KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line


Interesting survey conducted by KPMG relating to trends in software licensing and compliance.

Also reposted on Sand Hill (

Software license compliance
Software licensing and compliance
Software licensing entitlements
Software Asset Management (SAM)
Software Asset Optimization
Electronic License Management (ELM)
Contract Compliance and Risk
ISO 19770

Published in: Technology, Business


INFORMATION, COMMUNICATIONS & ENTERTAINMENT

Is Unlicensed Software Usage Hurting Your Bottom Line? Leading Practices to Reduce Revenue Loss

September 2007, KPMG LLP
Leaving Big Money on the Table: Software License Misuse Costs Publishers Billions

Research conducted by International Data Corporation (IDC) in 2005 concluded that the world’s software companies were losing USD34 billion[1] in revenue to unlicensed installations. This is more than the gross domestic product (GDP) of 42 countries.[2] Said another way, a USD34 billion software company would be almost on par with Microsoft’s annual revenue as the second largest software company in the world. It would be nearly twice as large as IBM’s software business, which racks up USD18 billion in software revenue annually.[3] Any way you look at it, this is a very significant problem for the industry, one that is due in part to software license agreement violations.

With the spotlight on contractual compliance, KPMG sought to understand the issues faced by most software companies today. How do major software vendors deal with customers that are not complying with contractual agreements? What steps are software companies taking to understand and control the nature and extent of revenue and intellectual property leakage caused by this issue? Do compliance reviews performed by software companies jeopardize their relationships in the marketplace? How are customers selected for compliance reviews? Who actually performs the compliance reviews? If license compliance breaches are found, what approaches are software vendors taking to resolve them? What percentage of revenue is represented by recovered license-compliance revenue? And, are these recovery practices worth the effort for software publishers?

[SIDEBAR] This study of the software industry was conducted in cooperation with the International Business Software Managers Association. [END SIDEBAR]

© 2007 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 070322
KPMG’s Software License Compliance Survey 2007

To find the answers to these and other questions, KPMG surveyed software companies in cooperation with the International Business Software Managers Association (IBSMA), a trade group that represents enterprise-level software customers. In addition, KPMG interviewed compliance executives at six prominent software companies to validate the survey findings and identify software license compliance practices worthy of note. Our objective was to understand the substantive issues underlying this significant industry problem by surveying a valid cross-section of software publishers. Our approach also focused on identifying better practices in license compliance in an effort to present successful strategies and techniques being applied by software companies today.

1 Cumulative of revenue leakage due to software piracy (including unlicensed personal use) as well as contractual noncompliance.
2 Source: International Monetary Fund Report, 2006.
3 Software industry revenue ranking source: Standard & Poor’s Industry Surveys, Computers: Software, April 27, 2007.
Our respondents included those responsible for, or with a strong working knowledge of, license compliance in software publishing companies. The companies surveyed collectively represented almost 50 percent of total industry revenue.

Demographics

Twenty-eight percent of those who responded are with companies earning USD5 billion or more in software revenue. In addition, 62 percent are with companies earning more than USD250 million. Responses from individuals who, based on their stated titles, had no direct responsibility for license compliance activities have been excluded from the results.

Of all respondents, nearly 40 percent sell PC software, a like percentage sell middleware/database software, and 74 percent sell enterprise business applications. Also, 96 percent of respondents work for companies that sell to enterprises having more than 2,500 employees. Eighty-nine percent of the companies surveyed publish software for the Microsoft Windows® platform, 78 percent for workstations, 78 percent for UNIX servers, and 35 percent for mainframes. Only 13 percent said their software is used on other platforms.

According to the survey results, respondents’ companies sell largely to the financial services, telecom, healthcare, and federal or local government industry segments. At least half of all respondents sell to the manufacturing, information, retail, and entertainment industry segments.

This survey population proved relevant to uncovering important nuances related to software license compliance, and their collective experience provides valuable insights into both the rewards and the risks associated with licensing matters.
Key Findings

Some important findings and conclusions drawn from this survey include:

• Unlicensed software use has significant and widespread impact on the industry.
• Almost all survey respondents said their companies lose significant amounts of revenue due to unlicensed use of their products. For example, 34 percent of those polled said losses amount to more than 10 percent of revenue, and 21 percent of respondents said their companies lose over 20 percent of overall revenue.
• A systematic approach to managing software license compliance efforts is a low-risk, high-reward endeavor.
• A substantial percentage of respondents indicated that compliance-related recoveries provide more than 5 percent of their annual software revenue streams.
• Most said license compliance activities have a positive or neutral impact on their relationships with end-user customers and channel partners.
• Use of fairness in the resolution of noncompliance issues with customers is of paramount importance in maintaining a positive customer experience and enhancing the overall relationship.
• Assistance from objective third-party service providers in performing compliance reviews benefits both the software publishers and their respective customers.

