Software License Forensics & Dispute · PDF file · 2015-07-284 Software License...

Software License Forensics & Dispute Services

Resolving disputes relating to software license complianceSoftware is mission-critical for most businesses. While quality software can enhance business operations significantly, lack of controls (leading to use of unapproved and non-standard software) can create compliance-related issues. This can snowball into a financial, legal and reputational risk if it is not detected during internal compliance-monitoring processes and addressed in a timely manner. The challenges originate from the inherent characteristics of an intangible asset such as software, which is difficult to track and quantify. Furthermore, licensing rules change dynamically from publisher to publisher and product to product.

In order to protect their intellectual property and ensure compliance, major software publishers have been proactive in conducting software license compliance audits for most of their customers —small or large.

Publisher-driven audits and non-compliance risks have been a wake-up call for most organizations, making them aware of the urgent need to proactively manage their license-compliance status and implement relevant controls and support technologies.

Organizations are finding it increasingly difficult to manage their software licenses. This has led to a rise in non-compliance with licensing rules and disputes with software publishers during license-compliance audits.

Our team can proactively help you obtain knowledge about licensing rules by preparing an accurate inventory of your usage/purchases, and also use forensic tools to establish facts to address a potential dispute with a software publisher.

In our experience, we have observed the following:

• Almost all organizations with high dependence on software go through at least two publisher-driven audits in a year.

• Each audit takes an organization’s IT department an average of three to six months, with the continuous involvement of the CIO under the oversight of the CFO.

• Financial settlements of non-compliance identified during an audit are made at non-discounted rates. In most situations, installation of software is deemed as usage. Therefore, lack of control on installations/ deployment is the major reason for non-compliance.

• Negotiating power rests with publishers in such cases.

• On an average, compliance-related settlements can amount to US$1000 per computer asset per publisher audit, e.g., an organization with 4000 computers ended up settling with a middle-ware publisher for US$4 million, although actual deployment of its software was only on the servers.

Software License Forensics & Dispute Services 3

4 Software License Forensics & Dispute Services

Over usage of license

Rogue codes, cracks, keygens & pirated software

Interpretation of contract

Complexity of virtual environment

Incorrect access given to the users based on roles

and departments

Indirect access from third party application to Enterprise Software

Multiple and concurrent logins by vendors and

employees for updating inventory

Caus

es fo

r license

compliance d

ispu

tes


Major causes of disputes (Distributed software and ERP Applications)

Over usage of license• One of the causes could be lack of or inaccurate

accounting of usage/deployment due to misconceptions about licensing (multiple and concurrent logins or access to shared user accounts, inappropriate access assigned to users, geographic location of access, segregation of employees and non-employees and indirect access to third-party applications).

• Adoption of bring your own device (BYOD) and virtualization technologies raise more questions than answers related to licensing.

Rogue codes, cracks, keygens and pirated software• Cracks, keygens and rogue codes are hard to detect and

control, especially for mobile workforce and users with elevated privileges.

• If a publisher-driven audit discovers the presence of these rogue codes, this can lead to serious legal, financial and reputational risks. We have a methodology using which we conduct fact-based forensic investigations on usage of rogue codes, which would reveal actual usage and identification of control lapses that led to their presence.

Interpretation of contract• Licensing contracts are complex and require technical and

legal teams to work jointly while accepting or executing them.

• Vague terms and conditions can lead to multiple interpretations, which can snowball into larger disputes during publisher-driven audits.

Complexity of virtual environment• Virtualization requires shared hardware resources to run

multiple operating systems and/or applications.

• Organizations are finding it difficult to measure the hardware and software deployed in such a virtualized environment and provide a clear and effective license, based on rules relating to software licensing.

• We provide specialized tools and techniques to measure utilization and requirements of licensing in virtualized environments.

Indirect access of third-party application to ERP software• India’s e-commerce market grew at a staggering 88% to

US$16 billion in 2013, riding on booming online retail trends. Figures suggest that India has close to 10 million online shoppers —a number that is growing at a CAGR of 30%, compared to a global growth rate of 10%.


• When a customer makes an online purchase, information has to be transferred from the web portal to the ERP system. During license audits, the publisher may see this as violation of licensing rules, but on the other hand, it may not be feasible for the company to license millions of online customers.

• A vague understanding of licensing options and alternate solutions may create friction, frustration and mistrust between a company and a software publisher.

