When CIOs face audits

December 3, 2012

Pratima H

INDIA: The door bell rings.

Ah! It’s the pizza boy! He sprints to the door, opens with a thankful sigh and pays for the pizza. The boy hands him over a hot parcel and some slips and sachets. You know the ketch-up, chilli flakes, oregano etc.

John meanwhile and still glued inexorably to the TV remote yells a friendly expletive. He shouts back, informing him to come to the kitchen soon, else the mozzarella will dry up.

John, now moving almost like a meteor, hurries up to the kitchen. They have hardly busied themselves munching the delicacy, when someone’s voice at the kitchen door jolts them up.

“You are not supposed to use any other ketch-up with that.” An authority-filled pitch makes its way between what they call ‘there’s many a slip between the cheese and the lip’.

He turns around and to his utter surprise, finds the pizza boy standing and scrutinizing their morsels.

‘How in the world did you enter my flat?’ he demands.

John is disgusted, and takes it out on him. “You must have forgotten to shut the door as always, arrgh!”

But the delivery boy has no time for the buddy-bickering.

“You have to follow our agreement Sir. I am sorry you are violating the same by putting that black pepper from your kitchen.” The boy orders again and then giving a condescendingly nasty look to John adds, “Who is he by the way? You are not supposed to share your pizza with anyone but your family Sir.”

Almost furious by now, he replies, “John is my friend, and by that logic, my family. But why at all are you supposed to ask me that atrocious question? After you dare to barge into my premises, if I may remind. Let me call your seniors and take up some legal action for a seasoning now.”

He is stopped midway by another startling rejoinder.
“Actually, it’s the other way round Sir. I am afraid you will have to meet our lawyers next. We would be suing you if you continue to not co-operate.”

The boy’s words instigated John this time.

John hurled it back. “Sue him! For what?”

The boy answered in almost a whisper. “I request Sir to not raise your pitch. It’s all written there. On our website as well as the paper-napkins that accompanied the pizza box. Now that you have shared the product we delivered with a non-authorised user and have also consumed it with another brand of accompaniment, we have to resort to a stringent action.”

He was aghast. Perhaps his face was enough to explain his bewilderment.

Guessing the same, the pizza boy continued. “I know it may sound unreasonable at the very first sound of it, but please try to understand our side as well. The pizza is a special recipe from our company and use of any other seasoning than what we prescribe, actually shakes up the taste we intended to present. It harms our business interests if consumers break some instructions.”

John looked at him, puzzled and amused at the same time. He reciprocated. But both stood still, frozen by confusion, repulsion and the sight of a cold pizza.

The feeling is contagious for sure. As we read what ‘he’ went through, it certainly and naturally sounds like either a prank from a friend or a totally unreasonable nightmare.

The ‘he’ could be ‘you’.

Well, what feels outrageously funny to us as a pizza consumer would probably sound like a fair expectation if the boy in question was from a cable operator instead. When your operator sells a connection, it’s all right for him to demand that a customer does not misappropriate the connection by cutting and joining wires for his neighbours or tenants or his teenage son upstairs.

It’s also feasible that he would get utterly irate if he spots the customer hiring a plumber to fix the cable antennae, instead of ringing him up for a regular check.

Then what’s wrong?

Asking the customer to observe certain Dos and Don’ts that only augment a product or service’s quality, and in fact, compromise it if the instructions are not respected?

Then why was ‘he’ angry?

For expecting him to bend over backwards and not sprinkle anything over the pizza?

Or for being so uncivil to directly walk into his kitchen?

Or for expecting him to read paper napkins?

Or for not telling him clearly in advance what a simple pizza home delivery can entail?

Would you be angry too if you were ‘he’?

Let’s throw some more questions in the cosmos of IT Software license space before we let you jump to an answer. Some points that do matter when you buy a license next.

