BSA Audits: What Small and Mid-Size Companies Must Know

BSA | The Software Alliance investigates thousands of companies each year for software copyright infringement. For small and mid-size businesses, a BSA letter can be alarming — but it is manageable with the right response strategy. This is your complete guide to understanding, responding to, and resolving a BSA investigation.

Key figures at a glance:

  • $150K: statutory maximum per work (wilful infringement)
  • 80%: BSA cases triggered by employee tips
  • Settle: the vast majority resolve without litigation
  • 30 days: typical initial response window

What is BSA and How Does It Operate?

BSA | The Software Alliance (commonly still referred to by its original name, the Business Software Alliance) is a non-profit trade association that advocates for the global software industry. Its member companies include Adobe, Autodesk, Bentley Systems, CNC/Mastercam, Microsoft, Salesforce, Siemens, Trimble, and numerous other major software publishers. BSA's enforcement programme investigates organisations suspected of using unlicensed or under-licensed software on behalf of these members.

BSA operates one of the largest software copyright enforcement programmes in the world, with offices and legal teams in over 60 countries. In the United States, BSA typically pursues claims under the Copyright Act, which provides for statutory damages of $750 to $30,000 per work infringed (or up to $150,000 per work for wilful infringement). This is separate from the vendor-initiated licence compliance audits covered in the broader software audit defense guide — BSA investigations carry specific legal dimensions that require immediate legal counsel involvement.

⚠ This Is a Legal Matter — Engage Counsel Immediately

Unlike a vendor-initiated licence true-up, a BSA investigation is a copyright enforcement action. The moment you receive a BSA letter, you should engage legal counsel with intellectual property experience before taking any other action. Do not respond directly to BSA, do not conduct internal software audits that could be used against you, and do not make any admissions in writing or verbally until your legal team is engaged.

What Triggers a BSA Investigation

Understanding why BSA targets specific organisations helps both in responding to a current investigation and in implementing preventive measures. The vast majority of BSA investigations are triggered by one of the following:

  • Employee / ex-employee tip (~80% of cases): BSA operates a confidential reporting programme (bsa.org) offering rewards for verified reports of unlicensed software. Disgruntled or departing employees are the primary source of reports.
  • Partner / reseller referral (moderate): Software resellers or channel partners occasionally report customers suspected of using unlicensed software, particularly when losing a deal to a competitor believed to have a lower cost base due to under-licensing.
  • Vendor telemetry (increasing): Some BSA member software products include usage telemetry that can identify installations not linked to valid licence keys. This data is shared with BSA for enforcement purposes.
  • Online activity (lower): BSA monitors online marketplaces, job postings (which may reference specific software), and social media for evidence of unlicensed use at scale.
  • Targeted campaigns (periodic): BSA periodically conducts enforcement campaigns targeting specific industries (construction, architecture, engineering, manufacturing) where piracy rates are historically high.

How a BSA Investigation Unfolds

BSA investigations follow a relatively predictable pattern, giving you time to prepare and respond strategically at each stage.

Stage 01: Demand Letter

BSA sends an initial demand letter by post (sometimes accompanied by an email) asserting that the company may be using unlicensed software. The letter typically offers a "self-audit" option: conduct your own review, report the results, and BSA will offer a settlement. The letter usually sets a 30-day response deadline. Do not respond or conduct any self-audit without legal counsel.

Stage 02: Follow-Up and Escalation

If the initial letter goes unanswered, BSA sends escalating correspondence, sometimes invoking the prospect of litigation. A response through legal counsel acknowledging receipt and requesting additional time is appropriate at this stage. It demonstrates good faith and buys time to prepare a proper internal assessment under privilege.

Stage 03: Self-Audit or Negotiated Review

BSA will typically request a software audit — either a self-assessment using a BSA-provided template, or a third-party audit conducted by a BSA-approved auditor. Your legal counsel should negotiate the scope, methodology, and confidentiality terms of any review process before you participate. The scope should be limited to BSA member software, not all software on your systems.

Stage 04: Settlement Negotiation

Once the scope of any compliance gap is established, BSA presents a settlement demand. This typically includes the cost of licences for any unlicensed software (at retail pricing) plus a penalty multiplier. Settlement negotiations occur between your legal counsel and BSA's legal team. The multiplier is negotiable, particularly for companies that can demonstrate good-faith compliance efforts.

Understanding BSA Settlement Economics

The majority of BSA investigations settle before any court proceedings. Understanding the settlement economics helps you evaluate any offer from a position of knowledge rather than fear.

BSA's initial demand is typically calculated as the retail purchase price of all identified unlicensed copies, multiplied by a factor of 2–5× to account for the copyright infringement element. This initial demand is a negotiating position, not a fixed liability. Key factors that affect the final settlement include:

  • Good faith efforts: Companies that can demonstrate an existing software asset management programme, licence tracking processes, or a history of purchasing software legitimately typically achieve better settlements than those who appear to have had no compliance controls at all.
  • Voluntary disclosure and cooperation: Companies that proactively cooperate with the review process (through properly structured legal counsel) typically achieve better outcomes than those who are combative or non-cooperative.
  • Future compliance commitment: Agreeing to implement an SAM programme, employee training, and periodic licence audits as part of the settlement can reduce the penalty component of the settlement demand.
  • Scale of infringement: A company with 50 unlicensed copies of design software will face different economics than one with 500. The penalty multiplier tends to decrease as companies demonstrate the infringement was inadvertent rather than wilful.
  • Company size and ability to pay: BSA is pragmatic — a settlement that bankrupts a company serves no one's interests. For genuine SMBs with limited resources, financial hardship is a relevant factor in settlement discussions.

What BSA Cannot Force You to Do

BSA cannot search your premises, access your systems, or compel a self-audit without your consent or a court order. The demand letter creates a legal threat, not an immediate legal obligation to open your doors. Your obligation is to respond through counsel. A structured, good-faith response buys time to prepare and typically resolves the matter more favourably than either ignoring BSA or immediately providing full access to your systems.

Response Strategy for Small and Mid-Size Businesses

The following response strategy is appropriate for most SMBs receiving an initial BSA demand letter. Note that this is general guidance — your specific situation should be reviewed by qualified legal counsel with IP enforcement experience.

  1. Engage legal counsel immediately. Do not respond to BSA directly. Find an attorney with copyright or intellectual property experience, specifically one who has handled BSA matters before. Many IP attorneys offer initial consultations at modest cost.
  2. Do not conduct an unstructured internal audit. An informal internal survey of your software — emails asking "who has what software" — can create discoverable evidence that works against you. Any internal review should be conducted under the direction of legal counsel as privileged work product.
  3. Acknowledge receipt through counsel. Your attorney should respond to BSA acknowledging the letter, identifying themselves as your counsel, and requesting a 30–60 day extension to prepare a substantive response. BSA routinely grants these extensions.
  4. Conduct a privileged internal licence position review. Under your attorney's direction, conduct a structured internal assessment of all BSA member software on your systems, mapped against your purchase records. The goal is to understand your actual position before any third party sees your data. Guidance on conducting this review is covered in our licence position preparation guide.
  5. Remediate before reporting. If the internal review identifies clearly unlicensed software, purchasing the required licences before any settlement discussion demonstrates good faith and reduces the claim period. This must be done carefully and with legal advice — it is not always strategically optimal to purchase licences immediately.
  6. Negotiate a structured settlement. Through your legal counsel, negotiate a settlement that includes purchasing any required licences at commercial (not penalty) pricing, a reduced penalty multiplier reflecting good faith, a release of all claims for the review period, and no admission of wilful infringement.

Prevention: Building a BSA-Proof Software Asset Management Programme

The most effective response to BSA risk is not receiving a letter in the first place. A basic software asset management (SAM) programme protects you from BSA investigations and from vendor-initiated audits simultaneously. Key elements include maintaining a software inventory in a centralised asset register, requiring purchase authorisation for all software installations, conducting annual licence reconciliations, and implementing technical controls (such as software deployment tools) that prevent unauthorised software installation on company devices.

For most SMBs, a lightweight SAM programme using tools like Microsoft's Intune (for Windows estates), JAMF (for Mac estates), or a dedicated SAM tool can provide adequate visibility at modest cost. The investment is trivially small compared to any BSA settlement. The software audit defense buyer's guide covers SAM programme design in the broader context of audit risk management.
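The privileged licence position review (step 4 above) and the annual reconciliation that a SAM programme relies on come down to the same mechanics: count installed copies per product, scope the count to BSA member publishers, compare it with purchased seats, and price any shortfall using the 2–5× initial-demand range described earlier. The following script is an added illustration of that reconciliation, not code from the original page or from BSA; the install records, entitlement counts and retail prices are constructed sample data, and the member list is limited to the publishers named on this page.

```python
from collections import Counter

# Constructed sample data (not from any real estate). Each install record is one
# copy found on one device; entitlements are seat counts from purchase records.
INSTALLS = [
    {"host": "ws-01", "publisher": "Autodesk", "product": "AutoCAD"},
    {"host": "ws-02", "publisher": "Autodesk", "product": "AutoCAD"},
    {"host": "ws-03", "publisher": "Autodesk", "product": "AutoCAD"},
    {"host": "ws-04", "publisher": "Autodesk", "product": "AutoCAD"},
    {"host": "ws-01", "publisher": "Adobe", "product": "Acrobat Pro"},
    {"host": "ws-02", "publisher": "Adobe", "product": "Acrobat Pro"},
    {"host": "ws-05", "publisher": "Microsoft", "product": "Visio"},
    {"host": "ws-06", "publisher": "Acme", "product": "Tool"},  # non-member publisher: out of scope
]
ENTITLEMENTS = {  # (publisher, product) -> seats purchased; constructed
    ("Autodesk", "AutoCAD"): 2,
    ("Adobe", "Acrobat Pro"): 2,
    ("Microsoft", "Visio"): 2,
}
RETAIL_PRICE = {  # constructed list prices, assumed only for the estimate
    ("Autodesk", "AutoCAD"): 2000.0,
    ("Adobe", "Acrobat Pro"): 240.0,
    ("Microsoft", "Visio"): 600.0,
}
# Member publishers named on the page; BSA's actual membership is longer.
BSA_MEMBERS = {"Adobe", "Autodesk", "Bentley Systems", "Microsoft",
               "Salesforce", "Siemens", "Trimble"}


def licence_position(installs, entitlements, members):
    """Per product: installed copies vs owned seats, scoped to member publishers only."""
    counts = Counter((i["publisher"], i["product"])
                     for i in installs if i["publisher"] in members)
    keys = set(counts) | {k for k in entitlements if k[0] in members}
    position = {}
    for key in keys:
        installed, owned = counts.get(key, 0), entitlements.get(key, 0)
        position[key] = {"installed": installed, "owned": owned,
                         "shortfall": max(0, installed - owned)}
    return position


def exposure_band(position, prices, low=2.0, high=5.0):
    """Initial-demand range from the page: retail price of shortfall copies x 2 to 5.
    A product with a shortfall but no known price raises KeyError on purpose."""
    base = sum(p["shortfall"] * prices[key] for key, p in position.items() if p["shortfall"])
    return base * low, base * high


if __name__ == "__main__":
    pos = licence_position(INSTALLS, ENTITLEMENTS, BSA_MEMBERS)
    for key, p in sorted(pos.items()):
        print(f"{key[0]} {key[1]}: installed={p['installed']} owned={p['owned']} shortfall={p['shortfall']}")
    print("estimated initial demand band:", exposure_band(pos, RETAIL_PRICE))
```

Run it under counsel's direction against your real inventory export and purchase records; the point of doing this before any third party sees your data is to know the shortfall figure yourself first.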

Frequently Asked Questions About BSA Audits

  • What is BSA | The Software Alliance?
    BSA | The Software Alliance (formerly the Business Software Alliance) is a trade organisation representing major software publishers including Adobe, Autodesk, Microsoft, Salesforce, Siemens, and others. It investigates and pursues claims of software copyright infringement on behalf of its member companies.
  • How does BSA find out about unlicensed software at my company?
    The majority of BSA investigations originate from employee or ex-employee tips via BSA's confidential reporting programme. Other sources include BSA's own web monitoring, referrals from resellers, and automated detection of unlicensed software through vendor telemetry.
  • What are the penalties for BSA non-compliance?
    Under US copyright law, statutory damages for wilful infringement can reach $150,000 per work infringed. In practice, most BSA settlements are negotiated well below statutory maximums, but can still reach hundreds of thousands of dollars for mid-size companies with significant unlicensed software. The actual settlement figure depends heavily on the scale of infringement, the company's cooperation, and evidence of good-faith compliance efforts.
  • Can I ignore a BSA demand letter?
    No. Ignoring a BSA demand letter is the worst response. It signals bad faith, eliminates negotiating leverage, and can lead to escalation to litigation. Every BSA communication should receive a timely, measured response from legal counsel.
  • Can BSA force me to let them audit my systems?
    BSA cannot compel access to your systems without either your consent or a court order. The demand letter is a formal notice of a potential copyright claim. You are not legally required to grant access, but you are required to respond through appropriate legal channels. Refusing to cooperate entirely typically leads to escalation toward litigation.
  • How long do BSA investigations typically take to resolve?
    Most BSA investigations that are handled proactively through legal counsel resolve within 3–6 months. Cases that escalate due to non-cooperation can extend significantly longer. The critical factor is engaging counsel immediately and establishing a constructive dialogue with BSA's legal team.
