BSA Audit Timeline

One of the top ten questions asked by my clients is “How long does the BSA self-audit process take from start to finish?” Of course I give the standard lawyer answer: it depends. Here are the steps to a typical BSA audit.

Preparation of Audit Materials (3 to 6 months)

A BSA audit is a request, under threat of litigation, to compile a listing of all BSA member software products installed on the audited entity’s computer network as of the Audit Effective Date. The Audit Effective Date is the date on the BSA initial letter requesting an audit. The first step in preparing this information is conducting an automated inventory of the software products installed on all computers owned or leased by the target company. Once an accurate inventory of the BSA member software products is completed, the next step is to reconcile the software inventory information with proofs of purchase dated prior to the audit effective date. While there are various ways to prove ownership of a software license, typically an invoice is considered the best evidence of ownership in a BSA audit. In the typical case, the inventory and reconciliation process takes three to six months.

Secure a Confidentiality and Federal Rule of Evidence 408 Agreement (1 week)

With very limited exceptions, we advise the targets of BSA audits to cooperate with the self-audit process but to do so in a way that does not compromise their position in the event that an out of court settlement is not possible. We do not disclose any information to the BSA until it signs an agreement regarding the confidentiality of the information disclosed and specifically limiting the BSA’s ability to introduce the information as evidence in court. In the typical case, the BSA will sign our standard agreement within one week.

BSA Analyzes Self-Audit Materials and Makes a Settlement Demand (3 to 6 months)
After the self-audit materials are submitted by the target of a BSA audit, the Business Software Alliance typically takes three to six months to respond. The BSA’s response provides its interpretation of the self-audit materials and applies a formula for its initial settlement proposal. The BSA’s formula for calculating fines is generally three times the unbundled full retail price of the software products installed on the target’s computers plus $3,500 for BSA’s attorney’s fees. In many instances, the BSA’s settlement proposal is substantially more than the target may have expected due to differences of opinion regarding what constitutes valid proof of ownership. In our experience, the BSA usually takes three to six months to make substantive response following the submission of the self-audit materials.

Negotiation of Monetary and Non-Monetary Terms of Settlement (6 to 24 months)

After the BSA makes its initial settlement demand, there are various monetary and non-monetary terms that need to be negotiated. The obvious material term in every BSA audit negotiation is the amount of any monetary amount to be paid to the BSA for alleged past infringement. The most significant non-monetary issue is whether the BSA will agree to a confidentiality provision. Such provisions require the BSA to keep the existence and details of the audit confidential and precluded BSA from issuing a press release. Negotiations over confidentiality provisions can be extremely protracted as the BSA agrees to such provisions in only very limited circumstances. Other non-monetary provisions include future obligations such as certifications of compliance, adoption of a software code of ethics, and production of additional proofs of purchase to the BSA for purchases made after the audit effective date. The length of the negotiation process differs from case to case but generally lasts between six months and two years.