Part 2 - Who is Responsible for Software Piracy?

   

 

In the 1st article we claimed that Microsoft are primarily responsible for allowing software piracy to occur. Make no mistake, Microsoft IS RESPONSIBLE for software piracy, by failing to prevent piracy from within the operating system! However, due to the lack of any means embedded within the operating system, management at all levels has permitted the spread of piracy within organizations by having slack approaches to the task, as it is seen as "a soft issue", i.e. not threatening and low on the priority list.

Using product activation techniques that add no value to the end user customer, coupled with policeman tactics for trapping organizations caught with illegal software, is an arcane, retroactive attempt at piracy reduction. There are so many software activation codes and registration keys freely available that it is a wonder the piracy rates aren't actually higher, and they probably are, as the figures being floated are only raw industry estimates.

This article now lists the remainder of the groups who we believe are both encouraging piracy and failing to act responsibly, ethically and legally when it comes to limiting and minimising software piracy, and we list the reasons why we hold this view, which has been built up over 13 years of assisting organizations to help themselves to anti-piracy risk reduction.

In our view software audits are a complete waste of time, money and effort whilst the major players (Microsoft etc.) and the following named groups adopt a head-in-the-sand attitude to the key issues.

Who else is Responsible for Software Piracy? 

These are the remainder of the groups who we believe are both encouraging piracy and failing to act responsibly!

Management at all levels of an organization, e.g. all auditors, accountants, management and company directors as well as computer managers, needs to ensure it has the information needed to control software piracy and minimize the risk of lawsuits and adverse publicity towards the organization. Management at all levels of an organization needs to ensure that staff under its control use PC based systems in a software compliant manner, so as to minimise the risk of the organization being landed with a very hefty fine and legal fees when it gets caught with illegal software.

Besides, the MOST significant issue (and the most common reason for treating software compliance as a low priority activity) is that software compliance is NOT the core business activity of the entity and the money spent (as an overhead cost) on traditional auditing techniques is ALMOST TOTALLY WASTED.

This is no way to run your business entity, when the money for the cost of conducting software compliance audits (in the manner they are being conducted at present) could be far better spent on core business activities.

Now, let's have a look at the key offenders!

DIRECTORS

Directors have an implicit and direct corporate governance responsibility to ensure that the practices adopted within their organization are conducted according to the memorandum and articles of association of the organization in an ethical, legal and professional manner, and that all affairs are conducted with social responsibility and equity. Who says so? It's in their charter and in the code of ethics they are supposed to operate to! This is in conjunction with their objective and duty to aim for maximum investor return for stakeholders and ensure the survivability and continuance of the organization. To achieve this, directors discharge their duties by appointing managerial staff to carry out, perform and transact the day to day business affairs of the organization, often to Quality Standards such as ISO 9000, and other regulatory standards of key professional bodies such as the accounting and auditing profession, legal, engineering and medical professions etc.

Why are Directors responsible? In many instances they just aren't aware (and they should be) of the risks and implications and don't instruct managers, through their appointment, of the issues. Now, this is only one aspect of corporate governance (amongst a myriad of other legal issues directors need worry about), but when you see the risk that an organization is placed under due to managers and their staff NOT following ethical, legal, professional, socially responsible and equitable practices, this is one of the key issues that should be high on their agenda of risk items being constantly tested and checked for risk mitigation. The bottom line is "the buck stops at the top" and the directors end up wearing the cost for failing to exercise due diligence and due care when it comes to the spread of software piracy in their organizations!

CORPORATE MANAGERS

Managerial staff are appointed as officers of the organization or company to carry out, perform and transact the day to day business affairs of the organization, often to Quality Standards such as ISO 9000 etc., and many of these managers are members of key professional bodies such as the accounting and auditing profession, legal, engineering and medical professions etc.

Again, in many instances they just aren't aware (and they should be) of the risks and implications and don't instruct their line staff about the issues or manage them accordingly. As a result managerial staff, by failing to advise and instruct staff to carry out their duties in a compliant manner, place the organization at risk of being caught with illegal software. The manager has failed in this instance in the initial advisory and has also failed in follow-up and monitoring. Managerial policies and procedures need to be written to outline software compliance issues, and employment contracts need to have software compliance included as one of the clauses to keep it in focus.

Managers should also be alert to the common trap of "failing to budget for software" and challenge budgets submitted to ensure that the organization is always buying, at all times, the right volumes of software licenses for the staff counts and installations made. It's really pretty simple, yet we know many managers totally ignore software compliance and turn a blind eye to the practices in place within their area. The bottom line is "the buck stops at the top" and the managers also end up wearing the cost for failing to exercise due diligence and due care!

