Licence to steal
by Anne Petrie - Monday, 8th October 2007
It looks like software audits are here to stay. FDs need to make sure licences are in place as the costs of non-compliance could be high.
Software asset management (SAM) is not a sexy phrase, but it is one that FDs are increasingly having to concern themselves with. Smaller companies in particular, traditionally less wary of software auditors, are having to up their game as vendors such as Microsoft do the rounds extracting payment for the use of unlicensed software.
In many cases, worries over whether software is adequately licensed for all areas of the business are entirely justified. Recent statistics show software vendors reviewing users have found gaps in 90 per cent of companies audited.
Sarah Cole, senior solicitor at Mills & Reeve, says: “When you think of SAM, a lot of people think of high-tech companies, but this affects everyone.”
Vendors have become increasingly aware of the proliferation of unlicensed software and have increased their software audits accordingly. A major contributor to this new-found awareness is the Federation Against Software Theft, which acts for software licensors.
Cole explains: “They have a practice of sending a letter to companies that can be interpreted as aggressive and companies often read into them that they are obliged to let the auditors come in. One of the consequences of allowing them in is that they will almost inevitably find some discrepancy, which can result in heavy penalties from the licensors.”
To avoid this, companies are paying attention to a new standard designed to help decipher which licence covers which software. The SAM standard, ISO/IEC 19770-1, was designed to be a directive for best practice, which should help companies avoid unfavourable audits.
Shaun Fröhlich, director of Investors in Software (IiS), the not-for-profit group which designed the standard, says: “SAM is about identifying what software assets you’ve got and capitalising, maintaining and rectifying them where appropriate. The other side of the coin is there is a huge amount of money wasted where a need is assumed and there is no reason for it.”
The most important issue for many FDs Fröhlich has worked with is reputation, rather than cost. “Most firms I have spoken to are perfectly happy to spend the money, but are exceedingly worried about damaging their brand.”
The problem for FDs is that while physical IT assets are easy to count and track, software can be copied invisibly to many machines. “It is difficult for organisations to ensure employees aren’t using unauthorised software and there is definitely a lack of understanding of what licences are allowable,” Fröhlich says.
All software platforms should be tracked and records kept of individually licensed packages and updates. The days of just tracking hardware – when it represented the main outlay of a company’s IT assets – are long gone. It’s clear that some businesses are struggling to keep up with the new priorities.
Once software assets are being tracked, they need to be maintained, with regular inspections to highlight discrepancies between what is officially installed and what users actually have access to. According to the International Standards Organization, a network of national standards institutes, this should happen at least quarterly with platforms, while master copies and hardware should be checked every six months.
Internal controls swiftly become invalid if suppliers don’t head off licensing problems. Supplier management should be restricted to specific individuals and supplier reviews undertaken every six months.
“People need to find a reputable dealer, otherwise they might discover the software they have purchased is counterfeit,” Cole says. “It’s difficult to overcome that – the software vendor can come and sue you just as they can sue the company selling counterfeit software.”
In essence, the standard is common sense. It relies on businesses having policies covering who is responsible for SAM, restrictions on personal use of corporate software, and the legal requirements, including copyright and data protection. FDs should be aware of any approvals needed before software the company already owns is installed. Disciplinary procedures for violation of these rules also need to be put in place.
Cole says: “Adhering to good practice in SAM should be seen as risk management. Any problems and you will have to show you have made a good effort to put it right.”
Maintaining an audit trail is of the utmost importance. “Basically, if a company has 200 employees and only one copy of a certain software licensed to them, it doesn’t take a genius to see what’s going on there,” Fröhlich says.
If any worrying figures do come out of the audit, FDs need to be aware that this is a tactic used by the licensors. “If they scare people at the outset, it makes them take software licensing seriously,” says Cole. “It is possible that companies might not have to allow Microsoft in to do the audit – although this depends on the terms of the licence and Microsoft is pretty good at writing this into their licences.”
IiS believes adhering to ISO/IEC 19770-1 should streamline the business by improving bulk-buying contracts and avoiding buying new licences when old ones can be redeployed. Efficiency can also be improved, lowering infrastructure and support costs. IiS says the standard helps decision making become quicker and more efficient, and means new systems can be put in place in less time.
“Good SAM is about getting the business in order and taking IT systems seriously,” Cole says. “People need to be switched on. It is vital to make sure you are thinking about it.”
Commercial property consultant Drivers Jonas had a full Microsoft audit from May to November 2005. FD Peter Shere says it was quite an experience. “We had a fairly extensive audit and we were initially told we were carrying a potential liability of £400,000. After the audit was completed, we settled at £83,000.
“We sorted it out in conjunction with IT consultancy Bytes Technology – the settlement had to pass through them and we had to agree a SAM system. The security program AppSense sits on our servers and provides an audit trail, validating paid licences and paying for the provision of the software. The monitoring software is Microsoft-approved so they can police licences.
“We also researched the details of our licences. What we learned was, if you’re buying equipment, keep all the cases and licensing documentation that comes with it. Or, if you upgrade, make sure you register it with Microsoft. Upgrading is clearly an issue for a business like ours as we aren’t using one standard software platform.
“We were caught off guard a bit with it, to be honest. I’m not directly involved but I sit on the IT management board. I wasn’t surprised that Microsoft does this, but I’m not sure if targeting a £65m company is the best use of its time. Obviously we had the false impression that Microsoft had bigger fish to fry.
“However, there was a clear mismatch between how Microsoft thought we were misusing the technology and what we actually had, which, if nothing else, showed us how easy it is to lose track of your software assets.
“Software audits are clearly here to stay. I’m not sure if they have a policy as to what kind of companies they visit and we have no idea if they will be coming back for another audit.”
Where next...
www.investorsinsoftware.co.uk Provides advice on software and IT asset management.
www.microsoft.com/licensing An overview of the company’s volume licensing agreements.
www.justasksam.co.uk Information on creating successful SAM strategies.
www.iso.org Details on the ISO, its standards and their importance.






