Software license auditing risks conflict of interest

The Big Four are risking conflicts of interest by maintaining and actively promoting specialist divisions to run software audits on behalf of software vendors, which can result in substantial claims against companies who are also their audit clients, a new study claims.

‘Software audits’ or ‘software license reviews’ are audits carried out for companies like Microsoft, IBM and SAP in order to establish how software usage compares to the licenses in place at a particular organisation.

Cerno Professional Services, an independent consultancy focussing on software licensing, says that some of the subsequent claims by the software vendors can be very high - sometimes running to seven or eight figure sums - even in respect of corporates with strong compliance controls and a commitment to be fully licensed. 

These claims often result in highly confrontational disputes which, although rarely litigated, are overlaid with the possibility of litigation for contract breach or infringement of copyright.

It says that although many hundreds of software audits are carried out each year by each software vendor, few figures are publicised as to the liabilities uncovered.  However, in 2016 SAP brought proceedings against Diageo in the High Court in respect of a £58m claim for license fees alleged to be payable and/or damages for infringement of copyright. The case was finally settled on a confidential basis.

In addition, Budweiser brewer AB InBev acknowledged in Securities and Exchange Commission (SEC) filings in 2017 that proceedings had been brought against it, also by SAP, for $600m (£467m). The matter was referred to arbitration. No details are available as to any settlement.

Cerno has conducted a study based on freedom of information requests sent to 747 local councils, metropolitan councils, Welsh authorities and universities requesting information about whether they had been subject to a software audit carried out on behalf of any of Microsoft, SAP, Oracle or IBM within the last three years and, if so, the name of the consultancy contracted to such software company to carry out the audit.

Of the 472 bodies who replied, 154 confirmed that they had been the subject of a software audit by one of Microsoft, SAP, Oracle and/or IBM within the last three years. Of these audits, 46 had been carried out by one of the Big Four on behalf of those software vendors. Two councils had two audits each.

Of those 46 audits carried out, EY was responsible for 12; Deloitte, 10; KPMG, 18; and PwC, six.

Seven such audits (15%) were carried out by the relevant authority’s own statutory auditors. According to Cerno’s analysis, four public authorities who are audited by KPMG were also subject to a software audit by the firm on behalf of a third party vendor: Sheffield City Council, Windsor and Maidenhead, the University of Salford and Blackpool Council.

Three others had EY as both the statutory auditor and the firm conducting a separate software audit: Watford Borough Council, Three Rivers District Council, and Darlington Borough Council.

Robin Fry, author of the report and a leading software licensing lawyer, said: ‘Statutory audits are intensive exercises requiring full disclosure from, and close working with, the client. Many would view the same firm, seeking to uncover evidence for missing licenses for a different company - the software supplier, as a form of betrayal.’

Fry said those who produced the report had been involved in multiple software license disputes, including a £21.1m claim against a FTSE 100 company brought by Microsoft, and a £4.5m IBM claim against a financial services business.

Cerno has made ten recommendations it says will reduce the risk of conflicts of interest in such cases, which include a bar on statutory auditors from carrying out third party software licence audits during the period of tenure and for three years afterwards. It also calls for the issues to be considered by audit committees and as part of the Financial Reporting Council’s audit quality review process.

Cerno report ‘Sleeping with the Enemy’ is here

Report by Pat Sweet
