Objective: To evaluate the current practices on the installation or use of commercial software packages, and determine whether employees are complying with the provisions of software licenses.

1. Determine through inquiry and review of documentation what the organization’s policy is regarding software license compliance. If no such policy exist, consider the need for an audit finding.

2. Assess, through inquiry and discussion with the appropriate official(s), the degree of compliance expected to be found in the organization, and determine what procedures are performed to ensure compliance with software licenses.

3. Identify any multiple software copy or site licenses, which may exist in a department, or the LAN environment.

4. On either a sample basis or a 100% basis, inventory the software, which is installed on the computers attached to the LAN, or on departmental computers. Using software such as SPAudit by Software Publisher’s Association can facilitate this process. If such tool is not available, make obtain a current inventory of all installed software packages.

5. Review supporting documents for the purchase of software packages inventories in step 4 above, and for any installed packages which cannot be supported by purchase documentation, determine if the copies were obtained improperly.

6. Ensure that the users remove any installed software packages, which are not in compliance with software license agreements.

Risks: Organizations face potentially significant exposures if employees do not comply with the provisions of software licenses. Generally, unless multiple use licenses or other site license arrangements are made with software publishers, a software package may only be used on one computer. The LAN environment has a tendency to amplify the problem of non-compliance, because it becomes very easy to copy software or allow multiple concurrent uses of a program.