KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line

INFORMATION, COMMUNICATIONS
& ENTERTAINMENT

Is Unlicensed
Software Usage
Hurting Your
Bottom Line?
Leading Practices to
Reduce Revenue Loss
September 2007

KPMG LLP

Leaving Big Money on the Table:
Software License Misuse Costs
Publishers Billions
Research conducted by International Data Corporation (IDC) in
2005 concluded that the world’s software companies were losing
USD34 billion1 in revenue to unlicensed installations. This is more
than the gross domestic product (GDP) of 42 countries.2 Said
another way, a USD34 billion software company would be almost
on par with Microsoft’s annual revenue as the second largest
software company in the world. It would be nearly twice as large

© 2007 KPMG LLP a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 070322
as IBM’s software business, which racks up USD18 billion in
software revenue annually.3 Any way you look at it, this is a very
significant problem for the industry, one that is due in part to soft-
ware license agreement violations.

With the spotlight on contractual compliance, KPMG sought to understand the issues
faced by most software companies today. How do major software vendors deal with
customers that are not complying with contractual agreements? What steps are soft-
ware companies taking to understand and control the nature and extent of revenue and
intellectual property leakage caused by this issue? Do compliance reviews performed
[SIDEBAR]
by software companies jeopardize their relationships in the marketplace? How are cus-
tomers selected for compliance reviews? Who actually performs the compliance reviews?
This study of the software industry
was conducted in cooperation with If license compliance breaches are found, what approaches are software vendors taking
the International Business Software to resolve them? What percentage of revenue is represented by recovered license-
Managers Association.
compliance revenue? And, are these recovery practices worth the effort for software
[END SIDEBAR] publishers?

KPMG’s Software License Compliance Survey 2007
To find the answers to these and other questions, KPMG surveyed software companies in
cooperation with the International Business Software Managers Association (IBSMA), a
trade group that represents enterprise-level software customers. In addition, KPMG inter-
viewed compliance executives at six prominent software companies to validate the survey
findings and identify software license compliance practices worthy of note. Our objective
was to understand the substantive issues underlying this significant industry problem by
surveying a valid cross-section of software publishers. Our approach also focused on iden-
tifying better practices in license compliance in an effort to present successful strategies
and techniques being applied by software companies today.
,

1
Cumulative of revenue leakage due to software piracy (including unlicensed personal use) as well as contractual noncompliance.
2
Source: International Monetary Fund Report, 2006
3
Software industry revenue ranking source: Standard & Poor’s Industry Surveys, Computers: Software, April 27 2007 ,

1
SOFTWARE LICENSE COMPLIANCE

Our respondents included those responsible for, or with a strong working knowledge of,
license compliance in software publishing companies. The companies surveyed collectively
represented almost 50 percent of total industry revenue.

Demographics
Twenty-eight percent of those who responded are with companies earning USD5 billion
or more in software revenue. In addition, 62 percent are with companies earning more
than USD250 million. Responses from individuals who, based on their stated titles,
had no direct responsibility for license compliance activities have been excluded from
the results.

Of all respondents, nearly 40 percent sell PC software, a like percentage sell middleware
/database software, and 74 percent sell enterprise business applications. Also, 96 percent
of respondents work for companies that sell to enterprises having more than 2,500
employees. Eighty-nine percent of the companies surveyed publish software for the
Microsoft Windows® platform, 78 percent for workstations, 78 percent for UNIX servers,

and 35 percent for mainframes. Only 13 percent said their software is used on other
platforms.

According to the survey results, respondents’ companies sell largely to the financial ser-
vices, telecom, healthcare, and federal or local government industry segments. At least
half of all respondents sell to the manufacturing, information, retail, and entertainment
industry segments.

This survey population proved relevant to uncovering important nuances related to soft-
ware license compliance, and their collective experience provides valuable insights into
both the rewards and the risks associated with licensing matters.

Key Findings
Some important findings and conclusions drawn from this survey include:

• Unlicensed software use has significant and widespread impact on the industry.
• Almost all survey respondents said their companies lose significant amounts of rev-
enue due to unlicensed use of their products. For example, 34 percent of those polled
said losses amount to more than 10 percent of revenue, and 21 percent of respon-
dents said their companies lose over 20 percent of overall revenue.
• A systematic approach to managing software license compliance efforts is a low-risk,
high-reward endeavor.
• A substantial percentage of respondents indicated that compliance-related recoveries
provide more than 5 percent of their annual software revenue streams.
• Most said license compliance activities have a positive or neutral impact on their rela-
tionships with end-user customers and channel partners.
• Use of fairness in the resolution of noncompliance issues with customers is of para-
mount importance in maintaining a positive customer experience and enhancing the
overall relationship.
• Assistance from objective third-party service providers in performing compliance
reviews benefits both the software publishers and their respective customers.

