The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

ARTICLE: 15 Steps To Completing A Software Audit

Sandi Conrad of Conrad and Associates in Southwestern Ontario shares her 15-stage process for completing an internal software audit.

Sandi recommends you take these 15 steps in turn or consult the skills of a qualified SAM consultant to help you.

1. Collect and review all software acquisition records.

2. Collect and review all software license agreements.

3. Select a process or tool for the internal software review.

4. Decide whether employees will be notified in advance. If employees are to be notified in advance, send an explanatory memorandum. If employees are not notified in advance, be respectful of employee property. It is always possible that you may find a program that does not belong to the company, but is an employee’s legitimate property. Do not erase any software without first consulting the employee on whose PC the program is found.

5. Determine who should be involved in the review. Suggestions: MIS Director, Senior Management/Staff Legal Counsel, Department Heads, Outside Legal Counsel/Auditor.

6. Conduct the review. If using a software discovery tool, skip to step 8.

7. If manually checking machines, follow these procedures: Locate all personal computers, including portable computers. If the facility is large, mark locations on a floor plan. When a PC is not accessible, make a note to search the hard disk at a later time. Print a list of directories for each hard disk, determining if and how software can be downloaded onto a hard disk from your local area networks. It may be necessary to search several drives, i.e., C, D, E, and F, and the subdirectories of each drive. Searching the directory on a Macintosh system may involve opening folders within other folders to find all applications. Programs will generally be identified using abbreviations like WP for WordPerfect, 123 for Lotus 1-2-3, SK for Sidekick, WS for WordStar, etc. Take an inventory of floppy disks and available documentation if software is not stored on hard disks.

8. Compare software found on hard disks with acquisition records. Alternatively, locate authorized disks and/or documentation for each software program listed on a hard disk.

9. Review organizational policies on the use of software on home computers.

10. Consult employees who are using software programs where there are no records or disks. (An employee may be using his or her own purchased software on the office computer. If so, the employee should be required to demonstrate that the software is legitimate and not pirated. Ideally this software should be removed or purchased by your organization.)

11. Destroy any unauthorized copies of software and record work. List personnel who need to be supplied with legitimate software.

12. Publish the corporate policy on software use, and request employee sign-off.

13. Document a list of standardized software based on an evaluation of the software installed, and communicate the software that is required to be supported to helpdesk personnel.

14. Document processes for storage of media, documentation and proof of license.

15. Document products and processes for data storage, disaster recovery planning and testing, security against hackers, viruses, spam and spyware.

Has Sandi missed any points? What else would you recommend?
Please use our comments facility below to add your feedback.

About Martin Thompson

Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.

Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.

He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.

Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).

When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.


5 Comments

  1. Gary P. says:

    It is important to remember that after you have done all of this hard work that it isn’t over. You need a non-intrusive solution to completely monitor any software changes in your environment. And don’t forget, you need to ensure you have the software installed on all your platforms (UNIX, Linux, MAC, etc) since some of the big ticket items are sitting on those.

  2. Jamie T says:

    If going through a vendor triggered software audit, be sure that all the hard work is future proofed through, as Gary suggests, maintenance of the data but also be sure to negotiate a date before which the vendor is not allowed to audit again.

  3. It is very important to remember and leave time for “normalizing” the data collected by any discovery tool to ensure accuracy and account for applications not recognized by the tool. This can be a very time consuming task and seeking outside assistance might make sense.

  5. Athens says:

    If you are manually managing software licensing, you really need to remember that this is a daily process. All year long there should be a process for recording software licenses purchased, logging them in some sort of database, and checking installs against this. Without a system of checks and balances, you are still just playing a guessing game. Also, when time comes to TrueUp your software, is not the time to start thinking about self-auditing your software licenses. At that point you should have accurate information to reference, that already has been validated and checked. Perhaps you are only checking deltas and making strategic decisions at this point. A month before your TrueUp is not the time to start tracking your licenses….