Multiple and concurrent logins by vendors and employees to update inventory• When the Enterprise system is at the implementation

stage, the focus is on the business requirement for various modules, and compliance is not the key priority. Therefore, at the implementation stage, multiple and concurrent access is allowed to update inventory and stocks.

• However, if multiple and concurrent access is found to be active after the implementation stage, this may lead to a dispute with regard to password-sharing and violation of named user licensing.

Incorrect access given to the users based on roles and departments• Every user is given predefined access to interact with

the system. Key modes of access include “create,” “update,” “write,” “read,” “view” and “delete.” Based on access classification, licensing options are finalized for every user. For example, if all users are given access to “create,” this may require the company to purchase the highest category of licenses, resulting in revenue loss and exposure to risk.

Addressing issues relating to license life cycle of software

Procurement

Utilization

Maintenance

Retirement

Deployment


Challenges faced by organizations and pitfalls leading to disputes

Vague contracts

• Unable to identify relevant contract terms with software publishers (e.g., indirect access to ERP software, licensing based on employee/CPUs/asset size)

• Incorrect or vague documentation supporting the contract

Complexities of purchase programs

• Lack of clarity around suitable purchase programs, keeping in its mind future growth (e.g., perpetual, subscription-based or unlimited license agreements)

• Difficulties in identifying suitable purchase program

Quantities

• Buying too little or too many• Timing purchases• Managing old and unused versions• Missing license quantities (lost documents)

Monitoring techniques

• Lack of appropriate technology to track compliance (manual reports outdated or inaccurate)

• Lack of controls to prohibit unauthorized software usage• Absence of required skill-sets

Lack of focus and attention

• Management's lack of seriousness to address risks relating to non-compliance• Relevant business functions, e.g., legal, procurement and HR, not involved• IT assumed to be responsible for end-to-end compliance-related activities


Myths related to compliance with software license rules

No documentary evidence maintained of software purchases If you own it, prove it

“We have volume license, we are compliant….”Provides flexibility for purchase, with standard audit clauses

License compliance is only IT team's responsibility

Tracking software license not on priority list — license sprawl

“We won’t get audited.” Everybody gets audited

Software is just installed but not in useIn most cases license is required for deployment/ installation

No one will know if software is installed Software may send phone-home signal to publisher if inappropriate usage is detected

Reality


Sr. no. Myth Fact Conclusion

1. Compliance is only for small and mid-sized organizations, we will not get audited

Gartner’s report indicates that 63% of the clients it has polled have been audited by at least one software vendor in the last 12 months

All organizations get audited — small or large

2. We have a volume license agreement, so we are compliant

Volume license agreements do not include unlimited licenses; they provide flexibility for purchases, but include standard audit clauses

Standard audit clauses are applicable for volume license agreements

3. Since the user is not using deployed software, a license is not required

Licensing rules are applicable if the software is installed or available to a user, irrespective of usage

Licensing rules are applicable for software deployed/assigned and not on its usage

4 We have procured software from an authorized vendor

Documentary evidence (license on paper, publisher’s license summary report, invoices, etc.) should be maintained, indicating that it has been purchased from an authorized vendor

If you own, it prove it

5 No one will ever know software is installed in our environment

Some of these software products are embedded with phone-home technology and can alert a software vendor of illegal deployment in a corporate environment and trigger an audit

Do not use pirated software or rogue codes

6 Software compliance is the IT department’s responsibility

Every employee is responsible for compliance and needs to comply with corporate IT- and security-related rules

Compliance with software-related rules is everyone’s responsibility


What could go wrong?• Increased procurement costs due to unavailability

of accurate inventory of purchases• Increased financial exposure during

publisher-driven spot audits due to over-usage of licenses

• Increased cost of maintenance/support due to use of non-standard version of product

• The absence of automated tools and processes makes it difficult for an organization to exercise control over its software assets, which results in incorrect accounting and reporting

• This gives rise to additional support costs while tracking and supporting software manually

• Software publishers drive license audits aggressively, and any exposure, even if it is unintended, can result in loss of reputation

• The presence of pirated cracks and keys, installed by a rogue employee, can circulate across the network and cause stability-related issues

What could go wrong?

Increased costs and exposure

Increased threat to

security of information

Increased risk to reputation

Lack of control and productivity


Maturity levels in IndiaOur assessment covered various companies in India and looked at the on the ground situation across industry sectors. We assessed maturity levels taking into account three factors:

1. Cracks and keygens: This indicates the presence of cracks and keygens, which can lead to usage of cracked software.

2. Non-compliance with licensing rules: This indicates non-compliance relating to over-usage — buying X and using more than X.

