La lecture en ligne est gratuite
Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres
Télécharger Lire

Audit Report

De
9 pages
SOFTWARE LICENSING AUDIT 07-15 SEPTEMBER 28, 2007 SOFTWARE LICENSING AUDIT AUDIT 07-15 INTRODUCTION The City of Tampa’s Computing Policies and Procedures places the responsibility for software licensing with the user. Department Liaisons (DLs) are responsible for maintaining a record of all licenses purchased and forwarding the information to the Technology & Innovation (T&I) department. The Security Office maintains a file of software for each department of the City. The last Software Licensing audit was done July 20, 2004. STATEMENT OF OBJECTIVES This audit was conducted in accordance with the Internal Audit Department's FY07 Audit Agenda. The objectives of this audit were to: 1. Ensure that the polices and procedures for obtaining, installing, recording, and reconciling of software licenses are adequate. 2. Determine if sufficient software license information is retained in T&I or the User Department to substantiate license compliance for the software installed on the City’s PC’s. STATEMENT OF SCOPE The audit testing focused on current status of licensing documentation as of the 2nd and 3rd quarter of the 2007 fiscal year. Source documentation was obtained from the various departments within the City and the Technology and Innovation Department (T&I). Original records as well as copies were used as evidence and verified through physical examination. STATEMENT OF ...
Voir plus Voir moins
SOFTWARE LICENSING
AUDIT 07-15
SEPTEMBER 28, 2007
SOFTWARE LICENSING AUDIT
AUDIT 07-15
INTRODUCTION
The City of Tampa’s Computing Policies and Procedures places the responsibility for
software licensing with the user.
Department Liaisons (DLs) are responsible for
maintaining a record of all licenses purchased and forwarding the information to the
Technology & Innovation (T&I) department.
The Security Office maintains a file of
software for each department of the City.
The last Software Licensing audit was done
July 20, 2004.
STATEMENT OF OBJECTIVES
This audit was conducted in accordance with the Internal Audit Department's FY07 Audit
Agenda.
The objectives of this audit were to:
1.
Ensure that the polices and procedures for obtaining, installing, recording, and
reconciling of software licenses are adequate.
2.
Determine if sufficient software license information is retained in T&I or the User
Department to substantiate license compliance for the software installed on the City’s
PC’s.
STATEMENT OF SCOPE
The audit testing focused on current status of licensing documentation as of the 2nd and 3rd
quarter of the 2007 fiscal year.
Source documentation was obtained from the various
departments within the City and the Technology and Innovation Department (T&I).
Original records as well as copies were used as evidence and verified through physical
examination.
STATEMENT OF METHODOLOGY
The sample size and selection were statistically generated using a desired confidence level
of 90 percent, expected error rate of 5 percent, and a desired precision rate of 5 percent.
Statistical sampling was used in order to infer the conclusions of test work performed on a
sample to the population from which it was drawn and to obtain estimated sampling error
involved.
Computer processed data was not used to arrive at our conclusions; therefore, we are not
required to assess or attest to the reliability of this type of data.
STATEMENT OF AUDITING STANDARDS
We conducted our audit in accordance with generally accepted government auditing
standards.
Those standards require that we plan and perform the audit to afford a
reasonable basis for our judgments and conclusions regarding the organization, program,
activity or function under audit.
An audit also includes assessments of applicable internal
controls and compliance with requirements of laws and regulations when necessary to
satisfy the audit objectives.
We believe that our audit provides a reasonable basis for our
conclusions.
AUDIT CONCLUSIONS
Based upon the test work performed and the audit findings noted below, we conclude that:
1.
Due to the lack of a system to sufficiently track software licenses and to ensure
compliance with software agreements, the City has a potential for risk of civil
penalties.
2.
The T&I Department Liaison Program is not as effective as it could be because there
are no clear polices and procedures regarding software management, resulting in
inconsistencies in managing department software licenses.
2
SOFTWARE LICENSE COMPLIANCE FOR OTHER SOFTWARE
The City of Tampa’s Computing Policies and Procedures (Section 10 – Licensing) places
the responsibility for software licensing with the user.
The Department Liaisons (D/Ls)
are responsible for keeping a record of all software licenses purchased for their
departments.
The license information for software purchased by the department should
be forwarded to the Technology and Innovation’s Security Office (T&I) to be added to
the master record for the City.
T&I maintains a separate file for each department.