Additional analysis and conclusions can be found in the Executive Summary and the Survey Highlights sections of this report.
Executive Summary

A Low-Risk, High-Reward Endeavor

Overall, KPMG found that a systematic approach to software license compliance efforts produces good financial results and causes few, if any, negative ramifications. A large majority of those polled said that the impact of software license compliance activity was neutral, positive, or very positive at the end of the compliance review process.

Executives responding to follow-up interviews felt that customers ultimately view the process in a positive light, although initially a software compliance review may be perceived negatively. Christina Crowley, Vice President of License Management Services at Oracle, explained, “When first contacting a customer regarding a license compliance review, the perception may be viewed as negative or intrusive. People are nervous about what it means or how the review will be conducted. However, by providing information on the process and expectations, we can reduce overall concerns regarding what is expected during a license review.” Another executive asserted that even if some customers consistently viewed compliance reviews negatively there was no visible impact on subsequent “repeat” sales to those customers.

More than 94 percent of survey participants said that their companies rarely lost a customer due to software license compliance activities. Ninety percent said that escalation to litigation was rare as well. Craig Stoeber, Worldwide Software Compliance Executive at IBM, said, “We really haven’t seen any negative impacts. In some cases relationships have improved because we’ve accessed customers at higher levels in these organizations. There have been some issues with mid-level IT managers who are responsible for managing the software and who become identified as doing a less-than-perfect job, but even those haven’t had a long-term negative impact.”

Microsoft’s Rod Ross, Software Asset Management Director, agreed, “Overall, it’s very, very positive. We’ve approached these situations in different ways over time. It’s always potentially explosive, but approaching situations within the context of business process is very positive. We end up with neutral or positive perceptions 96 percent of the time.”

Michelle Brooks, Worldwide Director of Software Compliance at Attachmate, added, “I think overall the impact is positive, although not always immediately.”

Jeff Gustafson, a Worldwide Software Licensing & Compliance executive at EMC, views compliance primarily as providing value-added information to the overall relationship: “Software asset management is difficult even under the best of circumstances, with customers taking a risk-based approach to resource allocation in managing vendor contracts. Uncertainty, complexity, and risk in software licensing (e.g., the ‘perpetual license/on-site deployment’ model) can create perverse asymmetries in the business relationship, resulting in decisions based on imperfect information on both sides. In broad terms, compliance programs are responding by moving toward a relationship management engagement model in an effort to drive value-added information back into that relationship.”
Mostly Nonpunitive Measures

Based on various actions most companies take with noncompliant customers, we found customers are not being overtly penalized for noncompliance. Rather, many publishers use the results of compliance reviews as a basis for true-up only, or structuring of go-forward deals.[4] Yet despite that, 30 percent of those surveyed said recovered revenue amounted to between 5 percent and 10 percent of gross annual software revenue, and 7 percent of those polled said recovered fees had added 10 percent or more to the top line.

Handle Customers with Care

Follow-up interviews shed light on how these potentially sensitive activities are handled. “At Attachmate we understand that this can be intimidating, so we try to be very transparent about what customers can expect from us and any third-party partner we may be working with,” said Brooks. IBM’s Stoeber concurred with that practice and added, “We typically have face-to-face meetings with large customers, and we have well-defined processes and approaches that we follow on each one. We strive for consistency and we take customers through the processes and explain why we do what we do.”

EMC’s Gustafson emphasized the customer benefits: “More than simply mitigating legal and financial risk between the parties, compliance programs provide customers and vendors with other benefits. On one hand, customers can gain information to help optimize and leverage existing as well as future investments. On the other, vendors can gain a better understanding of their customers’ usage, thus facilitating a better alignment to value.”

Oracle’s Crowley added, “Our goal is to manage compliance risk and in doing so educate customers on their license inventory, deployment, and usage. In many cases, we are providing customers with information they may not have and/or are not managing. We report back to them in a customer-value-added way.”

Rod Ross from Microsoft acknowledged that things can turn contentious, and indicated that keeping the conversation focused on business issues is a key for success in dealing with customers. “We reset the conversation by saying ‘let’s make sure you understand our goal and what we are proposing to do here.’ We explain that we want to identify their baseline and see what’s needed.”

Top-Down Support Works Best

A key characteristic common to successful compliance programs is senior executive support. The prospect of compliance reviews can be intimidating not only to customers but also to stakeholders in the publisher’s own sales function. When a C-level executive endorses compliance practices, internal dissension is reduced. Including stakeholders from the sales function also helps to make the compliance function more successful. Interestingly enough, when a publisher review receives the proper executive support at the customer level (i.e., when an executive such as the CIO is involved in a compliance review), the whole process is often smoother.

