AI Summarize

Share

In-house counsel plays an important role in setting up regular internal audits of software license compliance to help prevent legal liability. Their responsibilities can include identifying risks, monitoring third-party code use, and ensuring compliance with licensing terms.

This article explains what software license compliance audits are and why you need them, and includes a step-by-step software license compliance audit checklist for in-house counsel.


What Is Software License Compliance?

A software license outlines the terms individuals or organizations must follow in order to use software. These terms often include usage, geographic, and distribution restrictions.

Software license compliance means using software in accordance with the licensing rules. This can include limiting usage to the licensed number of copies, verifying all software usage is authorized, avoiding use of software with expired licenses, and making sure open-source code is provided when required

Whether your organization uses internally developed, third-party, or open source software, it's essential that software usage complies with the terms of the license

You can typically find licensing terms within a software license or software licensing agreement, a legal document that specifies user rights and restrictions.

For instance, Minecraft's End User License Agreement (EULA) explains that users are not allowed to distribute its software and includes a link to its Minecraft Usage Guidelines, where users can find a more detailed explanation of what they can and can't do with its software.

Minecraft End User License Agreement explaining the software distribution restrictions

In another example, the GNU General Public License Version 3.0 (GPLv3) open source license explains that when distributing copies of the software, users must ensure recipients can access the software's license and source code

GNU General Public License Version 3.0 outlining the open source software distribution terms

What Is a Software License Compliance Audit?

A software license compliance audit is a formal review that checks whether an organization is using software according to its license terms.

There are different types of software license compliance audits. An internal audit is an organization-initiated audit that can help the company identify and mitigate potential issues

Software vendors or third-party auditors may also conduct software license compliance audits to confirm that businesses that use their software are complying with the terms of their software licenses

What Types of Software Needs to Be Included In a Software License Compliance Audit?

You should conduct audits for third-party and open source software and for any software your organization has developed.

Software license compliance audits typically include the following software and license types:

  • Commercial or proprietary software. Commercial or proprietary software is software that is purchased from vendors under a licensing agreement, such as Microsoft, Adobe, Slack, Dropbox, and Salesforce. Commercial software typically has perpetual, subscription, or user-based licenses. With a perpetual license, you make a one-time payment for the right to use the software, while subscription licenses require recurring payments to access the software. User-based licenses depend on the number of users or devices, and can be perpetual or subscription licenses
  • Open source software. Open source software is software with a publicly available source code, meaning anyone can use, modify, or distribute the software. Common open source software licenses include the MIT, GPL, Apache 2.0, and BSD licenses. These licenses may have specific requirements, such as attribution or distribution obligations
  • Software as a Service (SaaS) and other cloud software: Software that is accessed over the internet instead of installed locally often falls in the commercial software category, and should be a part of a comprehensive internal software license compliance audit
  • Internally developed software. Internally developed software often uses third-party code, meaning you need to check that your organization is in compliance with the code's licensing terms. Additionally, any internally developed software that is distributed to customers should have clearly defined terms

Slack is commercial software that offers user-based, subscription plans for its SaaS platform:

Slack commercial software showing user-based, subscription plans for its SaaS platform

Why Do You Need to Audit Software License Compliance?

Internal software license compliance audits help you identify potential compliance issues, prepare for vendor audits, avoid financial penalties and lawsuits, and comply with internal policies and applicable laws.

Identify Compliance Issues

An internal software license compliance audit helps you identify compliance issues and prevent software license violations by inventorying software, reviewing software licenses and related documents, and checking for unauthorized usage.

Prepare For Vendor Audits

Software vendors may conduct (or have third-party auditors carry out) software license compliance audits to protect their IP and ensure organizations' usage of their software is limited to the scope of their licensed rights

Conducting an internal software license compliance audit can help you identify and correct potential compliance issues and organize your records to make it easier to respond to third-party audit requests.

Avoid Financial Penalties and Lawsuits

Duplicating, distributing, or using software without authorization (such as using more copies of software than you have a license for) is considered software piracy, which is a type of copyright infringement. Software copyright infringement can result in lawsuits and substantial financial damages.

An internal software license compliance audit can help you avoid fines and lawsuits by identifying and resolving software license issues before a vendor audit.

Ensure Compliance With Applicable Laws and Internal Policies

An internal software license compliance audit can also help ensure compliance with laws that may apply to software licenses, including export control, data protection, and IP regulations.

