Five Secrets to Understanding the Business Software Alliance’s Audit Procedures
BSA | The Software Alliance (“BSA”) is an organization that investigates copyright infringement claims on behalf of software publishers such as Adobe, Autodesk, Microsoft, CNC, and Parametric Technology Corporation.
The process for software audits can be tricky, time-consuming, and confusing. The BSA has a very specific process that audit targets are expected to follow. Following the initial audit letter, the BSA typically sends an Audit Standards letter, which details the specific information the BSA is seeking, and includes an audit template to complete. However, if all of the information is conveyed to the BSA, completing the specific template the BSA provides is not necessary.
The following are key steps in the software audit process and advice on how to avoid pitfalls.
The First Step: Identify the scope of the audit and the Effective Date
One of the most important initial steps is to identify the scope of the audit. The initial letter will identify the name of the company being audited, whether any affiliates or subsidiaries are included, the BSA members participating, and the Effective Date.
The first paragraph of the initial audit letter will identify the specific software publishers participating in the audit. It is important to note that not all BSA members participate in each audit. This means that non-participating members will not grant a release of liability for any penalties paid for non-compliance. It is important to pay attention and not include any extraneous software information that may be out of scope.
The following is a sample of the initial paragraph of a BSA letter that identifies the specific publishers participating in the audit:
Additionally, the Effective Date is the date of the initial letter and is the single most important date in the audit process. The BSA seeks a snapshot in time of the installations as of this date. Therefore, any software decommissioned or uninstalled prior to that date is not relevant for audit purposes. Additionally, any software installed after that date is also not within the scope of the audit. It is critical to obtain a baseline as close to that date as possible in order to ensure the audit is accurate.
The Second Step: Inventory all computers and servers
The BSA does not typically employ third-party auditors, so a company targeted by the BSA is expected to collect all of the BSA-member software installations on its network either manually or with an RMM (Remote Monitoring and Management) tool or another scanning tool. Generally, if a company already has an agent deployed across its network, it is ideal to use that tool to scan the network and collect the inventory of each computer and server owned by the company.
The size of the company will often dictate the optimal tool. Some very small companies with only a handful of machines may choose to conduct a manual inventory or take screenshots of the installations on each machine. A larger company may be better served with an RMM tool that is capable of deployment across the network and adaptable for remote users. There are several resources for collecting software inventories that range from free to expensive. Large enterprises often have tools already in place that can provide the relevant information about the installations on the network.
Some companies that use outside vendors to manage their IT environments want the existing vendors to assist with some aspects of the audit. In that case, the vendor should execute a non-disclosure agreement preventing the disclosure of any information related to the audit. Because the use of outside vendors during a software audit could potentially waive the attorney-client privilege, it is important to proceed carefully to preserve the privilege, if it is possible.
The inventory report must provide information on all software installations for each individual computer rather than a more general summary of the total quantities of software installed across the network. This allows a deeper examination of the installations to determine whether any software is a trial version, free reader, or other free tool rather than a full installation. Additionally, information about the operating system for each machine must be collected.
If a customer has any virtualized computers, those must be inventoried as well, even if the only software installed is a Windows operating system. Although the BSA does not require it, Scott & Scott recommends creating a physical-to-virtual mapping to ensure all of the physical hosts and virtual boxes are properly licensed.
The Third Step: Secondary review for completeness and accuracy
Once the company collects its inventory data, it should confirm that all machines have been scanned and included in the results. If any machines are missing, they must be re-scanned and included with the data.
The Fourth Step: Collect and review entitlements
The BSA has a very specific set of requirements for documentation that demonstrates ownership of the software licenses. The documentation must include the date and price of the software, the quantity, and the name of the company on the receipt. The following is a list of documentation the BSA will not accept:
- Images of discs or media;
- Windows Genuine Stickers or keys;
- Purchase Orders without corresponding evidence of payment;
- Receipts without a date listed;
- Receipts for software bought at less than 80% of retail price; and,
- Most purchases from eBay.
Collecting valid proof of purchase documentation is often the most time-consuming step of the audit process because many companies do not have a centralized procurement department or thorough record-keeping.
The Fifth Step: Compare the entitlements to the installations
It is rare for a company to be able to locate 100% of the documentation demonstrating ownership of all the software on its network, even if all of the software was legitimately purchased. Unfortunately, this means that the company may have to pay a penalty for each installation of software for which it was unable to locate a license, even if that means paying for it twice.
The reconciliation will identify any gaps between the installations and entitlements. The BSA calculates its settlement demands by taking the MSRP value of the product at issue and multiplying it by the number of installations. The BSA breaks down any suites of products (Creative Suites or Office suites, for example) by assessing a penalty for each component of the suite. The BSA also adds an arbitrary multiplier of three and its own attorney’s fees to each settlement calculation.
After the reconciliation is complete, the audit results are ready for final review before production to the BSA. After securing appropriate legal protections, the BSA will analyze the audit materials and will sometimes send an audit demand. Once the matter is settled, it is critically important that a company is confident in its IT assets to ensure a complete and accurate audit and ongoing software asset management. Additionally, it is important to consult competent legal counsel who specialize in defending companies against copyright infringement claims related to software audits.