Draft Internal Audit Report Software Licensing Audit. December 2009




Contents

Executive Summary    3
Observations and Recommendations    6
Appendix 1 - Audit Framework    9
Appendix 2 - Staff Interviewed    10
Statement of Responsibility    11

Software Licensing Audit 2009/2010
Audit Ref: TBC

Executive Summary

Introduction & Background

1. This audit forms part of the 2009/10 Internal Audit Plan, which has been approved by the Mayor and the Audit Panel. The audit entails evaluation of the control environment established and applied to the Authority's compliance with statutory software copyright requirements.

2. The two primary risk issues in this audit area are that:
i. Non-compliance with statutory copyright requirements may result in financial and reputational damages.
ii. Poor software record management can result in extra costs and waste of assets.

Note: Copyright infringement of software (often referred to as software piracy) refers to several practices which involve the unauthorised copying of computer software. The Federation Against Software Theft (FAST) www.fastiis.org advised in 2009 that one unnamed public sector borough was a staggering 600,000 overlicensed, after it failed to record what software it had on old hardware that had simply been ditched.

3. The audit framework, set out in Appendix 1, shows that the audit examined the two primary risk issues highlighted above by evaluating the controls that have been established and applied by management in the following five key areas:
a) Policies, roles and responsibilities
b) Procurement arrangements
c) Inventory records
d) Security of primary copyright software records and source material
e) Software disposal arrangements

Following review of the control evaluation results for each of the five areas assessed in this audit (see below), two Priority 2 recommendations, which are detailed in section 1 of this report, were agreed to be addressed by local management.

Audit Opinion: Substantial Assurance

Evaluation Opinion: While there is a basically sound system there are weaknesses, which may put some of the system objectives at risk.

Testing Opinion: There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

a) Software Policies, Roles and Responsibilities

4. The GLA Code of Ethics and Standards for Staff covers the protocol on the Usage of ICT in the GLA. This includes the restrictions on duplicating software and also touches on the Computer Misuse and Data Protection Acts. The Technology Group have created a number of Assured Quality Action Procedures (AQAPs) for various IT processes, and these are used as a means of communicating approved protocol to staff. Staff are required to read, and sign that they have read, the Code of Ethics, which covers all the IT processes that they are required to adhere to. A presentation is also made during staff induction which covers the role of the Technology Group and the software procurement and asset management process. Senior management within the Technology Group are the prime authors of the AQAPs related to software licensing and are therefore aware of the importance of using licensed software. The procedures are required to be followed by all staff and, as the desktops are locked down, there is relatively low risk of staff installing unlicensed software on the GLA systems. Testing confirmed that users without appropriate administrator rights are unable to install software. Prime software licensing responsibility lies with the Assets and Procurement Officer, who must approve all requests for software before it is purchased/installed.

b) Procurement Arrangements

5. Software purchase AQAPs have been created which provide staff with guidelines regarding the purchase of Microsoft, Acrobat, Apple and non-standard software. As software can only be installed by users with administrator rights in the Technology Group, there is little risk of users purchasing their own software and installing it on the network, as they will not be able to do so. The Technology Group budget includes a budget for IT Software Purchases, Licenses and Maintenance. Corporate IT software and standard software is purchased from the Technology Group Software Budget. Any specific departmental software is purchased from departmental budgets. All software purchases must be approved by the Assets and Procurement Officer, and relevant checks are therefore undertaken to ensure the software is charged to the correct cost centre. An approved list of software is included in the technical standard, which is used as a purchase guide for most software. The GLA are also part of the Government Select purchasing scheme, which allows the GLA to obtain discount prices and buy software as and when business needs require. Software that is no longer required by individual officers or members is transferred to existing GLA users and licences are transferred across the GLA Group. All software upgrades are required to go through the Change Advisory Board.

c) Inventory Records

6. A list of all software is maintained on the Track It database and records of the physical software media are kept on a separate inventory. Software records were previously documented in spreadsheets and some spreadsheets are still in use; however, all software is due to be transferred to the central database in the next few months. The software inventory is reviewed on a regular basis, as software is evaluated by the Technical Design Board to determine whether it is still required.

Reviews are also undertaken as software maintenance renewal periods occur, and regular liaison with the business helps to establish whether software is still required.

d) Security and Copyright of Software

7. Electronic software licences are stored in folders accessed through the Microsoft Outlook file plan, with access restricted to the IT management team. Physical licences are kept in lever arch files which are stored in a locked cupboard in the IT controlled area. Original software media is held in locked cupboards within the IT controlled area and the Assets and Procurement Officer is responsible for the keys. If members of staff require access to the software media they must obtain permission from the Assets and Procurement Officer and sign the keys in and out. The Technology Group are also members of FAST (The Federation Against Software Theft) and are working towards the FAST Standards for Software Compliance. A service desk call is raised for software to be installed and the call is assigned to a designated technician to install the software. Software installation procedures vary depending on the software: if procedures are included with the software then these are provided to the technician; however, some software-specific procedures have also been documented. SMS reports are generated to identify all the software that is currently installed on the GLA systems. The SMS report is then checked against the consumption reports provided by Adobe and Microsoft to ensure the software used matches the software installed. It was identified that software reconciliations are not documented. Discussion identified that consumption reports for other software are only obtained for software that is heavily used. Therefore software reconciliations are not undertaken for all software used by the GLA, and a recommendation has been raised to address this.

e) Software Disposal Arrangements

8. Software that is not required is removed from a user's PC by an IT technician via a request from the service desk. Information regarding the software is documented in the Track It database. If the whole PC is required to be wiped because the PC is being replaced by a new model, then the PC is sent to Maxitech, the approved third party disposal provider, for secure destruction. It was identified that software media held by the GLA has not yet been evaluated to determine whether it should be retained or destroyed. A Board meeting is to be arranged to discuss the matter in more detail before the software can be destroyed. Therefore potentially outdated software could be retained by the GLA. There are also no documented procedures regarding software disposal, and a recommendation has been raised to address this.

Observations and Recommendations

In order to assist management in using our reports:

a) We categorise our opinions according to our assessment of the controls in place and the level of compliance with these controls.

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.
Substantial Assurance: While there is a basically sound system, there are areas of weakness which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.
Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.
No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.

b) We categorise our recommendations according to their level of priority.

Priority 1: Major issues for the attention of senior management.
Priority 2: Other recommendations for local management action.
Priority 3: Minor matters.

Security and Copyright of Software

1. Software Audits (Priority 2)

Recommendation
Management should ensure regular software audits are undertaken to match all software installed on the GLA systems against all the licences that have been purchased. Evidence and sign-off of the reconciliations should be retained for future reference.

Rationale
Performing regular software audits helps to ensure the software that has been installed on the GLA systems has been licensed. Audit was informed that Microsoft Systems Management Server (SMS) reports are generated to identify all the software that is currently installed on the GLA systems. The SMS report is checked against the consumption reports provided by Adobe and Microsoft to ensure the software used matches the software that has been installed. Consumption reports are also obtained for heavily used software and necessary checks are carried out. However, this is not performed for all software installed on GLA systems and evidence of the checks/reconciliation is not documented. Unless comprehensive software audits are carried out, there is an increased risk of legislative action where the instances of software installed exceed the number of licences held. There is also an increased risk of unauthorised or illegal software remaining undetected on the GLA network.

Management response with the responsibility and due date
Agreed: regular software audits will be undertaken and documented. Different categories of software may be checked at different times of the year.
Responsible Officer: Sylvia Glenn (Assets and Procurement Officer)
Deadline: Nov 2010
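The reconciliation Recommendation 1 asks for, worked through as an added example. This is not code from the audit report or any GLA tooling; it assumes two exports of the kind described above, an installed-software inventory (as an SMS report would give) and a licence register, both constructed here as small CSV strings with made-up hostnames, products and seat counts. It collapses duplicate detections to one installation per device, matches product names case-insensitively, and separates the three findings an auditor looks for: installs exceeding seats, software with no licence record at all, and paid-for seats with no installs. The output is a record with reviewer and date fields so the evidence of the check can be retained.

```python
"""Reconcile an installed-software inventory against a licence register.

Added example, not the audit report's or the GLA's own tooling. The CSV
inputs below are constructed; in practice the inventory would be an export
from the desktop inventory tool and the register from the licence records.
"""
import csv
import io
import json
from collections import Counter
from datetime import date

# Constructed inventory export: one row per detected installation.
# PC001 appears twice for Acrobat Pro to show duplicate rows being
# collapsed to a single installation per device.
INVENTORY_CSV = """hostname,product,version
PC001,Acrobat Pro,9.0
PC001,Acrobat Pro,9.1
PC002,acrobat pro,9.0
PC003,Acrobat Pro,9.0
PC001,Office Professional,2007
PC002,Office Professional,2007
PC004,Visio,2007
PC005,Unknown Utility,1.2
"""

# Constructed licence register: seats purchased per product.
LICENCES_CSV = """product,seats
Acrobat Pro,2
Office Professional,5
Visio,1
Project,3
"""


def normalise(name):
    """Match product names case- and whitespace-insensitively."""
    return " ".join(name.split()).casefold()


def load_inventory(text):
    """Return {product: number of devices with it installed}."""
    devices = set()
    for row in csv.DictReader(io.StringIO(text)):
        devices.add((row["hostname"].strip(), normalise(row["product"])))
    return Counter(product for _, product in devices)


def load_licences(text):
    """Return {product: seats}, summing duplicate register entries."""
    seats = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        seats[normalise(row["product"])] += int(row["seats"])
    return seats


def reconcile(installed, entitled):
    """Compare install counts with entitlements.

    over_deployed: installs exceed seats (licence breach exposure)
    unentitled:    installed but absent from the register (unauthorised or unrecorded)
    unused_seats:  seats with no matching installs (waste / over-licensing)
    """
    over, unentitled, unused = {}, {}, {}
    for product in set(installed) | set(entitled):
        n_inst = installed.get(product, 0)
        n_seat = entitled.get(product)
        if n_seat is None:
            unentitled[product] = n_inst
        elif n_inst > n_seat:
            over[product] = n_inst - n_seat
        elif n_inst < n_seat:
            unused[product] = n_seat - n_inst
    return {"over_deployed": over, "unentitled": unentitled, "unused_seats": unused}


def reconciliation_record(findings, reviewer, as_of):
    """Build the retained evidence record the recommendation asks for."""
    compliant = not findings["over_deployed"] and not findings["unentitled"]
    return {
        "as_of": as_of.isoformat(),
        "reviewed_by": reviewer,
        "compliant": compliant,
        "findings": findings,
    }


def run_example():
    """Run the reconciliation over the constructed data (date is constructed too)."""
    findings = reconcile(load_inventory(INVENTORY_CSV), load_licences(LICENCES_CSV))
    return reconciliation_record(findings, "Assets and Procurement Officer", date(2009, 12, 1))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2, sort_keys=True))
```

On the constructed data the record shows Acrobat Pro over-deployed by one seat, one product with no licence record, and unused seats for Office Professional and Project, so the reconciliation is marked non-compliant. Counting devices rather than raw rows matters because inventory tools commonly report the same installation more than once; without that step an honest estate can look over-deployed.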

Software Disposal Arrangements

2. Software Disposal (Priority 2)

Recommendation
Management should ensure software disposal procedures are documented and disseminated to staff. In addition, an exercise to identify software media that is no longer required should be undertaken, and identified redundant software should be securely transferred or disposed of.

Rationale
Documenting software disposal procedures helps to ensure software is disposed of securely. Evaluating software for disposal purposes helps to ensure old or unlicensed software is identified and disposed of securely. It was identified that software media has not been evaluated to determine whether it is required for business purposes or whether it can be destroyed securely. Software disposal procedures have also not been created. Where software disposal procedures are not created, there is an increased risk that software is disposed of in an ad hoc manner, leading to unauthorised users accessing the software. Where software is not identified for disposal, there is an increased risk that old software is re-used without a valid licence or expired versions of software are installed on the network, causing compatibility issues with the current IT environment.

Management response with the responsibility and due date
Agreed: all software media will be reviewed and redundant software will be disposed of.
Responsible Officer: Sylvia Glenn (Assets and Procurement Officer)
Deadline: March 2010

Appendix 1 - Audit Framework

Audit Objectives
The primary objective of the audit is to provide an independent assurance assessment on the adequacy of the control environment established for software licensing.

Audit Approach and Methodology
The audit approach was developed with reference to an assessment of risks and management controls operating within each area of the scope. The following procedures were adopted:
- identification of the role and objectives of each area;
- identification of risks within the systems, and controls in existence to allow the control objectives to be achieved; and
- evaluation and testing of controls within the systems.
From these procedures we have identified weaknesses in the systems of control and produced specific proposals to improve the control environment.

Areas Covered
Audit work was undertaken to cover controls in the following areas:
a) Policies, roles and responsibilities
b) Procurement arrangements
c) Inventory records
d) Security of primary copyright software records and source material
e) Software disposal arrangements.

Appendix 2 - Staff Interviewed

We would like to thank all staff that provided assistance during the course of this audit, and in particular the following:
Graham Lane, IT Licensing Manager (definitive software licence system manager)
Sylvia Glenn, Assets and Procurement Officer
Chris IImthurn, Business Manager

Statement of Responsibility

We take responsibility for this report, which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management, and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas identified by management as being of greatest risk and significance, and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Deloitte & Touche Public Sector Internal Audit Limited
St Albans
December 2009

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

2009 Deloitte & Touche Public Sector Internal Audit Limited. All rights reserved. Deloitte & Touche Public Sector Internal Audit Limited is registered in England and Wales with registered number 4585162. Registered office: Hill House, 1 Little New Street, London, EC4A 3TR, United Kingdom.