Understanding The Connection Between Software Compliance and Sarbanes-Oxley

By Robert Scott


The Securities and Exchange Commission’s (“SEC”) rules developed in response to Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”) require companies subject to SOX to maintain adequate internal controls over financial reporting and to prevent or detect unauthorized acquisition or use of assets. Most public companies treat SOX compliance and software license compliance as separate initiatives and rarely understand that compliance with SOX Section 404 is impossible without the tools, processes, and expertise necessary to achieve and maintain software compliance. According to the SEC, adequate internal controls must provide reasonable assurance regarding the reliability of financial reporting. As part of its definition, the SEC requires that the internal controls provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition or use of assets that may have a material effect on the financial statements. Stated alternatively, firms must have internal controls to prevent and detect the unauthorized acquisition and use of software assets.

The ability to compile complete hardware inventories, discover the software products that are installed on a network, and reconcile the installations against license entitlements and proofs of purchase are required to achieve and maintain software license compliance. Successfully implementing these internal controls to achieve software license compliance is the only way to provide reasonable assurances regarding the prevention and detection of the unauthorized use or acquisition of IT assets.
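As an added illustration of the reconciliation step described above (example code written for this page, not from the article or any vendor's tool), the script below takes a discovery feed of (host, product) pairs and an entitlement register, de-duplicates repeated agent reports, counts distinct installations per product, and flags any product whose installed count exceeds proven entitlements. The sample inventory, entitlement counts, and per-seat prices are constructed placeholders; the exposure figure is only as good as the assumed price model.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample: records a discovery agent might emit, one (hostname, product)
# pair per detected installation. The duplicate ws-001/OfficeSuite row mimics an
# agent that reported twice. Hypothetical data, not taken from the article.
INSTALLS = [
    ("ws-001", "OfficeSuite"),
    ("ws-001", "OfficeSuite"),
    ("ws-002", "OfficeSuite"),
    ("ws-003", "OfficeSuite"),
    ("ws-001", "CADTool"),
    ("ws-004", "CADTool"),
    ("srv-01", "DBServer"),
]

# Constructed entitlement register: product -> seats backed by proof of purchase.
# DBServer is deliberately absent to show an install with no entitlement at all.
ENTITLEMENTS = {"OfficeSuite": 2, "CADTool": 5}

# Assumed per-seat replacement cost, used only to size the off-balance-sheet exposure.
LIST_PRICE = {"OfficeSuite": 300.0, "CADTool": 4000.0, "DBServer": 5000.0}


@dataclass(frozen=True)
class Finding:
    product: str
    installed: int   # distinct hosts on which the product was discovered
    entitled: int    # seats the entitlement register can prove

    @property
    def shortfall(self) -> int:
        return max(0, self.installed - self.entitled)

    @property
    def compliant(self) -> bool:
        return self.shortfall == 0


def reconcile(installs, entitlements):
    """Count distinct (host, product) installations and compare to entitlements.

    Returns a dict product -> Finding covering every product seen on either
    side, so an installed product with no entitlement record still surfaces.
    """
    distinct = set(installs)                       # a host counts once per product
    installed = Counter(product for _, product in distinct)
    products = set(installed) | set(entitlements)
    return {
        p: Finding(p, installed.get(p, 0), entitlements.get(p, 0))
        for p in sorted(products)
    }


def violations(findings):
    """Products whose installation count exceeds proven entitlements."""
    return [f for f in findings.values() if not f.compliant]


def exposure(findings, list_price):
    """Estimated liability: unlicensed seats priced at the assumed list price."""
    return sum(f.shortfall * list_price.get(f.product, 0.0) for f in findings.values())


def noncompliance_rate(findings):
    """Share of installed seats not covered by an entitlement."""
    total = sum(f.installed for f in findings.values())
    return sum(f.shortfall for f in findings.values()) / total if total else 0.0


if __name__ == "__main__":
    result = reconcile(INSTALLS, ENTITLEMENTS)
    for f in violations(result):
        print(f"{f.product}: {f.installed} installed, {f.entitled} entitled, short {f.shortfall}")
    print(f"estimated exposure: ${exposure(result, LIST_PRICE):,.2f}")
    print(f"noncompliance rate: {noncompliance_rate(result):.0%}")
```

The de-duplication on the (host, product) pair matters: double-counting a host that reported twice would overstate the shortfall, while counting a product only once across hosts would understate it. The exposure function is the controls evidence an auditor asks for, so the price source used to populate it should be documented alongside the proofs of purchase.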

Lack of adequate internal controls to ensure software license compliance constitutes a material weakness that must be disclosed under SEC rules. Furthermore, 15 USC § 78j-1(a) requires that all audits conducted by public accounting firms include procedures designed to detect illegal acts that have a direct and material effect on financial statements. Because unauthorized use of software products is illegal under applicable copyright laws, public accounting firms are starting to pay much more attention to internal controls related to IT asset management in discharging their obligations under SOX.

The question of materiality to financial statements is one that will likely be resolved against the businesses that are found to be out of compliance. A company with 10,000 computers that is 20% out of compliance with its software licenses will have an average off-balance-sheet liability of four million dollars ($4,000,000). In addition to the purely SOX-related concerns, non-compliant public companies have to be concerned about undisclosed, off-balance-sheet liabilities. Failure to disclose such liabilities sparked the Enron and MCI scandals that have resulted in numerous high-profile criminal prosecutions and convictions.