IT Essentials — Computer Operations
Software Licensing Management
Every piece of software used by an organization is accompanied by a license. Let’s explore the most
common types of software licenses.
Freeware/Shareware: Some licenses are what is known as freeware or shareware, meaning that
simply agreeing to the conditions of use allows the use of the software free of charge.
Conditional: Other licenses are free of charge for a period of time (e.g., 30 days) or based on specific
conditions, such as the number of employees or number of devices. This software may be
provided on the honor system, but auditors should be aware that fines and penalties are possible if
the contract is violated.
Personal: Software can also be purchased by personal license. A home computer will generally have
a license for an operating system and each software application.
Concurrent: Software such as Microsoft 365 typically provides what is called concurrent licensing,
for up to five devices. Concurrent licenses must be tracked to ensure licensing is not violated. Some
vendors have beacons that automatically report the number of concurrent sessions in use, which
makes it easy for the vendors to spot violators.
Enterprise: An enterprise license is used when the organization states annually how many licenses
it has and what its expected growth rate is over the next 12 months. The software vendor then
sets fees based on the forecast. Variations between actual and forecasted license counts are
reconciled during the annual billing process with each vendor.
Asset Management
“You cannot protect what you do not know you have.” This is a common statement when describing
the importance of a complete and accurate asset inventory.
Assets include data and information, technology (hardware and software), processes (policies and
procedures), people, and intangible assets (patents, trademarks, and goodwill).
Having a complete and accurate inventory of hardware and software is the only way to ensure there
are no unauthorized devices or software licenses in your environment.
Mapping the data and information assets to their associated hardware and software components (as
well as the high-level business process and enterprise objective) is the best way to ensure that the
suite of controls will sufficiently protect the data or information asset against the
most probable (known) vulnerabilities, threats, and risks.
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.