Audit of. Software Inventory Procedures

(1)

Audit of

Software Inventory Procedures

April 22, 2003

(2)

MISSION STATEMENT

The School Board of Palm Beach County is committed to excellence in education and preparation of all our students with

the knowledge, skills, and ethics required for responsible citizenship and productive employment.

Arthur C. Johnson, Ph.D.

*

Superintendent of Schools

School Board Members

Tom Lynch, Chair

William C. Graham Vice Chair*

Paulette Burdick*

Monroe Benaim, M.D.

Mark Hansen

Sandra Richmond

Debra Robinson, M.D.

Audit Committee Members

Cindy Adair, Chair

Richard Roberts, Vice Chair

Georgette B. Carroll

Max Davis

Kevin James

Noah Silver

JulieAnn Rico Allison*

Shelley Vana *

Thais Villanueva*

(3)

Audit of Software Inventory Procedures

Executive Summary

The primary objectives of the audit were to determine the adequacy of District procedures in preventing the use of unlicensed software and protecting the District's computers against virus infection. As of January 2003, the District had approximately 60,000 personal computers (PC) as well as a considerable amount of computer software for both mainframe and microcomputers.

The use of computer software generally requires a license from the manufacturer authorizing a certain number of copies of the software to be used. However, unlicensed software can be easily installed onto the computers by current or previous users. Users may also unknowingly use demo versions of the software for daily operations. If the Business Software Alliance or Microsoft Corporation finds users violating the licensing requirements, they can levy fines in an amount allowed by law.

Due to the easy access to and popularity of PC software downloaded from the Internet or obtained from other sources, the risk of virus infection has exponentially increased. Virus infection can detrimentally destroy or corrupt valuable data and information stored on the computers.

The audit produced the following major conclusions:

1. School District Did Not Keep Software Inventory. The District did not maintain software inventory records in accordance with District Directive D-S.143 (5)(h). Without an accurate count of all licensed software used by the District, there is no assurance that unauthorized use and illegal duplication of software is detected and prevented.

2. No Asset Management System to Track Software Location(s) on Hardware Equipment. Without proper inventory, the District could have (1) installed

unlicensed software on hardware, or (2) under-licensed software programs due to the failure to purchase/renew the needed number of software licenses. Under-licensing of software could place the District at risk for liability and litigation from copyright owners.

Maintaining accurate PC and software inventories can provide reliable data to the District in prioritizing information technology resources. This can also help ensure efficient and accurate reporting in:

1. Software license compliance tests 2. Microsoft volume licensing

(4)

3. Disaster recovery planning

4. Financial planning and purchasing 5. Removal or reassignment of PC's 6. Help desk support

7. Windows 2000 or XP migrations

8. Software licensing and maintenance agreements renewals

3. Three Unauthorized and Unlicensed Software Found. Based on the review of computer software installed on 20 selected PC, we found three unauthorized and unlicensed software packages on three computers, at three different locations. Upon our notice, IT immediately removed these three unauthorized software. To ensure that all software installed is properly licensed and authorized, IT should conduct periodic inventory of software. Any unauthorized or unlicensed software found should be removed immediately.

4. Two PC Without Virus Protection. Our review of 20 selected PC also indicated that two of them were not installed with anti-virus program. To protect our computers from possible virus infection, all District's PC should be installed with the latest anti virus software. In response to our finding, IT has installed the needed anti-virus program onto the two PC as of Aprilll, 2003. A Virus Log Report generated by Network Services for July through December 2002, indicated that the number of viruses detected ranged from a low of 99 on December 22, 2002, to a high of 15,542 on November 17,2002.

(5)

Audit of

Software Inventory Procedures Table of Contents

= "..= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Page EXECUTIVE SUMMARY

PURPOSE AND AUTHORITY 1

SCOPE AND METHODOLOGY 1

BACKGROUND 2

CONCLUSIONS

1. School District Did Not Keep Software Inventory 2

2. No Asset Management System to Track Software Location(s)

on Hardware Equipment 3

3. Three Unauthorized and Unlicensed Software Found 4

4. Computer Virus 4

APPENDIX

(6)

THE SCHOOL DISTRICTOF PALM BEACH COUNTY. FLORIDA

LUNG CHIU, CPA

DISTRICT AUDITOR

ARTHUR C. JOHNSON, Ph.D.

SUPERINTENDENT

OFFICE OF DISTRICTAUDITOR

3346 FOREST HILL BOULEVARD, SUITE 8-302 WEST PALM BEACH, FL 33406

(561) 434-7335 FAX: (561) 434-8652

MEMORANDUM

TO:

FROM:

Honorable Chair and Members of the School Board Arthur C. Johnson, Ph.D., Superintendent of Schools Chair and Members of Audit Committee

-k"L<:-

Lung Chiu, CPA, District Auditor

DATE: April 22, 2003

SUBJECT: Audit of Software Inventory Procedures

PURPOSE AND AUTHORITY

Pursuant to the District's Audit Plan 0/2002-2003, we have audited the District's

Software Inventory Procedures. The primary objectives of the audit were to detennine the adequacy of District procedures in:

• Preventing the use of unlicensed software.