1. The agreement says it all

1. Pricing metrics, discounting criteria and terms and conditions should be provided upfront to all customers.

2. Clients should be given a choice as to whether they can self-deploy, choose a trained third-party partner or work with the vendor.
3. Selected partners should be able to obtain access to key data and implementation information. In cases where no partner exists, clients should have the option to self-implement with vendor/partner assistance.
4. Move across deployment options. Customers should have the right to deployment choice. This includes the ability to buy public cloud, deploy private cloud or license the code for on-premises deployment.
5. Clients should not be limited in discussing the software app with fellow customers, peers, user group members or media.

Sounds familiar to what could have been used in the conversation with pizza boy? Well, yes, or no, these excerpts from The Enterprise Cloud Buyer’s Bill of Rights, as recommended by a research consultancy firm Constellation, can actually be relevant points of attention while buying other boxes.

But why are we even talking about rights and statutory accessories here? Since when did table talks swerve to legal lingo? Wasn’t buying a technology always about negotiating the best price and squeezing out the extra-maintenance cholesterol?

Have the sales-tables turned into boxing rings?

Hard to believe, but while the industry is still trying to come to terms with a concatenation of patent-wars and other court-room hangovers between all major technology and mobility players; there’s a new form of faint but hard-to-ignore skirmish waiting in the wings around all the big wrestling.

This time it’s between software vendors and customers.

If you have reached for your ear-buds, don’t bother. The wax has started melting. From the big, imaginary statutes that one creates of an ideal vendor. Or shall we say an ideal customer?

2. Not honouring license terms can lead you to a court

Names like 3M, Carver Pump company, Micromatic, Porter Memorial hospital, Infor, Vaughan & Bushnell, Ayrshire etc have hogged a lot of attention around legal corridors in the recent past.

A slew of suits as spotted in many US District Courts are enough to indicate that both sides of software license contracts, whether vendor or customer, have been engrossed in sorting out issues that have suddenly taken a legal complexion.

The issues range from a customer allowing third-party access for an ERP use to letting a third-party maintenance provider fiddle with a vendor’s software. Violating terms or ways of using a software license, exceeding tier-one levels, crossing the allowed number of users, not following upgrade policy, jumping MIPS mainframe limits and crossing the number of sessions are more examples that have hair-balled into lawsuits recently.

This or that, these contentions usually fall under the ambit of what is usually called an ERP audit. To the uninitiated the very idea of a customer being audited may sound outrageous or ridiculous, but as it turns out, the idea is not so alien any more. Some may shrug it off as another tactic by vendors for squeezing more revenues from a drying-up customer pipeline in the ERP tank. Some may feel it’s only just for a vendor to be allowed a peek to ensure if its service is not suffering a scope-, number- or usage-creep.

The matter is grey here as one may deduce so far.

3. Don’t over-use that software

As to the very question and rationale of an audit by any vendor, R Ray Wang, the seasoned and deep-cutting expert from Constellation Research, minces no words in pointing out that vendors have to make sure users aren’t overusing software.

Issues come up at times, as Infor India MD Souma Das concurs. “If a customer is running a license many years old, sometimes, some points have to be sorted out. It only improves the benefits of a fresher portfolio if the approach to usage and difference between right and wrong around some internal factors is appreciated.”

As he interestingly points out, “Customers are usually very co-operative to the concept of an audit, barring some tough exceptions. It is for everyone’s good, at the end of the day.”

There are many ways to check the scope of a software license as Maneesh Sharma, Head- Database and Technology, SAP India, indicates. “System-based movements as we have seen in cases like EPABX or configured limits on number of users etc are automatic ways too. In fact, customers themselves are proactive in reporting the usage, which is an ideal way of going about this issue.”

His argument is seconded by Rajesh MP, Group leader IT, Kancor group. Audits are a regular feature with ERP applications and periodic audits are undertaken and passed on to SAP at his organization.

“They need to ensure that we are in the line of agreement,” as he explains.

But commenting on the degree and validity of these audits he adds that it’s a call that an IT head has to take about allowing a vendor in. “In many cases, simply signing a document without looking at its nitty-gritty points like compliances, or financial implications or penalty clauses can lead to problems.”

