Is SAM among the top 10 risks that an organization faces?

Organizations spend considerable time, effort and cost in identifying, assessing and controlling risks to their business and earnings. Risks can stem from many sources, both internal and external, including natural disasters, the socio-political environment, business strategy, people, processes and information security. The range is wide.

Corporate risk and internal audit functions play the unenviable role of identifying, prioritizing and helping to mitigate the critical business risks of an organization. These functions seldom operate in isolation and need to work together with their business counterparts. Among the various types of risk that impact business operations are technology risks, and a key technology risk with a significant impact on business operations is the use of software assets. Contrary to common perception, the procurement and use of software is not a "technology only" issue: it impacts the business, its people and its operations.

Software Asset Management (SAM) involves reviewing an organization's software licenses to ensure compliance with the intellectual property rights of the software vendors and with the organization's own information security policies regarding the use of that software. It also helps optimize software spend and evaluate the adoption of newer technologies. So why is the risk related to the use of software significant, and why should the risk and internal audit functions be concerned? The use of software exposes an organization to several additional risks, which can be mitigated only by effective and efficient SAM processes.

Contractual and regulatory risks

While organizations build complete structures to manage legal, regulatory and compliance risks, they do not necessarily focus on software vendor contracts and the associated licensing terms and conditions. The Copyright Law of the US states that copyright infringement, if proven, can result in a penalty of up to US$150,000 [1]. Similarly, the Sarbanes–Oxley Act of 2002 includes possible prison time for officers of a company found guilty of copyright violation [2]. Besides this, software vendors also conduct licensing reviews to enforce compliance with their licensing terms and conditions, and any adverse findings from such reviews can result in penalties as well as possible legal implications. In spite of such regulations being in force, internal functions often do not even identify the use of software as a critical risk, and SAM audits frequently find no mention in the internal audit charter or plan of organizations.

Information security risks

In the last few years, as the world's use of data has grown exponentially, it has become extremely important to secure that data and the supporting infrastructure on which it resides. External attacks are on the rise, and employees routinely violate security policies without knowing it. Indiscriminate downloading and use of software puts organizations at risk and makes them vulnerable to attacks through spyware, malware and similar threats.

In a survey conducted by BSA | The Software Alliance, 49% of the CIOs surveyed identified security threats from malware as a major threat posed by unlicensed software [3]. Additionally, 26% of the employees surveyed admitted to installing outside software on work computers, and of these, 84% acknowledged installing two or more unauthorized programs [3]. SAM audits help identify and address the cyber security risks that stem from inappropriate use of software.

Reputational risks

Regulatory action resulting from adverse findings during a software vendor audit creates a significant reputational risk and can damage relations with large software product companies. According to BSA, it receives approximately 1,200 calls reporting non-compliance each year [4]. An established SAM function ensures compliance with the terms and conditions of software licenses and contracts. This, in turn, turns vendor audits from a threat to the organization's reputation into an opportunity to improve relations with the vendor conducting the audit.

Financial risks

There is significant financial risk associated with inefficient and ineffective SAM processes as well, in the form of unbudgeted financial outflows resulting from a vendor audit. SAM helps organizations optimize software spend through better negotiations with software vendors. It also makes the implementation of new technologies far easier and hassle-free while saving on licensing costs.

The use of software, and its associated implications, is not just a core IT issue but impacts the business as a whole. It is extremely important that the risks associated with the use of software are identified, addressed and reviewed periodically by the internal audit function.

[1] Copyright Law of the United States and Related Laws Contained in Title 17 of the United States
[2] Sarbanes–Oxley Act of 2002 – Securities and Exchange Commission
[3] Seizing Opportunity Through License Compliance – BSA Global Software Survey, May 2016
[4] BSA | The Software Alliance
