
This article was written exclusively for AUDITNET.ORG by PCProfile, Rob Harmer Consulting Services Pty Ltd, P.O. Box 196, Modbury North, Sth Australia 5092; fax +61 8 8265 1961; email robharm@pcprofile.com; web site http://www.pcprofile.com

Is Software Auditing a task for internal management or externally sourced advisers?


Software Auditing has been around for years, as a requirement for organizations that wish to reduce their own risk and establish a position which gives them a level of comfort as to their state of compliance. It has been found by many to be a useful technique, whilst others have found it a real burden. This article addresses some of the issues faced with conducting an audit.

Firstly, as auditors, many of you are already aware of the many tools on the market offering a wide range of services, reports, styles of auditing and so forth.

The aim of these tools has been to "assist you in minimizing your risk" of being caught with illegal software, to lower your total costs of ownership and to drive better value for money through licensing products at the right levels and volumes.

Of course, these tools also became the basis of "the audit industry" that has developed over the years, which has become a niche market for boutique and seriously large-sized vendors alike.

We know, as we are also a part of that very same industry having entered it in 1990 as a consultant and then in 1991 with our first audit tool, with continuous service and product development over the last 13 years.

This paper isn't about software audit tools, but about the basis and guidelines you need to establish within your organization about who is better qualified to minimize your risk when conducting a software compliance audit.
Consider the following issues that are relevant to Software Compliance Audits:

  • Do you know how many PCs you actually have deployed?
  • Do you know where they are located?
  • Do you know what applications are installed?
  • What certainty do you have that what you have installed can be rapidly verified as to ownership/proof of purchase?
  • When using audit tools, why do you have to pay annual maintenance fees for product recognition updates (to check for installed versions) for some products and not others?
  • Why do you have to pay consultants to come and audit your sites for an independent view?
  • Why do you need an internal team of software compliance auditors?
  • Have you noticed the trend to punish organizations in the press who are "caught" with illegal software?
  • Have you asked how they were caught: did they really know what they had installed, or did they cough up and pay just because their own systems were not up to date and couldn't tell what was installed?

The latest trend that you need to consider very carefully is Software Resellers entering or opening up the market by offering Software Asset Management and Auditing services. Previously this area was the preserve of the larger accounting/auditing firms (the Big 5); however, these auditing assignments seem to "come and go" depending on the level of risk (or threat) the client perceives, or the degree of risk the partners see in conducting the task.

Is there risk in conducting an audit?

Surely it's simply a task of:

  • locating the PCs,
  • conducting the audit,
  • analyzing the audit results,
  • summarizing the data,
  • comparing what is installed to what was paid for from asset/ledger records, and then
  • presenting the report to management and moving on to the next client audit?

If you are an auditor you need to consider the following issues.

  • Just locating the PCs can be a nightmare as most organizations manage this aspect (the hardware side) poorly and often don't know what they really have in terms of total hardware deployed. Sounds crazy, but in practice we have found this to be uncomfortably too often true.
  • Licensing is a nightmare, especially when the client interprets the way licenses operate rather than how they are written and legally binding. After all, their view is that they paid for the software, and therefore they will deploy it as widely as they like: "it's their asset". They forget that software is NEVER an asset; it is only ever sold as "a license to use" under very strict terms and conditions.
  • Did you know that there are only three ways you can legally acquire full Microsoft® operating system licenses?
  1. With new PCs with an OEM license for the operating system preinstalled.
  2. As Full-Packaged Product (we know this as "shrink-wrapped") through a retailer.
  3. As an OEM license with non-peripheral hardware from a Microsoft System Builder.
  • Did you know that OEM licenses for Microsoft operating system software are not transferable from one machine to another, even if the PC on which it was originally installed is no longer in use? The OEM license is tied (under the terms and conditions of the software license or end user licensing agreement) to the original PC on which it was installed.
  • Did you know that every PC preinstalled with Microsoft operating system software must be accompanied by a genuine Microsoft OEM license. See http://www.microsoft.com/piracy/howtotell/ for more information on How To Tell if Your Microsoft licenses are legal.
  • In conducting an inventory of your software you need to gather the data electronically. This can be done by physically touching every PC using a floppy disk approach, or by server/client auditing. What happens when the PCs are turned off or locked out under password control, or are performing backups or intensive application work when you are there for the audit? You need to revisit these later on, as they will otherwise be missing from the "audit count".
  • When you have done the 100% inventory needed (80%, 90% or 95% won't be good enough to reduce your risk) you need to analyze which software titles are installed.
  • The audit tool used to gather this detail is vital as some tools use the registry as a means of identification, some use web based interrogation, others use inbuilt databases (that need updating to keep current). The key issue here is the number of false positives you derive by this approach and the questions you need to raise here relate to the validity and accuracy of the data gathered.
  • Then you have to generate software inventory reports.

Is that all? NO! You still need to:

locate and identify ORIGINAL software licenses, and match the data gathered to PROOF OF PURCHASE details derived from originals of supplier invoices, supplier reports, asset records, general ledger reports and systems.

Why?

So that you can PROVE beyond doubt that what you have installed is covered by licenses legally acquired through VALID OEMs and licensed RESELLERS who sold you original versions and not copies.
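The reconciliation the audit steps above describe (inventory per PC, check the count is 100%, match installs to provable purchase records, flag unauthorized titles) can be expressed as a small script. This is an added illustration, not PCProfile's tool or the article's own code; the PC ids, product names, invoice numbers and seat counts are constructed sample data.

```python
from collections import Counter

# Constructed sample data (hypothetical PC ids, products and invoices).
# The asset register is what the organization believes it has deployed;
# the inventory is what the audit tool actually captured, one row per install.
ASSET_REGISTER = {"PC-001", "PC-002", "PC-003", "PC-004", "PC-005"}

INVENTORY = [  # (pc_id, product, version) rows from the audit tool
    ("PC-001", "Office Suite", "2002"),
    ("PC-002", "Office Suite", "2002"),
    ("PC-003", "Office Suite", "2002"),
    ("PC-001", "CAD Tool", "7"),
    ("PC-002", "CAD Tool", "7"),
    ("PC-003", "Shareware Zip", "1.1"),  # not an authorized title
]

# Proof-of-purchase records: one line per supplier invoice, with the number
# of seats it covers and whether the ORIGINAL invoice was located.
PURCHASES = [  # (product, seats, invoice_no, original_located)
    ("Office Suite", 2, "INV-1001", True),
    ("CAD Tool", 5, "INV-1002", False),  # only a copy on file
]

AUTHORIZED_PRODUCTS = {"Office Suite", "CAD Tool"}


def reconcile(asset_register, inventory, purchases, authorized):
    """Compare installed software against provable licenses and audit coverage."""
    audited = {pc for pc, _, _ in inventory}
    not_audited = sorted(asset_register - audited)
    coverage = len(audited & asset_register) / len(asset_register)

    installed = Counter(product for _, product, _ in inventory)

    # Seats backed by an original invoice count as proof; copies do not.
    proven, unproven = Counter(), Counter()
    for product, seats, _, original in purchases:
        (proven if original else unproven)[product] += seats

    shortfall = {p: installed[p] - proven[p]
                 for p in installed if p in authorized and installed[p] > proven[p]}
    unauthorized = sorted(p for p in installed if p not in authorized)

    return {
        "coverage": coverage,              # 1.0 is the target; less is not enough
        "not_audited": not_audited,        # PCs to revisit before the count is final
        "shortfall": shortfall,            # installs exceeding provable seats, per title
        "unproven_seats": dict(unproven),  # purchases still needing the original invoice
        "unauthorized": unauthorized,      # titles outside the compliance policy
        "complete": coverage == 1.0 and not shortfall and not unauthorized and not unproven,
    }


if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER, INVENTORY, PURCHASES, AUTHORIZED_PRODUCTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample data the audit is only 60% complete, two titles are short of provable seats (the CAD invoice on file is a copy, so its five seats do not count), and one unauthorized shareware title is flagged for the policy owner.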

Risks transferred?

For all the above reasons many of the Big 5 Auditing/Accounting firms "tend to get cold feet" when it comes to software compliance audits. The audits are very involved (and can be very profitable in terms of fee generation), but the firms perceive that by conducting audits at your sites for a task that can be quite daunting (even for them), they run the risk of having that risk transferred into their own organization, since they are acting as the advisers to the customer in this role.

So, what's wrong with Resellers / Consultants becoming involved in this task?

The idea of resellers becoming involved in this task, in theory widens the net of those who understand the issues, and hopefully can make your life easier. But will it? They still face the same risks as the Big 5 but they have an opportunity to grow their business if they discover you are caught short. Now, don't get me wrong here, if you have too few licenses for what you have installed then you need to pay up and legitimize your position and the reseller has done you a favor by assisting you to find this out.

But, when you consider the points above:

  • do you really want a reseller team accessing and auditing your PCs by floppy disk?
  • do you really want a reseller team accessing and auditing your PCs and servers by using the network?
  • do you really want them trampling all over your organization to search through records, licenses, ledger systems, invoices etc, and
  • then coming up with reports that tell you that you are short "xxxx" number of licenses and need to buy more?

How are you going to protect your organization's assets, IP and other information while 3rd party personnel are "in situ" electronically examining your structures? Can you afford to provide an escort, or buddy them up with staff who supervise their every movement and then verify that what they take off-site is only audit data and nothing else?

We think not! The costs of doing this are really far more significant than you may have been led to believe, and you have introduced risk by bringing in 3rd party personnel to look all over your systems.

One of the key aims of a software compliance audit is to establish a position to enable you to reduce your risk. Introducing additional risks and cost during the audit cycle is not really a smart move.

IN-HOUSE AUDITING IS THE PREFERRED APPROACH

In reality, and in practice, the best personnel to do this task are YOUR OWN TEAM of staff INTERNALLY, once you know how to conduct the audit and the risks involved. Many of these risks can be managed far better internally as you can control them, as long as you take heed of any warning signs that emerge and act promptly.

However, even then, you may be surprised to hear that, in our view, (and in the eyes of many other organizations), software audits (apart from the initial audit) really are a waste of time, money and effort. The tragedy of software compliance auditing thus far is that the initial audit is repeated over and over and over again due to initial failure to complete, interruptions, incorrect data collected, false positive results misleading, lack of identification, failure to match to assets/proof of purchase records and so on.

Wasting money on auditing is no way to run your business entity, when the money for the cost of conducting software compliance audits (in the manner they are being conducted at present) could be far better spent on your core business activities BUT you probably already know this!

We know that software compliance is NOT the core business activity of your organization and the money spent on traditional auditing techniques is MOSTLY WASTED and could be better deployed and utilized elsewhere.

"To combat and overcome both illegal and unauthorized software usage in organizations you need a robust technology asset management solution to force a shift in attitude to what is really a PEOPLE based problem!"

The most common observation in press releases about Anti-Piracy actions taken is that the organization
"... had inadequate procedures in place to prevent the use and installation of unlicensed software ..." and
"... should have had preventative measures in place ...".
DON'T LET YOUR ORGANIZATION BE QUOTED IN THIS MANNER!

Software Clearance Sales

As I am writing this article I am receiving e-mails from "hawkers" in the UK, US, NZ, Australia, China and so on, with messages as shown below:


If you think these deals look too good to be true, you are correct!

Imagine what will happen when some cost conscious manager/s in your organization decide to go out and buy 50 licenses at the prices above (as they are under cost pressures to keep to budget). They think they have struck a good deal and saved money.

BUT NOW your organization is faced with having illegal software "inside its boundaries" and you are significantly at risk!

Major software vendors have become fed up with the piracy of software by organizations and individuals and have started to aggressively seek out those who steal their software. If you have been reading the press recently you will have seen many cases of organizations being fined 5 to 6 figure sums as court costs, which is conservatively around 1/4th to 1/5th of the total costs involved! The resultant press tends to focus on the guilty party, flaunting the announcements of court fines and penalties, which is not helpful to your organization!

A ball-park summation of the acquisition cost of the above "offer too good to be true": if you purchased 1 of each, the total is less than $US 500; if you bought 50, less than $US 25,000. Comparative retail prices of legally acquired versions would be of the order of magnitude of $US 5,000 to $US 250,000.
... and when (not if) you get caught and charged under a piracy complaint/prosecution, the fines, penalties and recovery costs, including paying full-fare prices for the licenses in addition to what you initially outlaid, are of the order of 5 to 6 times the retail values, i.e. $US 250,000 to $US 1.5M!

Can you afford this, not to mention the bad publicity and disruption you face during the period of investigation, accusation and settlement? Followed by a period of internal scrutiny and punishment when you seek out the perpetrators who caused this issue in the first place!

How do you protect your organization from this happening?

To protect yourself and your organization what is needed to START with is, a robust software compliance policy coupled with a management strategy to get the message to the desktop. Organizations can significantly reduce their exposure to software piracy liability if they have a robust and proven software compliance policy which is adopted and enforced throughout the organization!

Why?

Despite the growing attention to corporate governance and ethics, many organizations pay little attention to software compliance and consider it to be an inconvenience. That is, until the software police come knocking on the door with a court order in hand to seek out illegal software. Think it won't happen to you? Check these articles out for more details: "Anton Piller raid details", "Check Your Post Box" and "One in 3 - Software Management Issues".

A key issue that organizations face is that software compliance is not a core business activity. Software Compliance is often seen as more of a burden that consumes money and wastes time that is better spent on other core business activities.

For management, there are some key issues regarding software compliance phrased in the following questions:

  • What can software compliance policy achieve for the organization?
  • Does having a software compliance policy really make a difference?
  • Will a software compliance policy provide protection if the organization is caught with illegal software by anti-piracy organizations?

Software Compliance Policy

All organizations need a robust software compliance policy that allows them the freedom to operate legally and responsibly under corporate governance rules. This policy, which should have a senior management champion and mandate, should ensure that employees share the penalties the organization may suffer if it is caught by one of the many anti-piracy organizations. Sound harsh? Not really.

Organizations must commit themselves to enforcing their software compliance policy. It is no good if it is a "paper tiger"! The software compliance policy should outline rules of conduct for installing and using software for both existing and new employees. It should also detail the penalties that will apply if employees are caught using illegal or unauthorized software. "Unauthorized software" covers freeware, shareware, abandonware, demoware, games and other file downloads that are NOT a part of your core business activity! "Illegal software" covers software that is NOT covered by an authorized purchase order for which there is a valid certificate of authenticity AND proof of purchase records that are verifiable and traceable through your accounting system.

Employment agreements, contracts, and letters should include a clause detailing the organization's software compliance rules and how they will be enforced. Without a clear and enforced software compliance policy, employees may think they can install whatever software they like on their PCs. If you are lax in your approach to this then you deserve to feel the brunt of the impact that can follow. See "Busted - Anti-Piracy news you need to hear!" and "Getting caught with illegal software will cost you!"

While other IT tasks may have a higher priority, software compliance will jump to the forefront if the organization is caught with illegal software. Should that happen, organizations have no option but to defend themselves from a piracy investigation. Many organizations have no idea how to do this and then panic. In many instances, organizations wind up paying large sums of money due to ignorance of their rights, of copyright law and of the full extent of the unauthorized software (e.g. pirated software as well as shareware, freeware and spyware) installed in their organization. For that reason, organizations need effective risk-mitigation strategies to minimize the cost of any investigation by police, vendors, or anti-piracy organizations.

Having a software compliance policy is an EFFECTIVE start to the risk mitigation process for your organization!

Management Must Lead with Software Compliance Policies

Software piracy is a people-based problem, so software compliance must combine technology with a management mandate and attention.

Management must change end-user attitudes about the use of illegal and unauthorized software and manage compliance by keeping it focused on the end-user level and holding users accountable.

Moreover, software compliance management should be done in a way that allows the organization and its employees to quickly get on with its core business activities.

Having a robust Software Compliance Policy backed by management mandate can make a difference!

Key Software Compliance Management Tips for Auditors

For effective Software Compliance Management, keep the following tips in mind:

  • Make sure there is a Software Compliance Policy in view at each desktop, on the Intranet, and on the Noticeboard. Add reminders in newsletters from time to time!
  • Build software compliance policies into user employment agreements
  • Make local management accountable
  • Make end users responsible for compliance
  • Reinforce desktop compliance policies to limit and minimize software downloading.
  • Stamp out the usage of unauthorized/illegal software.
  • Send a clear message to desktop users about your software compliance policies and the penalties for violating them.
  • Review your policies and procedures: does your company have existing policies outlining software use and acquisition procedures? If so, review them to ensure they are still applicable; if you have no current policies, now is a good time to write them.
  • Implement a software asset management plan
  • Once you've worked out the appropriate number of licenses for your software, put a plan in place to buy these and make yourself compliant
  • Put in a plan to maintain the compliant position you have now attained, so that the information can always be updated rapidly to reduce your risk.

and finally,

WHEN (note: not IF, but WHEN) you find out you have illegal software installed:

  • Ensure staff who are identified as the offenders are given appropriate warnings, and/or dismissal if they are known repeat offenders
  • Don't be frightened to pass on legal costs to clearly identified culprits if the anti-piracy police lay charges and are successful. Share the costs across all offenders!

Will software compliance policy alone provide protection if the organization is caught with illegal software?

The bottom line answer is a resounding NO or more accurately, only partly, but it will still cost you significant amounts of fines unless you take additional steps!

Some more questions to ponder:

  • Do you need an anti-piracy technique that satisfies your need to control the software in your organization? That reduces your risk? That increases your capability to identify what has been added between audits? That enables your business to reduce its audit team and dependency? That allows you to get back to core values and increase productivity? Then see http://www.pcprofile.com for more details.

This article was written exclusively for AUDITNET.ORG by PCProfile and published in December 2002 by Rob Harmer Consulting Services Pty Ltd, P.O. Box 196, Modbury North, Sth Australia 5092; fax +61 8 8265 1961

PC Profile is Australia's ONLY anti-piracy (self-help / non-policing) advisory service and solutions provider based in Adelaide, Sth Australia email: robharm@pcprofile.com http://www.pcprofile.com

This article and its contents are Copyright © 2003-2004 Rob Harmer Consulting Services Pty Ltd


Revised: January 31, 2010