For example, the U.S. Export Administration Regulations (EAR) applies to exports of certain encryption software, U.S. Copyright Law protects software from unauthorized use, and software that involves users' personal data may need to comply with data protection regulations such as the European Union's (EU) General Data Protection Regulation (GDPR).

Article 3 of the GDPR explains who the law applies to, including entities that process (use) personal data (information that can be used to identify an individual) belonging to EU residents and organizations located outside of the EU that offer goods or services to or monitor the behavior of individuals located in the EU

Article 3 of the GDPR explains its applicability to software that processes personal data

An internal software license compliance audit can also help ensure compliance with internal software-related policies, such as Software Asset Management (SAM) or software usage policies

The U.S. Department of Education's Software Asset Management and Acquisition Policy (SAMA Policy) governs how the organization acquires, tracks, uses, manages, and removes software

U.S. Department of Education Software Asset Management and Acquisition Policy outlining the software management approach

In addition to the reasons listed above, an internal software license compliance audit can help your organization maintain an accurate software inventory, optimize software usage by identifying underused or unused licenses, and keep software licenses and related documents organized.

What Is In-House Counsel Responsible for In a Software License Compliance Audit?

In-house counsel's responsibilities in an internal software license compliance audit can include reviewing software licenses and license agreements, identifying potential issues, ensuring compliance with applicable laws, and providing guidance on how to resolve any issues.

While the exact role of in-house counsel in a software license compliance audit depends on the organization, responsibilities often include:

  • Analyzing software licenses and related documents. In-house counsel reviews software licenses, license agreements, and contracts to interpret how the organization is allowed to use software and identify potential issues
  • Assessing risk. In-house counsel can help identify potential legal risks associated with software usage and license violations
  • Helping to establish internal audit, software usage, and SAM policies. In-house counsel can help ensure that internal audit and software-related policies are enforceable and comply with licensing terms.
  • Collaborating with and advising internal personnel. In-house counsel works with and advises IT, procurement, and compliance teams and stakeholders on how to comply with license terms, next steps for resolving issues, and how to implement best practices.
  • Preparing for external software license compliance audits. Organizing documents, identifying potential risks, and advising on mitigation efforts before vendor audits can help third-party audits go smoothly
  • Ensuring compliance with applicable laws. In-house counsel makes sure internal policies and organizational software usage comply with broader regulations (such as IP, export, and privacy laws) to help organizations avoid penalties or potentially costly lawsuits.
  • Training staff. In-house counsel often plays a role in training staff on allowed and restricted usage of software and how to comply with license terms.

Software License Compliance Audit Checklist for In-House Counsel

A software license compliance audit typically involves several steps, including setting up an audit team, inventorying software, and gathering and analyzing software license documents

Following the steps outlined in this checklist when conducting internal software license compliance audits can help in-house counsel identify and mitigate potential risks and avoid legal disputes or fines.

Step 1. Set Up an Audit Team

A software license compliance audit isn't a one-person job. Assembling a team of IT, procurement, and compliance staff can help you find information about the software your organization uses and efficiently identify, resolve, and prevent issues.

Step 2. Identify the Software to Be Audited

The next step is inventorying the software your organization uses. You'll want to list all commercial, open-source, or custom-built software, including software that is installed locally, cloud-based software, and software that uses embedded third-party code

Third-party code is software or components developed by external parties. Examples of third-party code include open-source libraries, software development kits (SDKs), application programming interfaces (APIs), analytics tools, and third-party plugins. It's important to identify third-party code use, evaluate the legal risks involved with using such code, and confirm license compliance

Software can be organized by name, version, license model, and the department, team, or project that uses the software.

If a software inventory report already exists, you should verify that it accurately reflects the software your organization uses.

You can use tools such as Lansweeper or PDQ Connect to scan devices and networks and discover installed software and usage.

To strengthen this process, organizations should implement Software Asset Management (SAM) tools that offer continuous license tracking and automated alerts when usage nears or exceeds licensed entitlements. Platforms like Flexera, Snow License Manager, or ServiceNow can integrate with your inventory systems to reconcile usage data in real time, helping reduce reliance on manual audits and improve audit readiness year-round.

You'll need to gather software licenses, license agreements, and related documents that outline the rules your organization must follow when using software and serve as proof of purchase.