Managers "who turn a blind eye" as mentioned above need to check the code of ethics under which they operate when they belong to a professional body, as they deserve to lose their membership status when the code is violated!

ACCOUNTANTS

Why pick on accountants? Many of these adopt the same practices as the managers above, and also fail to budget the cost of software for the right number of staff in an organization. As a result staff are forced to cut corners and then install software illegally! Accountants should, when preparing budgets, ensure that all budgets submitted include the costs for the right volumes of software licenses for the staff counts and installations made across the company for the current period and the future.

Some accountants also have a bad habit of copying software to "give" to their clients to "do some basic bookkeeping stuff", e.g. MYOB, Quickbooks etc., and this is clearly illegal! Accountants "who turn a blind eye" as mentioned above need to check the code of ethics under which they operate when they belong to a professional body, as they deserve to lose their membership status when the code is violated in this manner!

COMPANY SECRETARIES (LEGAL)

These personnel are often qualified legal counsel or have gone through very onerous legal/paralegal training and obtained membership of their profession after significant levels of examination and interview for the role. They are unique in so far as they KNOW the law and the penalties that apply when breaking the laws of copyright, amongst a whole range of other statutes. They have a duty of care "to advise and be heard" and yet in many instances they don't follow through with the executive committee to ensure that the organization they work for is adequately protected by strong policy and procedures. They should also be ensuring that software compliance is "written into" employment contracts as a punishable action should the staff member be caught committing software piracy or copyright infringement when using the assets of the organization.

AUDITORS

The Internet and rapid advances in "software" copying capability via a wide range of media devices (USB card readers, zip drives, CD-ROM burners, cable/DSL and Peer2Peer file sharing etc.) have generated a whole new category of audit-related issues that have an impact on workload and level of effort, and on corporate and self governance.

Intellectual property and software copyright have up until now not really been significant areas of concern for auditors, BUT they should be, when you consider the impact and issues in the article "Why Bother About Proof Of Purchase" now contained in the Software Compliance Toolbox located at http://www.pcprofile.com/Software_Compliance_Toolbox_Intro.htm

Most auditors start out with good intentions but find that they become frustrated and impeded in the task due to staff not being available, PCs being locked out by password controls, reluctance of users to make the PC available and other operational imperatives that limit access. They soon give up and attempt piecemeal audits that are ineffective. Many audits need to be re-started due to disruption! The key issue auditors face is the large amount of data they end up gathering; due to a lack of resources, both labour and budget, to analyse the results and make their findings, the audit is rendered ineffective or incomplete. The other key issue is that auditors often find that the results they collect at audit discovery are ineffective, depending on the tool they use, due to issues such as false positives, too much data, inaccurate matching of results, changes in status during the audit cycle and a host of other issues too numerous to mention.

Auditors who only focus on the data gathering aspect of a software compliance audit often miss the physical matching to proof of purchase records (invoices) and original media.

They end up giving up on the audit and the end result is the auditor has failed in its duty of care role to the organization to minimise the risks involved due to failure to manage and monitor software compliance.

Auditing for software compliance with software-license agreements, right down to proving that what you have installed is "legally acquired, the license is owned and in your name, and you have the right number of licenses for what is installed", is now a critical part of audit plans due to the potential legal liability that can be caused as a result of software copyright violations.

Any organization that has any intention of complying with ISO 17799 and BS7799 (Code of Practice for Information Security Management) requires its auditors to be far more attentive to software compliance and licensing issues.

Lack of attention to detail with software compliance audits, due to the above reasons, increases risk in any organization, and the auditors are accountable for not enforcing an effective audit process to reduce the risk of being caught with illegal software.

IT MANAGERS

IT Managers are feeling the pressure to be innovative while working under very tight budget restrictions (http://itmanagement.earthweb.com/career/article.php/2113091): "According to the Gartner survey, cost pressures are the leading business driver for CIOs, who noted that the combination of security and risk management concerns mixed with the need for faster innovation is increasing their stress levels. The survey also shows that priorities have changed ... have all taken a backseat to a new list of must-do initiatives, such as business continuity, privacy and keeping pace with other businesses." "IT governance is about ensuring the right people are making the right decisions for the business and being held accountable," as quoted in the above article.

Cost pressures (lack of budget, being told to cut costs) lead to IT Managers cutting corners (and turning a blind eye to software piracy) because they are under pressure, both as to time and budget, and they end up installing (or their staff do) software which is not covered by authorized licenses, i.e. they install more licenses than they have paid for and can demonstrate as being owned.

This is TOTALLY against the code of ethics under which IT professionals (if they read their own charter) are expected to perform their duties as an "IT Professional".