• Protecting the District's computers against virus infection.

SCOPE AND METHODOLOGY

The audit was perfonned in accordance with Government Auditing Standards by Randy

Law, CISA, and Ellen Steinhoff, CISA, during October 21,2002, through January 17,2003. This audit included:

• Reviewing applicable School Board Policies.

• Interviewing staff of District departments, and selected elementary, middle, and high schools.

• Reviewing 20 sampled personal computers at three departments and three schools, for unlicensed software and anti-virus software.

Draft findings were sent to the Division of Infonnation Technology for review and comments, and management response is included in the Appendix. We appreciate the

(7)

courtesy and cooperation extended to us by staff during the audit. The final draft report was presented to the Audit Committee at its TBD meeting.

BACKGROUND

The District has approximately 60,000 personal computers (PC) as well as a considerable amount of computer software for both mainframe and microcomputers. In general, the use of computer software requires a license from the manufacturer authorizing a certain number of copies of the software to be used. To ensure users have the legitimate right to use the software, manufactures contract with special groups to verify the legitimacy of software users. Business Software Alliance (BSA), for example, is a computer industry organization that acts on behalf of software manufacturers against unauthorized use and copying of member company's software. IfBSA or Microsoft Corporation, through its own efforts, finds users not compliant, they will be subject to heavy fines and penalties allowed by law.

Unlicensed software can be installed by previous or current users of the equipment. Employees may also unknowingly use demo versions of the software for daily operations. Microcomputers are at risk for virus infection, which can detrimentally destroy or corrupt valuable data and information stored on the computers. Due to the easy access to and popular use of PC software, the risk of infection from computer viruses has exponentially increased while downloading of computer programs from the Internet and other sources become part of our daily activities.

CONCLUSIONS

1. School District Did Not Keep Software Inventory. We reviewed the legitimacy of software installed on 20 selected PC at three departments and three schools. Our review indicated that the District did not maintain software inventory records for all the six locations. District Directive D-S.143 (5)(h) states" ... The software property designee shall maintain ajile ofall software licenses and locations. Form PBSD 1555, Software Inventory, the school's media center "Unicorn" system, or purchase orders may be used to record the following informationfor all software, regardless value: 1. date and source ofthe software acquisition; 2. location ofeach installation as well as property record number ofthe computer on which each copy ofthe

software has been installed; 3. location oforiginal installation disks and existence,

if

any, ofbackup copies and their location(s); and 4. software product's serial and/or license number. "

Without an accurate accounting of all licensed software used by the District, there is no assurance that unauthorized use and illegal duplication of software is detected and prevented. The Software Inventory Form (PBSD 1555) should be filled out and utilized properly. Based on information contained in the Inventory Form, the School

(8)

District should consider creating a database of such inventory record for future reference and prudent management decisions.

Management's Response: Concurs. Safeguarding ofassets, including software,

regardless ofvalue, is the responsibility ofthe custodian charged with their care. This is usually a Principal or Department head. This is consistent with Florida Statute 274.03. Inventories ofsoftware should be kept at a local level. Records of software items with an acquisition value of$750 or greater are also maintained in the District'sfixed asset tracking system, FASgov. Information Technology will continue to provide education ofcopyright issues and tracking ofsoftware issues at school technical support training sessions. A bulletin from IT and Capital Assets will be sent to schools and departments reaffirming the importance ofmaintaining records of software transactions and outlining the requirements and procedures to maintain a site (school/department) based software inventory. (Please see page 7)

2. No Asset Management System to Track Software Location(s) on Hardware Equipment. We were unable to track software to hardware systems. The District has no records of which software is assigned to what and which machine. Without proper inventories, the District could have (1) software licenses that should not have been installed on certain hardware, or (2) under-licensing of software programs due to the failure to purchase/renew the needed number of software licenses.

Under-licensing of software could place the District at risk for liability and litigation from copyright owners.

Maintaining accurate PC and software inventories can also provide reliable data to the District in prioritizing information technology resources. This can also help ensure efficient and accurate reporting in:

• Software license compliance tests

• Reporting for BSA (Business Software Alliance) or Microsoft audits • Microsoft Volume Licensing

• Disaster recovery plan

• Financial planning and purchasing • Removal or reassignment of PC's • Help desk support

• Windows 2000 or XP migrations

• Software licensing and maintenance agreements renewals

Management's Response: Concurs. A bulletin from IT and Capital Assets will be

sent to schools and departments emphasizing the importance ofmaintaining records ofsoftware transactions and outlining the requirements and procedures to maintain a site (school/department) based software inventory. Inventory ofsoftware items with a value of$750 or greater is kept in the FASgov system with a location listed. (Please see page 7)

(9)

3. Three Unauthorized and Unlicensed Software Found. Our review of computer software installed on 20 selected PC found three unauthorized and unlicensed software packages on three computers at three different locations. We have referred our concern to Information Technology (IT) for immediate corrective actions.

