HelpSource Q&A


We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q: I am planning to audit one of our subsidiaries, a company that develops software and sells packaged applications. Our organisation also buys certain software that we use as tools/platforms for development.

I would like to know the key clauses in licensing agreements that ought to be in place when licensing software to buyers. I am also keen to know the software licensing terms that we must have in place with our software providers.

A: Ideally, you should consult a legal expert regarding this question. However, I am responding to this from an auditor’s point of view. As always, this is an indicative list:

  • Many contracts have key preambles called ‘recitals’. Recitals outline the reasons behind the signing of the contract. On many occasions, recitals explain the background and expertise of the parties involved. For example, a recital may state: ‘The licensor has expertise and experience in providing software solutions for the health care industry’. This clause is advantageous from a buyer point of view. The buyer can sue the seller should something go wrong, as the buyer can claim that he placed reliance on the expertise claimed in the recital section of the contract. It is important that recitals be clear and concise.
  • The granting of the licence for use is one of the fundamental clauses in any licensing agreement. The grant-related clause describes the terms of use, or the rights of the buyer, with respect to the licensed software. This section must also outline the restrictions placed on the licensee in terms of how the licensed software may be used. Rights or privileges not granted expressly must not be assumed to be available. Any rights granted must be explicitly stated, for example:
    • The licence should explicitly prohibit the buyer from reproducing the software, or from distributing it to any third party by sale, lease, loan, rental, gift or sublicence. Users can, however, make one copy for backup purposes.
    • There can be geographical limitations. For example, the licence terms can dictate that the software be used in one particular site only.
    • The duration of the licence is the next most important provision. The duration can be for a set period (after which the licence is renewed at a cost), can be perpetual or can be unspecified.
    • The number of copies licensed is very important. However, the number of copies is irrelevant if the software is licensed for unlimited use.
    • The user should have no right to further modify the licensed software unless granted so.
    • The licensor should have a responsibility to release patches and fixes on a periodic basis.
    • If the licensee has hot-site or cold-site arrangements for disaster recovery purposes, the licence must permit usage of the software at such sites.
  • Cost or price of the software and the terms of payment must be in the licensing agreement.
  • An escrow arrangement is one of the key clauses in any software licensing arrangement. Escrow relates to the voluntary deposit of a copy of the software source code with a mutually agreeable third party. The buyer can invoke the escrow clauses and gain access to the source code if the seller were to go bust or shut down business operations.

The next two important clauses relate to warranty and any potential liability that may arise.

  • The software must perform and meet the objectives for which it has been purchased. The buyer will obviously seek a warranty on the product. No software provider can guarantee that a product will be free of bugs or glitches. At the same time, from a buyer’s point of view, who would want to buy software that malfunctions repeatedly?
  • Liability relates to the compensation due to the buyer from the seller in the event of any major incident or damage caused by the software. The buyer usually insists on unlimited liability, but the seller must be prudent enough to limit or cap the liability to an acceptable and reasonable fixed amount. The seller must be careful to ensure that he does not agree to recompense any consequential loss incurred by the buyer. For example, if an airline suffers operational loss because the ticketing software malfunctions, it would be unwise on the part of the buyer to recompense such loss. Consequential loss also includes the software company recompensing the passengers of the airline, with whom it does not have a relationship.

Again, this is just an auditor’s indicative checklist. An intellectual property (IP) lawyer would be able to advise better on the terms and conditions for an ideal licensing arrangement. There have been multiple cases in various international courts, and judgements have appeared in favour of both software sellers and buyers.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2012 ISACA. All rights reserved.
