Patrick,
I've attached a couple of items that I found recently on this subject. Maybe they'll
help a little.
Deborah Ray, CISA
AVP & Asst. Auditor
National Bank of Commerce
Starkville, MS
(662) 324-4262
[EMAIL PROTECTED]
>>> "Yager, Patrick" <[EMAIL PROTECTED]> 6/22/01 12:31:48 PM >>>
Does anyone have a software license audit program for a company with
multiple locations? I would also be interested in hearing your audit
experiences with this type of audit. Was it difficult to do? How many
labor hours were involved in determining licensing requirements? Was it
necessary for the auditor to visit each computer, or did you use a
representative sample? Did you use a software package to assist in
gathering the information? How much did you rely on your IT staff for help?
Patrick Yager, CIA
AVP/Director of Internal Audit
Tinker Federal Credit Union
Oklahoma City, OK
Federal Election Commission
Office of Inspector General -- Audit Report
Audit of the Commission's Management of Computer Software: Executive
Summary
March 31, 1999
------------------------------------------------------------------------
If you require the entire printed version of the audit report, contact the
Office of Inspector General, Federal Election Commission, 999 E Street, NW,
Washington, DC 20463 or call Dorothy Maddox-Holland, Special Assistant,
phone: (202) 694-1015, fax: (202) 501-8134, or e-mail: [EMAIL PROTECTED]
------------------------------------------------------------------------
Executive Summary
The primary objectives of our audit were to: (1) verify that Commission
computer software is in compliance with applicable copyright laws and
Commission policies and procedures; (2) determine that adequate policies
and procedures are in place to prevent unauthorized software use by
Commission employees; and (3) ensure that adequate controls are in place to
detect and prevent computer viruses.
The audit field work was conducted between September 1998 and January of
1999. We performed preliminary research, and conducted our unannounced
inspection of personal computers (PCs) prior to the start of our field
work. In order to achieve our stated objectives, we reviewed
documentation, conducted interviews with Commission staff, inspected
Commission computers, and contacted external organizations for information
related to the audit. Our audit was conducted in accordance with the
General Accounting Office's Government Auditing Standards.
Our audit examined the management of computer software programs installed
on Commission computers to ensure that software complies with applicable
copyright laws and Commission policies and procedures. We generally found
that the majority of the software installed on the Commission computers we
inspected was in compliance with applicable software copyright laws.
However, we did find that unlicensed software was installed on Commission
computers. We believe the primary reason the unlicensed software existed
is because the Data Systems Development Division (DSDD) does not have an
adequate record keeping system to ensure that computer software installed
on Commission computers complies with applicable copyright laws. We
suggest that DSDD develop an adequate record keeping system to ensure that
all software installed on Commission computers complies with copyright
laws. The suggestion is contained in the Audit Testing and Results section
of this report.
We also reviewed the Federal Election Commission's (FEC) policies and
procedures related to computer software use by employees. The purpose of
the review was to determine whether adequate policies and procedures are in
place to prevent unauthorized software use by Commission employees. We
reviewed the FEC's Directive 58 which contains controls over computer
software, and inspected the Computer User Agreements to determine if all
employees have signed the agreement to abide by the Commission's policy on
computer software use. We also conducted an unannounced inspection of a
sample of Commission computers to determine whether the computer software
installed on the PCs was authorized in accordance with Directive 58.
Overall, we believe adequate policies and procedures are in place to
prevent unauthorized software use by Commission employees. We provided
management with several suggestions for improvement. These are contained
in the Audit Testing and Results section of this report. In addition, we
intend to provide the results of our unannounced inspection of PCs to
employees and management. We will provide a listing to employees and
management which includes the unidentified software programs found on the
PCs, and request that employees remove any unauthorized software from their
computers.
Lastly, we reviewed the FEC's anti-virus software system. In general, the
purpose of the review was to verify that the current version of anti-virus
software is installed on Commission personal computers (PCs) and laptop
computers to prevent and detect computer viruses. We found that the
majority of the Commission's personal computers and laptops have the
current version of anti-virus software installed. However, we concluded
that controls need to be strengthened to ensure the Commission computers
are adequately protected against computer viruses. We recommend that
anti-virus software and the current virus data files are installed on all
PCs and laptops, and that written procedures are issued which will provide
guidelines on ensuring that the Commission's computers are adequately
protected from computer viruses. [See the Audit Findings and
Recommendations section of this report for more detail]
------------------------------------------------------------------------
WariNet
Software License Compliance Audit Program
Objective: To evaluate the current practices on the installation or use of
commercial software packages, and determine whether employees are complying
with the provisions of software licenses.
1. Determine through inquiry and review of documentation what the
organization's policy is regarding software license compliance. If no
such policy exists, consider the need for an audit finding.
2. Assess, through inquiry and discussion with the appropriate
official(s), the degree of compliance expected to be found in the
organization, and determine what procedures are performed to ensure
compliance with software licenses.
3. Identify any multiple software copy or site licenses that may exist
in a department or in the LAN environment.
4. On either a sample basis or a 100% basis, inventory the software
that is installed on the computers attached to the LAN or on
departmental computers. Using software such as SPAudit by the Software
Publishers Association can facilitate this process. If such a tool is
not available, obtain a current inventory of all installed
software packages.
5. Review supporting documents for the purchase of the software packages
inventoried in step 4 above, and for any installed packages that
cannot be supported by purchase documentation, determine if the copies
were obtained improperly.
6. Ensure that the users remove any installed software packages that
are not in compliance with software license agreements.
Risks: Organizations face potentially significant exposures if employees do
not comply with the provisions of software licenses. Generally, unless
multiple use licenses or other site license arrangements are made with
software publishers, a software package may only be used on one computer.
The LAN environment has a tendency to amplify the problem of
non-compliance, because it becomes very easy to copy software or allow
multiple concurrent uses of a program.
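
Steps 4 to 6 of the audit program above, sketched as an added example that is not part of the original message or of the WariNet program: it reconciles an installed-software inventory against purchase records and lists the packages a reviewer would follow up on. The host names, package names, record layout and the functions norm and reconcile are all assumptions made for illustration.

```python
# Constructed sample data, not from the audit program or any real site.
INVENTORY = [  # step 4: (host, package) rows from the inventory tool
    ("pc-01", "WordProc 5"), ("pc-02", "wordproc 5 "), ("pc-03", "WordProc 5"),
    ("pc-01", "SheetCalc 2"), ("pc-02", "SheetCalc 2"),
    ("pc-03", "GameX"), ("pc-03", "GameX"),  # duplicate scan row
    ("pc-01", "AVScan"), ("pc-02", "AVScan"), ("pc-03", "AVScan"),
]
LICENSES = {  # step 5: what the purchase documentation supports
    "WordProc 5": {"type": "per_seat", "seats": 2},
    "SheetCalc 2": {"type": "per_seat", "seats": 5},
    "AVScan": {"type": "site"},
}

def norm(name):
    """Normalize a package name so scan output and purchase records match."""
    return " ".join(name.lower().split())

def reconcile(inventory, licenses):
    """Return one finding per package that purchase records do not cover."""
    entitlements = {norm(k): v for k, v in licenses.items()}
    hosts_by_pkg = {}
    for host, package in inventory:
        # A set per package de-duplicates repeated rows for the same host.
        hosts_by_pkg.setdefault(norm(package), set()).add(host)
    findings = []
    for package in sorted(hosts_by_pkg):
        hosts = sorted(hosts_by_pkg[package])
        lic = entitlements.get(package)
        if lic is None:
            issue, seats = "no_purchase_record", 0
        elif lic["type"] == "per_seat" and len(hosts) > lic["seats"]:
            issue, seats = "over_deployed", lic["seats"]
        else:
            continue  # site license, or installs within purchased seats
        findings.append({"package": package, "issue": issue,
                         "installed": len(hosts), "licensed": seats,
                         "hosts": hosts})
    return findings

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, LICENSES):
        print(finding)
```

The hosts listed in each finding are the machines where step 6 removal, or an additional purchase, would apply.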