Over the past few years, there has been a large increase in the number of publisher-initiated software audits. The authority for these audits is often a provision in the end user license agreement which entitles the publisher to audit companies’ installations of the software. Audited companies often spend tens of thousands of dollars responding to the audits. With such costly (and often un-accrued for) liabilities a distinct possibility, the question that is begged to be asked is where does it make sense to apportion this responsibility. In other words, whose job is it to manage audit risk?
Depending on the type of software used, even the smallest company with 5-25 users can be subjected to extremely large costs resulting from an audit (or legal fees under a copyright action). In this size company, there is often a lack of qualified staff in-house to manage the situation, or companies this size may outsource their IT role altogether. In medium and much larger sized organizations, you often have qualified IT staff in place but confusion as to whose functional responsibility it is. In these organizations, there may be procurement, legal, and financial stakeholders that could conceivably carry some of the responsibility. One thing is almost certain though–as the size of the organization increases, so does the possible financial exposure from a software audit.
I recently posed the question on a professional networking web site asking for opinions as to whose job it is to manage software licensing. The responses were interesting because most of the contributors had different answers. Responses to the question ranged from the CFO to the IT staff, to various other titles throughout an organization. In some ways, everyone had it right, and in some ways, no-one did. My opinion and what these varied responses indicate, is that it is everyone’s job.
Compliance in any sized organization is certainly not easy. Constantly changing environments, technologies, and complex licensing agreements across platforms and business models all contribute to what has become a significant liability for many companies. One would be well advised to answer the posed question for their particular environment long before receiving an audit letter.