Software Audit-Implementation guidelines

Software Audit-Implementation guidelines

In order to implement the Software Licence Management Policy, each department is expected to establish and maintain records linking the software on its computers to the licences it holds, or to site licences held by the university.

In a steady state, we would expect records to be created and updated as systems are initially configured, and updated as additional software is acquired and installed. However, because of the devolved control of systems, this process can break down; therefore all systems should be audited from time to time.

This overall activity can be broken down into 3 processes

  • Auditing of software on each machine
  • Reconciliation of audit records with licences held
  • Action to resolve any discrepancies between these two processes

A list of software signed by the user of the machine is not sufficient on its own for software auditing purposes.

The Policy Implementation Workgroup recommended that where a Faculty has the resources to put in place these procedures at once then it should do so. It recognized, however, that not all Faculties would be able to do this immediately, and in this case recommended a tiered approach in which initially procedures are established to audit all new machines as they arrive. Thereafter a program of auditing older machines should be put in place.

The following points should be keep in mind when setting up an auditing program.

  • Audits cover ALL machines with any software on them at all, including the operating system, not just desktop machines that are in active use. This therefore includes PCs supplied by manufacturers of external equipment and PCs not currently in use sitting under desks or in cupboards.
  • The University has a Computer Equipment Disposal Policy. When PCs are disposed this will most likely also affect the Software Asset Register which should be updated to reflect the disposal.

Where a product is covered by a University site license this should be noted.  IT services maintains a web page with current site licences. This covers licences administered by Information Services on behalf of the university as a whole, but it is hoped that over time faculties will also contribute information about any licensing agreements which they hold locally that might be of benefit to the greater university community.

During auditing it is recommended that advantage be taken of "bundles" of software such as Standard Staff Desktop (SSD) or Common Student Computing Environment (CSCE). The components of these bundles are known (if the version number is specified) and are all either site licensed or free. It is therefore legitimate to audit a PC which has been set up as a Standard Staff Desktop as just that and then provide audit information on any additional packages which have been added over and above the basic SSD. It is hoped that in due course it will be possible to create filter files for the recommended audit tool that will automatically recognise the commonly occurring bundles on campus.