
The high cost of software piracy: organizations that implement an asset-management process can curb the risks associated with an adverse software audit - Risk Watch

Internal Auditor, June, 2003 by Mark Bigler

UNLICENSED SOFTWARE USAGE poses a significant risk to organizations in terms of potential fines, audit and legal fees, additional software licenses and maintenance fees, business disruption, and reputational damage. The risk of being audited by a software vendor has risen greatly in recent years, and the consequences can be substantial. Losses to software companies due to piracy amounted to just under six billion dollars worldwide in 2001, according to the Business Software Alliance (BSA), a software trade group.

Although software management can be complex, resource consuming, and frustrating, the software purchaser is responsible for complying with the software license agreement. Internal auditors can help reduce the risk of adverse software audits by ensuring that an asset-management process has been implemented and that the company is prepared for a possible audit. As part of the software asset-management plan, the organization should review all software license agreements, perform a self-audit, and correct identified licensing deficiencies.

REVIEWING LICENSE AGREEMENTS

The first step of the software asset-management plan should be to assign someone to review all software license agreements for key clauses, including:

* Audit clauses. If there is an audit clause, determine exactly what rights the software vendor has in performing an audit. Typically, the audit clause gives the vendor -- or an assigned third party -- the right to perform one software audit annually. The audit clause may also give the software vendor the right to charge audit fees, penalties, and full retail prices for licenses deemed required if the company is found not to be in compliance. Depending on the type of audit software, audit fees can range from a few thousand to several hundred thousand dollars.

* License scheme. The type of contract will determine the audit procedures the software vendor auditors use. Many companies think they have one license type -- for example, a concurrent users license -- when they actually have a different type -- such as a named or per-seat license. Many times, this misinterpretation leads to the audited company owing hundreds of thousands of dollars for additional licenses.

* Affiliate use. If the software contract does not specifically grant the company the right for its affiliates -- sister companies and subsidiaries -- to use the software, the company may be out of compliance if it is allowing such usage.

* Third-party access rights. Vendors, customers, business partners, or other nonemployees can only use a company's software if it is allowable under the license agreement. Third-party access rights may arise when a company gives access, for example, to a population of unlicensed users via an Internet storefront or "bolt-on" application.

* Software modules purchased versus modules installed. Some software vendors distribute software on CDs or DVDs that contain their entire suite of offerings, regardless of what modules the customer actually purchased. If the customer is using modules not previously purchased, he or she may not be in compliance with the agreement.

* User license types. Determine exactly what type of user license was purchased. For example, if "inquiry-only" licenses were purchased, users shouldn't be performing sales-order transactions in a financial application or enterprise resource planning software module. In this example, a user performing transactions would typically require a more expensive full-use license such as a "concurrent" or "named" license.

* Global versus domestic use. Some software license agreements stipulate that the software may only be used in the country where the contract is signed (i.e., domestic use only). If a company has international offices using the software, or even just connecting to the domestically located server, the company may be out of compliance.

PERFORMING A SELF-AUDIT

The second step of the software asset-management process is to perform a self-audit to determine if the company is complying with its software license. Some software packages may have built-in license-use monitoring and reporting features to help with the self-audit. The BSA and the Software and Information Industry Association offer free self-audit kits on their Web sites, although mainly for shrink-wrapped software.

If no built-in feature exists, the internal auditor will have to develop a means to monitor software usage. It's helpful to create an asset register beforehand to track all software, contract provisions, and associated licensing. The register is also a good mechanism for tracking and documenting self-audit tests and other compliance procedures. This documentation could be invaluable in proving intent to remain compliant if legal action is taken as a result of a software vendor audit.

CORRECTING LICENSE VIOLATIONS

The final step is to immediately correct any licensing deficiencies that are found. Generally, this means uninstalling software that doesn't have a corresponding license and removing users who have never used the software or who no longer need access from the profile table. If more licenses are needed, they should be purchased in a timely manner to avoid the risk of an audit. It's also helpful to document all compliance procedures for internal control purposes and to defend against potential legal actions.

 