Additional analysis and conclusions can be found in the Executive Summary and the
Survey Highlights sections of this report.
,

2 SOFTWARE LICENSE COMPLIANCE

Executive Summary
A Low-Risk, High-Reward Endeavor
Overall, KPMG found that a systematic approach to software license compliance efforts
produces good financial results and causes few, if any, negative ramifications. A large
majority of those polled said that the impact of software license compliance activity was
neutral, positive, or very positive at the end of the compliance review process.

Executives responding to follow-up interviews felt that customers ultimately view the
process in a positive light, although initially a software compliance review may be per-
ceived negatively. Christina Crowley, Vice President of License Management Services
at Oracle, explained, “When first contacting a customer regarding a license compliance
review, the perception may be viewed as negative or intrusive. People are nervous about
what it means or how the review will be conducted. However, by providing information
on the process and expectations, we can reduce overall concerns regarding what is
expected during a license review. Another executive asserted that even if some cus-
”

tomers consistently viewed compliance reviews negatively there was no visible impact
on subsequent “repeat” sales to those customers.

More than 94 percent of survey participants said that their companies rarely lost a cus-
tomer due to software license compliance activities. Ninety percent said that escalation
to litigation was rare as well.

Craig Stoeber, Worldwide Software Compliance Executive at IBM, said, “We really
haven’t seen any negative impacts. In some cases relationships have improved because
we’ve accessed customers at higher levels in these organizations. There have been some
issues with mid-level IT managers who are responsible for managing the software and
who become identified as doing a less-than-perfect job, but even those haven’t had a
long-term negative impact.
”

Microsoft’s Rod Ross, Software Asset Management Director, agreed, “Overall, it’s very,
very positive. We’ve approached these situations in different ways over time. It’s always
potentially explosive, but approaching situations within the context of business process
is very positive. We end up with neutral or positive perceptions 96 percent of the time.
”
Michelle Brooks, Worldwide Director of Software Compliance at Attachmate, added,
“I think overall the impact is positive, although not always immediately.
”

Jeff Gustafson, a Worldwide Software Licensing & Compliance executive at EMC, views
compliance primarily as providing value-added information to the overall relationship:
“Software asset management is difficult even under the best of circumstances, with cus-
tomers taking a risk-based approach to resource allocation in managing vendor contracts.
Uncertainty, complexity, and risk in software licensing (e.g., the ‘perpetual license/on-site
deployment’ model) can create perverse asymmetries in the business relationship, result-
ing in decisions based on imperfect information on both sides. In broad terms, compliance
programs are responding by moving toward a relationship management engagement
model in an effort to drive value-added information back into that relationship.
”
,

3

Mostly Nonpunitive Measures
Based on various actions most companies take with noncompliant customers, we found
customers are not being overtly penalized for noncompliance. Rather, many publishers use
the results of compliance reviews as a basis for true-up only, or structuring of go-forward
deals.4 Yet despite that, 30 percent of those surveyed said recovered revenue amounted to
between 5 percent and 10 percent of gross annual software revenue, and 7 percent of
those polled said recovered fees had added 10 percent or more to the top line.

Handle Customers with Care
Follow-up interviews shed light on how these potentially sensitive activities are handled.
“At Attachmate we understand that this can be intimidating, so we try to be very trans-
parent about what customers can expect from us and any third-party partner we may
be working with, said Brooks. IBM’s Stoeber concurred with that practice and added,
”
“We typically have face-to-face meetings with large customers, and we have well-
defined processes and approaches that we follow on each one. We strive for consistency
and we take customers through the processes and explain why we do what we do.
”

EMC’s Gustafson emphasized the customer benefits: “More than simply mitigating legal
and financial risk between the parties, compliance programs provide customers and ven-
dors with other benefits. On one hand, customers can gain information to help optimize
and leverage existing as well as future investments. On the other, vendors can gain a
better understanding of their customers’ usage, thus facilitating a better alignment to
value.
”

Oracle’s Crowley added, “Our goal is to manage compliance risk and in doing so educate
customers on their license inventory, deployment, and usage. In many cases, we are pro-
viding customers with information they may not have and/or are not managing. We report
back to them in a customer-value-added way.
”

Rod Ross from Microsoft acknowledged that things can turn contentious, and indicated
that keeping the conversation focused on business issues is a key for success in dealing
with customers. “We reset the conversation by saying ‘let’s make sure you understand
our goal and what we are proposing to do here.’ We explain that we want to identify their
baseline and see what’s needed.
”

Top-Down Support Works Best
A key characteristic common to successful compliance programs is senior executive
support. The prospect of compliance reviews can be intimidating not only to customers
but also to stakeholders in the publisher’s own sales function. When a C-level executive
endorses compliance practices, internal dissension is reduced. Including stakeholders
from the sales function also helps to make the compliance function more successful.
Interestingly enough, when a publisher review receives the proper executive support at
the customer level (i.e., when an executive such as the CIO is involved in a compliance
review), the whole process is often smoother.

