In May, the Business Software Alliance, the industry's licensing watchdog, launched a six-week blitz to cut the use of illegally copied or counterfeit software across 5,000 businesses in the Manchester area.
Organisations in the city were sent a letter advising them to audit the software installed on their systems and check whether it was properly licensed.
The BSA warned that 11 companies were already under investigation for software licence violations. But it said no legal action would be taken against any company that signed up to its software audit programme by 30 June.
Campaigns such as the Manchester crackdown feature regularly in the BSA's efforts to reduce the proportion of illegal software in use around the world. The organisation says 26% of business software in the UK is illegal, although the way this figure is calculated by research firm IDC has been questioned.
What is not in doubt is that many businesses have a discrepancy between the licences they have bought and the software installed on their systems.
"Typically, this happens because there is not enough control over the process of acquiring software," says Peter Alderson, software asset management specialist at Computacenter.
Although software accounts for a sizeable chunk of IT assets, contributing as much as 40% to the annual cost of ownership of IT, most companies make little effort to maintain accurate records.
"It is rare that people will do this unprompted," says Gregory Lefort, managing director at Staff & Line, an asset management tools company. "Companies tend to firefight rather than anticipate what may happen."
Preparing for audit
All software licences contain clauses about the supplier's right to audit their use. How should a company prepare for the possibility of an audit? The hardest task is to establish what licences it is entitled to. The problem is that it is not enough to prove that a purchase took place. "You need to create evidence of ownership," says Alderson.
Users may be required to produce certificates, product boxes, manuals and even media on which software was supplied, as well as purchase orders and invoices.
Alderson says companies need a dual system: a record of the licences and a physical store of evidence. The record should summarise the number of licences. This avoids double counting when a company buys a new version of software it already owns.
The next step is to find out what software is installed. In most cases, this involves using a discovery tool, such as products from Centennial, Eracent and EasyVista, which dispatch agents to inspect systems and log the software a business is using.
Discovery tools work best with the simplest form of software licence: one installation per machine. It is more complex when a user buys a concurrent licence that might, for example, allow 500 PCs out of a total estate of 1,000 to access a program at any one time. Concurrent licences and licences covering client server systems require metering, which may be difficult to provide retrospectively.
The development of virtual machines has added a further complication.
"Approach virtualisation very carefully," says Phil Heap, head of consultancy and membership products and services at the Federation Against Software Theft (Fast). "Some virtual machines are only licensable when they are switched on, and you need to use tools to record when they are switched on and when they are switched off. One of the exciting things is that hundreds of virtual machines can be created in minutes, but you will need another layer of administration to ensure only certain people can create them."
Reconciling the results from the record of entitlement and the discovery process can be problematic. For instance, some discovery tools record information about the same piece of software in different ways. The Leonard Cheshire Disability charity encountered this problem when tracking 1,600 PCs in 150 locations.
"One of the problems is that with such disjointed systems, keeping everything in one place is no easy task," says Joy Jerram, the charity's service delivery manager. "We did try using Microsoft SMS [now called Configuration Manager] and that discovered all our assets without a problem, but it became extremely labour intensive for us to administer. We had too much information and were spending hours trying to decipher all this data."
Matching company records with suppliers' records can be tricky, too. "Vendors may have a different view from you," says Alderson. "To make matters worse, there are only a small number of vendors who can give you accurate information about what you own."
He stresses that an audit gives only a snapshot of a constantly changing picture. Winning over a sceptical board of directors, who may see software asset management as merely an expense, is the first step to long-term software compliance. Companies should spend 3% to 5% of the value of software they own on managing its use, says analyst firm Gartner.
Not only are there 21 pieces of legislation that affect the software that companies own, including the Computer Misuse Act, the Data Protection Act and the Copyright, Designs and Patents Act, but hefty penalties of up to 10 years' imprisonment associated with flagrant copyright breaches.
The BSA also says an organisation that runs copied software may have to pay fines for past unlicensed use, back licences and legal costs.
But there is also an upside to asset management: the prospect of saving money by using existing licences more effectively. An audit not only reveals gaps in licensing, but also programs for which an organisation may have too many licences.
"If you eliminate software you do not need, you can save millions," says Mark Cresswell, chief executive at Scalable Software, a company that provides software metering tools. "One customer was paying $22,000 a month for three commonly used desktop packages, but had enough copies that they didn't need to buy another licence for four years."
How does a company acquire more licences than it needs? Often it is the fault of the IT department for not watching the comings and goings of employees, so that it buys new licences instead of reassigning existing ones.
Equally, a company may be paying for software for individuals who rarely use it, or managers may have allowed staff to buy programs when licences were already available.
Of course, working out what licences a company needs is not easy. There are more than 500 types of Microsoft licence alone. Licences may be perpetual or for a specific period and they may or may not include an entitlement to patches and upgrades.
"It is important to have a process in place that begins with asking for the business case for acquiring a piece of software," says Heap. "The next question is whether the organisation already has the software that is needed and whether it is tested and approved. The final question is whether you have a licence for it."
In the longer term, it is advisable to introduce controls such as central procurement with management sign-off on purchases, and to appoint an individual with responsibility for ensuring that software is compliant.
Companies looking to kick-start an asset management programme should concentrate on the top five or 10 publishers. They should prepare for an audit by building relationships with suppliers so they can obtain updated information that allows them to check their records.
Some software companies believe helping users to manage their licences not only ensures their products are paid for, but is a welcome additional service. However, the industry's approach to licensing doesn't always make it easy for users to stay on the right side of the law. "The biggest cry is for the industry to simplify these licences," says Heap.
Some commentators go further: accusing suppliers of using confusion about licences to increase revenues. "The industry could do more to make asset management easier. One tactic is to seek out customers who are under-licensed," says Lee Schofield, director for alliances at Trustmarque.
Nonetheless, he maintains more users are taking software auditing seriously. They do not wait for suppliers to come knocking at their doors, but have moved compliance to the top of their agenda.
This was first published in August 2008