Some of the software license documents you may need to gather for an internal audit include:

  • Software licenses, including commercial licenses for software such as Microsoft or Adobe, and open source licenses such as MIT or GPL
  • License agreements, such as EULAs or Master License Agreements (MLAs)
  • Subscription terms for SaaS software
  • Terms of Service agreements for cloud or SaaS software
  • Internal policies concerning how employees can use software
  • Custom vendor contracts, such as SDK agreements
  • Purchase orders and invoices

Microsoft's Software License Terms explain that users cannot reverse engineer, make additional copies of, or lease its software, among other prohibited uses

Microsoft's Software License Terms mentioning restrictions on software use

Smaato's SDK License Agreement gives users the right to use its SDK for certain program development purposes.

Smaato's SDK License Agreement detailing SDK usage permissions

Once you have collected all software-related documents, it's a good idea to store them in a centralized location, such as Google Workspace or Microsoft OneDrive for business. Your organization can also use a document management platform such as DocuWare or Egnyte to store software-related documents.

Step 4. Review Software License Terms

The next step is reviewing software licenses and related documents to ensure that your organization is adhering to those terms

In-house counsel should also be aware that some license models, such as core-based licensing, virtual machine environments, or geographic usage restrictions, can introduce hidden compliance risks. Vendor-specific agreements (e.g., for Oracle, IBM, or SAP software) often contain nuanced language that requires detailed legal interpretation.

For open-source software, consider referencing ISO/IEC 5230 (OpenChain) to structure compliance efforts and ensure third-party code reuse follows best practices.

Analyzing software license terms can help you:

  • Identify software usage restrictions. Software licenses may limit the number of users or installations or may include geographic or distribution restrictions.
  • Discover license breaches. Common software license violations include over-deployment (using more software than is allowed by the license), unauthorized use (such as use of software with an expired license), unauthorized modification, sharing, or redistribution of the software, and use of pirated software.
  • Confirm that all software is licensed. Whether it's installed locally or cloud-based, all software your organization uses needs to have a valid license.
  • Identify unused software. One money-saving benefit of an internal audit is discovering unused software that can be eliminated or reallocated
  • Ensure compliance with internal policies and applicable laws. Reviewing license terms can help you confirm internal policies are properly implemented and ensure your organization's software usage complies with legal requirements.

For example, reviewing Adobe's General Terms of Use can help you determine that any organizational attempts to recreate its software or use its software to train AI are prohibited.

Adobe's General Terms of Use providing guidelines on Adobe software usage

Tools like Open iT and Certero can help you track and manage software license usage.

Step 5. Identify Potential Issues

Your next step is identifying and documenting potential software license compliance issues.

License compliance issues can include:

  • License incompatibility. Some software licenses (such as certain open source licenses) don't allow their code to be combined with other software
  • Open source license violations. Open source software licenses may have specific requirements, such as those involving modification or redistribution.
  • Unauthorized usage or distribution. Software license terms often limit how many users or devices can access the software, where and how the software can be used, whether the software can be modified or reverse-engineered, and how long the software can be used. They can include attribution, sublicensing, and redistribution restrictions
  • Shadow IT risks. Shadow IT includes unauthorized software installations, which can result in security risks and software license violations. These risks can be mitigated by automated discovery tools that scan for unauthorized installs and by adopting strong procurement controls enforced through your Software Asset Management (SAM) policy. Establishing a cross-functional license compliance team can further support risk identification across business units.
  • Expired or missing licenses. Continued software usage despite license expiration, failure to fulfill upgrade requirements, discrepancies between software usage and the number of licenses required, and unauthorized user access or credential sharing are all examples of potential software license violations.
  • Legal violations. Software usage in violation of IP, export, or data protection laws can result in lawsuits, financial penalties, and damage to your organization's reputation
  • Weak or nonexistent internal policies. It's important to have strong internal policies that clearly explain how employees are allowed to use software and how to comply with software license requirements

Capita's Software Asset Management Policy explains that employees cannot individually source software from the internet or media and that only Capita's IT team can install or remove software

Capita's Software Asset Management Policy describes software usage rules

You can use tools such as Flexera or ServiceNow to track software licenses and entitlements vs. actual usage and identify compliance gaps.

Step 6. Report Audit Findings

Your audit report should include information about methodology, the scope of the audit, any legal, financial, or security risks or license violations the audit uncovered, and recommended action steps.