“At the highest levels within IBM, said Stoeber, “support is very, very good. At the mid-
”
level, we find people who are not supportive for certain reasons. They require counsel on
why they need to be supportive.
”
,

4
Note: The approach taken by trade organizations, such as the Business Software Alliance, that act on behalf of publishers dif-
fers from the practices of the publishers themselves. BSA seeks a “penalty, or a payment above the true-up cost from users
”
that overdeploy.


“At Attachmate, our primary support comes from the CEO, CFO, and general manager,
”
Brooks said. “By extension, our six-person executive committee has made compliance a
corporate priority and an important part of the charter for the committee.
”

“While strategic support with executives is a key factor, I would not overlook the impor-
tance of tactical alignment with the grass roots, says EMC’s Gustafson. “I have not met
”
an account executive or key internal business stakeholder who wasn’t interested in
enabling his or her business relationship, rather than burning it.
”

BEA’s Christian Pruitt, Senior Director of Worldwide Compliance, also enjoys top-down sup-
port. “To a degree, the higher up, the more supportive [our executives] are, he explained.
”
“The EVP of sales genuinely wants to do more, but is concerned that his team may already
be overextended. At the country manager level, they’re supportive—when compliance
activities are not unduly painful to them, they’ll make a good business decision.
”

Fair Settlement Policies
Again, the common denominator in settlement policies is the word “fair. However, that
”

said, software companies rightly expect to be fairly compensated for the products that
customers install and/or use. Some believe that the “letter of their contracts” is paramount
and require full look-back measures (such as interest on payments) for overdeployed soft-
ware. Other companies are content reducing discounts commensurately, rather than
charging for interest. The net result may be the same, but the perception of punitive actions
may be different. Still, many publishers extend regular discounts and no look-back charges.

Microsoft’s Ross indicated that conditional aspects of the company’s settlement approach
are important to his customers. “There is naturally a very careful approach to such situa-
tions. When customers are willing to be reasonable and cooperative, settlement resolution
is a very collaborative and cooperative process.
”

According to Stoeber, IBM sees itself as being in the middle of the spectrum on settle-
ment policies. “We do not have penalties or interest. We believe customers do not want
to be out of compliance; some customers are simply not good at managing their soft-
ware assets. We ask only that customers pay a fair price for an IBM software solution.
We assume that our enterprise customers truly expect to pay fairly for what they use,
and for related support. On that basis we ask customers, for example, to show us how
long they have been using our products, to ensure they are in compliance with our main-
tenance policies.
”

BEA’s Pruitt also used the word “fair” to describe the relationship his company expects
to have with its customers. “I want a fair resolution when a contract violation occurs.
That means what is fair to our customer. They only have to pay for what they use and
what they need. What is fair to BEA is being compensated, at the right price, for what a
customer used. They should not expect to ask me to let them uninstall something and
not pay for it. If they used the software, then they should pay for it. If, on the other hand,
they can demonstrate that they installed something but never used it, we are tolerant.
”

It is important to point out here that fairness is closely related to each publisher’s revenue
model. Some publishers, such as cable television providers, believe the value is inherent
in the installation. Compensation is based on installation rather than use. Electric utilities,
on the other hand, charge by usage. Settlement policies would therefore be different
,

with respect to one publisher who charges for installation and another whose revenue
model is based on users and usage.

5

Software Executives Speak Out on Third-Party Reviews
“One large benefit of using a partner is to obtain an accurate view, and complete and accu-
rate remedy, that both Attachmate and the customer accept, said Attachmate’s Brooks.
”
“Partners give us depth and breadth. Sophisticated customers will also understand that they
will learn quite a bit from the compliance review process that our partners take them through.
We know our compliance review firm is going to find everything that’s there. Both our cus-
tomers and Attachmate see the value of a partner as a mediator/moderator in the process.
”

EMC’s Gustafson agreed, “The presence of a third party tasked with performing a profes-
sional, accurate, and complete software licensing assessment between the parties lends
objectivity, credibility, and confidentiality to the engagement and, ideally, to the business
relationship.
”
KPMG’s Top 10 Recommendations for
“We’re not the compliance review experts, added BEA’s Pruitt. “Third parties bring a much
”
Successful Compliance Reviews
broader skill set to the table. If I tried to hire, train, and manage the level of resources I
Based on our experience working with numer-
ous software companies and the results of our need, I would also need my own team of HR people. I would need to quadruple my team
survey, KPMG has identified these leading
and manage that broad spectrum of skills. Third parties have an infrastructure around them

