing sweeps by geographical region or industry.


• They learn of suspected software piracy from disgruntled employees via anonymous Web sites and toll-free hot lines. With increasing IT turnover rates and offshore outsourcing, the incidence of piracy reporting by disgruntled employees has risen exponentially.