He cautions how an IT customer should know what one is stepping into. Getting information from peers on upfront as well recurring costs or compliance burdens is crucial. Roadmap clarity should not be neglected, he adds.

Having himself been witness to a very small degree of license issue with a provider last year, he has a hands-on view to how audits matter.

“We had taken a license for a small number of users but as we grew, we came to realize that there was only one way to augment: a license procurement. It’s necessary that a CIO or IT manager ensures that all facets like skill-set needs, cost escalations apart from tangible benefits are calibrated well.”

4. Maintenance can prove costly, both ways

Audits may not be a chicken and egg situation between clients and vendors.

But there’s a very interesting flip side to this not-so-appeasing omelette. The challenge as it turns out, is, that if they audit, clients may realize they are overpaying for maintenance on software they aren’t using.

R “Ray” Wang, Principal Analyst and CEO, Constellation Research, sharply underlines how most customers are over-licensed and are sitting on tons of software purchased and not deployed – “shelf ware”.

Third-party maintenance had emerged like a hot cake. It is hard to ignore, for the quintessentially-maintenance-charge-burdened customer. And also for the ERP vendors who still have a major chunk of their revenues coming out of cash cows called maintenance-upgrade fees, more so in a market where ERP spending has been drying for quite some time.

Talking about this option, Rajesh MP from Kancor opines that this point is usually out of an audit scope. If it’s an AMC-bound license, resorting to a third-party option can have legal vulnerability as well as product-related issues. “Another aspect is that of functionality. Small companies usually depend on service support from channel partners or integration vendors locally. There is some reluctance if an audit spoils one’s heavy-ticket-maintenance options for customers. It is something naturally possible. But then, it’s all about the agreement.”

Observing nuances of cloud-contracts, Ray Wang advises that vendors may also provide an option to apply credits to a newly merged entity. Vendors should give customers ample time (e.g. 30, 60 or 90 days) to prepare for an upgrade. “The vendor should provide a clear maintenance window when upgrades are going to occur. This includes keeping the lines of communication open, preparing the appropriate training materials, providing guidance on testing and working.”

5. Do not be bullied into it

The very idea of a vendor-led audit may sound like an arm-twisting exercise at the first hint of it. To ensure that it doesn’t hurt a customer’s posture and is something to be seen as mutually-useful is naturally critical on the vendor’s part.

While lately, some vendors have indeed used this as a bullying tactic to start the discussions on additional maintenance or the need to buy more licenses, as Wang notes, this isn’t usually a positive outcome.

It is not arm twisting at all in the opinion of Shailendra Joshi from Godrej Real Estate. “We are license-compliant as a customer. We always ensure to plan shortfalls.”

Having faced audits from Microsoft and Auto CAD software, his experience has been not negative at all, thanks to factors like clarity and advance-caution taken care of. “There was prior intimation and often they were friendly audits. At the end of the day, it’s about a report and there were no contentious issues faced.”

A vendor usually charges on MRP in case of number-shortfalls if any spotted, as Joshi reckons. “Or a vendor may offer a discount is my guess. Also in US, any link or interface to any application probably also calls for access nods for the users. Extensions etc are part of this territory.”

6. Bell the cat, in advance

You are definitely a CIO with more than the technical legerdemain if you have always ensured taking care of the legal contours before diving in s/w license waters.

If not, there might be a few things that would come handy to ensure that all gaps are filled well in any dotted line you sign up next. From contract negotiations to SLA drafting, there’s so much that will tell IT departments it doesn’t hurt to be a bit legally-savvy.

Wang advises to follow the general rule. And what is that? To provide enough advanced notice.

In most Constellation suggests that clients have 60 days written notice. Konk-off time is something that makes a great side dish here.

“We also put the onus of failure or down time caused by the audit on the vendor, so if the system goes down, they incur the liability of the loss of revenue or business for that day. You want to put these clauses into the contract upfront.”

