Tips for Software Audit and Agreements
Steps to complete Software Audit
- Collect and review all software acquisition records.
- Collect and review all software license agreements.
- Select a process or tool for the internal software review.
- Decide whether employees will be notified in advance. If employees are to be notified in advance, send an explanatory memorandum. If employees are not notified in advance, be respectful of employee property. It is always possible that you may find a program that does not belong to the company, but is an employee's legitimate property. Do not erase any software without first consulting the employee on whose PC the program is found.
- Determine who should be involved in the review. Suggestions: MIS Director, Senior Management/Staff Legal Counsel, Department Heads, Outside Legal Counsel/Auditor.
- Conduct the review. If using a software discovery tool, skip to step 8.
- If physically checking machines, follow these procedures: Locate all personal computers, including portable computers. If the facility is large, mark locations on a floor plan. When a PC is not accessible, make a note to search the hard disk at a later time. Print a list of directories for each hard disk, determining whether and how software can be downloaded onto a hard disk from your local area networks. It may be necessary to search several drives, e.g., C, D, E, and F, and the subdirectories of each drive. Searching the directory on a Macintosh system may involve opening folders within other folders to find all applications. Programs will generally be identified using abbreviations like WP for WordPerfect, 123 for Lotus 1-2-3, SK for Sidekick, WS for WordStar, etc. Take an inventory of floppy disks and available documentation if software is not stored on hard disks.
- Compare software found on hard disks with acquisition records. Alternatively, locate authorized disks and/or documentation for each software program listed on a hard disk.
- Review organizational policies on the use of software on home computers.
- Consult employees who are using software programs for which there are no records or disks. (An employee may be using his or her own purchased software on the office computer. If so, the employee should be required to demonstrate that the software is legitimate and not pirated. Ideally, this software should be removed or purchased by your organization.)
- Destroy any unauthorized copies of software and record the work. List personnel who need to be supplied with genuine software.
- Publish a corporate policy on software use, and request employee sign-off.
- Document a list of standardized software based on an evaluation of the software installed, and communicate the software to be supported to helpdesk personnel.
- Document processes for storage of media, documentation and proof of license.
- Document products and processes for data storage, disaster recovery planning and testing, and security against hackers, viruses, spam and spyware.
- Ensure you have the software installed on all your platforms (UNIX, Linux, Mac, etc.), since some of the big-ticket items are sitting on those.
Note: It is essential to set aside time for "normalizing" the data collected by any discovery tool, to ensure accuracy and to account for applications not recognized by the tool. This can be a very time-consuming task, and seeking expert assistance might make sense.
Get your Software Agreements Done This Way
The following steps should be taken before purchasing commercial software:
Gap Analysis
To start with, perform a Gap Analysis. Take a detailed look at your licensing status for the various software you use. This requires some form of software inventory tool to find out what is installed, and usually involves some level of data cleansing in order to build a clean inventory of installed assets. Collect up to six years' worth of historical license records, contracts and purchase history from the Sysadmin team and the vendor, and build a statement of entitlement. Subsequently, provide a licensing status report.
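The normalization note and the Gap Analysis step above can be sketched in code as follows. This is an added example, not part of the original page: the alias table (built from the abbreviations the audit steps mention), the sample discovery rows, the entitlement counts and the one-license-per-machine assumption are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed alias table: raw names a discovery tool might report -> canonical product.
ALIASES = {
    "wp": "WordPerfect", "wordperfect": "WordPerfect",
    "123": "Lotus 1-2-3", "lotus 1-2-3": "Lotus 1-2-3",
    "sk": "Sidekick", "sidekick": "Sidekick",
    "ws": "WordStar", "wordstar": "WordStar",
}

def normalize(raw):
    """Return the canonical product for a raw discovered name, or None if unrecognized."""
    key = re.sub(r"\.(exe|com|app)$", "", raw.strip().lower())  # drop executable suffix
    key = re.sub(r"\s+v?\d+(\.\d+)*$", "", key)                 # drop trailing version
    return ALIASES.get(key)

def reconcile(discovered, entitlements):
    """discovered: (host, raw_name) rows; entitlements: {product: licenses owned}.
    Assumes one license is consumed per machine with the product installed."""
    installs, unrecognized = set(), []
    for host, raw in discovered:
        product = normalize(raw)
        if product is None:
            unrecognized.append((host, raw))  # needs manual review, as the note warns
        else:
            installs.add((host, product))     # duplicates on one host count once
    installed = Counter(product for _, product in installs)
    report = {}
    for product in sorted(set(installed) | set(entitlements)):
        owned = entitlements.get(product, 0)
        report[product] = {"installed": installed[product], "entitled": owned,
                           "gap": owned - installed[product]}  # negative = shortfall
    return report, unrecognized

SAMPLE_DISCOVERY = [  # constructed discovery-tool output
    ("pc-01", "WP.EXE"), ("pc-01", "WordPerfect 5.1"),  # same product, same host
    ("pc-02", "wp.exe"), ("pc-02", "123.EXE"),
    ("pc-03", "WS.COM"), ("pc-03", "ZAPTOOL.EXE"),      # last one is not in ALIASES
]
SAMPLE_ENTITLEMENTS = {"WordPerfect": 1, "Lotus 1-2-3": 2, "Sidekick": 3}  # constructed

if __name__ == "__main__":
    report, unknown = reconcile(SAMPLE_DISCOVERY, SAMPLE_ENTITLEMENTS)
    for product, row in report.items():
        print(f"{product:12} installed={row['installed']} "
              f"entitled={row['entitled']} gap={row['gap']}")
    print("unrecognized (review manually):", unknown)
```

Products with a negative gap are under-licensed, and the unrecognized list is the portion of the inventory that still needs manual normalization.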
Fiscal Analysis
Check your pockets. Use data from the Gap Analysis and look at what the IT team is planning 3 to 6 years from now. Look at what projects you have on the horizon and the strategic plans, and compare and contrast these with the vendor's roadmap and upgrade plans. Ensure the relevant agreements are in place and look at the various options available to the IT admin. Finally, look at the ramifications 3 to 6 years down the line for each agreement option: how it works out in terms of their projects, financials and agreements.
Plan the Negotiation
Finally, begin to plan for the negotiation. This part is rarely performed before a negotiation, even when millions of dollars are at stake. There is no negotiation strategy. Work with the team to define the goals of the negotiation of the new contract. How much are you going to spend? What is your budget? Set out the differences between maintenance payments and new licenses, and agree on soft objectives such as support benefits, training vouchers and training.