practices:
that would be very difficult for me to replicate.
”
• Make license compliance a C-level priority.
“Software compliance reviews are not a core competency here, and never will be,
”
Having compliance as a top-down priority
signals everyone, customers included, that chimed in IBM’s Stoeber. “An independent third party brings credibility to the process,
compliance merits serious attention.
and allows our customers to be more open in a non-threatening environment.
”
• License contracts should have clearly
“We don’t have to sell their merits and attributes. Our customers already know that,
”
stated auditing provisions. Without contrac-
said Ross of Microsoft. “The Big Four really have the market cornered on having every-
tual consent, a publisher’s right to audit is
subject to legal interpretation and ambiguities. one’s respect.
”
• Every license contract should clearly
define how the publisher verifies compli- Resolution Philosophy
ance. Definitions of overdeployment, compli-
No matter what the actual losses due to unlicensed software installations are, everyone
ance findings, and other important concepts
agrees they are significant. Some portion is due to counterfeiting, and software license
should be included as well as some com-
compliance programs will typically not identify that type of risk. But a big portion of rev-
mentary on what methods may be applied
to understand the entitlement-versus-deploy- enue loss is due to noncompliance with licensing contracts. Whether a publisher takes a
ment position. Although approaches may
look-back or look-forward approach to settlements, significant amounts of revenue could
vary on a case-by-case basis, a broad discus-
be added to the top line.
sion of how compliance findings would be
resolved also may be included.
Best practices are emerging. Compliance programs are taking in far more than they cost
• Customers to be reviewed should be
to operate, and companies that already have successful programs in place are planning
selected deterministically. Random auditing
to expand them. Others that have not adopted a formal approach are seriously consider-
may reveal the extent of noncompliance and
ing doing so. Not a single respondent to KPMG’s survey said the company planned to
provide significant value to the publisher.
However, a more targeted approach, based discontinue or downsize an existing compliance program.
on probabilistic analysis, is far more efficient
A new industry standard for Software Asset Management (SAM), ISO 19770-1, was
in focusing on the key issues facing the pub-
lisher in the marketplace from a compliance released in May of 2006, representing growing awareness of the critical role of SAM
standpoint.
within organizations and of the challenges and complexities associated with governing
Continued on next page.
SAM programs. A second part to the standard, 19770-2, is currently being developed and
will include requirements for software publishers on tagging their software products to
facilitate easy and accurate discovery by customers.

By its very nature, the software business is different from dealing in physical wares. It is
often difficult to determine if an enterprise is using more than it’s paying for.
,

Nevertheless, based on our survey findings, publishers that do what’s necessary to
ensure they are justly compensated for their intellectual property are recovering more
revenue than they are investing in the recovery process.


Inadvertent Noncompliance Is an Easy Pitfall
• Compliance review decisions should be
made with stakeholder participation. Every software company deserves a return on the value (installation- or usage-based) its
Far greater success can be achieved when
software provides to its customers. Software licensing is a way to establish such com-
conducting a compliance review if it is
pensation mechanisms. However, virtually everyone agrees that millions of dollars of
sanctioned by internal stakeholders, such
as sales, legal, and finance, as appropriate. value go unpaid every year. For software users, it’s not very difficult get to out of compli-
ance with publishers’ contracts.
• Customer discomfort should be dealt
with respectfully. Compliance audits, and
Here are some of the common reasons for getting into an overdeployed position:
meetings leading up to them, can be diffi-
• Complex, vague, and ever-changing licensing and pricing rules. Publishers are frequently
cult. They should be conducted with con-
changing how their software products are licensed. This is typically done in response
cern for the sensitivities of all involved.
to marketplace demands and in an attempt to provide more flexibility to customers.
• Ideally, use objective third-party profes-
However, a side effect may include creating additional confusion around an already-
sionals to conduct the reviews. There is
complex matter. As a result, we have found that a key element of many compliance
nearly universal agreement that third parties
programs is customer education as to current usage rights.
bring resources, experience, and dispas-
sionate execution to an otherwise awkward • Disconnects between the procurement function that purchases the licenses and the
and demanding engagement. IT department that actually uses the licenses. This disconnect can cause a misunder-
standing of the licensing terms and conditions per the contract and may lead to
• Reviews should be designed to leverage

inappropriate use of the software. It is common to find that software is deployed on
information the customer already has in
place. Instead of trying to recreate the machines with a higher number of CPUs than purchased, or using virtualization tech-
inventory from scratch (for example, by niques that the licensing metrics either do not allow for or require additional licenses to
introducing external discovery tools) a more support. Another example is using development licenses in a production environment.
efficient approach in many situations is to Other examples may include granting widespread access to limited-user software or
perform procedures (such as sample test-
hosting applications to the Internet without actually being entitled to do so.
ing) that will allow the publisher to rely on
• Changes to IT environments that modify the use of hardware resources such as
the completeness and accuracy of the
servers and workstations that have licensed software installed on them. Although
customer’s own data. This is not only the
software vendors allow moving software from one server to another if changes in the
most efficient approach but also promotes
a healthy long-term relationship and trust environment occur, the expectation is that once software in reinstalled on a new
between the publisher and the customer. server, it is also uninstalled from the older machines. Software users often overlook
In addition, if it turns out the customer did this expectation, and before they know it, their environment has more software
not get the inventory right, this process will deployed than they are entitled to.
show the customer where its process went
• Mergers and acquisitions can complicate both entitlements and deployments. When one
wrong so it can be corrected going forward.
company acquires another, the acquiring company does not automatically inherit any soft-
• Reviews should be a learning experience
ware licenses that were owned by the company acquired, unless the contract expressly
for the customer. Reviews provide oppor-
allows it. Often the acquiring company has no way of knowing what software is being
tunities for software publishers to teach
used by the new entity, or where. Unless due diligence is performed in understanding the
customers how to better manage their
nature and extent of software assets and related contracts, the acquiring company may be
software assets.
opening itself to significant liabilities in license and support fees. It is strongly recom-
• Customers should expect to pay for
mended that this due diligence be performed and all software assets are appropriately
overdeployments. It is important to estab-
assigned before signing on the dotted line.
lish from the outset of a compliance-related
discussion that overdeployment is no dif-
ferent from receiving additional packaged
products. The software company should
make it clear that it expects to be paid for
Survey Highlights
that overdeployment.