3. Wastage: This indicates wastage of licenses due to incorrect tracking, budgeting or un-used old versions.

Magnitude of issues found — the larger the issues, the lower the maturity

20%

35%

52%

5%

30%

40%45%

53%

69%

25%27%

32%

25% 25%20%

5%

15%

20%

0%

10%

20%

30%

40%

50%

60%

70%

80%

Banking IT/ITeS Manufacturing Pharma Real Estate Telecom

Cracks and kegyens Non-compliance with license-related rules Wastage Maturity Level


We also measured the overall process maturity (top-down) approach and compared it with global maturity levels

0

0.5

1

1.5

2

2.5

3

3.5

4

4.5

Controlenvironment

Inventoryprocesses

Life cycleprocess

interfaces

Operationsmanagement

processes

Planning andimplementation

Verification andcompliance

India Global

• Our experience indicates an average assessment score of 2.25 of 5 across Indian industry (across sectors), compared to a global average of 3.5. The major pain areas identified by us were in the areas of overall governance, roles and responsibilities, and policies and procedures mandated for management of software and related assets.


What you require?• Exhaustive inventories of licenses capturing what is used, how

much is used and who is using it

• Identification of all license purchases till date in various forms and through different channels

• Forensic analysis of misuse of license, e.g., in the form of cracks and pirated keys

• Detailed report quantifying overall exposure and usage on the basis of specific product-/brand- licensing rules

• Dashboards and processes to proactively manage software assets in the future

• Mitigation of wastage, financial/legal/InfoSec risks due to unauthorized usage of software

Benefits of being proactive• Accurate and up-to-date knowledge relating to utilization and

investment in software

• Avoidance of reputational risk and disputes during license-related audits conducted by software publishers

• Implementation of industry’s standard best practices relating to management of software assets and compliance

• Identification of pirated software media, cracks and license keys to avoid huge fines during license-related audits to enable immediate preventive action

• Increased awareness of the do’s and don’ts for managing software contracts and processes to avoid risks, e.g., the risk of procuring counterfeit software that looks genuine

Your requirement

Compliance

Financial benefits

Resource planning and utilization

Corporate value

PeopleTechnologyP

roce

ss Assets


Summary Issues Your need Our solution

Software deployment management

• Lack of product-specific licensing

• Unavailability of efficient reporting tools

• Significant asset base

• Accurate reporting of software inventory

• Prepare accurate software deployment report using forensic approach

• Provide product -/ publisher-specific licensing view

• Ensure maximum coverage

Software entitlement management

• No single view of what has been procured by organization

• No view of software- publisher partnership licenses

• Accurate entitlement statement (of procured licenses)

• Provide accurate list of software license entitlements

• Provide access to online automated dashboards for regular review

Optimization and automation of processes and contracts

• No central repository of organization-wide software license entitlements — consequently, no view of what is required and what needs to be disposed of

• Lack of understanding of industry best practices

• Lack of transparency in licensing contracts

• Identification of automated tools that suit the environment

• Adoption of best practices and standards

• Optimization of contracts, based on best suited and available options and industry best practices

• Identify weaknesses in processes and recommend improvement measures in line with industry benchmarks

• Develop a maturity model that can be tracked by stakeholders in the future

• Develop policies and procedures

Malicious codes • Cracks bypassing normal licensing mechanism and being hard to detect

• Software publishers levying huge fines due to their identifying cracks during license-related audits

• Verification of whether there is a malicious code, e.g., a crack, in the organization

• Identify presence of malicious codes, cracks, illegitimate license keys, counterfeit software, etc., and thereby help organization take informed decisions

How we can help?


Our approach — SAP license compliance and optimization

Ourapproach

Understanding SAP landscape, process flow diagram, business process and its licensing model

Deliver automated reporting tool to identify license type (Professional, Ltd professional, ESS, Workshop) based on actual usage and licensing rules between client and SAP

Review of contracts from a forensic perspective for license model and license cost charge back across various SAP modules

Advising on the actual license requirement as per user roles and usage rather than what configured on the system. Highlight unutilized high category license that can be moved to low categoryHighlight present

utilization of SAP licenses with the no. of licenses procured v’s license deployed. This will over or under utilization of licenses

Understanding existing license utilization against business function and respective user roles