GRAPHIC DESIGNERS

For some obscure reason history has shown (read the number of them that are listed as "pirates on parade" at your favourite "software piracy policeman" organization: BSA, BSAA, FAST, CAAST, SIIA etc.) that some graphic designers have a penchant for cutting corners (and turning a blind eye to software piracy) because they are under pressure, both as to time and budget, and they end up installing (or their staff do) software which is not covered by authorized licenses, i.e. they install more licenses than they have paid for and can demonstrate as being owned.

And yet, they will often vigorously, in any court of law on any continent, defend their copyright entitlements for their own creations of images and works of art, and in doing so become a contradiction in terms of ethical behaviour when they are using stolen tools of trade (software) to create the very works on which they claim copyright infringement for their own gain!

"NETIZENS" AND THE UNDERGROUND

There are a number of Internet based web site locations, some of which are readily accessible, others "underground", that offer free access (or some even charge a small fee) to "hackz", "warez", "crackz" and "serialz" -- codes that allow unauthorized access and allow you to operate and run illegally obtained programs. Some of these "workarounds" can turn a time-limited demo version into live functioning software. Others remove checks for hardware keys or provide elaborate installations designed to circumvent activation codes. Some just offer a whole pile of serial numbers and CD keys that are freely available (and some are being sold as well) for you to use in your organization. Then there are the "grey marketers" that offer a complete suite of software (and many others as well) on CD-ROM for $US25, and you get the access and registration keys emailed to you separately once you have paid "their fee". This group of persons are the grey marketers and profiteers, stealing software from the vendors and making it freely available to all and sundry, or profiteering when they charge fees for software licenses they don't own and for software they did not create.

INTERNET SERVICE PROVIDERS (ISPs)

Internet Service Providers have a big case to answer for allowing (they'll claim this is a censorship violation etc.) illegal activities to be saved, stored, downloaded, uploaded, performed and promoted on their servers and networks. They are in effect "sponsoring the piracy industry", not only with software piracy but also with music and video piracy. There have been some very interesting legal developments in the last 2 to 3 months whereby significant raids on the records of ISPs have taken place in both the US and AUS, and persons are being charged with piracy of music and software. This activity by legal authorities is likely to increase to embrace videos and DVDs as the industry players are targeting the soft targets to identify the illegal copyright infringement practitioners. Court action so far has caused minimal damage to the persons charged, however you can expect the music and video industry "to target the soft targets", i.e. the organizations where these staff work, and go after them, for they have the financial backing "to pay the piper's tune" (fines and fees).

LECTURERS AT EDUCATIONAL INSTITUTIONS

Despite the educational institution having rules against the practice, some lecturers openly encourage and even hand around pirated copies of software for students to use, all in the name of educational ethics, to promote free software on the basis that these are only students who can't afford it. The end result is that some of this software ends up on corporate systems, and this is totally illegal as the terms of the software license are restricted to use within an educational institution.

A common view within the educational sector and across many organizations is, "It's OK to have free software, everyone else is doing it, and besides Micro$oft is wealthy and they won't even know......... and how will they find out......" (The underground and some often refer to Microsoft Corporation by insertion of a "$" for the "s" to signify them.)

Illegal software is freely available and readily accessible in many forms: on CDs, both home-recorded and mass-produced, across the Internet, and most recently by being snaffled through Grokster, Snagster (came after Napster), Gnutella and other Peer-To-Peer (P2P) systems that utilise open shares on PC based systems. Port scanners have long been the source of intrusion, and it is now possible for files to be lifted off your PC from under your nose and for data to be extracted from your systems whilst ports are open and connections are not being monitored.

Students are experts at using the file sharing capabilities of peer-to-peer systems and can tell you how to download any piece of software that you want, and some of them learnt this as a "rite of passage" within the educational environment, often by direct contact with lecturers who "showed them the ropes".

COMPUTER RESELLERS

How many times have you seen in the press that some resellers, due to very tight margins on PC sales, are "caught out and fined" for using "hard disk loading" as a means to get the edge on another reseller for the sale of a PC? Hard disk loading is the practice of supplying software (no disk or manuals or licenses) with the PC as a competitive edge for a "price point", and yet the software is illegally supplied as you didn't pay for it.

This often occurs when you ask the vendor "what software can I have with that" as an "under the counter" transaction. Think it doesn't happen? Check the number of reseller sites that are listed as "pirates on parade" at your favourite "software piracy policeman" organization (BSA, BSAA, FAST, CAAST, SIIA etc.).

YOU AND ME! (this part WILL offend some of you, as it’s "high moral ground"!)

Lastly, it’s down to you and me.

