Draft Internal Audit Report Software Licensing Audit December 2009
Contents

Executive Summary 3
Observations and Recommendations 6
Appendix 1 - Audit Framework 9
Appendix 2 - Staff Interviewed 10
Statement of Responsibility 11

Software Licensing Audit 2009/2010
Audit Ref: TBC
Executive Summary

Introduction & Background

1. This audit forms part of the 2009/10 Internal Audit Plan, which has been approved by the Mayor and the Audit Panel. The audit entails evaluation of the control environment established and applied to the Authority's compliance with statutory software copyright requirements.

2. The two primary risk issues in this audit area are that:

i. Non-compliance with statutory copyright requirements may result in financial and reputational damages.
ii. Poor software record management can result in extra costs and waste of assets.

Copyright infringement of software (often referred to as software piracy) refers to several practices which involve the unauthorised copying of computer software. The Federation Against Software Theft (FAST) www.fastiis.org advised in 2009 that one unnamed public sector borough was a staggering 600,000 over-licensed, after it failed to record what software it had on old hardware that had simply been ditched.

3. The Audit Framework, set out in Appendix 1, shows that the audit examined the two primary risk issues highlighted above by evaluating the controls that have been established and applied by management in the following five key areas:

a) Policies, roles and responsibilities
b) Procurement arrangements
c) Inventory records
d) Security of primary copyright software records and source material
e) Software disposal arrangements

Following review of the control evaluation results for each of the five areas assessed in this audit (see below), two Priority 2 recommendations, which are detailed in section 1 of this report, were agreed to be addressed by local management.

Audit Opinion: Substantial Assurance

Evaluation Opinion: While there is a basically sound system, there are weaknesses which may put some of the system objectives at risk.

Testing Opinion: There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Page 3 of 11
a) Software Policies, Roles and Responsibilities

4. The GLA Code of Ethics and Standards for Staff covers the protocol on the Usage of ICT in the GLA. This includes the restrictions on duplicating software and also touches on the Computer Misuse and Data Protection Acts. The Technology Group have created a number of Assured Quality Action Procedures (AQAPs) for various IT processes, and these are used as a means of communicating approved protocol to staff. Staff are required to read, and sign that they have read, the Code of Ethics, which covers all the IT processes they are required to adhere to. A presentation is also made during staff induction which covers the role of the Technology Group and the software procurement and asset management process.

Senior management within the Technology Group are the prime authors of the AQAPs related to software licensing and are therefore aware of the importance of using licensed software. The procedures are required to be followed by all staff and, as the desktops are locked down, there is relatively low risk of staff installing unlicensed software on the GLA systems. Testing confirmed that users without appropriate administrator rights are unable to install software. Prime software licensing responsibility lies with the Assets and Procurement Officer, who must approve all requests for software before it is purchased or installed.

b) Procurement Arrangements

5. Software purchase AQAPs have been created which provide staff with guidelines regarding the purchase of Microsoft, Acrobat, Apple and non-standard software. As software can only be installed by users with administrator rights in the Technology Group, there is little risk of users purchasing their own software and installing it on the network, as they will not be able to do so. The Technology Group budget includes a budget for IT Software Purchases, Licenses and Maintenance. Corporate IT software and standard software is purchased from the Technology Group Software Budget. Any specific departmental software is purchased from departmental budgets. All software purchases must be approved by the Assets and Procurement Officer, and therefore relevant checks are undertaken to ensure the software is charged to the correct cost centre.

An approved list of software is included in the technical standard, which is used as a purchase guide for most software. The GLA are also part of the Government Select purchasing scheme, which allows the GLA to obtain discounted prices and buy software as and when business needs require. Software that is no longer required by individual officers or members is transferred to existing GLA users, and licences are transferred across the GLA Group. All software upgrades are required to go through the Change Advisory Board.

c) Inventory Records

6. A list of all software is maintained on the Track It database, and records of the physical software media are held on a separate inventory. Software records were previously documented in a spreadsheet and some spreadsheets are still in use; however, all software is due to be transferred to the central database in the next few months. The software inventory is reviewed on a regular basis, as software is evaluated by the Technical Design Board to determine whether it is still required.
Reviews are also undertaken as software maintenance renewal periods occur, and regular liaison with the business helps to establish whether software is still required.

d) Security and Copyright of Software

7. Electronic software licences are stored in folders accessed through the Microsoft Outlook file plan, with access restricted to the IT management team. Physical licences are kept in lever arch files which are stored in a locked cupboard in the IT controlled area. Original software media is held in locked cupboards within the IT controlled area, and the Assets and Procurement Officer is responsible for the keys. If members of staff require access to the software media they must obtain permission from the Assets and Procurement Officer and sign the keys in and out. The Technology Group are also members of FAST (the Federation Against Software Theft) and are working towards the FAST Standards for Software Compliance.

A service desk call is raised for software to be installed, and the call is assigned to a designated technician to install the software. Software installation procedures vary depending on the software: if procedures are included with the software, these are provided to the technician, and some software-specific procedures have also been documented.

SMS reports are generated to identify all the software that is currently installed on the GLA systems. The SMS report is then checked against the consumption reports provided by Adobe and Microsoft to ensure the software used matches the software installed. It was identified that these software reconciliations are not documented. Discussion identified that consumption reports for other software are only obtained for software that is heavily used. Therefore software reconciliations are not undertaken for all software used by the GLA, and a recommendation has been raised to address this.

e) Software Disposal Arrangements

8. Software that is not required is removed from a user's PC by an IT technician via a request from the service desk, and information regarding the software is documented in the Track It database. If a whole PC is to be wiped because it is being replaced by a new model, the PC is sent to Maxitech, the approved third-party disposal provider, for secure destruction.

It was identified that software media held by the GLA has not yet been evaluated to determine whether it should be retained or destroyed. A Board meeting is to be arranged to discuss the matter in more detail before any software can be destroyed; therefore potentially outdated software could be retained by the GLA. There are also no documented procedures regarding software disposal, and a recommendation has been raised to address this.
Observations and Recommendations

In order to assist management in using our reports:

a) We categorise our opinions according to our assessment of the controls in place and the level of compliance with these controls.

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.

Substantial Assurance: While there is a basically sound system, there are areas of weakness which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.

b) We categorise our recommendations according to their level of priority.

Priority 1: Major issues for the attention of senior management.
Priority 2: Other recommendations for local management action.
Priority 3: Minor matters.
Security and Copyright of Software

1. Software Audits (Priority 2)

Recommendation

Management should ensure regular software audits are undertaken to match all software installed on the GLA systems against all the licences that have been purchased. Evidence and sign-off of the reconciliations should be retained for future reference.

Rationale

Performing regular software audits helps to ensure that the software installed on the GLA systems has been licensed. Audit was informed that Microsoft Systems Management Server (SMS) reports are generated to identify all the software currently installed on the GLA systems. The SMS report is checked against the consumption reports provided by Adobe and Microsoft to ensure the software used matches the software that has been installed. Consumption reports are also obtained for other heavily used software and the necessary checks are carried out. However, this is not performed for all software installed on GLA systems, and evidence of the checks/reconciliation is not documented.

Unless comprehensive software audits are carried out, there is an increased risk of legal action where the number of instances of software installed exceeds the number of licences held. There is also an increased risk of unauthorised or illegal software remaining undetected on the GLA network.

Management response with the responsibility and due date

Agreed: regular software audits will be undertaken and documented. Different categories of software may be checked at different times of the year.

Responsible Officer: Sylvia Glenn (Assets and Procurement Officer)
Deadline: Nov 2010
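The reconciliation the recommendation describes (installed instances from an SMS-style inventory matched against the licences held, with retainable evidence of the result) is illustrated below. This is an added example written for this page, not the GLA's or Deloitte's tooling; the CSV layouts, device names, product names and licence counts are constructed for the illustration, and a real run would substitute the SMS software-inventory export and the licence register held by the Assets and Procurement Officer. It goes slightly beyond the text by also reporting products that are installed with no entitlement record at all, and products with unused licences (the FAST over-licensing scenario in the Executive Summary).

```python
"""Added example: reconcile an installed-software inventory against licence
records and flag shortfalls, surpluses and unlicensed products.

Illustration code for this page, not the GLA's or Deloitte's tooling. The
CSV layouts, names and counts are constructed; a real run would use the SMS
software-inventory export and the licence register.
"""
import csv
import hashlib
import io
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed SMS-style inventory export: one row per (device, product).
# A product may be reported more than once for one device (e.g. a suite and
# its components), and publisher/product spelling varies between rows.
INVENTORY_CSV = """device,publisher,product,version
GLA-PC-001,Microsoft,Office Professional,2007
GLA-PC-001,Microsoft ,office professional,2007
GLA-PC-002,Microsoft,Office Professional,2007
GLA-PC-003,Adobe,Acrobat Professional,9
GLA-PC-004,Adobe,Acrobat Professional,9
GLA-PC-005,Adobe,Acrobat Professional,9
GLA-PC-006,ExampleSoft,Diagram Studio,3
"""

# Constructed licence register: entitlements counted per device.
LICENCES_CSV = """publisher,product,licences
Microsoft,Office Professional,5
Adobe,Acrobat Professional,2
Apple,Final Cut,1
"""


def normalise(publisher: str, product: str) -> str:
    """Key products consistently; inventory and purchase records rarely match byte-for-byte."""
    return f"{publisher.strip().lower()}::{' '.join(product.split()).lower()}"


@dataclass
class Finding:
    product: str
    installed: int   # distinct devices with the product installed
    licensed: int    # licences held (0 when no entitlement record exists)
    status: str      # compliant / under-licensed / over-licensed / unlicensed


def count_installed(inventory_csv: str) -> dict:
    """Map product key -> set of devices, so duplicate rows per device are not double counted."""
    devices = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        devices[normalise(row["publisher"], row["product"])].add(row["device"].strip())
    return devices


def load_licences(licences_csv: str) -> dict:
    """Map product key -> total licences purchased (several purchase lines may add up)."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(licences_csv)):
        counts[normalise(row["publisher"], row["product"])] += int(row["licences"])
    return counts


def reconcile(inventory_csv: str, licences_csv: str) -> list:
    """Compare installs with entitlements for every product seen on either side."""
    installed = count_installed(inventory_csv)
    licensed = load_licences(licences_csv)
    findings = []
    for key in sorted(set(installed) | set(licensed)):
        n_inst = len(installed.get(key, ()))
        n_lic = licensed.get(key, 0)
        if key not in licensed:
            status = "unlicensed"       # installed, no entitlement on record
        elif n_inst > n_lic:
            status = "under-licensed"   # more installs than licences: copyright exposure
        elif n_inst < n_lic:
            status = "over-licensed"    # paid-for licences unused: wasted assets
        else:
            status = "compliant"
        findings.append(Finding(key, n_inst, n_lic, status))
    return findings


def evidence_record(findings: list, inventory_csv: str, licences_csv: str, reviewer: str) -> dict:
    """Retainable evidence of the reconciliation: exceptions plus a digest of the inputs used."""
    digest = hashlib.sha256(inventory_csv.encode() + b"\n--\n" + licences_csv.encode()).hexdigest()
    return {
        "inputs_sha256": digest,
        "reviewer": reviewer,
        "exceptions": [f.__dict__ for f in findings if f.status != "compliant"],
    }


if __name__ == "__main__":
    results = reconcile(INVENTORY_CSV, LICENCES_CSV)
    for f in results:
        print(f"{f.product:40} installed={f.installed:2} licensed={f.licensed:2}  {f.status}")
    print(json.dumps(evidence_record(results, INVENTORY_CSV, LICENCES_CSV,
                                     "Assets and Procurement Officer"), indent=2))
```

On the constructed data the run reports Acrobat as under-licensed (three devices, two licences), Office as over-licensed (two devices after the duplicate row on GLA-PC-001 is collapsed, five licences), Diagram Studio as unlicensed and Final Cut as a licence with no install. Counting distinct devices rather than inventory rows matters: raw SMS rows would otherwise overstate installs and trigger false shortfalls. The evidence record, with the input digest and the reviewer's name, is the kind of artefact the recommendation asks to be retained and signed off.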
Software Disposal Arrangements

2. Software Disposal (Priority 2)

Recommendation

Management should ensure software disposal procedures are documented and disseminated to staff. In addition, an exercise to identify software media that is no longer required should be undertaken, and identified redundant software should be securely transferred or disposed of.

Rationale

Documenting software disposal procedures helps to ensure software is disposed of securely. Evaluating software for disposal purposes helps to ensure old or unlicensed software is identified and disposed of securely. It was identified that software media has not been evaluated to determine whether it is required for business purposes or whether it can be destroyed securely. Software disposal procedures have also not been created.

Where software disposal procedures are not created, there is an increased risk that software is disposed of in an ad hoc manner, leading to unauthorised users accessing the software. Where software is not identified for disposal, there is an increased risk that old software is re-used without a valid licence, or that expired versions of software are installed on the network, causing compatibility issues with the current IT environment.

Management response with the responsibility and due date

Agreed: all software media will be reviewed and redundant software will be disposed of.

Responsible Officer: Sylvia Glenn (Assets and Procurement Officer)
Deadline: March 2010
Appendix 1 - Audit Framework

Audit Objectives

The primary objective of the audit is to provide an independent assurance assessment of the adequacy of the control environment established for software licensing.

Audit Approach and Methodology

The audit approach was developed with reference to an assessment of risks and management controls operating within each area of the scope. The following procedures were adopted:

identification of the role and objectives of each area;
identification of risks within the systems, and controls in existence to allow the control objectives to be achieved; and
evaluation and testing of controls within the systems.

From these procedures we have identified weaknesses in the systems of control and produced specific proposals to improve the control environment.

Areas Covered

Audit work was undertaken to cover controls in the following areas:

a) Policies, roles and responsibilities
b) Procurement arrangements
c) Inventory records
d) Security of primary copyright software records and source material
e) Software disposal arrangements.
Appendix 2 - Staff Interviewed

We would like to thank all staff who provided assistance during the course of this audit, and in particular the following:

Graham Lane, IT Licensing Manager (definitive software licence system manager)
Sylvia Glenn, Assets and Procurement Officer
Chris IImthurn, Business Manager.
Statement of Responsibility

We take responsibility for this report, which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not, and should not be taken as, a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management, and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud.

Internal audit procedures are designed to focus on areas identified by management as being of greatest risk and significance, and as such we rely on management to provide us with full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system.

The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.
Deloitte & Touche Public Sector Internal Audit Limited
St Albans
December 2009

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

2009 Deloitte & Touche Public Sector Internal Audit Limited. All rights reserved. Deloitte & Touche Public Sector Internal Audit Limited is registered in England and Wales with registered number 4585162. Registered office: Hill House, 1 Little New Street, London, EC4A 3TR, United Kingdom.