DS9.5: Unauthorized Software 1263



  • Hi,
    I wondered what risk an international American company is taking by having a French subsidiary that is using about 20.000 of unlicensed software?
    This situation has been going on for a couple of years now.
    The company was officially informed a year ago but the situation remains the same.
    Thanks for responding … Regine



  • This seems to be more of a compliance control than a financial reporting control. The only impact on the financial statements would be underreported software expense. 20.000 would be immaterial to most companies’ financial statements. Any fines associated with this could be material, but do not impact the financial statements until they are actually levied.



  • Would it be churlish to suggest that there might also be a perceived ‘tone-at-the-top’ issue arising from ongoing use of unlicensed software…? :roll:



  • Thanks for your answer.
    I still wonder, regarding SOX, what risk the company is taking by continuing to work with unlicensed software?



  • I don't feel that there is any specific SOX risk with continuing to operate with unlicensed software as SOX is totally about internal controls over financial reporting (ICOFR). Unless there is direct financial reporting risk, this is not really a SOX issue.
    If the argument is that it negatively impacts ‘tone at the top’, then that will need to be considered when setting the scope of management testing of ICOFR.



  • What kind of software is this?
    If the software is used somewhere during the financial reporting process, it should be captured during the documentation of the application.



  • All kinds of software:
    Microsoft (OS, Office…), Macromedia (website), Lexibase (dictionary)…
    ‘If the software is used somewhere during the financial reporting process, it should be captured during the documentation of the application.’
    What if this is not the case? What could happen to the company?
    Thanks a lot for your previous answers.



  • The company could be fined a lot of money for running unlicensed software (being out of compliance) and put in the hall of shame (negative press) thus impacting their reputation with customers and investors. Those are risks to be considered.
    For more info, this website may be helpful
    bsa.org
    article that discusses an approach that may be helpful is
    cio-today.com/story.xhtml?story_id=39382
    This is a gamble for them and they should run the risks through their risk management process. Often the cost of buying the software to be compliant is much less than any large fine or damage done to a company’s reputation.
    Most offenders are unaware of being out of compliance. However, this company has known about the issue and has taken no steps to be fully compliant. How will that play out in the papers?



  • While possibly not a SOX issue impacting financial reporting controls, this could be much bigger and more damaging to the company than not being SOX-compliant. I did not mean to imply in my previous comments that this is not an important issue, it's just that it is not necessarily a SOX compliance issue.



  • Unlicensed software is unsupported software. There are many risks associated with this scenario. To the extent that any of this software is used or may be used for the accumulation, aggregation and reporting of financial information, a SOX condition may exist, and is directly related to assessment of the General IT Controls.



  • I might be thinking outside the box, but there might be indirect and intangible implications even for SOX compliancy.
    For example, Trust is one of the most important aspects of SOX compliancy to ensure the ultimate goal of ‘not cooking the books’ does not take place. Without this principle in place, the other aspects of dotting the 'i’s on SOX detailed requirements are meaningless.
    If I were an SEC regulator and found violations like this, it might raise a red flag to dig deeper than usual. A finding on this USD20,000 ‘savings’ the company is trying to get by with, could end up costing the company in negative PR, time, and otherwise.
    Thus, I’d recommend the IT department address these issues, so that they would not possibly be a factor for SOX, BSA, or otherwise 🙂

