
Understanding The Connection Between Software Compliance


By Robert Scott
Partner
Scott and Scott

The Securities and Exchange Commission's ("SEC") rules developed in response to Section 404 of the Sarbanes-Oxley Act of 2002 ("SOX") require companies subject to SOX to maintain adequate internal controls over financial reporting and to prevent or detect unauthorized acquisition or use of assets.

Most public companies treat SOX compliance and Software License Compliance as separate initiatives and rarely understand that compliance with SOX Section 404 is impossible without the tools, processes, and expertise necessary to achieve and maintain software compliance.

The SEC rules related to Section 404 require companies subject to SOX to maintain adequate internal controls over financial reporting. According to the SEC, adequate internal controls must provide reasonable assurance regarding the reliability of financial reporting.

As part of its definition, the SEC requires that the internal controls provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition or use of assets that may have a material effect on the financial statements. Stated alternatively, firms must have internal controls to prevent and detect the unauthorized acquisition and use of software assets.

The ability to compile complete hardware inventories, discover the software products that are installed on a network, and reconcile the installations against license entitlements and proofs of purchase are required to achieve and maintain software license compliance.

Successfully implementing these internal controls to achieve software license compliance is the only way to provide reasonable assurances regarding the prevention and detection of the unauthorized use or acquisition of IT assets.

Lack of adequate internal controls to ensure software license compliance constitutes a material weakness that must be disclosed under SEC rules. Furthermore, 15 USC 78j-1(a) requires that all audits conducted by public accounting firms include procedures that are designed to detect illegal acts that have a direct and material effect on financial statements.

Because unauthorized use of software products is illegal under applicable copyright laws, public accounting firms are starting to pay much more attention to internal controls related to IT asset management in discharging their obligations under SOX.

The question of materiality to financial statements is one that will likely be resolved against the businesses that are found to be out of compliance. A company with 10,000 computers that is 20% out of compliance with its software licenses will have an average off-balance sheet liability of four million dollars ($4,000,000).

In addition to the purely SOX-related concerns, non-compliant public companies have to be concerned about undisclosed, off-balance sheet liabilities. Failure to disclose such liabilities sparked the Enron and MCI scandals that have resulted in numerous high-profile criminal prosecutions and convictions.



Robert Scott
Partner
Scott and Scott
Robert graduated summa cum laude from Austin College in Sherman, Texas, with a B.A. in business and economics. He earned his law degree from Hofstra University School of Law in New York.

Robert and his team of associates represent a wide variety of clients on technology issues. Robert leads the Software Compliance practice group and works with legal and technology professionals on a daily basis to solve complex compliance questions.

Robert is regularly called upon by his peers to speak about software compliance, asset management, and defending software audits. Robert's speaking engagements have included ECP's Software Asset Management Summit, as well as numerous web seminars, continuing legal education seminars, and media appearances.

Robert is a member of the State Bar of Texas, and he is admitted to practice before the United States Court of Appeals for the 5th Circuit, the United States District Court in the Northern and Eastern Districts of Texas, and the District of Colorado. He is a member of the Information Systems Audit and Control Association, the Managed Services Providers Alliance, the IT Compliance Institute, and the Metropolitan Technology Council.





© 2019 Simplex Knowledge Company. All Rights Reserved.