Compliance gap

Review of existing and previous

licensing contracts

Automated SAP license tool

assessmentUtilization mapping

License optimization

Assessment of present state

As-is understanding Forensic compliance assessment Automated license tool


Credentials

• Identified gaps in processes and prevented financial exposure and significantly reduce license wastage

• Identified rogue employees who were mis-using IT assets and violating policies

• Real-time license compliance, utilization and wastage monitoring

• Resolved dispute with the publisher resulting in elevated relationship with them

Result

• Forensically establish actual utilization of SAP license across geographies

• Conduct data analysis to identify actual procurement of licenses over the years

• Identify process-related gaps that may lead to non-compliance

• Prepare data to substantiate facts relating to utilization of licenses

• Develop and implement SAP license-optimization tool

• Define system auditing rules• Identify overall IT

infrastructure-related gaps that adversely affect SAP licensing

Our service

• To understand and optimize SAP license-related contracts

• To resolve dispute with SAP regarding issues including alleged non-compliance with rules relating to engine licenses, indirect access, multiple logins, etc.

• To mitigate risk of non-compliance with license-related rules by understanding usage and requirement

• To understand process and technology controls that prevent non-compliance

Compliance with SAP license-related rules: a large chemicals company and a big private telecom organization

Business need

Case study 1


Case study 2

• Identified gaps and suggested improvements in processes and awareness, which averted significant financial exposure

• Identified rogue employees who were mis-using IT assets and violating policies

• Benchmarked software asset management processes against industry practices and ISO 19770, and suggested process improvements

• Conducted training programs for client teams to understand sensitivities relating to software licensing

Result

• Forensically establish actual software utilization across geographies

• Conduct data analysis to identify actual procurement of licenses over the years

• Identify non-compliance of business entity to enable charge-back

• Identify rogue employees deploying cracked and pirated licenses

• Conduct process-diagnostic exercise based on ISO 19770 (software asset management)

• Implement real-time license-compliance dashboard

• Conduct workshops on complex publisher-specific licensing agreements and rules

Our service

• To develop a flexible license-compliance program for all software used across the organization and client projects

• Help on interpreting and understanding complex license-related agreements and contracts

• To derive the maximum benefits on expenditure on software in terms of the value derived and wastage eliminated

• To identify and avoid misuse of IT assets

• To resolve disputes with software publishers on contract management and terms

A large Indian multinational provider of IT, consulting and outsourcing services with more than 100,000 employees

Business need


Case study 3

• Helped the bank avoid significant financial exposure

• Helped bank save large amounts in its negotiation with publisher while renewing license by providing relevant insight on licensing rules and required quantities

• Identified, remediated and enabled bank to prevent further misuse and/or abuse of software assets

• Helped bank implement best industry practices in its processes, compliance dashboard and MIS

Result

• Forensically establish actual utilization of software

• Identify rogue employees deploying cracked and pirated licenses

• Free IT resources mis-used by employees by using media files and inappropriate digital content

• Conduct process-diagnostic exercise based on ISO 19770 (software asset management)

• Implement real-time license- compliance dashboard

• Conduct workshops on complex publisher-specific licensing agreements and rules

Our service

• To develop a flexible license- compliance program for all software used by the bank

• To help in interpreting and understanding complex license agreements and contracts

• To derive the maximum benefits from expenditure on software in terms of the value derived and wastage avoided

One of the largest private sector banks in India

Business need


Notes


Dealing with complex issues of fraud, regulatory compliance and business disputes can detract from your efforts to achieve your company’s potential. Enhanced management of fraud risk and compliance is a critical business priority — whatever the industry sector. With our more than 2000 fraud investigation and dispute professionals around the world, we will

assemble the right multi-disciplinary and culturally aligned team to work with you and your legal advisors. In addition, we will provide you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our global activities.

About EY’s Fraud Investigation & Dispute Services (FIDS):


• Deep competencies: Our FIDS team has specific domain knowledge along with wide industry experience.

• Forensic technology: We use sophisticated tools and established forensic techniques to provide requisite services to address individual client challenges.

• Global exposure: Our team members have been trained on international engagements and have had global exposure to fraud scenarios.

• Market intelligence: We have dedicated field professionals, who are specifically experienced and trained in corporate intelligence, and

are capable of conducting extensive market intelligence and background studies on various subjects, industries, companies and people.

• Thought leadership: We serve a variety of leading clients, which gives us deep insight into a wide range of issues affecting our clients and business globally.

