Audit Software: Beware of Trojan Horses
Software licenses frequently contain language allowing the licensor to install “audit software” within the licensee’s production environments. Audit software can take many forms, from a simple command that reports the configuration of the operating system to a very sophisticated application that interrogates the complex security and access control systems associated with multiple SAP applications or similar systems. While audit software provides an effective tool from the perspective of the auditing party, the audited party must give serious consideration to the level of intrusion it allows into its systems as a whole, to data privacy concerns, and to the possibility of system complications resulting from the audit software.
Most requests to insert audit software are resolved without implementing the licensor’s audit software, and are ceded during the negotiation process. Many licensees have been successful in negotiating away this requirement by demonstrating the comprehensive nature of the licensee’s software asset management program, or by agreeing to a less intrusive alternative, such as having the licensee periodically provide reports from the licensee’s internal audit software.
Prudent licensees should resist installing the licensor’s audit software within their production environments, primarily because of the way audit software is designed and operated, and particularly because of the high level of access authority required to execute it. To operate effectively, audit software is designed to bypass or circumvent security and access control mechanisms. To achieve this, the level of system access granted to the application when it runs is typically the highest level available. Because the audit software is usually installed in the production environment behind the licensee’s firewalls and intrusion detection systems, the licensor may have access into many areas of the licensee’s IT environment. This could extend well beyond the information that would actually be required to audit the licensee’s usage by more traditional means.
Acceding to the licensor’s request to install audit software implies the licensee’s permission for the licensor to execute the software, generally at the licensor’s sole discretion. While a licensee can confine the licensor to a partitioned segment of its environment, in a worst case scenario the licensor could gain access to the licensee’s entire environment.
Audit software may also contribute to reduced system performance or cause other forms of interference with proper system functions. These risks would be considered somewhat secondary to the risks described above.
Required Use of Audit Software
Interestingly, some licensees seek to require the licensor to install software in the licensee’s environment to track the licensee’s usage of the licensor’s software automatically. They do so in the belief that, as long as the licensee purchases the same number of licenses as identified by the licensor’s audit software, it will never exceed the number of licenses purchased. Some licensees seek to include language to the effect that they may not be held accountable for exceeding the scope of the license grant until the licensor’s audit software is operational.
Use of Audit Software to Self-Audit
A number of independent vendors license software that allows licensees to audit their own compliance with the use limitations set forth in their licenses. These audits provide two benefits. First, to the extent the licensee’s use exceeds the number of licenses purchased, the licensee can reduce its usage or purchase additional licenses before the licensor potentially becomes aware of the overage. Second, to the extent the audit reveals that the licensee is not utilizing all of the licenses it has purchased, the licensee can terminate the unused licenses and associated maintenance to reduce its costs.