There are several types of software license audits, each with their own risks and variables, experts say.
Trade groups like the Business Software Alliance often ask companies to conduct "self-audits," where customers collect software installation and usage information and report back any instances of noncompliance. Customers who receive a request for a self-audit should consider the benefits of this option, such as more flexibility over its timing, according to Scott & Scott, a Dallas law firm that specializes in software audits.
Self-audits are also preferable to ones by an independent third-party auditor, since the customer has no say in who is selected, or the audit's length or scope, according to a blog post by the law firm.
And it is "never advisable" to agree to an audit conducted by a software vendor itself before looking into every possible alternative, it adds. These types of audits are "the most intrusive and least impartial of all," it states.
Customers should also be mindful of "informal audits," which are typified by letters from sales representatives that ask for information about a customer's software installations, perhaps in the hopes of uncovering some noncompliance and making an easy sale to remedy the problems.
An official audit letter should specifically cite that the customer's contract requires cooperation, according to Eliot Arlo Colon, president of Miro Consulting, a Woodbridge, New Jersey, firm that offers advice on Oracle licensing. "If you don't have that, then it's an informal audit."
Such inquiries must be dealt with carefully, according to Colon.
"What you have is this implied threat," he said. "[The sales representative is saying], 'We're trying to save you from an audit. We're being your buddy here. If you tell me what's going on, I can save you from the audit people.'"
Even if a customer takes the bait and provides the information, the salesperson isn't an official auditor and can't certify a customer is actually in compliance with Oracle, he said.
At minimum, customers who receive an informal audit request should respond to any questions with more questions, Colon said. "If they ask you, how many users are you running, it's OK to ask them, 'Why are you asking me?' You shouldn't be providing any information unless you know what it's going to be used for."
And get it in writing. "A lot of times, reps do this verbally. Say to them, 'I'd like you to respond in this e-mail chain.' Sometimes all that will happen is you won't hear from that person again."