7. Be ready for what to expect?

What does a typical audit like this entail? How much can a vendor touch when it comes to a customer’s internal systems? Does it get complicated in heterogeneous IT environments with rival products flanked around? Questions pop out like corns once the rabbit called ‘audit’ is out of a license hat.

In Wang’s experience, most modern software audits can be conducted remotely. They use the admin consoles and user provisioning systems to calculate usage.

If any gaps or aberrations are at all found, vendors usually are looking to validate if they are within the authorized usage counts. This could be users, number of orders, revenue limitations, server sizes, or CPUs. CIOs can use the bill of rights to establish frameworks for business units to speed up the vendor selection process. Procurement staff can standardize templates to ensure speedy yet compliant purchases. Include the Enterprise Cloud Buyer’s Bill of Rights in SaaS evaluation and selection criteria, for example, as Wang suggests.

“Use the rights as a starting point in establishing a long-term, productive client-vendor relationship. The bill of rights should serve as a launch-pad for discussions. Customers should also keep in mind their responsibilities as a client in the relationship. Understand that some rights push today’s limits and are designed as conversation starters.”

Commenting on the splurge of suits in this space and the quintessential role of audits, Wang argues that the bottom line is that – audits are a necessary check and balance.

“When customers abuse trust, vendors need to receive payment. When vendors use these as a sales tactic, customers need rules of engagement like the Customer Bill of Rights.”

8. Know your rights, duties and options

Do CIOs really have a choice in matters of licenses and audits?

Rajesh lets on that unfortunately the options are very limited and any decision comes at a cost. If you want to add rich features to an ERP package, the sales guy who pitches it to you may himself not have a clear picture to start with. The implementation team has to look well into many dimensions. You do not want to be in a spot where you are violating a clause or paying a fine just because you were using a feature you deem reasonable enough, he warns.

It wouldn’t hurt if one takes note of all the above points and some more suggestions as below, especially in light of the complexity of agreements that have grown as time and the phenomenon called ‘Cloud’ grows. The Constellation Research Cloud Buyer Bill of Rights offers quite a variety of categories: from the critical ones to the good-to-have. It depends on what you choose and what best you can use.

Like: Prospects should receive updates and alerts when changes are made. Terms around user and usage metrics should be made clear. Also, standard contracts and renewal provisions should be made available for review. Vendors should be required to give a good notice period (e.g. 180 days) before changing terms and conditions. Plus, clients should not be asked to sign no-disparagement clauses. Both sides should be open in their communication.

9. Communication is not only good, but crucial

Clients should be able to freely discuss issues with the software vendor, including but not limited to security issues, bugs and relative pricing ranges, as the Bill of Rights outlines too.

Also note that clients of on-premises software vendors moving to SaaS and other on-demand models should be able to convert user and usage models across different deployment options. Equivalency ratios should be determined ahead of time.

Interestingly, as per this Bill of Rights, customers should be able to provide access to and usage of the software to majority-owned affiliates.

Customers and vendors should determine how to treat usage assignment with other related organizations. Clients should be given the option to combine contracts to achieve more generous discount levels or pricing tiers during mergers and acquisitions. In cases where the software will no longer be used, limited access licenses should be provided for the use of pre-merger files, compliance requirements or historical trending data. SaaS vendors should provide an option for clients to pare down usage or terminate during divestitures.

10. Don’t sweat over it. Perspire.

As long as a customer honours criteria like usage, scope, access, authentication and a clear upgrade policy, audits are never a headache.

As to whether you really want to pay for expensive maintenance or for how long or what would you rather define as the reasonable user to software, it’s better to spell it out in advance, not after, but before the agreement.

Not with the sales guy but someone consequential and with more clarity on the product and usage terms at the vendor’s side.

And not like a demanding or a naïve customer but someone who is both reasonable as well as cognizant of what is right to expect.

Don’t sign the agreement blindly if you do not agree. Once you sign it, there’s no point if you disagree.

Either way, you don’t have to worry if you are doing the right thing. You will have all the answers even if a pizza boy rang your doorbell to ask ‘Who moved my cheese?’