“At the highest levels within IBM,” said Stoeber, “support is very, very good. At the mid-level, we find people who are not supportive for certain reasons. They require counsel on why they need to be supportive.”

4 Note: The approach taken by trade organizations, such as the Business Software Alliance, that act on behalf of publishers differs from the practices of the publishers themselves. BSA seeks a “penalty,” or a payment above the true-up cost, from users that overdeploy.
“At Attachmate, our primary support comes from the CEO, CFO, and general manager,” Brooks said. “By extension, our six-person executive committee has made compliance a corporate priority and an important part of the charter for the committee.”

“While strategic support with executives is a key factor, I would not overlook the importance of tactical alignment with the grass roots,” says EMC’s Gustafson. “I have not met an account executive or key internal business stakeholder who wasn’t interested in enabling his or her business relationship, rather than burning it.”

BEA’s Christian Pruitt, Senior Director of Worldwide Compliance, also enjoys top-down support. “To a degree, the higher up, the more supportive [our executives] are,” he explained. “The EVP of sales genuinely wants to do more, but is concerned that his team may already be overextended. At the country manager level, they’re supportive—when compliance activities are not unduly painful to them, they’ll make a good business decision.”

Fair Settlement Policies

Again, the common denominator in settlement policies is the word “fair.” However, that said, software companies rightly expect to be fairly compensated for the products that customers install and/or use. Some believe that the “letter of their contracts” is paramount and require full look-back measures (such as interest on payments) for overdeployed software. Other companies are content reducing discounts commensurately, rather than charging for interest. The net result may be the same, but the perception of punitive actions may be different. Still, many publishers extend regular discounts and no look-back charges.

Microsoft’s Ross indicated that conditional aspects of the company’s settlement approach are important to his customers. “There is naturally a very careful approach to such situations. When customers are willing to be reasonable and cooperative, settlement resolution is a very collaborative and cooperative process.”

According to Stoeber, IBM sees itself as being in the middle of the spectrum on settlement policies. “We do not have penalties or interest. We believe customers do not want to be out of compliance; some customers are simply not good at managing their software assets. We ask only that customers pay a fair price for an IBM software solution. We assume that our enterprise customers truly expect to pay fairly for what they use, and for related support. On that basis we ask customers, for example, to show us how long they have been using our products, to ensure they are in compliance with our maintenance policies.”

BEA’s Pruitt also used the word “fair” to describe the relationship his company expects to have with its customers. “I want a fair resolution when a contract violation occurs. That means what is fair to our customer. They only have to pay for what they use and what they need. What is fair to BEA is being compensated, at the right price, for what a customer used. They should not expect to ask me to let them uninstall something and not pay for it. If they used the software, then they should pay for it. If, on the other hand, they can demonstrate that they installed something but never used it, we are tolerant.”

It is important to point out here that fairness is closely related to each publisher’s revenue model. Some publishers, like cable television providers, believe the value is inherent in the installation: compensation is based on installation rather than use. Electric utilities, on the other hand, charge by usage. Settlement policies would therefore be different with respect to one publisher who charges for installation and another whose revenue model is based on users and usage.
Software Executives Speak Out on Third-Party Reviews

“One large benefit of using a partner is to obtain an accurate view, and complete and accurate remedy, that both Attachmate and the customer accept,” said Attachmate’s Brooks. “Partners give us depth and breadth. Sophisticated customers will also understand that they will learn quite a bit from the compliance review process that our partners take them through. We know our compliance review firm is going to find everything that’s there. Both our customers and Attachmate see the value of a partner as a mediator/moderator in the process.”

EMC’s Gustafson agreed, “The presence of a third party tasked with performing a professional, accurate, and complete software licensing assessment between the parties lends objectivity, credibility, and confidentiality to the engagement and, ideally, to the business relationship.”

“We’re not the compliance review experts,” added BEA’s Pruitt. “Third parties bring a much broader skill set to the table. If I tried to hire, train, and manage the level of resources I need, I would also need my own team of HR people. I would need to quadruple my team and manage that broad spectrum of skills. Third parties have an infrastructure around them that would be very difficult for me to replicate.”

“Software compliance reviews are not a core competency here, and never will be,” chimed in IBM’s Stoeber. “An independent third party brings credibility to the process, and allows our customers to be more open in a non-threatening environment.”

“We don’t have to sell their merits and attributes. Our customers already know that,” said Ross of Microsoft. “The Big Four really have the market cornered on having everyone’s respect.”

