BSA Licensing Audits

Following on from my post about Microsoft Licensing Options, I thought it prudent to cover what may happen if your licensing isn’t in order and you end up getting audited. The BSA (Business Software Alliance) represents many vendors, not just Microsoft, so it is the organisation most likely to be involved with an audit.

Regardless of how up to date your licensing is, it’s possible for the BSA to audit you if they suspect you’re not compliant. This can be down to a number of reasons but most commonly boils down to an ex-employee informing them that your software licensing doesn’t add up. They do require credible information though, so an angry ex-employee with unfounded accusations probably isn’t going to get very far.

Can I refuse a licensing audit?

As for the rest of this article, I need to preface that IANAL; however, refusing to deal with the BSA is likely not a good idea. By refusing to work with them you risk ending up in a lawsuit over Intellectual Property licensing, which is almost always a seven digit sum.

As soon as you hear from the BSA you should speak to senior management, if you haven’t done already, and get company lawyers involved. They are likely going to advise you that the last thing you want to happen is to end up in court, unless you’re completely confident that all your software is correctly licensed.

Can I just un-install the infringing software?

One of the first things you’ll hear from the BSA is that you shouldn’t remove installed software. You’ll be sent a legal document from them as the first piece of communication; as of the date on the document you’re tied into what you’re using. During the process it’s very unlikely they’ll consider allowing removal of software as a way to become compliant.

Frustratingly they’ll also tell you that you’re not authorised to purchase any more software from the vendor that you’re being audited for. Your legal team should be able to have the sanction preventing you purchasing software lifted fairly early into the process, allowing you to purchase licenses for any new installations.

How will I be audited?

This surprised me the first time I was aware of the BSA and how they function, but you will probably never meet a representative. You will be required to audit your license usage and accurately report it to them. What you will report will form a legal document, so understating your used licenses will be considered perjury and will not work in your favour should it go to court.

As part of the report you’ll need to produce information on what license counts you have deployed and what licenses you have. When determining the licenses you have you must be completely convinced they’re valid; you may be required to provide evidence if the case goes to court.

How can I self audit?

There are various software asset management (SAM) solutions on the market, with support for various vendors. The solution you choose is likely going to depend on why you’re being audited; if it’s mainly Microsoft software you can look towards a free Microsoft application known as the MAP Toolkit. The MAP Toolkit provides agentless inventory and reporting of your environment. Whilst it doesn’t compare to various commercial solutions, if you just want something for Microsoft software to quickly provide the number of installations it’ll do the job.

How much is it going to cost?

This is a tricky question as it’ll depend on your negotiation process between your legal team and the BSA. Once you’ve self-audited and understand the number of missing licenses I’d advise working out what the retail pricing will be. The initial settlement offer from the BSA is going to be a few times higher than this, but during the negotiation process it’s probably reasonable to work down to 2x or even 1.5x retail price.

Can I find out who reported my company to the BSA?

In short, probably not. The only way it’s possible is through what’s known as “Discovery”, which is (as far as I know) only possible if you take the case to court. This is likely to reduce your negotiation options when it comes to price, so unless there’s a definite requirement to know who, it’s probably best to just focus on correcting the licensing situation.

Published by

Dave Hope

Dave works in IT for a leading UK-based retirement developer; in his spare time he enjoys tinkering with technology and rock climbing.