To establish the authority of this survey and the resulting report, KPMG identified these
critical criteria:
• Executives polled were from across the software publishing industry, representing
enterprises of all sizes.
• These executives have direct responsibility for, or at least a working knowledge of,
software license compliance.
,

In addition to our objective field survey, executive interviews were conducted to validate the
key survey findings. The survey was conducted online from March 27 through May 25, 2007 .

7

A Significant Impact on the Software Industry
IDC’s 2005 Software Industry Survey concluded that as much as 35 percent of software
applications currently in use are illegally installed, amounting to some USD34 billion in
lost revenue for the industry (these numbers include revenue leakage due to software
piracy as well as unlicensed personal use of software). Seventy-seven percent of those
polled by KPMG in 2007 agreed with the estimate when asked about the accuracy of
that statistic. Nine percent of respondents thought that the amount of revenue loss was
even higher, and 6 percent thought the loss was lower than projected. Interestingly,
though, nearly two thirds of respondents (62 percent) believe their companies have fared
better than the average when considering the magnitude of their losses. Regardless,
almost everyone included in our survey (87 percent) indicated their companies suffer
losses due to unlicensed software use, with 34 percent saying losses to their companies’
top line amount to more than 10 percent, and 21 percent reporting revenue losses higher
than 20 percent.

Question 1: A 2005 study conducted by IDC on behalf of the Business Software
Alliance (BSA) reported 35 percent of software installed on PCs worldwide
is unlicensed, amounting to USD34 billion in lost revenue for software
companies. Taking into account the entire universe of software companies
across the world, do you agree with this estimate?

Most Agree 35% of Software Is Unlicensed
g g

6%

77%
9%

9%
80
40 60
0 20 100

I think the actual amount is higher
I think the actual amount is lower
Other
I think the amount is about right Does not total 100 percent due to rounding.
Source: KPMG LLP 2007
,

[RT CHART 1]

Question 2: Compared with the IDC/BSA survey, what would you say is the percentage
of your company’s revenue loss to unlicensed users?

Most Believe Their Company’s Revenue Loss Is Below Average

62%
13%
9%
17%
60 80
20 40
0
,

Below average Average

Above average Does not total 100 percent due to rounding.
Don’t know
,


Question 3: What is the approximate percentage of your company’s revenue loss due
to unlicensed users?

A Third Say Revenue Loss Is More Than 10%
y

13%
34%

19%
9%
4% 34%

21%
20 40
0

16–20%
0 6–10%
,
11–15%
1–5% More than 20%

KPMG’s Analysis
Most of the respondents thought the IDC/BSA survey had it right—35 percent of installed
software is unlicensed and unpaid for. However, nearly all of the respondents believed
their own losses were considerably less than that. The survey figure of USD34 billion
included both overdeployment and pirated software as well as all varieties of software.

KPMG believes the 35 percent figure is affected by significant PC software piracy.
So, while it may be representative of the industry as a whole, the losses for enterprise
software companies due to noncompliance are more in line with the lower losses the
respondents believed they sustained. Thus, the enterprise software segment of the
industry may not have lost USD34 billion, but a quick correlation of respondents’ esti-
mates and their companies’ software revenue strongly corroborates annual losses of
billions of dollars.

License Compliance and Revenue Recovery
Programs
A majority of those polled, 64 percent, said their companies have a software license
compliance program, and of those, 67 percent said executive management is a strong
proponent. According to respondents, none of the companies that now have such a
program has ever discontinued or downsized a license compliance program.

Two thirds of those polled said they apply the program in every country where they do
business. In post-survey interviews with executives at various software publishers, virtu-
ally everyone agreed that there are significant differences when applying these programs
across different regions. Differences in contract law along with different business and
social customs must be considered with regard to how compliance programs are applied.

