Internal Controls Critical to Optimize Software – Max Software Investment and Reduce Risk with Tracking

By Andy Rohrbough

Imagine you were the owner of a trucking company. Wouldn’t you know where your trucks are at any given time? Wouldn’t you know how much each truck cost to purchase and maintain? Your business success depends on the management of these assets that are essential to operations. Of course you would.

I would imagine that you would have a system in place, complete with policies and procedures, to ensure the maintenance was conducted efficiently to keep the trucks on the road rather than sitting idle. There would be a system that would provide visibility to the status of the trucks so management could make informed decisions.

Keeping track of physical assets, like trucks, is a difficult task. There are many things that need to be monitored, such as mileage, fuel efficiency, cargo load capacity, types of tires, etc. You would track this information because you would need to forecast costs for budgeting purposes and anticipate wear and tear on the vehicles. Then, you would develop a replacement schedule in concert with the demand for trucking services.

You would have satellite tracking in each of the trucks so that the location of each would be available at the click of a button. There would be an automated system to track the status of the maintenance and upkeep of the assets.

The drivers of the trucks would be another critical component of the success of your business. If you had a driver who quit or was unavailable for any reason, you would have an idle truck. Although the truck was idle, there would still be a cost to maintaining the vehicle.

There are many costs associated with business. Ideally, you’d have the ability to forecast costs and budget appropriately. Without reliable information about the costs of fuel, maintenance, parts and labor, the budgeting process would be a guessing game.

There would need to be a central place to input the information, and the information would need to be reliable. Once this data was in one place, it would be possible to analyze it to help you make informed decisions.

Licenses Are No Different

Licenses are not different because:

  • Licenses are assets
  • Internal controls can help keep track of these assets

The result of flexible licensing is confusion. The only way to manage this complexity is to have good internal controls that deliver visibility into the software assets in order to better measure the use and value of the investment in software.

Businesses spend millions of dollars on software each year. The global software industry totaled in excess of $300BN in 2012. Certainly, there is a reason for all of this investment. Software enables businesses to be more productive, efficient and competitive, so the investment is made. But, many businesses struggle to gain visibility into the entitlements that they have acquired which results in inefficiencies and waste.

Software publishers are not to blame. In fact, they would much prefer that their customers get maximum value from the investment that has been made in their technology. The last thing that a software publisher wants is for software that has been purchased to go unused. This dilutes their business case and can affect their future revenue from renewals and further commitments from customers. Over time, the complexity of software licensing has evolved due to market pressures. Publishers have tried to adapt the licensing to satisfy many different customers’ requirements while maintaining their intellectual property.

The recommendation is that businesses take these challenges seriously and strive to constantly get better control of their software entitlements.

Business Drivers

Why improve internal controls?

Unsustainable acquisition model: Traditional acquisition models will prove unsustainable. In the past, there may have been a tendency to purchase more software license coverage than was actually needed. There were many reasons for this over purchase. Software publishers typically provide pricing tiers based on the amount of software is being purchased. By buying slightly more, you might be able to get into the higher pricing tier and a save a few dollars. The trouble is that, as time goes by, you might renew software maintenance without actually knowing why so many licenses were purchased in the first place.

Another reason is that as IT budgets shrink, there is a pressure to purchase only what is needed. IT expenditures, more and more, need to be justified to satisfy whether or not there is a business need for the expense.

Redundancy in software acquisition: The potential for redundancy in software acquisition grows as more complex licensing models are released. For example, take the services that are available in the cloud. How does your traditional licensing provide for these cloud services? In many cases, publishers are promoting their cloud services by tapping their licensing customers and giving them benefits to move to the cloud, which is a subscription model. You might find that they’ll charge for the cloud services AND the maintenance on the licenses.

Inability to mitigate compliance risks: Without good internal controls of software licenses, you won’t have the ability to mitigate compliance risks. Due to increased efforts by software publishers to ensure that their customers are compliant, no organization can afford to be unaware of whether they have a compliance issue or to find out on the eve of an audit. At that point, it’s too late, and you will have a much harder time negotiating a reasonable settlement.

Inability to match policy to process: If you have good policies in place without the necessary controls, then the processes might not be optimized to enforce those policies. Imagine that you have great policies but no way to restrict access to software and to monitor that access. That means that there is potential for software to be distributed without following the policies that are in place.