Resolution Philosophy

No matter what the actual losses due to unlicensed software installations are, everyone agrees they are significant. Some portion is due to counterfeiting, and software license compliance programs will typically not identify that type of risk. But a big portion of revenue loss is due to noncompliance with licensing contracts. Whether a publisher takes a look-back or look-forward approach to settlements, significant amounts of revenue could be added to the top line.

Best practices are emerging. Compliance programs are taking in far more than they cost to operate, and companies that already have successful programs in place are planning to expand them. Others that have not adopted a formal approach are seriously considering doing so. Not a single respondent to KPMG’s survey said the company planned to discontinue or downsize an existing compliance program.

A new industry standard for Software Asset Management (SAM), ISO 19770-1, was released in May of 2006, representing growing awareness of the critical role of SAM within organizations and of the challenges and complexities associated with governing SAM programs. A second part to the standard, 19770-2, is currently being developed and will include requirements for software publishers on tagging their software products to facilitate easy and accurate discovery by customers.

By its very nature, the software business is different from dealing in physical wares. It is often difficult to determine if an enterprise is using more than it’s paying for. Nevertheless, based on our survey findings, publishers that do what’s necessary to ensure they are justly compensated for their intellectual property are recovering more revenue than they are investing in the recovery process.

[SIDEBAR] KPMG’s Top 10 Recommendations for Successful Compliance Reviews

Based on our experience working with numerous software companies and the results of our survey, KPMG has identified these leading practices:

• Make license compliance a C-level priority. Having compliance as a top-down priority signals everyone, customers included, that compliance merits serious attention.
• License contracts should have clearly stated auditing provisions. Without contractual consent, a publisher’s right to audit is subject to legal interpretation and ambiguities.
• Every license contract should clearly define how the publisher verifies compliance. Definitions of overdeployment, compliance findings, and other important concepts should be included as well as some commentary on what methods may be applied to understand the entitlement-versus-deployment position. Although approaches may vary on a case-by-case basis, a broad discussion of how compliance findings would be resolved also may be included.
• Customers to be reviewed should be selected deterministically. Random auditing may reveal the extent of noncompliance and provide significant value to the publisher. However, a more targeted approach, based on probabilistic analysis, is far more efficient in focusing on the key issues facing the publisher in the marketplace from a compliance standpoint.

Continued on next page. [END SIDEBAR]
Inadvertent Noncompliance Is an Easy Pitfall

Every software company deserves a return on the value (installation- or usage-based) its software provides to its customers. Software licensing is a way to establish such compensation mechanisms. However, virtually everyone agrees that millions of dollars of value go unpaid every year. For software users, it’s not very difficult to get out of compliance with publishers’ contracts.

Here are some of the common reasons for getting into an overdeployed position:

• Complex, vague, and ever-changing licensing and pricing rules. Publishers are frequently changing how their software products are licensed. This is typically done in response to marketplace demands and in an attempt to provide more flexibility to customers. However, a side effect may include creating additional confusion around an already-complex matter. As a result, we have found that a key element of many compliance programs is customer education as to current usage rights.
• Disconnects between the procurement function that purchases the licenses and the IT department that actually uses the licenses. This disconnect can cause a misunderstanding of the licensing terms and conditions per the contract and may lead to inappropriate use of the software. It is common to find that software is deployed on machines with a higher number of CPUs than purchased, or using virtualization techniques that the licensing metrics either do not allow for or require additional licenses to support. Another example is using development licenses in a production environment. Other examples may include granting widespread access to limited-user software or hosting applications to the Internet without actually being entitled to do so.
• Changes to IT environments that modify the use of hardware resources such as servers and workstations that have licensed software installed on them. Although software vendors allow moving software from one server to another if changes in the environment occur, the expectation is that once software is reinstalled on a new server, it is also uninstalled from the older machines. Software users often overlook this expectation, and before they know it, their environment has more software deployed than they are entitled to.
• Mergers and acquisitions can complicate both entitlements and deployments. When one company acquires another, the acquiring company does not automatically inherit any software licenses that were owned by the company acquired, unless the contract expressly allows it. Often the acquiring company has no way of knowing what software is being used by the new entity, or where. Unless due diligence is performed in understanding the nature and extent of software assets and related contracts, the acquiring company may be opening itself to significant liabilities in license and support fees. It is strongly recommended that this due diligence be performed and all software assets be appropriately assigned before signing on the dotted line.

Survey Highlights

To establish the authority of this survey and the resulting report, KPMG identified these critical criteria:

• Executives polled were from across the software publishing industry, representing enterprises of all sizes.
• These executives have direct responsibility for, or at least a working knowledge of, software license compliance.

In addition to our objective field survey, executive interviews were conducted to validate the key survey findings. The survey was conducted online from March 27 through May 25, 2007.