Hands up if you have NEVER copied a piece of software from a friend's PC to your own or offered some software from your own PC to your friends? Although I can't see you, I suspect that there are not too many hands waving in the breeze!

It starts with each and every single one of us.

We all need to be more mindful of the issues and the risk and NOT copy software across systems.

When we go to a supermarket or a chain store, do we all decide to walk out with 1/3 of the store's inventory because we feel it's OK to do so? Most of us don't, only a few hardened desperate individuals do. By copying software we fall to the ranks of the criminal world by aiding and abetting software piracy.

This is moral high ground stuff, but the reality is, it's true.

By the way, the "atypical types of frequent copiers" of software (copyright violators) are: accountants, lawyers, students, lecturers, architects, doctors, managers, directors, teachers ... i.e. right across all professions and walks of life!

So what, you say, we are still going to copy the software anyway!

Using Illegal Software is a BIG RISK - you know this already,

BUT DID YOU KNOW THAT ....................?

If a software vendor, e.g. Microsoft, Autocad, Oracle, Novell etc., has reasonable grounds for believing that illegal software (which can also include sounds, films, videos, games, images, fonts) is being used on your systems and that evidence may be destroyed if notice is given, then the software vendor may apply to a Court of Law for an Anton Piller Order.

In simple terms, an Anton Piller Order is a legally binding order issued by a Court which requires persons in charge of the premises (irrespective of whether they are a government agency, company or private residence) to allow the Vendor and its representatives to enter the organisation's property for the purpose of searching for and seizing illegal copies of software (including sounds, films, videos, games, images, fonts) PLUS manuals, disks, media, computers, CD/DVD burners, hard disks, backup tapes, floppy disks etc. which indicate that software (or other intellectual property) theft has occurred.

In the case of sites where resellers are involved this may also include databases of sales, e-mail and Internet downloads, where the reseller or premises owner knowingly (or unknowingly) sold illegal software to third parties. This reseller "practice" is often described as "backup versions" to try and shift the issue or responsibility to the buyer rather than the seller. If you have purchased software from these resellers then you are on the TARGET list of contacts to chase up with a raid at some stage to investigate your systems, as both parties can be investigated for illegal software, one for selling and one for buying or obtaining.

For obvious reasons NO NOTICE is given in advance regarding when the Vendor's representatives and solicitors will arrive at the premises for the purposes of carrying out the search and seizure.

All material seized on the search is used as evidence in the proceedings for the infringement of copyright. See Anton Piller Order for more details.

WHY BOTHER ABOUT PROOF OF PURCHASE?

One of the most painful aspects of all is the requirement after the order is served, usually within 14 days, to provide documentary evidence to the court, which PROVES that you own the software that is the subject of the court order (and may extend to PROVING that ALL software is legally acquired), by showing software compliance registers (an inventory approach), licence numbers, discs and manuals, AND originals of all invoices from the SUPPLIERS of the software that you own!

Imagine what you need to do to backtrack and reconstruct accounting records etc. to PROVE (and this INCLUDES copies of invoices etc.) that you have paid "fair market value" (i.e. legally acquired licences) for what you have installed.

SOFTWARE AUDITS ARE NOT YOUR CORE BUSINESS ACTIVITY! 

Software Compliance Audits for many businesses and organisations are so low down the priority chain (despite the knowledge of the impact of the Anti-Piracy Police agencies [BSA, SIIA, CAAST, FAST, BSAA etc.]) that the software audit is continually put off, thus increasing the risk to senior management and stakeholders.

The MOST significant issue (and the most common reason for the low priority activity) is that software compliance is NOT the core business activity of the entity and the money spent (as an overhead cost) on traditional auditing techniques is ALMOST TOTALLY WASTED.

This is no way to run your business entity, when the money for the cost of conducting software compliance audits (in the manner they are being conducted at present) could be far better spent on core business activities such as;

TAKE SOFTWARE COMPLIANCE SERIOUSLY!

FORCE a SEA-CHANGE in end-user attitudes by managing Software Compliance by keeping the level of effort FOCUSED at the end-user level and this will lower the cost of ownership.

Having a Software Asset Control system in place enables both you and your staff to get on with your CORE business activity - which we know is NOT conducting software compliance audits!

Managing software compliance by keeping the level of effort down lowers the cost of ownership and reduces risk! TAKE CONTROL today by visiting
http://www.pcprofile.com

 


 Site & Contents Copyright © 1998-2003 Rob Harmer Consulting Services Pty Ltd
Last Updated April 29th 2003 -  PCProfile  is based in Adelaide, South Australia - Fax +  61 8 8265 1961 Time zone GMT +9:30