Ineffective capital planning, budget planning and cost allocation: Planning capital expenses and operational expenses is difficult, especially if the information needed to do so is scattered or unavailable. Budgeting IT expenses for the next year can be made more difficult for the same reason.

Ineffective technology project planning and implementation: If the costs associated with software are not fully understood, it can lead to disruptions in project planning and implementation.

To optimize software investments, IT business managers must implement a comprehensive internal control structure that facilitates efficient resource utilization, visibility and control of license management.

Benefits of Managing Licenses

Software licenses are not physical assets. They can be difficult to track and easy to lose. This leads to inventory management methodologies that are not consistent throughout an organization. The result is the long-term inability to consolidate a knowledge base of that inventory. Manual processes can drain an organization’s resources, increase the risk of errors and make it difficult to quantify whether or not operational procedures are successful or wasteful.
With good internal controls, you gain:

  1. Visibility of spending and anticipated costs
  2. The ability to empower the IT administrators to install software that has well documented licensing
  3. A central repository of knowledge about software license entitlements and their histories
  4. An audit trail of when a license was purchased, whether there is active maintenance, and to whom or what device that license has been assigned
  5. The ability to identify license compliance risks before they become a problem
Evaluate Current Practices

What are your internal controls currently? Identify what controls are in place and evaluate them to determine whether or not they need to be improved. We recommend that you start with what is already in place, map your processes and identify where improvements can be made.

Do you have the necessary resources dedicated to software license management to achieve proactive management? Once you have determined what controls are in place, you need to evaluate whether or not there are sufficient resources to support the tasks of monitoring and managing the software. It’s recommended that there be a software asset manager role defined within the organization. This responsibility often falls on an IT manager or systems administrator. It’s not their primary job, but it has become part of their roles due to the importance of managing software.

Are the policies documented? Software asset management (SAM) needs to be understood throughout an organization. There are always exceptions to rules, and with software, it’s no different. Even if an organization requires strict control over what software is installed on devices’ standard build, there’s always a non-standard build. In most cases, that strict control doesn’t exist, which means that employees need to understand that their actions can have an impact on the organization, from a compliance standpoint, should they load software on their computers.

Do you have C-Level buy-in? Executive level sponsorship is essential for successful programs. It’s important for these executives to understand that software asset management can have an impact on the bottom line of the company, but they also need to understand that a software compliance issue could materially affect the accuracy of financial statements to shareholders. These executives are legally responsible for the accuracy of those financial statements, so they should be motivated to sponsor software asset management.

What tools have been invested in to support software management? Evaluate what tools the company may have already invested in. Are those tools sufficient? Is there a reason they are not being used for software asset management? You should do some market research to find a solution that can bridge the gap in functionality, augment current tools or replace them at a lower cost. There are many SAM tools on the market. In the past, patch management solutions have been used to fill this need, and while some are quite good, others fall short in keeping up with licensing complexities.

Do you have people on the staff knowledgeable about software licensing and with time to focus on your entitlements? Is there a “go to” licensing expert on staff? Do they know everything about one publisher, but only a little about others? Evaluate the internal knowledgebase of software licensing, identify deficiencies and do some market research to fill the gaps.

Recommendations

Accountability: Software License Management responsibilities need to be well defined. There should be a sufficient number of people whose primary function is to monitor and control the software investment. These people’s sole job function is to communicate internally about the importance of software license management and take a hands-on approach to keeping track of those assets.

Software agreements: Evaluate and understand software license agreements. If possible, standardize these licensing agreements to maximize efficiencies. It is typical for companies to grow at unexpected rates. Many grow, contract, then grow again with the ebb and flow of the markets in which they operate. Their software consumption will depend on whether or not the software helps the company achieve its goals.

In a perfect world, business managers would have sufficient time to evaluate technology and the methods that they use to acquire it. In reality, there are too many variables and too high a pressure to deliver on a deadline. They seldom have either the resources or time needed to find the perfect solution.

A recommended best practice is to periodically evaluate the agreements that are in place, consolidate them if possible, and mandate the use of agreements that bring the most value to the organization, while discouraging other ways of acquiring software.

For example, if there are IT managers in a hurry to get software to achieve a particular business goal, there is a potential for them to take the path of least resistance. What if they use the company credit card and purchase retail software? It can cause problems when it’s time to evaluate compliance since the purchase might not have been documented.