For vendor-initiated audits, legal counsel should develop a standard audit response framework, including:

  • A template for audit notification response
  • A communication plan designating a single point of contact
  • A process to pause new software procurement involving the audited vendor
  • Guidelines for protecting privileged information during auditor access

Treating external audits as formal legal events ensures consistency, limits risk exposure, and upholds your contractual rights during potentially adversarial reviews.

The Software License Management Audit Report conducted by the Office of Inspector General (OIG) of the United States Postal Service (USPS) recommends implementing a compliant software license management program, modifying IT software contracts that don't include required provisions and clauses, and establishing a process for ensuring contracts have the required provisions and clauses.

Software License Management Audit Report example from the USPS Office of Inspector General's findings

Step 7. Provide Guidance on Remedying Issues

Depending on the potential issues uncovered during the audit, you may advise internal stakeholders to take the following steps:

  • Unlicensed software installation or usage. Remove unauthorized software, purchase additional licenses, train staff on how to request approval for software installation or usage.
  • Using more software than the organization has licenses for. Uninstall or disable access to excess software, purchase additional licenses, use tools to track software licenses and entitlements, update SAM policy to track software usage.
  • Using software with an expired license. Decommission expired software, renew software licenses for expired software, assign software renewal role to specific staff.
  • Misuse of open source software. Train staff on complying with open source software licensing requirements, create open source software policies to ensure applicable requirements are met
  • Nonexistent or weak policies for procuring, tracking, or using software. Establish appropriate policies, including SAM, software usage, and software license compliance policies.
  • Violation of laws governing software usage. Take steps to remedy violations (such as fulfilling notification requirements or paying penalties), train staff, create or update policies

Additionally, legal teams should educate internal stakeholders, particularly procurement, engineering, and IT staff, on the implications of license misuse. Consider implementing recurring training sessions that address both commercial and open-source software risks, how to interpret license obligations, and when to escalate legal concerns. Ongoing awareness significantly reduces future violations and audit exposure.

Whether or not the audit uncovers problems, it's a good idea for your organization to set up a SAM program to prevent future software license compliance issues

An effective SAM program involves:

  • Maintaining accurate software inventory
  • Establishing software-related policies and procedures
  • Monitoring software usage
  • Managing software licenses
  • Training staff
  • Following procurement processes
  • Conducting regular software and software license compliance audits
  • Managing software throughout its lifecycle–including procurement, usage, maintenance, renewals, and retirement

Sowela Technical Community College's Software License Compliance Policy helps ensure that the organizations and entities within the Louisiana Community and Technical College System (LCTCS) comply with software vendors' license terms. It requires all software installations to be carried out by IT staff and all portable devices with loaded software to be brought on campus during the annual audit period, among other requirements.

Sowela Technical Community College's Software License Compliance Policy details

Summary

Software license compliance means ensuring software is used in accordance with the terms of its license

A software license compliance audit is a review of whether an organization is using software in compliance with the terms of the license

Software that should be a part of an internal software license compliance audit includes:

  • Commercial/proprietary software
  • Open source software
  • SaaS and other cloud software
  • Internally developed software

Reasons to conduct an internal software license compliance audit include:

  • Identifying software license compliance issues
  • Preparing for software vendor audits
  • Avoiding financial penalties and lawsuits
  • Ensuring compliance with internal policies and applicable laws

In-house counsel's role in an internal software license compliance audit can involve analyzing software, assessing risk, helping establish software-related policies, collaborating with and advising internal staff, preparing for software vendor audits, ensuring compliance with applicable laws, and training staff.

Following the steps in this checklist can help in-house counsel conduct a thorough software license compliance audit:

  1. Set up an audit team
  2. Identify the software to be audited
  3. Gather software licenses and software-related documents
  4. Review software license terms
  5. Identify potential issues
  6. Report audit findings to internal stakeholders
  7. Recommend action steps to remedy issues

Keep in mind the following tools and standards for ongoing compliance:

  • International Standards

    • ISO/IEC 5230 (OpenChain): defines best practices for managing open source license compliance, increasingly adopted by enterprises globally.
    • ISO/IEC 19770-1/2: provides a framework for software asset management, including software identification tagging (SWID).
  • License Management Tools

    • Flexera, Snow License Manager, Certero: full-suite SAM solutions for large organizations.
    • Open IT, ServiceNow, Lansweeper: inventory, discovery, and license tracking.
  • Document Management Platforms

    • DocuWare, Egnyte, SharePoint, Google Workspace: useful for storing license agreements, audit records, and procurement contracts.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy