Why software compliance is a finance issue, and what IT can learn
Section 404 of the 2002 Sarbanes-Oxley (SOX) Act pertains to the management assessment of internal controls. The U.S. Securities and Exchange Commission’s (SEC) rules developed in response to section 404 require companies around the globe to have a system of internal controls in place to provide reasonable assurance regarding the reliability of financial reporting. In short: to ensure that there are no unreported financial risks. Now, how does this relate to the huge financial and operational risk of ailing Software Asset & Compliance Management, even if your company is not subject to SOX?
Software license audits ahead
All large software publishers, such as IBM, Oracle, Microsoft, SAP etc. perform software license audits on their clients. Gartner warns that you are likely to be audited by at least one software publisher during the next 12 months. License audits are a significant revenue stream for software publishers as many companies are found to be out of compliance. In response, firms like us are there to help clients optimize the audit process and minimize risk. However, apart from the effectiveness of obtaining control in case of an audit, is it financially and operationally acceptable to leave these risks unaddressed until software compliance audit emergencies occur?
While physical assets dominated the 20th century, our 21st is all about virtual assets. In business operations, vital software systems rank among the most important and critical ones. Looking at the impact on your core business software, a system failure will quickly alert you to its relevance to your organization. But are these assets managed, and if they are, is this done properly – to ensure that any financial risk is known and acceptable? Proper research is lacking, but most CFOs are not aware of the risks involved.
Know how high your risk profile is
Regardless of a software compliance audit, organizations should have sufficient controls in place to assess any risk. There is no risk-free company, but risk should be taken seriously. Not all deployed software involves the same financial risk. Too often, we see that companies have no idea how high their risk profile is and rely on incomplete processes and toolsets, if any at all. The IT Department does its utmost, but in a continuously expanding IT landscape and an ever more integrated IT infrastructure the required overview becomes increasingly harder to ensure. Outsourcing, connectivity, cloud and remote working are making it ever more complex to assess where software is deployed and being used.
Calling Finance to the rescue
Interestingly though, the Finance Department rarely plays an active part, while Software Asset & Compliance Management should be a core task under the financial risk management umbrella. The Finance department has the skills and experience to benchmark controls and processes and set qualitative goals. With or without SOX, it is Finance that has to steer, guide and safeguard financial risk management. The task of IT is to ensure the set risk levels are honoured. Moreover, there is a lot to be learned from Finance as software compliance is just another core part of implementing and managing financial risk assessments and controls.
Administration is essential
It all starts with proper administration: setting up a solid Software License & Entitlement administration where all your rights are stored is the first essential step. This is not just a list of the products and licenses that have been procured. Knowing the restrictions, limitations, contractual conditions, exact definitions, related and included products is essential for securing the proper level of insight into your entitlement and the associated risks.
Important details can be extracted from your buying history, the type of software obtained and the restrictions that come with the procurement of software licenses. In doing this, the areas with a larger financial risk will quickly be uncovered. On top of this, the buying behaviour and history is the primary source for vendors to select clients for audits.
Active sharing of all Software License & Entitlement knowledge internally will uncover awareness and responsibility issues throughout your organization. It will become clear whether the IT Department or Procurement Office have noticed anomalies and if they addressed them the right way.
Towards Continuous Software Compliance Reporting
Setting up a solid Software License & Entitlement administration can be done without any extraction of usage or other technical deployment data. Based on this first risk assessment a plan for further controls can be made. Is deployment discovery, usage measurement etc. required? If so, for what products and software publishers/vendors?
Software Asset Management (SAM) is the generic term for the tools, processes and people in the IT department that manage software assets in an effective, auditable way with correct controls. Continuous Software Compliance Reporting is the dashboard for Finance to assess whether the SAM process is effective and the IT department is addressing the financial risks properly.
So Finance, rise to the challenge and use your experience to open your organization’s eyes to the risk it is silently taking regarding software compliance issues. These issues will undoubtedly surface during any software license audit. Ensure that at minimum a solid Software License & Entitlement administration is set up and maintained in order to sustain the necessary compliance activities. As an added bonus, this will help you tremendously with your SOX compliance.
This article was published on 29-09-2015
Mark co-founded B-lay in 2008 and has been the company’s managing director since then. In addition to his managerial role, Mark uses the extensive software compliance knowledge he has gathered since 1997 to help organizations worldwide gain insight into the risks associated with using and managing their software licenses, as well as preventing compliance issues and saving costs. This is also strongly visible in the Zyncc product line of B-lay. Prior to founding B-lay, he was responsible for all compliance activities in Europe, the Middle East and Africa at Oracle. This included building the foundation for what is now the global Oracle License Management Services (LMS) team and onboarding the many acquisitions Oracle made over the years into Oracle’s compliance program.
Mark holds a bachelor’s degree in Company Economics and IT from Hogeschool Enschede in the Netherlands.