[SIDEBAR] KPMG’s Top 10 Recommendations for Successful Compliance Reviews (continued)

• Compliance review decisions should be made with stakeholder participation. Far greater success can be achieved when conducting a compliance review if it is sanctioned by internal stakeholders, such as sales, legal, and finance, as appropriate.
• Customer discomfort should be dealt with respectfully. Compliance audits, and meetings leading up to them, can be difficult. They should be conducted with concern for the sensitivities of all involved.
• Ideally, use objective third-party professionals to conduct the reviews. There is nearly universal agreement that third parties bring resources, experience, and dispassionate execution to an otherwise awkward and demanding engagement.
• Reviews should be designed to leverage information the customer already has in place. Instead of trying to recreate the inventory from scratch (for example, by introducing external discovery tools), a more efficient approach in many situations is to perform procedures (such as sample testing) that will allow the publisher to rely on the completeness and accuracy of the customer’s own data. This is not only the most efficient approach but also promotes a healthy long-term relationship and trust between the publisher and the customer. In addition, if it turns out the customer did not get the inventory right, this process will show the customer where its process went wrong so it can be corrected going forward.
• Reviews should be a learning experience for the customer. Reviews provide opportunities for software publishers to teach customers how to better manage their software assets.
• Customers should expect to pay for overdeployments. It is important to establish from the outset of a compliance-related discussion that overdeployment is no different from receiving additional packaged products. The software company should make it clear that it expects to be paid for that overdeployment. [END SIDEBAR]
A Significant Impact on the Software Industry

IDC’s 2005 Software Industry Survey concluded that as much as 35 percent of software applications currently in use are illegally installed, amounting to some USD34 billion in lost revenue for the industry (these numbers include revenue leakage due to software piracy as well as unlicensed personal use of software). Seventy-seven percent of those polled by KPMG in 2007 agreed with the estimate when asked about the accuracy of that statistic. Nine percent of respondents thought that the amount of revenue loss was even higher, and 6 percent thought the loss was lower than projected. Interestingly, though, nearly two thirds of respondents (62 percent) believe their companies have fared better than the average when considering the magnitude of their losses. Regardless, almost everyone included in our survey (87 percent) indicated their companies suffer losses due to unlicensed software use, with 34 percent saying losses to their companies’ top line amount to more than 10 percent, and 21 percent reporting revenue losses higher than 20 percent.

Question 1: A 2005 study conducted by IDC on behalf of the Business Software Alliance (BSA) reported 35 percent of software installed on PCs worldwide is unlicensed, amounting to USD34 billion in lost revenue for software companies. Taking into account the entire universe of software companies across the world, do you agree with this estimate?

[CHART 1: Most Agree 35% of Software Is Unlicensed]
I think the amount is about right: 77%
I think the actual amount is higher: 9%
I think the actual amount is lower: 6%
Other: 9%
Does not total 100 percent due to rounding. Source: KPMG LLP 2007

Question 2: Compared with the IDC/BSA survey, what would you say is the percentage of your company’s revenue loss to unlicensed users?

[CHART 2: Most Believe Their Company’s Revenue Loss Is Below Average]
Below average: 62%
Average: 13%
Above average: 9%
Don’t know: 17%
Does not total 100 percent due to rounding. Source: KPMG LLP 2007
  10. 10. Question 3: What is the approximate percentage of your company’s revenue loss due to unlicensed users? A Third Say Revenue Loss Is More Than 10% y 13% 34% 19% 9% 4% 34% 21% 20 40 0 16–20% 0 6–10% Source: KPMG LLP 2007 , 11–15% 1–5% More than 20% © 2007 KPMG LLP a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 070322 KPMG’s Analysis Most of the respondents thought the IDC/BSA survey had it right—35 percent of installed software is unlicensed and unpaid for. However, nearly all of the respondents believed their own losses were considerably less than that. The survey figure of USD34 billion included both overdeployment and pirated software as well as all varieties of software. KPMG believes the 35 percent figure is affected by significant PC software piracy. So, while it may be representative of the industry as a whole, the losses for enterprise software companies due to noncompliance are more in line with the lower losses the respondents believed they sustained. Thus, the enterprise software segment of the industry may not have lost USD34 billion, but a quick correlation of respondents’ esti- mates and their companies’ software revenue strongly corroborates annual losses of billions of dollars. License Compliance and Revenue Recovery Programs A majority of those polled, 64 percent, said their companies have a software license compliance program, and of those, 67 percent said executive management is a strong proponent. According to respondents, none of the companies that now have such a program has ever discontinued or downsized a license compliance program. Two thirds of those polled said they apply the program in every country where they do business. 
In post-survey interviews with executives at various software publishers, virtually everyone agreed that there are significant differences when applying these programs across different regions. Differences in contract law along with different business and social customs must be considered with regard to how compliance programs are applied.