You need to make your agreements accessible and easy to use for your stakeholders to acquire software when needed. Internal controls in the form of a well-defined process can greatly improve your ability to do this. Make it easier to use established software agreements than buying retail.

License entitlement baseline: Do a thorough inventory of the software licenses that have been purchased and the entitlements those licenses deliver. Don’t make assumptions that you have the entitlement to upgrade to a newer version. Do your homework, and be sure of what you’ve bought and what it delivers.
Keep in mind that this inventory is a “point in time” exercise. Once you have your software licensing baseline, you need to find a way to keep the inventory records up to date in real time through the internal controls you place on software licensing.

Discovery: Use software and hardware discovery tools. Having the information about licensing entitlements is important, but if you don’t also have the information about what software is ACTUALLY installed in the real world, you won’t be able to determine whether or not it’s being used effectively. You also won’t be able to determine whether or not there is any compliance or security issues. A periodic network scan will expose unauthorized software installs and give IT managers time to take corrective measures.

Compliance Analysis: Integrate the software license management system with the data gathered from the discovery tool(s). Comparing the inventory of software entitlements with the software that is actually installed is what SIMITAR thinks of as Software Asset Management (SAM). Once you have the information, it must be scrutinized to find any discrepancies. It is critical to have good resources for licensing knowledge in this phase because of the complex licensing rules. You need to understand downgrade rights, license conversions, virtualization and many types of licensing to be able to accurately assess your licensing posture.

If you are not sure whether or not you have this knowledgebase in-house, find a way to augment your understanding. We’d recommend out-sourcing to an unbiased third party that evaluates licensing professionally and not relying upon the software publishers to provide this for you.

Purchasing: Include procurement in the workflow to connect the organization from user to acquisition. It is recommended to include the purchasing department in the process of distributing software licensing. Purchasing has a unique perspective into the requirements of an organization. You will be able to help eliminate duplicate purchasing of software. It will also allow you to identify trends that can be used to determine purchasing consolidation, thus allowing the organization to maximize its buying power.

Policies: Identify policies and processes that can be enforced across the enterprise to drive software license efficiencies. Does your employee handbook include guidelines for installing software? It should so that there is a general understanding of the responsibilities employees have when using the company’s resources. At home, most people have the freedom to load any software they wish, and increasingly, people are savvy technology users. This mentality can cross over to their business machine, so it is important to let them know what the rules are.

We recommend that you determine who is authorized to install software, and document that authority. Also, develop an approval workflow that includes all of the stakeholders so that you enforce the accountability your software managers are evangelizing.

IT Resources: Include network and systems services in the workflow to ensure proper IT policy enforcement. At the end of the day, it’s the IT folks who will make sure software is installed and running properly. By including them in the processes for acquiring and distributing software licenses, they can play a major role in ensuring software is distributed accurately.

Internal control of software licensing provides support for the IT people by delivering checks and balances. The internal policy might require that a software license be procured and documented before the software is installed, or it might take advantage of deferred payment terms in software agreements. In either case, IT will need to be sure that licensing is provisioned to avoid compliance issues.

Automation: Empower end-user requests and automate approval/validation workflow. Remove the guessing game surrounding software licensing, and automate the processes users go through to request software and the processes by which software managers approve the use of software. This will allow your organization to have visibility into the software investment, control the expenditures on software, distribute software where it delivers the most value for the organization and reduce the risk of non-compliance by having a proactive method of managing the licensing.

This is also a platform to bring the IT department, purchasing department, SAM professionals, management and users together on software management while enforcing policies and procedures.

Conclusion

The important points to conclude with are:

  • Software is an investment
  • Licenses are assets
  • Internal controls can help keep track of these assets
  • Automate these controls to maximize your control over these essential assets

If you ran a trucking company, you would know exactly where each of your trucks was at any given time. The success of your business would depend on it. Software licenses are no different. Fiscally responsible companies must have the ability to get information about these assets in a moment’s notice.
Software is an investment, and the assets that come from this investment enable businesses to be more productive. There are steps you can take to evaluate whether your organization has the necessary internal controls in place to maximize that investment.

With increasing pressures to deliver ever more functionality through software and with greater access to services through the cloud, it is imperative to have efficient, accurate, and practical internal control of your software licensing.

About the Author

Andrew Rohrbough is the VP of License Management for SIMITAR.