Shadow IT: is your software out of control?

Amarish Thakur, Director, Risk Advisory
Software can tick along in the background, but misuse and ignoring license agreements can be a significant cost to business. Here’s why.

Software is vital to most businesses, and when it is well chosen and well managed it can lead to leaps in productivity and growth. For this reason it is a key financial investment for many organisations. The combined software spend of an enterprise-grade organisation such as a bank is literally in the hundreds of millions of dollars across the major software vendors, including Microsoft, Oracle, SAP, IBM, Adobe, Symantec, Dell, VMware and others.

However, few companies have software asset management (SAM) as a priority in their internal audit plans. This oversight can be a costly error and can put pressure on all levels of the business.

What’s the problem?

Software licensing and upgrades can be a minefield, particularly for businesses with multiple systems, staff and locations. Add to this that the software purchasing and renewal process is set up by vendors, so the company's needs are not necessarily their first priority.

If you had a $10 million asset, such as a building or machinery, you would have all the controls in place to make sure it runs smoothly, that key elements are renewed, and that the right people are looking after it. However, perhaps because software isn’t tangible, businesses often fail to put the necessary controls in place.

Software companies know this flaw. Most software licensing agreements these days have audit clauses which give the vendor a contractual right to audit the usage of their software and recover any lost revenue resulting from non-compliance.

What do you need to be aware of?

Software is an asset that requires maintenance and controls, and the best way to do that is to make it a part of your business audit plan. It may require a rethink of responsibilities within an organisation, better understanding of software contracts and being aware of the competing agendas of suppliers.

It’s important to check if staff are downloading software that should be paid for or using software without a license. “Shadow IT” is a term used to describe the use of software systems within an organisation without the approval or even the knowledge of corporate IT.

It’s also vital to be aware that license agreements are asymmetrical. The underlying intent of a licence agreement is to generate revenue for the software vendor, ahead of the practical needs of an organisation. Even if your organisation doesn’t understand the nuances of license agreements, you are still legally liable for any over-deployments that are caused inadvertently. Software vendors do not consider a lack of internal controls or capability an acceptable excuse for non-compliance.

What can be done?

An internal audit of software should look at process risks, software license baselines, roles and responsibilities, and how software is deployed against the licenses owned. A software licensing risk assessment is key, and it’s also important to review whether there is non-essential software that can be removed. Processes are also necessary for identifying Shadow IT, along with controls for managing it. Are there more suitable software types and licences for your needs? Can you put in place suitable licence management to avoid future risk?

Remember, software is at the core of your business, but just because it ticks along behind the scenes doesn’t mean it should be uncontrolled.