Of the 36 percent of respondents whose companies do not have a compliance program, almost 60 percent believe they have no license compliance issues. Almost as many executives cited resource limitations as the reason for not implementing a program. Others
are concerned about negative impact on customer relationships, and still others think that such a program would not have sufficient return on investment to warrant it. A small group said competitors are not doing compliance reviews, and they don’t want to be at a competitive disadvantage.

Question 4: Does your company have a program designed to ensure customer compliance with license agreements?

[Chart: Majority Has a Program to Ensure Compliance with License Agreements. Yes 64%, No 36%. Source: KPMG LLP 2007]

Question 5: On a scale of 1–5, how would you rate the extent to which your company’s C-level executives support your compliance program?

[Chart: Two Thirds Say C-Level Executives Strongly Support Compliance Program Efforts. Strong (4–5) 67%; Neutral (3) and Weak (1–2) account for the remaining 33% and 0% as shown. Source: KPMG LLP 2007]
Question 6: In which regions do you operate your compliance program (select all that apply)?

[Chart: Two Thirds Operate a Compliance Program in Every Country Where They Do Business. In every country in which your company operates 66%; U.S.A. 34%; Europe 24%; Canada 24%; Other Asia Pacific countries 17%; South America 17%; Mexico 17%; Japan 14%; Africa 7%; Other 3%. Small base size, findings are directional only. Source: KPMG LLP 2007]

Question 7: What is the approximate percentage of your company’s total global compliance activity by region?

[Chart: Distribution of Compliance Activity by Region. Regions: Americas; Asia Pacific; Europe, Middle East, and Africa; values shown: 55%, 32%, 13%. Small base size, findings are directional only. Source: KPMG LLP 2007]

KPMG’s Analysis

[SIDEBAR]
KPMG recommends that:
• Companies that do not have a compliance program consider running pilots with just a few customers
• Companies use caution when they elect to conduct piecemeal reviews in individual regions
[END SIDEBAR]

Of the 36 percent of respondents whose companies had no compliance program, more than half believe they have no compliance issues. This survey finding is consistent with a minority of the population of publishing companies KPMG encounters in the marketplace. We recommend that those without a program consider running a pilot with a few customers. The outcome would either confirm their no-problem assumptions or give them a tangible reason to reconsider having a compliance program. With regard to customers using software on a global scale, KPMG advises caution when electing to conduct piecemeal reviews in individual regions. More often than not, understanding entitlement for global customers requires considering purchases and
deployments on a global basis. Reviews that are limited to one country only make sense if entitlements could be determined for that one country. Generally, if license agreements are global, reviews should be global.

The rate of success in collecting unpaid license fees varies between geographies. In North America and Western Europe, it is generally easier to collect on findings, even on those that are relatively insignificant. In Asia, although the magnitude of findings may be much greater, publishers have found it difficult to collect on them.

Embedded Controls: A “Catch-22”

More than half of those polled (53 percent) said that some of their products have software that includes embedded controls that help prevent overdeployment. Of these, 68 percent use license validation “keys.” Another 40 percent use node-locking controls. Twenty percent use third-party commercial license management tools, and 20 percent use other methods. However, we found in our post-survey interviews that many companies—particularly those offering large enterprise business applications—thought it was counterproductive to put controls into their software that may inhibit a customer’s ability to operate under any circumstances. Their comments can be summed up as, “We think it’s bad business because automated controls often limit a customer’s ability to run the production environment effectively and efficiently.”

Question 8: Does your software include embedded controls to restrict overdeployment?
[Chart: Half Say Software Includes Embedded Controls to Restrict Overdeployment. Yes 53%, No 47%. Source: KPMG LLP 2007]

Question 9: If your software includes embedded controls to restrict overdeployment, which of the following do you use most frequently (select all that apply)?

[Chart: Controls Most Frequently Used to Restrict Overdeployment. Online validation license key required for activation 68%; Node locking* 40%; FlexLM 20%; Other built-in control mechanisms 20%. *License key issued to an IP/MAC address or range, or similar. Small base size, findings are directional only. Source: KPMG LLP 2007]
Of those without embedded controls, only a few indicated that they had plans to implement such measures in the future.

Question 10: If your software does not include embedded controls to restrict overdeployment, does your company have plans to add them?

[Chart: Just over One Quarter Plan to Add Embedded Controls to Restrict Overdeployment. Yes 29%, No 71%. Small base size, findings are directional only. Source: KPMG LLP 2007]

KPMG’s Analysis

Compliance controls embedded in software can be a double-edged sword. No technological solution that exists today would provide 100 percent coverage against overdeployment or eliminate the need to engage in compliance activities with customers. Some companies have embraced embedded control technology that can potentially reduce overdeployment. KPMG advises companies to consider embedded controls carefully while fully weighing the advantages and disadvantages. For example, KPMG has encountered publishers that used embedded controls, only to find that the technology makes the software application more difficult for the customer to use. Some have subsequently abandoned these embedded controls.