Internal Audit contacted the Software & Information Industry Association (SIIA) which
is one of the agencies that reviews software license compliance asking what
documentation they require during their reviews.
They responded – “the original
purchase documents typically list the software that comes OEM.
This may be in the form
of an invoice, packing list, or receipt”. Our testwork revealed that this documentation was
not available for every software instance requiring a license.
In some cases, purchase
orders with multiple copies of software were provided but it could not be determined
what PC the software was installed on.
For other software, only the installation CDs
could be located or the Department Liaisons stated that T&I had the documentation.
The lack of a system to track software license documentation and/or to ensure
compliance with software agreements could put the City at risk for potential civil
penalties and substantial fines.
In the SIIA Anti-Piracy 2006 Year in Review report, 49
companies settled copyright infringement claims with SIIA.
The SIIA audit of the Los
Angeles Sheriff’s Department determined that they were liable for a $210,000 penalty for
installing and using copies of a software product in excess of the number permitted by the
licensing agreement.
In addition to the penalty, the court also required the Sheriff’s
Office to pay more than $516,000 to the attorney of the software company that was
pirated and $38,000 in court cost – bringing the total amount paid to over $750,000.
We also noted that some PCs had games that were downloaded or other software where
license information could not be shown.
Most of this software was deleted by the D/L.
RECOMMENDATION
1
T&I should develop polices and procedures to centralize the acquisition and tracking of all
software utilized by the City.
3
AUDITEE RESPONSE
T&I concurs and has joined with Purchasing to develop a process to implement a new
Magic Self Service request form for software procurement.
Purchasing is also changing
their policy to require T&I approval on all software acquisitions.
In order to fully manage
the new process, T&I will purchase and implement additional tools to remotely identify
software installed on computer systems and to improve existing policy management
software to automatically prevent and or back-out unauthorized installs.
4
SOFTWARE LICENSE COMPLIANCE FOR OFFICE SOFTWARE
T&I maintains a database of all “reported” software by department.
“Reported” refers to
software that T&I has knowledge of such as MS Office, Visio, Crystal Reports, Novell and
GroupWise.
T&I reconciles the licenses for Novell and GroupWise on a yearly basis.
In
the past, T&I had the capability to remotely inventory MS Office software as well.
The
last reconciliation of MS Office software was conducted approximately 2 years ago.
During our testwork on the selected sample of PCs, it could not be determined if there were
sufficient licenses for each installation of MS Office.
The Department Liaisons provided
purchase orders for MS Office software.
However, the purchase orders listing multiple
copies of MS Office could not be traced to the PC where the software was installed.
As a
result, we could not determine if the MS Office installed on a particular PC was license
compliant.
RECOMMENDATION 2
T&I should resume their reconciliation of MS Office software. This should be done at least
once a year.
After completing the reconciliation of MS Office, other Citywide software
(i.e. MapInfo, Visio, and Crystal Reports) should be reconciled as well.
AUDITEE RESPONSE
T&I concurs and will prioritize a project to install Zenworks Middle Tier which provides
software reconciliation for all network attached PCs.
Furthermore, T&I will develop a
process to use the tool to assist in reconciliation of installed products on all network
attached PCs.
5
DEPARTMENT LIAISON PROGRAM
Internal Audit distributed a questionnaire to all Department Liaisons (D/Ls) requesting
responses on various aspects of software management.
The questions included:
how and what software is tracked;
if a software inventory is maintained;
what documentation is used to support authentication of software licenses;
if the D/Ls perform audits of the software in their department.
The responses varied greatly as to how software licenses information is maintained.
RECOMMENDATION
3
Until T&I centralizes the acquisition and tracking of software, T&I should develop
comprehensive polices and procedures for the D/Ls so that they can effectively manage the
software and PCs in their departments and help T&I ensure software license compliance.
T&I should periodically monitor the D/Ls to verify compliance with the policies and
procedures.
AUDITEE RESPONSE
T&I concurs and is currently involved in an Efficiency and Effectiveness Task Force
committee that is charged with developing plans to centralize technology software and
hardware procurement.
Similar to Recommendation 1, special software will be installed to
remotely reconcile and report all installed software and security measures will be
developed to better manage and back-out unauthorized software installs.
In the meantime,
T&I will educated D/Ls in all departments to adhere to software compliance policies and
will periodically follow up to ensure compliance.
6
Un pour Un
Permettre à tous d'accéder à la lecture
Pour chaque accès à la bibliothèque, YouScribe donne un accès à une personne dans le besoin