
Software compliance auditing

Kaplan, James M. The Internal Auditor. Altamonte Springs: Dec 1994. Vol. 51, Iss. 6; pg. 18, 2 pgs

Abstract (Summary)
Most organizations rely on 2 approaches to software audit compliance, regular audits by the audit department and self-audits. Both approaches involve identification of the software installed on the PCs, and choosing the right tools for this task is critical. Fortunately, a program that relies on a new recognition engine and provides more comprehensive identification of installed software is now available. The Barefoot Auditor searches for installed software by probing within the applications on the user's hard disk. It retrieves information such as product name, license, version, and serial number directly from the programs themselves and therefore has the capability to recognize even the most current software as soon as it is released from the publisher.

While both managers and auditors acknowledge that compliance with software license agreements is the right thing to do, auditors are constantly confronted with situations where managers either knowingly or unknowingly allow staff to use unauthorized software in order to get the job done. As a result, auditing for compliance with software licensing agreements seems to be an unending task in current PC environments.

Software compliance audits must take into account both ethics and risk exposures. Most organizations have relied on two audit approaches: regular audits by the audit department, which are usually labor intensive and require specialized technical audit expertise, and/or self-audits, which require management to conduct a self-audit and report the results of that review to the audit department. The auditors can then monitor the results of the self-audits by conducting random spot audits of individual organizational units.

Both approaches involve identification of the software installed on the PCs, and choosing the right tools for this task is critical. Some software recognition programs carry out their mission by checking installed software against a database included in the program. These programs, such as SPAudit from the Software Publishers Association, search for file names and compare them to the database. A software scan using this type of product results in a less than complete listing of installed software, as the program identifies only the applications included in the database.

Even if the database is complete when purchased, the rapidly changing software environment renders the program obsolete as soon as it hits the store shelf. Auditors must supplement use of the software recognition program with a review of the executable files loaded onto the computers' hard disks, a task that takes 30 to 60 minutes per computer.

Another type of program combines a database with a recognition methodology that lists all installed executable programs, whether or not they are included in the database. These programs, while more effective in collecting installed software, require a significant initial expenditure of time and money. Licenses for purchasing these programs are based on the number of PCs owned by the organization; and at a cost of $10-$15 per computer, organizations with 2,000 computers would pay between $20,000 and $30,000. In addition, extra audit procedures, such as a hardware inventory, could mean that an audit department in an organization with 2,000 computers could spend from 1,000 to 2,000 hours performing a software compliance audit.

Fortunately, a program that relies on a new recognition engine and provides more comprehensive identification of installed software is now available. The Barefoot Auditor (BFA), a software program produced by the UK company Pathfinder and distributed in the U.S. by Qualitran, searches for installed software by probing within the applications on the user's hard disk. BFA retrieves information such as product name, license, version, and serial number directly from the programs themselves and, therefore, has the capability to recognize even the most current software as soon as it is released from the publisher.

The technology combines a sophisticated analysis technique with an expert system methodology. BFA starts off with no knowledge base and builds an index as the program runs. Subsequent PCs take less time to review since the software recognizes programs already identified on other PCs within the organization.
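The two recognition strategies contrasted above (a fixed file-name database that only reports what it already knows, versus an engine that probes inside each executable for product, version and serial strings and builds an index as it scans machine after machine) can be shown side by side in a small scanner. The following is an added illustration, not code from the article, from Barefoot Auditor, or from SPAudit; the "executables" are constructed byte strings with made-up `PRODUCT=...;VERSION=...;SERIAL=...` tags standing in for the metadata a real engine would read from a binary, and `FILENAME_DB` is a constructed sample database, not any vendor's list.

```python
"""Toy software-inventory scanner: database lookup vs. probing engine.

Added example only. Everything below is constructed sample data; no
real product database or binary format is parsed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Approach 1: a fixed file-name database (the SPAudit-style lookup).
# Constructed entries; anything not listed here is invisible to it.
FILENAME_DB = {
    "wp.exe": "WordPerfect",
    "123.exe": "Lotus 1-2-3",
}

# Constructed stand-ins for executables on two PCs: file name -> bytes.
# The embedded tags imitate strings a recognition engine could read.
_WP = b"MZ\x90\x00...PRODUCT=WordPerfect;VERSION=6.0;SERIAL=WP-1001..."
PC1_FILES = {
    "wp.exe": _WP,
    "xyz.exe": b"MZ\x90\x00...PRODUCT=NewApp;VERSION=1.0;SERIAL=NA-42...",
    "util.exe": b"MZ\x90\x00...no metadata strings in this one...",
}
PC2_FILES = {
    "wp.exe": _WP,  # byte-identical copy of the same installation
    "123.exe": b"MZ\x90\x00...PRODUCT=Lotus 1-2-3;VERSION=2.4;SERIAL=L-7...",
}

TAG_RE = re.compile(rb"PRODUCT=([^;]+);VERSION=([^;]+);SERIAL=([^;.]+)")


@dataclass(frozen=True)
class Identified:
    product: str
    version: Optional[str]
    serial: Optional[str]
    how: str  # "database", "probe" or "unknown"


def scan_by_database(files: Dict[str, bytes]) -> Dict[str, Identified]:
    """Approach 1: report only file names present in FILENAME_DB.

    Unlisted executables are silently omitted, which is exactly the
    incompleteness the article warns about.
    """
    return {
        name: Identified(FILENAME_DB[name], None, None, "database")
        for name in files
        if name in FILENAME_DB
    }


def probe(data: bytes) -> Optional[tuple]:
    """Read product, version and serial strings out of the file contents."""
    match = TAG_RE.search(data)
    if match is None:
        return None
    return tuple(field.decode() for field in match.groups())


class RecognitionEngine:
    """Approach 2: starts with no knowledge base and indexes as it goes."""

    def __init__(self) -> None:
        self.index: Dict[str, Identified] = {}  # content hash -> identity
        self.probes = 0  # how many files had to be probed from scratch

    def scan(self, files: Dict[str, bytes]) -> Dict[str, Identified]:
        result: Dict[str, Identified] = {}
        for name, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if digest in self.index:  # seen on an earlier PC: no probe needed
                result[name] = self.index[digest]
                continue
            self.probes += 1
            meta = probe(data)
            if meta is not None:
                ident = Identified(meta[0], meta[1], meta[2], "probe")
            else:
                # Unrecognised, but still listed for the auditor's follow-up
                ident = Identified(name, None, None, "unknown")
            self.index[digest] = ident
            result[name] = ident
        return result


if __name__ == "__main__":
    print("database:", scan_by_database(PC1_FILES))
    engine = RecognitionEngine()
    print("engine PC1:", engine.scan(PC1_FILES))
    print("engine PC2:", engine.scan(PC2_FILES), "probes so far:", engine.probes)
```

Two points worth noticing when running it: the database scan of the first PC drops `xyz.exe` and `util.exe` entirely, whereas the engine lists both, one identified by its embedded strings and one flagged as unknown for manual review. On the second PC the engine reuses its index for the byte-identical `wp.exe` and only probes the newly seen file, which is the "subsequent PCs take less time" effect described above; the caveat is that the index is keyed on file contents, so a patched or differently versioned copy is correctly treated as a new file and probed again.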

The program runs on DOS 2.1 or higher and also recognizes DOS-compatible LANs. It will run on IBM-compatible PCs and requires only 256K of RAM. The software processes information quickly, thereby reducing the time it takes to conduct the information-gathering phase of a software compliance audit. In a recent review of the software, an audit of twelve PCs took less than 30 minutes to complete, approximately the same amount of time it took to conduct an audit of one PC using other software. The program is also cost effective, as a one-time payment of £377 (plus VAT), or $577 U.S., allows the organization to audit any number of PCs.

The BFA User Guide is straightforward and easy to read and understand. The User Guide also provides specific guidance on how to conduct a software compliance audit, including information on software copyright, software license statements, and the follow-up required. Product support is available primarily through CompuServe and the Internet, although Qualitran (705-722-8550) provides U.S. sales and support as well. The Barefoot Auditor can make it much easier for internal auditors to help defend the organization against software piracy.

1 comment:

Dean Reese said...

I had no idea that a new software was now available. I would love to look more into it and see how I can get it. Do you know of any places that offer it? I would love to try it! http://www.steton.com/how-we-do-it/