Purchase History and Entitlement Information: To Tell or Not to Tell?

According to our survey respondents, software companies could be doing a better job of helping their customers understand what they have purchased and what types of usage their license agreements allow. Only 36 percent make such information easily accessible to their customers, while 43 percent said they share such information on a case-by-case basis. In addition, the information that is made available may not be as comprehensive as necessary.
While 45 percent said their entitlement information is comprehensive, 55 percent said the data may provide only an average or limited level of understanding. Interestingly, however, almost all respondents think that their companies accurately determine whether or not a customer calling in for support is entitled to it.

KPMG’s Analysis

We believe this problem involves more than just information clarity and access. As previously mentioned, the disconnect between procurement and IT can lead to misunderstandings about agreed-upon terms and conditions of software use. An effective practice would provide processes for communicating license terms and conditions to the people who actually use the software. Sharing entitlement information with customers
can better enable them to understand what they have, what they need, and whether or not they are in compliance with the contracts. Having the right baseline information before a sales discussion with the customer is always a good idea.

Compliance Programs: Elements and Methods

To understand the software license landscape, we asked survey participants about the foundations on which their license agreements were based. In other words, how do companies license their software and what metrics form the basis of measuring compliance with license agreements?

We found that publishers are using a mix of approaches to license software to customers. Fifty-seven percent of respondents based their licenses on the number of unique or registered users, while 54 percent use the number of servers and other machines on which their software is deployed. Another 54 percent of respondents license their software based on the number of concurrent or simultaneous users, and 48 percent use the per-CPU/Processor model.

Question 11: Which of these metrics do you use as a basis for your product licenses (select all that apply)?
[Chart: Use of Metrics as a Basis for Product Licenses. Per unique/registered user 57%; Per server/machine 54%; Per concurrent/simultaneous user (high-water mark) 54%; Per CPU/Processor 48%; Per number of employees/workstations in the entire organization 43%; Per PC 30%; Other 17%. Source: KPMG LLP 2007]

Almost all respondents (89 percent) said all or some of their contracts include audit clauses, but only 55 percent said all of their contracts specify such clauses.

When it comes to enforcing their license agreements, publishers do not rely on any one type of metric for determining where to conduct compliance reviews of their customers and channel partners. Over half (52 percent) said their compliance review decisions are triggered by data analytics. In second place, customer history is used by 45 percent of those polled. Random selection and external information are each used by 28 percent of respondents’ companies.
Question 12: How many of your license agreements typically include an audit clause that gives your company the right to audit your customers or channel partners?

[Chart: Most Include an Audit Clause in Some Portion of Their License Agreements. All 55%; Some 34%; All or some 89%; None 11%. Source: KPMG LLP 2007]

Question 13: What criteria do you use to select the individual customers or channel partners that will be reviewed as part of your software license compliance program (select all that apply)?

[Chart: Data Analytics Most Common Criterion for Selecting Audit Subjects. Data analytics suggesting higher risk of noncompliance 52%; Known historical issues your company has had with the licensee/sales force experience and referrals 45%; Random selection 28%; External information* 28%; Other 21%. *E.g., licensee reputation in the marketplace, recommendation by external party. Small base size, findings are directional only. Source: KPMG LLP 2007]

More than half of those polled said they or third-party firms conducting reviews on their behalf use proprietary software or internal product capabilities (commands or logs) for compliance discovery. Thirty-one percent of respondents use nonproprietary (commercial) software and 28 percent rely on the customers’ own software-asset management tools or capabilities.
Question 14: What tools (discovery methods) do you use in your software license compliance program (select all that apply)?

[Chart: Half Use Proprietary Tools in Software License Compliance Program. Proprietary tools 52%; Nonproprietary/commercial tools 31%; No tools, we work with whatever SAM capabilities the customer may have in place 28%; Other 17%. Small base size, findings are directional only. Source: KPMG LLP 2007]

Fifty-four percent of respondents use an independent third party to perform software license compliance reviews. This group uses the services of Big Four firms most often.

KPMG’s Analysis

Clearly there are differences in how software companies license their software. It would probably be easier if there were more consistency, but that is unlikely to happen. Therefore, it is critical that contracts clearly define how the software company computes installation and/or usage and how it verifies the chosen approach.

There is disparity in the inclusion of an audit clause in contracts. We strongly urge every software company to include an audit clause in every enterprise software contract. Even if the company is unlikely to audit, the clause may encourage compliance. Without that clause, compliance verification options are somewhat limited.

