Express Metrix has released the findings of its inaugural industry report that benchmarks software audit activity, trends, experiences, and perceptions among North American businesses. For the study, Express Metrix surveyed 178 information technology (IT) professionals employed at a wide range of organizations across North America, providing insight into the occurrence and impacts of software publisher and industry trade group audits across the marketplace.
In recent years, a rise in the rate of software license audits has been widely reported by the trade media, industry analysts, and software asset management (SAM) tool and service providers. Anecdotal evidence provided by enterprise software users suggests that software audits are generally very costly and disruptive to the organizations that are targeted. However, there has been a notable absence of unbiased, independent research conducted across a statistically significant cross-section of the marketplace from which truly meaningful conclusions can be drawn.
Given this lack of unbiased research, Express Metrix has begun a yearly benchmarking study to gauge software audit trends, impacts, and outcomes. The first of these studies was executed at the end of November 2013, and involved 178 respondents that were recruited via email invitation to a randomized list of IT/IS professionals with manager- or director-level positions. This represents a 95% confidence sample of 10,000 organizations. The criteria for participation included organizational size (must work at an organization of at least 500 employees), geographic location (must reside in the United States or Canada), and job function (must be responsible for managing software licenses and/or compliance, to ensure sufficient knowledge related to survey topics).
The survey divided respondents into two primary groups depending on whether or not they had worked for an organization that had been audited in the past two years:
The following section provides detail on key findings of the survey that relate to audit trends over the past two years, as well as some general observations and perceptions of respondents.
53% of respondents report that their organizations have been audited within the past two years. Of those, 72% (or 38% of overall respondents) had been audited within the last 12 months (some of whom were also likely audited in the year prior).
The five independent software vendors (ISVs) most likely to have audited organizations within the last two years are: Microsoft, Adobe, Autodesk, Oracle, and SAP, respectively. (Among organizations with 10,000 or more employees, IBM shows up at position #4, bumping Oracle to #5 and SAP off the top five list.)
Organizations with 5,000 or more employees report being audited at a higher rate over the past two years than those with fewer than 5,000 employees; however, it appears that organizations with between 500 and 4,999 employees and more than 25,000 employees were targeted more heavily in 2013 than they were in 2012. This may suggest that ISVs are increasing their focus on organizations of these sizes.
Respondents whose organizations have implemented IT asset management (ITAM) tools report a 32% lower audit rate within the last two years than organizations with no such tools. (This is based on an audit rate of 68% reported among organizations without ITAM tools, and an audit rate of 46% reported among organizations with ITAM tools.) This correlation may exist due to information ISVs and their partners glean over time as to which customers demonstrate a solid understanding of and/or control over their license positions (via ITAM best practices and tool deployment). If certain customers are deemed unlikely to have significant license shortfalls, and the upside in terms of revenue generation is perceived to be limited, those customers may be less likely to be targeted by their ISV(s). It’s also possible that in some cases customers are staving off full-blown audits by presenting compliance reports upon receipt of the initial audit request/letter. This correlation deserves a closer look and will be explored in greater depth in future iterations of this survey.
The top three organizational challenges with respect to staying compliant are: 1) license agreements/entitlements are difficult to understand/interpret 2) complexity of IT environments 3) inability to easily reconcile what software is installed with what software is being used.
The top three attributes of respondents' IT environments that make license compliance most challenging are: 1) diversity of the software portfolio 2) organization size 3) server virtualization. A higher percentage of respondents who have not undergone software audits viewed the existence of mobile devices (both employee-owned and company issued) and mixed desktop environments (PC and Mac) as major challenges with respect to license compliance than those who have undergone software audits. This may indicate that vendors conducting audits generally aren't (yet) taking these factors into account.
An overwhelming number of respondents rate their own understanding of their organizations' license agreements as "decent" or "very strong."
The following section of the study shows key findings among respondents who report having been audited within the past two years. It's important to note that Microsoft, Adobe, and Autodesk represent a disproportionate number of audits that have taken place among respondents, so the reported experiences are heavily skewed toward these vendors (particularly Microsoft).
Nearly half of organizations were given a month or more to prepare for the audit; 45% of the audits lasted three months or longer (from initial audit request to resolution).
