
How to manage software auditor independence

A recent report has shown that the Big Four audit firms often work for the major software providers to conduct software licence audits.

The fact that the Big Four audit firms are being used for both statutory audits and software licence audits should raise alarm bells in IT departments.

As Computer Weekly has previously reported, the Sleeping with the enemy report from Cerno Professional Services found that the so-called Big Four audit firms – Ernst & Young (EY), Deloitte, KPMG and PricewaterhouseCoopers (PwC) – maintain and actively promote specialist divisions to run software audits for software providers.

While auditors maintain there is a separation of duties between those responsible for statutory auditing and software licence auditors, the author of the report, Robin Fry, legal director of Cerno Professional Services, urged IT decision makers to understand the risks of a potential conflict of interest and act accordingly.

Such a conflict could arise, according to the report, where a client of the audit firm does not settle a licence shortfall with the software provider. The software licence audit team from the audit firm could then be asked to give evidence of unlicensed usage against the firm's own statutory audit client.

Even if there is no conflict of interest, the fact that the same firm is being employed both for a statutory audit and to conduct a software audit may complicate the relationship with the audit team, Fry wrote in the report.

He warned that an organisation undergoing a statutory audit may not challenge any findings or evidence obtained by the firm in the software audit since these will have been obtained by its own statutory auditor with whom the client has a high degree of trust.

Software audits account for a significant proportion of software sales, according to research from the Campaign for Clear Licensing, sponsored by Origina, a third party IBM support firm.

Income generated by audits

Tomás O'Leary, CEO at Origina, said: "Ex-software sales managers of SAP, Oracle and IBM that I've met suggest almost a third of income is being generated by audits in some of the bigger countries like the UK, Germany and the US." The Big Four are generally involved in many of these audits.

As a consequence, O’Leary said software audits can be big business for the audit firms, given the Big Four’s software audit practices work for major software firms like IBM, Microsoft, Oracle and SAP.

From an IT management perspective, many IT departments may be unaware that they can decline an audit from a particular third party, according to Rory Canavan, author of the SAM Charter Process Kit. An IT department might do so if it does not have faith in that third party's ability or skill set.

“That’s not to say they can decline an audit outright, but they can redirect that request back to the software supplier to find another company to conduct the audit,” said Canavan. “If conflicts of interest are a genuine concern for an end user organisation, that is reason enough to insist on a change of auditors.”


The Big Four audit firms would risk big fines and huge damage to their reputations if they disclosed information learned in an audit to a third party.

“The most common complaint I get is that the audit team doesn’t know enough about the supplier’s technology and rules, takes too long to complete its work and requires too much hand holding by the internal team,” said Duncan Jones, a principal analyst at Forrester.

He said the most important criterion for an IT department is that the software auditor provides good-quality people who are experienced in auditing technology controls and have built up familiarity with the specific software provider's products and policies.

According to Jones, the big risk to the software auditor’s independence is that its revenue stream depends on helping the software provider generate compliance revenue. “If every customer is compliant, the supplier will scale back its auditing process, which will mean less revenue for the audit firm.”

“So a specialist firm that did no statutory audit work at all would be very bad for the customers, because that audit firm would only survive by identifying non-compliances, maybe even inventing them, like many of the Indirect Access claims,” he said.

He urged CIOs to recognise the potential lack of independence and manage the whole process accordingly. “That includes agreeing as much as possible before the audit team is allowed on-site, such as the current contract and how the auditors will interpret it,” concluded Jones.