There is no consensus with regard to the question of compliance-related tools. Today, a majority of software companies use proprietary tools and capabilities. There is clearly an opportunity for commercial tools to serve this market, either data analytic tools or some of the customers’ own software asset management tools. At first glance, the latter would appear to be more appealing to customers.
Tools may help make the compliance review process more efficient and save costs for both sides, and they may provide ongoing capabilities to customers. As we’ve seen, more than half of respondents use third-party help in conducting compliance reviews.
Industry Associations and Standards to the Rescue?

We wanted to know if publishers were turning to industry associations or using industry standards in their attempts to thwart license compliance problems. Interestingly, a majority of companies represented in our survey indicated that they do not leverage industry associations for compliance enforcement activities. We tested for affiliation with the Business Software Alliance and the Software and Information Industry Association as well as other trade groups with respect to compliance and enforcement activities.

The SAM standard ISO 19770-1 has been formulated to provide an internationally recognized standard against which organizations can measure the maturity of their software license compliance programs. It also assists in providing effective support to help IT departments maintain compliance with legal and contractual requirements and to demonstrate good corporate governance.

Our survey found that this standard is not well known by software publishers (55 percent of respondents are unfamiliar with it). Of those who are familiar with the standard, 81 percent feel it would benefit the industry. However, 71 percent said a customer’s 19770-1 certification would not influence how compliance program activities are applied to that customer.

Question 15: Are you familiar with the ISO SAM Standard 19770-1?

[Chart: Slight Majority Not Familiar with ISO SAM Standard 19770-1. No 55%, Yes 45%. Source: KPMG LLP 2007]

Question 16: Do you believe the ISO SAM Standard 19770-1 benefits the industry overall?

[Chart: 8 in 10 of Those Familiar with the Standard Believe It Is Beneficial to the Industry. Yes 81%, No 19%. Small base size, findings are directional only.]
Source: KPMG LLP 2007.
Question 17: In your opinion, will your company’s future software license compliance activities be influenced by whether or not a customer is certified under the standard?

[Chart: 7 in 10 of Those Familiar with the Standard Say Compliance Activities Will Not Be Influenced by Customer Certification Status. No 71%, Yes 29%. Small base size, findings are directional only. Source: KPMG LLP 2007]

KPMG’s Analysis

Though ISO SAM Standard 19770-1 can help the companies that implement it with improving their software license compliance profiles, publishers are reluctant to rely on the standard in lieu of compliance activities for a number of reasons. First, independent certification against the standard is not currently available, so publishers would need to rely on customers’ self-assessments. Second, even if independent certification were available, it could not address compliance with specific software license agreements, which is what publishers are really after. Furthermore, other ISO certifications have tended to focus more on whether you “say what you do” rather than on whether you actually “do what you say.” Third, as it is written, the standard does not provide adequate guidance as to how its recommendations should be implemented. Alternatively, KPMG’s Software Asset Management (SAM) methodology provides enterprises with guidance to help them move efficiently up the SAM maturity curve, thereby improving their software compliance profiles as a by-product.

Organizational Footprint

Of those polled, 80 percent said that their compliance programs report to either the sales or finance function. Of these, 47 percent said finance and 33 percent said sales.
The remaining 20 percent said compliance reported to other functional areas, including legal and internal audit.
Question 18: To which functional area does your compliance program report?

[Chart: Compliance Programs Generally Report to Finance or Sales/Sales Operations. Finance 47%; Sales or Sales Operations 33%; Internal Audit, Legal and Other make up the remaining 20% (values shown: 7%, 3%, 10%). Source: KPMG LLP 2007]

When it comes to where credit is given for revenue generated for license compliance, nearly half of those polled (47 percent) said “sales representatives” receive commissions for compliance revenue. About 17 percent of respondents said both the compliance and sales organizations share in commissions on compliance revenue, while 13 percent said that compliance recovery commissions went exclusively to the compliance organization.

Question 19: Who receives commissions for compliance revenue?

[Chart: Sales Generally Receives Largest Portion of Compliance Revenue Commissions. Sales representatives 47%; Both sales and compliance 17%; Compliance professionals 13%; Other and Neither account for the remaining 17% and 7% as shown; a 64% figure is also shown. Does not total 100 percent due to rounding. Source: KPMG LLP 2007]

KPMG’s Analysis

There is no clear trend emerging for where to put a compliance group. Today, about half report to sales and half to finance. It would be interesting, in a follow-up survey, to compare the results for those reporting to sales and those reporting to finance. Advantages in having the compliance program report to finance may include management’s existing mindset of compliance and audits as well as objectivity and separation from the sales force.