Of the 36 percent of respondents whose companies do not have a compliance program,
,

almost 60 percent believe they have no license compliance issues. Almost as many exec-
utives cited resource limitations as the reason for not implementing a program. Others

9

are concerned about negative impact on customer relationships, and still others think
that such a program would not have sufficient return on investment to warrant it. A small
group said competitors are not doing compliance reviews, and they don’t want to be at

© 2007 KPMG LLP a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International,
a competitive disadvantage.

Question 4: Does your company have a program designed to ensure customer
compliance with license agreements?

Majority Has a Program to Ensure Compliance with License Agreements

64%

36%

20 40 60 80
0

Yes No Source: KPMG LLP 2007
,

Question 5: On a scale of 1–5 how would you rate the extent to which your company’s
C-level executives support your compliance program?

Two Thirds Say C-Level Executives Strongly Support

a Swiss cooperative. All rights reserved. 070322
Compliance Program Efforts

0%

33%

,
67%

20 40 60 80
0

Neutral (3)
Weak (1–2) Strong (4–5) Source: KPMG LLP 2007
,


Question 6: In which regions do you operate your compliance program
(select all that apply)?

Two Thirds Operate a Compliance Program in Every
Country Where They Do Business

In every country in which
66%
your company operates

34%
U.S.A.

24%
Europe

24%
Canada

Other Asia
17%
Pacific countries

17%
South America

17%
Mexico

14%
Japan

Africa 7%
3%
Other

0 20 40 60 80

Small base size, findings are directional only.
,

What is the approximate percentage of your company’s total global
Question 7: compliance activity by region?

Distribution of Compliance Activity by Region

55%

32%

13%
0 20 40 60

Americas Asia Pacific
Europe, Middle East, and Africa
,

KPMG’s Analysis
KPMG recommends that:
Of the 36 percent of respondents whose companies had no compliance program, more
• Companies that do not have a
than half believe they have no compliance issues. This survey finding is consistent with
compliance program consider
a minority of the population of publishing companies KPMG encounters in the market-
running pilots with just a few
place. We recommend that those without a program consider running a pilot with a few
customers
customers. The outcome would either confirm their no-problem assumptions or give
• Companies use caution when
them a tangible reason to reconsider having a compliance program.
they elect to conduct piece-
With regard to customers using software on a global scale, KPMG advises caution
meal reviews in individual
when electing to conduct piecemeal reviews in individual regions. More often than not,
regions
,

understanding entitlement for global customers requires considering purchases and

11

deployments on a global basis. Reviews that are limited to one country only make sense
if entitlements could be determined for that one country. Generally, if license agreements
are global, reviews should be global.

The rate of success in collecting unpaid license fees varies between geographies. In North
America and Western Europe, it is generally easier to collect on findings, even on those
that are relatively insignificant. In Asia, although the magnitude of findings may be much
greater, publishers have found it difficult to collect on them.

Embedded Controls: A “Catch-22”
More than half of those polled (53 percent) said that some of their products have soft-
ware that includes embedded controls that help prevent overdeployment. Of these,
68 percent use license validation “keys. Another 40 percent use node-locking controls.
”
Twenty percent use third-party commercial license management tools, and 20 percent
use other methods. However, we found in our post-survey interviews that many compa-

nies—particularly those offering large enterprise business applications—thought it was
counterproductive to put controls into their software that may inhibit a customer’s ability
to operate under any circumstances. Their comments can be summed up as, “We think
it’s bad business because automated controls often limit a customer’s ability to run the
production environment effectively and efficiently.
”

Question 8: Does your software include embedded controls to restrict
overdeployment?
[INSERT CHART 23]
Half Say Software Includes Embedded Controls to Restrict Overdeployment

53%

47%
20 40 60
0

No
Yes Source: KPMG LLP 2007
,

Question 9: If your software includes embedded controls to restrict overdeployment,
which of the following do you use most frequently (select all that apply)?

Controls Most Frequently Used to Restrict Overdeployment

68%
40%
20%
20%
20 40 60 80
0

Online validation license key required for activation FlexLM
,

Node locking* Other built-in control mechanisms

*License key issues to an IP/MAC address or
range, or similar
,


Of those without embedded controls, only a few indicated that they had plans to imple-
ment such measures in the future.

Question 10: If your software does not include embedded controls to restrict over-
deployment, does your company have plans to add them?

Just over One Quarter Plan to Add Embedded Controls to
Restrict Overdeployment

29%

71%
80
20 40 60
0

Yes No
,

[INSERT CHART 25]

KPMG’s Analysis
Compliance controls embedded in software can be a double-edged sword. No technolog-
ical solution that exists today would provide 100 percent coverage against overdeployment
or eliminate the need to engage in compliance activities with customers. Some companies
have embraced embedded control technology that can potentially reduce overdeploy-
ment. KPMG advises companies to consider embedded controls carefully while fully
weighing the advantages and disadvantages. For example, KPMG has encountered
publishers that used embedded controls, only to find that the technology makes the
software application more difficult for the customer to use. Some have subsequently
abandoned these embedded controls.