57% of respondents characterize their organizations' relationships with the ISV during the audit process as "consultative/collaborative," while 20% describe it as "contentious." Among organizations with 10,000 employees or more, however, the percentage of those who describe the relationship as "contentious" doubles to 40%. This may be because so much more money is on the line with larger organizations, increasing the anxiety and stress levels of those involved.
Respondents overwhelmingly report the greatest challenge related to audits is the sheer amount of time consumed by the audits.
Just over half of organizations had a software asset management tool in place prior to their audits. Of those with tools, a vast majority of respondents were more pleased than not with their tools' effectiveness in providing the information needed for the audits.
43% of participants report owing no money to their software vendor at the conclusion of the audit. Of those organizations that did owe money, the largest subset owed between $50,000 and $250,000. (Among organizations with 10,000 or more employees, the percentage of those who owed no money drops to 31%.)
Around two-thirds of respondents say their organizations have modified their approaches to IT asset management since being audited. Respondents cite changes to licensing/purchasing practices, more frequent internal software audits, and implementation of new technology to assist with license management.
The second half of this study gauges the perception of organizations that have NOT undergone software audits within the past two years, and, where possible, compares them to the actual experiences of those organizations that have been audited. In most cases, with just a few notable exceptions, the perceptions of those responsible for license compliance very closely mirrored reality, suggesting that most organizations have a fairly well-developed understanding of license compliance risk and best practices for maintaining favorable license positions.
The perceived risk of being audited in the next 12 months (42%) is slightly higher than the actual frequency of audits ("actual risk") that took place over the last 12 months (38%).
Among respondents who feel they have a 20% or less probability of being audited, most believe they will not be targeted because their vendors know they make a "good-faith effort" to be compliant.
Of those who estimate the likelihood of being audited is 30% or higher, most believe it is "just a matter of time" before they get audited (versus any identifiable reason for being targeted).
Generally speaking, respondents have a fairly accurate assessment of which vendors are auditing most frequently. However, participants significantly underestimate the probability of being audited by Autodesk and Attachmate, and overestimate the likelihood of a VMware audit.
Most respondents believe they would fare well or reasonably well in the event of an audit. While it's difficult to compare how respondents characterize their likely outcomes with actual financial outcomes, this belief seems well aligned with results regarding the actual financial outcomes of audits, as shown in Figure 12.
Almost three-quarters of respondents whose organizations haven't been audited within the past two years have a software asset management tool in place (compared to just under half of organizations that have been audited with such a tool). Of these, an overwhelming percentage believe their tools would be more effective than not at providing the information needed in the event of an audit. When compared to the perceptions of tool effectiveness among organizations that have undergone an audit within the last two years, it appears respondents' assessments of their tools' abilities are well-aligned with reality.
The Express Metrix Software Audit Industry Report for 2013 substantiates a broadly held perception among IT professionals, namely that complexity remains a major barrier to licensing compliance. Complex license agreements, complex IT environments and difficulties in differentiating between what's installed and what's actually being used make maintaining a favorable license position a significant, ongoing challenge for organizations, regardless of size. While the outcome of audits generally appear to be in line with respondent expectations, many organizations endure long, time-consuming audits that can drag on for several months or more. The survey indicates these asset management challenges are especially acute for very large organizations, but small companies face similar challenges and appear to be under increasing scrutiny by ISVs.
The good news is that organizations are learning from their own experiences and the experiences of others. For one thing, the findings suggests that perceptions about license compliance risk and effective strategies for dealing with them are largely aligned with reality. It's also clear from the data that IT asset management tools are very helpful to organizations of all sizes, both in mitigating the risk of audits and, overwhelmingly, in dealing with the audit process itself. Finally, while just over a third of respondents report having being audited in the last year, the software audit risk touted by analysts such as Gartner and widely publicized in the media appears to be significantly overstated.
Organizations that have undergone audits appear to have leveraged their experience to further refine their approach to compliance, including changing internal practices, investing in licensing expertise, and increasing the frequency of internal audits.
In the complex world of software licensing, momentum appears to be building in IT departments toward higher levels of understanding, more systematic "best practices" approaches to achieving compliance, and the use of technology to streamline the process and mitigate risk.