• Qualified professionals: We have a qualified and experienced mix of chartered accountants, certified fraud examiners, lawyers, CIAs, CISAs, engineers, MBAs and forensic computer professionals.

FIDS India

For more information please contact:

Arpinder SinghPartner and National LeaderDirect: +91 22 6192 0160Email: [email protected]

Mukul ShrivastavaPartnerDirect: +91 22 6192 2777Email: [email protected]

Amit JajuAssociate DirectorDirect: +91 22 6192 0232Email: [email protected]

For more information, visit www.ey.com/in

Connect with us

Assurance, Tax, Transactions, Advisory A comprehensive range of high-quality services to help you navigate your next phase of growth

Read more on ey.com/IN/en/Services

Our services

Centers of excellence for key sectors Our sector practices helps ensure our work with you is tuned in to the realities of your industry

Read about our sector knowledge at ey.com/IN/en/Industries

Sector focus

Easy access to our knowledge publications. Any time.

http://webcast.ey.com/thoughtcenter/

Webcasts and podcasts

www.ey.com/subscription-form

Follow us @EY_India Join the business network from EY

Stay connected

Our officesAhmedabad2nd floor, Shivalik Ishaan Near C.N. VidhyalayaAmbawadiAhmedabad - 380 015Tel: + 91 79 6608 3800Fax: + 91 79 6608 3900

Bengaluru12th & 13th floor“UB City”, Canberra BlockNo.24 Vittal Mallya RoadBengaluru - 560 001Tel: + 91 80 4027 5000 + 91 80 6727 5000 Fax: + 91 80 2210 6000 (12th floor)Fax: + 91 80 2224 0695 (13th floor)

1st Floor, Prestige Emerald No. 4, Madras Bank RoadLavelle Road JunctionBengaluru - 560 001Tel: + 91 80 6727 5000 Fax: + 91 80 2222 4112

Chandigarh1st Floor, SCO: 166-167Sector 9-C, Madhya MargChandigarh - 160 009 Tel: + 91 172 671 7800Fax: + 91 172 671 7888

ChennaiTidel Park, 6th & 7th Floor A Block (Module 601,701-702)No.4, Rajiv Gandhi Salai, Taramani Chennai - 600113Tel: + 91 44 6654 8100 Fax: + 91 44 2254 0120

HyderabadOval Office, 18, iLabs CentreHitech City, MadhapurHyderabad - 500081Tel: + 91 40 6736 2000Fax: + 91 40 6736 2200

Kochi9th Floor, ABAD NucleusNH-49, Maradu POKochi - 682304Tel: + 91 484 304 4000 Fax: + 91 484 270 5393

Kolkata22 Camac Street3rd floor, Block ‘C’Kolkata - 700 016Tel: + 91 33 6615 3400Fax: + 91 33 2281 7750

Mumbai14th Floor, The Ruby29 Senapati Bapat MargDadar (W), Mumbai - 400028Tel: + 91 022 6192 0000Fax: + 91 022 6192 1000

5th Floor, Block B-2Nirlon Knowledge ParkOff. Western Express HighwayGoregaon (E)Mumbai - 400 063Tel: + 91 22 6192 0000Fax: + 91 22 6192 3000

NCRGolf View Corporate Tower BNear DLF Golf CourseSector 42Gurgaon - 122002Tel: + 91 124 464 4000Fax: + 91 124 464 4050

6th floor, HT House18-20 Kasturba Gandhi Marg New Delhi - 110 001Tel: + 91 11 4363 3000 Fax: + 91 11 4363 3200

4th & 5th Floor, Plot No 2B, Tower 2, Sector 126, NOIDA 201 304 Gautam Budh Nagar, U.P. IndiaTel: + 91 120 671 7000 Fax: + 91 120 671 7171

PuneC-401, 4th floor Panchshil Tech ParkYerwada (Near Don Bosco School)Pune - 411 006Tel: + 91 20 6603 6000Fax: + 91 20 6601 5900

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2014 Ernst & Young LLP. Published in India. All Rights Reserved.

EYIN1404-037 ED None

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

AGK

Ernst & Young LLP

EY | Assurance | Tax | Transactions | Advisory

EY refers to the global organization, and/or one or more of the independent member firms of Ernst & Young Global Limited

Software License Forensics & Dispute · PDF file · 2015-07-284 Software License...

Documents

Transcript of Software License Forensics & Dispute · PDF file · 2015-07-284 Software License...