Purchase History and Entitlement Information:
To Tell or Not to Tell?
According to our survey respondents, software companies could be doing a better job of
helping their customers understand what they have purchased and what types of usage
their license agreements allow. Only 36 percent make such information easily accessible
to their customers, while 43 percent said they share such information on a case-by-case
basis. In addition, the information that is made available may not be as comprehensive
as necessary. While 45 percent said their entitlement information is comprehensive,
55 percent said the data may provide only an average or limited level of understanding.
Interestingly however, almost all respondents think that their companies accurately deter-
mine whether or not a customer calling in for support is entitled to it.

KPMG’s Analysis
We believe this problem involves more than just information clarity and access. As
previously mentioned, the disconnect between procurement and IT can lead to misun-
derstandings about agreed-upon terms and conditions of software use. An effective
,

practice would provide processes for communicating license terms and conditions to the
people who actually use the software. Sharing entitlement information with customers

13

can better enable them to understand what they have, what they need, and whether
or not they are in compliance with the contracts. Having the right baseline information
before a sales discussion with the customer is always a good idea.

Compliance Programs: Elements and Methods
To understand the software license landscape, we asked survey participants about the
foundations on which their license agreements were based. In other words, how do
companies license their software and what metrics form the basis of measuring compli-
ance with license agreements? We found that publishers are using a mix of approaches
to license software to customers.

Fifty-seven percent of respondents based their licenses on the number of unique or
registered users, while 54 percent use the number of servers and other machines on
which their software is deployed. Another 54 percent of respondents license their soft-

ware based on the number of concurrent or simultaneous users, and 48 percent use the
per-CPU/Processor model.

Question 11: Which of these metrics do you use as a basis for your product licenses
(select all that apply)?

Use of Metrics as a Basis for Product Licenses

Per unique/
57%
Per unique/registered user
registered user
Per server/machine
54%
Per server/machine

Per concurrent/simultaneous
ncurrent/ simultaneous user
54%
user (high-water mark)
(high watermark)

Per CPU/Processor 48%
Per CPU/Processor

Per number of employees/ work-
umber of employees/work-
43%
stations in the entire organization
ns in the entire organization

30%
Per PC
Per PC

Other 17%
Other

0 20 40 60

,
[INSERT CHART 10]

Almost all respondents (89 percent) said all or some of their contracts include audit
clauses, but only 55 percent said all of their contracts specify such clauses. When it
comes to enforcing their license agreements, publishers do not rely on any one type
of metric for determining where to conduct compliance reviews of their customers
and channel partners. Over half (52 percent) said their compliance review decisions are
triggered by data analytics. In second place, customer history is used by 45 percent of
those polled. Random selection and external information are each used by 28 percent
of respondents’ companies.
,


Question 12: How many of your license agreements typically include an audit
clause that gives your company the right to audit your customers
or channel partners?

Most Include an Audit Clause in Some Portion of Their License Agreements

55%
89%
34%

11%
0 20 40 60 80

Some None
All Source: KPMG LLP 2007
,

[INSERT CHART 12]

Question 13: What criteria do you use to select the individual customers or channel

partners that will be reviewed as part of your software license compliance
program (select all that apply)?

Data Analytics Most Common Criterion for Selecting Audit Subjects

52%
45%
28%

28%
21%
0 20 40 60

Random selection
Data analytics suggesting higher risk of
noncompliance
External information*
Known historical issues your company has had with
Other
the licensee/sales force experience and referrals
*E.g., licensee reputation in the marketplace,
recommendation by external party
[INSERT CHART 13] Small base size, findings are directional only.
,

More than half of those polled said they or third-party firms conducting reviews on their
behalf use proprietary software or internal product capabilities (commands or logs) for
compliance discovery. Thirty-one percent of respondents use nonproprietary (commercial)
software and 28 percent rely on the customers’ own software-asset management tools
or capabilities.
,

15

Question 14: What tools (discovery methods) do you use in your software license
compliance program (select all that apply)?

Half Use Proprietary Tools in Software License Compliance g
p y p Program

52%

31%
28%

17%
40
20
0 60

Proprietary tools No tools, we work with whatever SAM capabilities the customer may have in place

Nonproprietary/commercial tools Other
,

[T CHART 14]

Fifty-four percent of respondents use an independent third-party to perform software
license compliance reviews. This group uses the services of Big Four firms most often.

KPMG’s Analysis
Clearly there are differences in how software companies license their software. It would
probably be easier if there were more consistency, but that is unlikely to happen. There-
fore, it is critical that contracts clearly define how the software company computes
installation and/or usage and how it verifies the chosen approach.

There is disparity in the inclusion of an audit clause in contracts. We strongly urge every
software company to include an audit clause in every enterprise software contract. Even
if the company is unlikely to audit, the clause may encourage compliance. Without that
clause, compliance verification options are somewhat limited.