District Directive D-S.143 (5)(1) states "District personnel may conduct audits of

microcomputers to ensure compliance with all software licenses. Unscheduled audits may be conducted ... During the audit, district staffwill also search for computer viruses and eliminate any that are found" However, according to IT, software inventory audits were not performed.

To ensure all software installed is properly licensed and authorized, IT should

conduct periodic software inventory. Any unauthorized or unlicensed software found should be removed from the District's computers immediately.

The District currently has approximately 60,000 PC, and about 30,000 of them are connected to the District's computer network. As a result, software inventory and tracking for these 30,000 PC could be performed through the existing network with enhanced automation system.

According to the Gartner Group, Inc., an internationally recognized technology consulting firm, there are a number of best practices that can help organizations prevent the use of unlicensed software and protect against computer viruses. For example, organizations can monitor employees' use of computer applications, periodically inventory the applications, conduct surprise audits of the software installed on microcomputers, use virus detection software, maintain a log of virus infections, and educate employees about the dangers of computer viruses and the need to avoid the use of unlicensed software.

As of April 11, 2003, staffhad corrected the problem and immediately removed the unlicensed and unauthorized software on all three Pc.

Management's Response: Concurs. IT will continue to provide information in

workshops and documentation. IT will provide procedures and technical assistance to schools and departments to perform audits and remove unauthorized software.

(Please see page 7.)

4. Computer Virus. The District has not developed comprehensive procedures to educate and train employees regarding the use of licensed software and protection against computer viruses. A McAfee Virus Log Report generated by Network Services for July through December 2002, indicated that the number of viruses detected ranged from a low of 99 on December 22,2002, to 15,542 on November 17, 2002. Our review of computer software installed on 20 selected PC found that two

(10)

PC did not have the computer virus protection software. To protect our computers from possible virus infection, all District's PC should be installed with the latest anti virus software. As of April 11, 2003, the IT staffhad corrected the problem and promptly installed virus protection on both PC.

Management's Response: Concurs. IT staffwill continue to train school and

department technical contacts on the use oflicensed software and virus protection via workshops and documentation. (Please see page

7.)

- End of Report

(11)

Appendix

Management's Response

THE SCHOOl DISTRICT JIM SHEEHAN ARTHUR C. JOHNSON, Ph.D. OF PAlM BEACH COUNTY. FLORIDA CHIEF INFORMATION OFFICER SUPERINTENDENT

INFORMATION TECHNOLOGY

334S FOREST HILL BOULEVARD WEST PAlM BEACH. FL 33406-5869

(561) 434-8830

April 16, 2003 MEMORANDUM

TO: Lung Chiu, District Auditor

FROM: John Inglis, Manager Network Services

tJ~

SUBJECT: Draft Audit of Software Inventory proUures

After reviewing your draft of the Software Inventory Procedures, Network Services is providing you with a written response to your concerns. Per your request, we will indicate whether we concur with your conclusions, corrective actions to be taken, if necessary, and targeted completion dates.

Please review this document prior to the April 22, 2003 Audit Committee meeting, so that our information can be incorporated.

Please contact me if you have any other questions.

C: Joe Moore, Chief Financial Officer Jim Sheehan, Chief Infonnation Officer

Larry Padgett, Director Network Services Greg Ostaffe, Manager-Capital Assets

Attachment

DISTRICT AUDITOR

F:lNelwork Services Admin OrouplAudits\Software audit 1I.doc 411612003

(12)

Appendix

Management's Response

Management Responses

1. School District Did Not Keep Software Inventory

Concur: Safeguarding of assets, including software, regardless of value, is the responsibility of the custodian charged with their care. This is usually a Principal or Department head. This is consistent with Florida Statute 274.03. Inventories of software should be kept at a local level. Records ofsoftware items with an acquisition value of $750 or greater are also maintained in the District's fixed asset tracking system, FASgov. Information Technology will continue to provide education of copyright issues and tracking of software issues at school technical support training sessions. Abulletin from IT and Capital Assets will be sent to schools and departments reaffirming the importance of maintaining records of software transactions and outlining the requirements and procedures to maintain a site (school/department) based software inventory.

2. Asset Management System to Track Software Location(s) on Hardware Equipment Concur: A bulletin from IT and Capital Assets will be sent to schools and departments emphasizing the importance of maintaining records of software transactions and outlining the requirements and procedures to maintain a site (school/department) based software inventory. Inventory of software items with a value of $750 or greater is kept in the F ASgov system with a location listed.

3. Three Unauthorized and Unlicensed Software Found

Concur: IT will continue to provide information in workshops and documentation. IT will provide procedures and technical assistance to schools and departments to perform audits and remove unauthorized software.

4. Computer Virus

Concur: IT staff will continue to train school and department technical contacts on the use oflicensed software and virus protection via workshops and documentlttion.