Starting your statutory audit? Don’t overlook this hidden risk

Robin Fry
5 min read · Jan 6, 2020

Within the next 3 weeks, many corporates will be initiating their Financial Year 2019 audits. The exhaustive process will include requests to internal stakeholders and key external advisers to formally declare their knowledge of any claims or liabilities as at year-end.

Both actual and latent liabilities must necessarily be fully obtained in order for the company to produce a true and fair view of its position (in IFRS terms, a ‘fair presentation’) as at the balance-sheet date. This is paramount but one risk is habitually overlooked because of its arcane nature.

Software licensing is assumed to be a non-issue

The issue is one of software licensing. The liability here usually only becomes exposed when a demand for a software license review arises, or the Business Software Alliance / Federation Against Software Theft invites a settlement. Until then, a business’s software licensing is assumed to be a non-issue: licenses have after all been paid for, support contracts regularly renewed and there is a commitment to compliance.

But recent cases show that this attitude is unsound: Diageo received an unexpected £58m/US$76m claim for seemingly misinterpreting SAP’s licensing reach; and AB InBev was dragged into arbitration over a US$600m claim, also brought by SAP, for under-licensing. Even the best-managed corporates struggle with software under-licensing, and it is rare that any major corporate knows its licensing exposure at any given moment.

How can this be so when the IT director can simply count usage and the lawyers can check the contracts?

No simplicity in software licensing

The reason is that there is no simplicity here:

- The main software vendors have huge numbers of product lines — IBM’s software catalogue for instance has over 60,000 items — with 250 different metrics on which program usage is charged;

- The license agreements have been developed iteratively over 30–40 years, but many key concepts (‘use’, ‘access’, ‘processor’, ‘running’) are still left undefined;

- As technology has moved on with cloud usage, virtualisation and robotics, the vendors have sought to bolster the reach of their licensing schemes. Users are pointed to multiple guidance notes, ‘partitioning policies’, white papers, manuals and special conditions, all loaded onto their websites with many further cross-references to other documents deep in the vendor’s library: there is no such thing here as a single license agreement with understandable terms.

The major vendors (Oracle/IBM/Microsoft/SAP) all carry out a cycle of ‘software license reviews’ (in truth, software audits). Although presented as simple fact-checking, these audits are determinedly revenue-generation exercises. And, worryingly, they take no account of any long-term or trusted relationship between the customer and the vendor.

Under-licensing is a present liability

The outcome is always a claim for under-licensing — with remediation expected at list prices, plus penalties, back support and audit costs. Claims often run into 7 or 8 figures. But provisions will rarely have been made for these in the financial statements of the audited company: the audit committee either neglects to ask the question or it is (wrongly) assumed that there is, at most, a contingent liability that does not crystallise unless and until a claim has been asserted and then assessed.

The latency of this risk is compounded by an absence of publicity on the issue.

First, corporates are anxious about key enterprise software being turned off: the global food producer Mars, Inc., for instance, was forced to bring a claim for an injunction after Oracle gave notice terminating Mars’ (perpetual) software licenses when Mars contested Oracle’s claims for under-licensing.

Second, there is reputational concern in being seen to be infringing IP rights. Even if an audit is ultimately settled, its nature is not one that corporates seek to publicise.

How to identify the risks?

There are certain key characteristics that indicate high latent software license risk; each of the following raises the risk level:

1) Large business with long-standing ‘on-premise’ software usage;

2) Use of Oracle, SAP, IBM, Adobe or Microsoft software;

3) Use of any systems as a bureau service, e.g. for payroll or hosting, or extensive access to systems by customers or suppliers, e.g. for ordering or fulfilment services;

4) Recent moves to robot process automation;

5) Use of VMware or virtualised IT environments;

6) Global usage but where licenses may have been acquired in the name of only one group company;

7) A number of legacy businesses where specific IT infrastructure knowledge may no longer be in place;

8) Acquisitions dependent on transitional IT services from seller;

9) No software vendor audits within last 2 years.

Can’t these issues simply be ignored until a claim is made?

It is naïve, and plainly wrong, to think that the under-licensing liability does not exist until it is asserted. The liability is current rather than non-current and may well have a material impact on the financial statements — even if the putative claimant (the software supplier) has not yet exercised its right to initiate a software license review. In IFRS terms (IAS 37), the liability is also present rather than contingent: a provision is therefore required.

Disturbing consequences for non-disclosure

The sums often sought can be notoriously high — and therefore material. Any disregard could then be a material misstatement with dramatic consequences including (in the UK and similarly elsewhere):

- An obligation to restate the accounts;

- Criminal liabilities under Section 463 and 507 Companies Act 2006 (Liability for false or misleading statements in reports and statements);

- Liabilities under Section 507 Companies Act 2006 (Offences in connection with auditor’s report);

- Liabilities under Section 89 Financial Services Act 2012 (misleading statements);

- Penalties on issuers, e.g. under Section 91 Financial Services and Markets Act 2009; and

- Regulatory sanctions on listed entities and responsible persons pursuant to DTR 4.1 FCA Handbook as to the Annual Financial Report,

as well as possible claims for fraud and conspiracy, if liabilities are knowingly ignored.

Moreover, increased actions by shareholders, for instance as a securities class action (SCA) or, in the UK, under Schedule 10A of the Financial Services and Markets Act 2009, would be inevitable if shareholder value were seemingly affected.


The opacity and complexity of licenses from the main software vendors — IBM, Oracle, SAP, Microsoft etc. — combined with changing IT infrastructures mean that corporates can rarely be sure that they are correctly licensed. This ‘under-licensing’ nevertheless represents a present liability on the corporate and must either be immediately remediated or provisioned for.

Businesses — and external auditors — need to confront software license risk as a real possibility. Audit committees must also include this as an area of risk to be examined, with appropriate proof of full compliance.

Even absent a formal demand by the software supplier, the risk figure should be quantified by commissioning an internal license review. If that review then indicates a probable settlement at less than list price, the figure should be accommodated as an adjusting event under IAS 10.

We begin 2020 with optimism in the markets but still a very poor understanding by audit committees and boards as to the risks in this area.

Robin Fry, Cerno Professional Services, London