The ITAM Review


ARTICLE: Ten Leaks In Your Software Management Process

There is only one thing worse than being audited by a software vendor and finding yourself out of compliance – and that’s allowing it to happen again a few years down the line.

From a known compliant state, fully licensed and up to date – how does an organisation slowly fall out of compliance?

Where are the leaks?

End User Leaks
1. End users on the network install software themselves without an appropriate license. This can be through:

  • Deliberate abuse
  • Ignorance of the terms and conditions, or
  • Not checking that the business is covered.

2. End users buy legitimate software themselves but don’t pass on purchase and license information to the purchasing department or breach the terms and conditions.
3. End users buy legitimate software but via the wrong channels e.g. not via the recognised volume agreement.

IT Department Leaks
4. The IT department installs software or redeploys existing software without checking license entitlement.
5. The IT department installs software and checks license entitlement, but then licenses it incorrectly. This can be through:

  • Using licenses outside their original terms and conditions, e.g. OEM confusion, or using academic licenses in a commercial environment
  • Using the wrong version or edition, e.g. Professional rather than Standard
  • Failing to inform end users of the terms and conditions once it is installed.

6. The IT department installs software in virtual environments incorrectly:

  • Software is installed on a server which many people can access, exceeding the total number allowed to access that application.
  • Software is installed whose licensing is based on the hardware profile of the machine it is installed on, or on the number of connections, without understanding the consequences.

7. Losing track of physical copies of license agreements.

Supplier Leaks
8. Your hardware supplier ships hardware with inappropriate OEM software.
9. Your software supplier sells you fake software.
10. You are mis-sold software by the vendor or reseller, or they lose track of your purchase history.

Have I missed anything? How else do companies fall out of compliance?

About Martin Thompson

Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.

Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.

He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.

Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).

When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.



  1. Martin Bull says:

    End User Leaks
    4. End users buy legitimate software themselves and install it on multiple PCs without recognition of the license terms and conditions.

  2. James V. Melillo says:

    Having strong corporate backed procurement, change and problem management processes that incorporate asset management as a key component can go a long way to stopping some of these leaks.

  3. Tim Retford says:

    One area that hasn’t been touched on is Mergers, Acquisitions, and Divestitures: often SAM is only an afterthought during the course of these activities, when the IT department is brought in to figure out how to integrate the new units or there’s tight time pressure to consider how the new organization will split licenses with the old.

    It’s no wonder that SW Publishers and Auditors pay attention to the financial pages for announcements of these events.

  4. Ilan Justh says:

    You might install software on a disc from a vendor that carries multiple programs that only has rights to one item you

  5. Craig Wilson says:

    A couple of thoughts to add…

    – Failing to uninstall at the end of a fixed term subscription based agreement or trial / evaluation period.
    – Deliberate abuse: some software vendors specifically look on all systems for key crackers during an audit, which naturally significantly changes how they engage with the account.

  6. Peter Jones says:

    The end user installs the software THINKING they understand the license, and reverse 2 – IT/Purchasing do not advise the end user of license terms.

  7. Matt Marnell says:

    – Failure to retain physical copies of the EULA and Certificates of Authenticity provided with the software media, in addition to your POs and invoices.

    Publishers say to hold tightly to these additional bits of physical evidence – they don’t always keep complete/actionable records either!

  9. A few thoughts of my own:

    – A physical server with a wide portfolio of applications installed is cloned and virtualised on a much more powerful machine. No consideration is given for the extra CPUs that require licensing, or for whether any of the applications’ EULAs permit or deny virtualisation rights.
    – A number of desktop applications are removed from PCs and placed on a Citrix environment. No consideration is given as to who can access what, and a shortfall of 2,000 licences is uncovered during an audit.
    – An application that is procured as boxed product is packaged for mass deployment and widely deployed.

  10. Troy Parker says:

    In my role as a software licence compliance auditor, it is very often identified that licence shortfalls are directly attributed to an insufficient knowledge and understanding of licence terms by those responsible for licence compliance.

    In particular, organisations who have deployed software in virtualised server environments are often identified as having insufficient licenses for the way in which those virtualised server environments have been configured (using DRS, for example). The licensing of virtualised environments can be very complex, and with more and more organisations moving to the use of virtualised server technologies this appears to be an area where non-compliance is growing.

  11. Sandi Conrad says:

    Machines are redeployed without being cleared of the original image. A real life example of where it can get expensive: an old CAD system is moved into a general office role. CAD software, the full Office package, maybe some graphics software and MS Project Pro are all left on the system, when the new user only needs MS Word. The previous user gets a new system and reinstalls all the previous packages, perhaps upgraded, and suddenly the company is out of compliance.

  12. Rory Canavan says:

    End User Leaks:

    Not educating your user-base as to what they are and are not allowed to do with their IT equipment.

    IT Department Leaks:

    No consideration being given to regular auditing and reconciliation of audit data against proof of entitlement.
    IT departments not ensuring that the manner in which software is deployed matches the licence they have to use it.
    Insufficient knowledge transfer caused by a turnover of IT staff.

    Supplier Leaks:

    Trusting your supplier that evaluation software hasn’t been bundled on to hardware you have installed.

  13. Ben McCullom says:

    Nice job Martin. All true, but the thing I have seen most in the market is a lack of corporate commitment to this discipline and a lack of identified processes in place to track and confirm the current state.

  14. Thanks very much for all the feedback for this article. I have taken the feedback on board and edited accordingly. I think the most important one mentioned was the loss of physical evidence to prove what you own.

    I’m sure from a legal standpoint the responsibility for lost licenses sits with end users, but vendors are notorious for keeping poor purchase information and I think it should be a shared responsibility.

  15. Typically we see three major holes in companies when it comes to software:

    1) Imaging – images are built or modified without review by the person/unit with licensing responsibility.
    2) Lack of product use rights knowledge, particularly around servers and server access licenses (production, development, virtual, remote access, mobile device access, etc).
    3) Guesswork – you can’t manage what you don’t know.

    Many of the items listed fall into one of these three categories, but I think it’s important to also acknowledge the root causes.

  16. Good point. Thanks Tim