There is no consensus with regard to the question of compliance-related tools. Today, a
majority of software companies use proprietary tools and capabilities. There is clearly an
opportunity for commercial tools to serve this market, either data analytic tools or some
of the customers’ own software asset–management tools. At first glance, the latter would
appear to be more appealing to customers. Tools may help make the compliance review
process more efficient and save costs for both sides, and they may provide ongoing
capabilities to customers.

As we’ve seen, more than half of respondents use third-party help in conducting compli-
ance reviews.
,


Industry Associations and Standards
to the Rescue?
We wanted to know if publishers were turning to industry associations or using industry
standards in their attempts to thwart license compliance problems.

Interestingly, a majority of companies represented in our survey indicated that they
do not leverage industry associations for compliance enforcement activities. We tested
for affiliation with the Business Software Alliance and the Software and Information
Industry Association as well as other trade groups with respect to compliance and
enforcement activities.

The SAM standard ISO 19770-1 has been formulated to provide an internationally recog-
nized standard against which organizations can measure the maturity of their software
license compliance programs. It also assists in providing effective support to help IT
departments maintain compliance with legal and contractual requirements and to
demonstrate good corporate governance.

Our survey found that this standard is not well known by software publishers (55 per-
cent of respondents are unfamiliar with it). Of those who are familiar with the standard,
81 percent feel it would benefit the industry. However, 71 percent said a customer’s
19770-1 certification would not influence how compliance program activities are applied
to that customer.

Question 15: Are you familiar with the ISO SAM Standard 19770-1?

Slight Majority Not Familiar with ISO SAM Standard 19770-1

45%

55%

20 40 60
0

No
Yes Source: KPMG LLP 2007
,

Question 16: Do you believe the ISO SAM Standard 19770-1 benefits the industry
overall?

8 in 10 of Those Familiar with the Standard Believe It Is Beneficial to the Industry

81%

19%

0 20 40 60 80 100

Yes No
,
,

17

Question 17: In your opinion, will your company’s future software license compliance
activities be influenced by whether or not a customer is certified under
the standard?

[INSERT CHART 18]

7 in 10 of Those Familiar with the Standard Say Compliance Activities
Will Not Be Influenced by Customer Certification Status

29%

71%

0 20 40 60 80

No
Yes Small base size, findings are directional only.
,

KPMG’s Analysis
Though ISO SAM Standard 19770-1 can help the companies that implement it with
improving their software license compliance profiles, publishers are reluctant to rely on
the standard in lieu of compliance activities for a number of reasons. First, independent
certification against the standard is not currently available, so publishers would need to
rely on customers’ self-assessments. Second, even if independent certification was avail-
able, it could not address compliance with specific software license agreements, which
is what publishers are really after. Furthermore, other ISO certifications have tended to
focus more on whether you “say what you do” rather than on whether you actually “do
what you say. Third, as it is written, the standard does not provide adequate guidance
”
as to how its recommendations should be implemented. Alternatively, KPMG’s Software
Asset Management (SAM) methodology provides enterprises with guidance to help
them move efficiently up the SAM maturity curve, thereby improving their software
compliance profiles as a by-product.

Organizational Footprint
Of those polled, 80 percent said that their compliance programs report to either the

,
sales or finance function. Of these, 47 percent said finance and 33 percent said sales.
The remaining 20 percent said compliance reported to other functional areas, including
legal and internal audit.


Question 18: To which functional area does your compliance program report?
INSERT CHART 19]
Compliance Programs Generally Report to Finance or Sales/Sales Operations

47%
33%
7%
3%
10%
20 40 60
0

Finance Internal Audit
Sales or Sales Operations Other

Legal Source: KPMG LLP 2007
,

When it comes to where credit is given for revenue generated for license compliance,
nearly half of those polled (47 percent) said “sales representatives” receive commissions
for compliance revenue. About 17 percent of respondents said both the compliance and
sales organizations share in commissions on compliance revenue, while 13 percent said
that compliance recovery commissions went exclusively to the compliance organization.

Question 19: Who receives commissions for compliance revenue?
I
Sales Generally Receives Largest Portion of Compliance Revenue Commissions

47%
64%
17%

17%

13%
7%
0 20 40 60

Compliance professionals
Sales representatives

Other
Both sales and compliance

Neither Does not total 100 percent due to rounding.
,

NSERT CHART 21]

KPMG’s Analysis
There is no clear trend emerging for where to put a compliance group. Today, about
half report to sales and half to finance. It would be interesting, in a follow-up survey,
to compare the results for those reporting to sales and those reporting to finance.
Advantages in having the compliance program report to finance may include manage-
,

ment’s existing mindset of compliance and audits as well as objectivity and separation
from the sales force.

19

KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line

KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line

Similaire à KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line (20)

Dernier

Dernier (20)

KPMG Survey: Is Unlicensed Software Usage Hurting Your Bottom Line