Implications of Open-Source Software on Auditors and Clients

By Yigal Rechtman, CPA

June 2003

Overview

Open-source software products have gained ground in recognition of their value in the past three years. First chided by software giants such as Microsoft, operating systems and applications such as Sun’s Office suite and Linux are no longer left to the obscurity of programmers’ newsgroups. According to Microsoft’s SEC 10-K filing for their fiscal year ended June 30, 2002: “The Company continues to face movement from proprietary software to open-source software such as the Linux operating system. The Linux open-source operating system has gained increasing acceptance as well. Several computer manufacturers preinstall Linux on PC servers and many leading software developers have written applications that run on Linux.” There are several reasons for the prominence of this new paradigm in software applications. As it emerges, auditors and their clients should know the significance of the change. Increasing numbers of clients may use the new technology and the auditor and accountant will have to be familiar with it to continue to provide traditional services.

Part I: The Seller’s Side

What is “open-source” software?

In brief, an open-source software developer makes the source code available for all to see:

Source code refers to the "before" versions of a computer program that is compiled before it is ready to run in a computer. The source code consists of the programming statements that are created by a programmer with a text editor or a visual programming tool and then saved in a file. For example, a programmer using the C language types in a desired sequence of C language statements using a text editor and then saves them as a named file. This file is said to contain the source code. It is now ready to be compiled with a C compiler and the resulting output, the compiled file, is often referred to as object code. The object code file contains a sequence of instructions that the processor can understand but that is difficult for a human to read or modify. For this reason and because even debugged programs often need some later enhancement, the source code is the most permanent form of the program. 1

In the open-source paradigm there are two basic rules; one dictates what users are allowed to do and the other what users are not allowed to do:

(1) The software license allows users to view and modify the program as they see fit. Under this rule, software continues to be modified by people other than the original developer.
(2) The only thing a subsequent developer who modified the original code may not do is sell the software at a profit. In essence, the second rule guarantees that open-source software is sold at cost, or very close to it, i.e. it’s free.

Why is open-source software free?

Open-source applications such as Gnumeric—an Excel-like spreadsheet, or Ximian—a desktop organizer that combines features of Palm OS and Microsoft Outlook, cost nothing to install. In fact, they are freely available for download from the Internet. The developers and distributors (remember, there are no resellers) of the software hope that the users will buy other things when they actually start using the product, namely: consulting services. Although installation of open-source applications and systems is a mature process, and intermediate level users should be able to breeze through it, there still may be consulting work to be done when a system is installed.

The developers of open-source software are many and varied. The original developers were programmers who “tweaked” existing applications in order to add features they wanted. Most of their work was done on their own time, but often used corporate resources. Other programmers, such as academics and students, added research-oriented features or invented new ones to suit their needs. Today, open-source developers continue to be these same programmers, but commercial developers (consulting firms) augment them. This, by the way, is not a small group. Developers of open-source software span the world and communicate their code-changes through websites, newsgroups, and e-mail. Because open-source code is free, the Internet’s one-to-many structure made publishing it a natural growth sector in software development.

Why are they giving it away?

There are three factors that make open-source software free: First, as discussed above, the software developer or distributor hopes to open the door for consulting work. This may not be a perfect “business model,” but it actually works: RedHat software and IBM, two open-source software distributors, have done well selling consulting services related to the software that they are giving away. Interestingly, a player in the open-source market has also been Microsoft: its Windows CE software is fighting for recognition by wireless device makers. The common wisdom is that Microsoft is making its operating system available for modification in markets it does not dominate so it will be more attractive to telephone manufacturers with particular customization needs.

Second, open-source software developers hope for an “up-sale” of their products. For example, when a customer buys a home-office scanner, the scanning software often “included” in the package is the “light” or “limited edition” version of better commercial software. The up-sale of software products is a known technique that ensures consumer loyalty to that brand of software. Although software distributors cannot sell their existing product under the open-source license (rule number 2), up-sale of custom software sometimes follows the installation of a standard one.

The final factor that makes open-source software free is copyright protection. Commercial software sellers find that their software is bootlegged very often, costing them lost revenues in the order of billions of dollars annually. Open-source software developers avoid this problem—their software is free anyway. The copyright non-issue has a small risk associated with it when old versions of software or operating systems are downloaded and have known deficiencies. Users are well advised to download open-source code only from known distributors’ websites.

Part II: The Buyer’s Side

Why bother to change anything?

As a business’ hardware ages, it requires replacement. Typically, a new license is purchased along with the new hardware. New hardware is often a required purchase because the old operating system and software are either too slow or lack necessary features to run properly. Recently, the dominant maker of operating systems and software, Microsoft, revised its “End User License Agreement.” Under the new terms, which have been effective since last fall, users “rent” a license rather than buying it. Whatever the phraseology used, CEOs and business owners have come to learn one thing: Microsoft wants more money for the goods. The response to Microsoft has been varied: some businesses (50%) simply delay additional purchasing, others do it grudgingly, and still others consider the alternatives (35%) 2. Enter: open-source operating systems.

But there is another compelling business reason to use open-source software: the cost of help desk calls (whether in-house or to an outside service) has risen from 1998 to 2002 from $12 to $22 per call. 3 In 2002, the average downtime of Microsoft servers (those licensed for more money) has been over 10 hours per year, while Linux servers (read: open-source servers) have averaged about 2.5 hours downtime per year.

What can I use it for?

From the author’s observations over the last four years, users are not sure what open-source is. The availability of open-source software has crystallized primarily around Linux. Although Linux is an operating system and not an application, most open-source applications run on it. The most common open-source applications used by general office workers are Star Office—a suite of desktop applications similar to Microsoft Office, Ximian—a desktop organizer, Gnumeric—a spreadsheet, AbiWord—a word processor, and Netscape—an internet browser, and e-mail software. Linux servers can be used as standard file-and-print servers, NT emulating servers, Novell emulating servers, and firewalls, to name a few usages. For those who wish to have their internet hosted in-house, Linux has several excellent Web, e-mail, and FTP server applications; in fact, the majority of web servers on the Internet run on Linux.

For typical users in small offices with general-purpose applications, or larger organizations with departmental needs, Linux servers and desktops are very reliable. In addition, because Microsoft’s products are ubiquitous, most Linux applications allow seamless interchanges among the various Word and Excel formats. The overall result is that these packages have been tested in the marketplace for three or more years now, and have proved to be serious alternatives to Microsoft products with significant cost advantages.

An interesting worldwide development has also given a boost to Linux’ function as an alternative server and desktop operating system: “Monopoly-fearing” governments have started to look for alternatives to Microsoft products. Linux is an attractive alternative because it is not the product of any single country, it comes without export restrictions, and it requires no hard currency to obtain. Domestic not-for-profit and government entities, such as schools, libraries, and agencies find Linux’ availability and low cost a viable option in times of reduced budgets and cutbacks.

Sounds good. What’s the tradeoff?

The tradeoff for free software is the cost of installation. Generally, a well-configured Linux server or workstation runs very smoothly. The stability of Linux and its mature applications provide minimal downtime or data loss. The cost associated with Linux is in the setup. If a company’s computer person knows Unix, Linux should be easy to set up. A sophisticated desktop user may also be able to install it with little help. Most consultants, however, charge high fees for installation, and, although the software is free, the installation often is not. Most users’ needs are already packaged in a typical Linux CD, however, and the savings outweigh the costs of a default install. Savings are often achieved by high reliability and minimal downtime as compared to other types of systems.

Part III: Auditing and Accounting Effects

Accounting Issues

Although there are no special accounting issues related to open-source systems, there is value to CPAs in understanding the open-source alternative. First, a client who may wish to explore this paradigm should probably have a consultant or specialist contracted to do the job, unless one is already on hand. Although most installations are done easily, it is a good idea to ensure the installation's accuracy from the start, and learn by watching and discussing. Just like a first-year tax return, a CPA should have a second pair of professional eyes looking at the work. The professional, as discussed, will have a cost. However, the advantage is that other costs are generally low: recycled hardware is often used (especially for file-and-print servers), and, of course, the license itself is really just the cost of distribution (normally below $100). Troubleshooting costs, just like setup costs, can be high, too. Luckily, such occurrences are rare because of the high reliability of open-source software.

Operationally, the learning curve for operating open-source software is shallow. Linux desktops and servers have graphic user interfaces (GUI), so they are point-and-click, just like Microsoft Windows. Older CPUs can be used because Linux is efficient in memory and circuitry usage, resulting in a 1.5 factor in increased speed over Windows in workstation mode, and a 2.0 factor in server mode.

As discussed above, open-source software is mature and reliable and can read many file formats, including Word, Excel, Lotus, WordPerfect, and everything in between. General-purpose applications look, feel, and work just the same as Microsoft applications. Others are intuitively easy to use, such as Netscape Navigator and Composer as well as Ximian’s Palm-like software. In short, it is easy for typical computer users to move to open-source applications.

Audit Risk

As with any operating system and software, audit risks can be affected by the manner in which such systems are installed and used for accounting applications.

Viruses: Linux and open-source applications, in general, have very few viruses that affect them. In part, this is because, unlike Windows, there are no “auto-run” macros in Linux. If a virus is included in an e-mail or a file, it has to be manually extracted from the file and run by the user. This is a security advantage over Word and Excel that allow macros to run when the file is opened.

System-Administrator: In Linux, as in Unix, the super-user is called “root.” If the root password is known to many users, or if there are root-like users, the system is completely open to them. A prudent auditor should at least understand who uses the root privileged account and how.

Monitoring: Internal monitoring and logging is an embedded feature of Linux. Logs for almost every activity from startup to shutdown are created, which can be reviewed by auditors or specialists hired by the auditor. In itself, the logging feature in Linux helps reduce the audit risk. It can further help in searching for suspicious activity by using Computer Aided Auditing Techniques (CAAT), if so desired.

Emulator and Telnet: Linux can emulate Windows NT and Novell servers. This ability, however, should be taken under consideration because sometimes, in order to simplify the setup of such emulations, password policy is not always enforced. This, of course, should increase the assessed audit risk. Similarly, a remote-access service such as Telnet should be disabled if it is not needed. A Telnet-enabled Linux server increases the assessed risk to the audit because internal or external users may gain access to the financial records.

Reliability: Overall, Linux is a reliable operating system. It has good defense mechanisms against intruders, and its hardware compatibility is impressive. The high reliability of this system—especially when used in server mode—helps to reduce further the assessment of audit risk. However, an auditor should be inquisitive about the source of the software: an operating system downloaded from the Internet may be an old or incomplete version, which may pose problems. The best option is to obtain the software from a known commercial software developer or established non-profit organization.
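The System-Administrator and Emulator and Telnet checks above can be run against copies of a client's configuration files. The following is an added example, not part of the original article: it lists every account with UID 0 (the "root-like users") and reports whether Telnet is enabled. It assumes the standard `/etc/passwd` format and that network services are started from `/etc/inetd.conf` (systems using xinetd keep this setting elsewhere); the sample file contents and function names are constructed for illustration.

```python
# Added example: constructed sample files, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
acctg:x:500:500:Accounting:/home/acctg:/bin/bash
svcadmin:x:0:100:service admin:/home/svcadmin:/sbin/nologin
"""
SAMPLE_INETD = """\
# /etc/inetd.conf (constructed sample; assumes inetd, not xinetd)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
"""
NO_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def root_equivalent_accounts(passwd_text):
    """Return (name, shell, can_log_in) for every account whose UID is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.lstrip().startswith("#"):
            continue  # skip blank, comment and malformed lines
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid.isdigit() and int(uid) == 0:
            found.append((name, shell, shell not in NO_LOGIN_SHELLS))
    return found

def enabled_inetd_services(inetd_text):
    """Return service names on uncommented inetd.conf lines, in file order."""
    services = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            services.append(line.split()[0])
    return services

def audit_findings(passwd_text, inetd_text):
    """Summarise both checks as plain-language findings for the workpapers."""
    findings = []
    for name, shell, can_log_in in root_equivalent_accounts(passwd_text):
        if name != "root":
            state = "interactive login" if can_log_in else "no login shell"
            findings.append(f"UID 0 account besides root: {name} ({state})")
    if "telnet" in enabled_inetd_services(inetd_text):
        findings.append("telnet is enabled in inetd.conf")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_findings(SAMPLE_PASSWD, SAMPLE_INETD)))
```

A UID 0 account has full root privileges whatever its name, so each one found belongs in the auditor's inquiry about who uses the privileged account and how.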

Summary

Open-source software is available at no cost for users and developers to use or modify as they see fit. In the last three years these systems have become mature alternatives to commercially-developed software and systems. Users should expect high installation costs and reduced maintenance costs, along with high reliability and inter-operability with existing systems and file formats. Linux is the often-cited operating system for open-source software. By using Linux, productivity generally rises, and computing costs are generally reduced. Audit risk for clients may be reduced due to increased reliability, reduced exposure to viruses, and robust logging features.

© Yigal Rechtman 2003. All rights reserved.

About the author

Yigal Rechtman, CPA, is an auditor and information systems specialist at Person & Company, CPAs in New York. He holds a Bachelor's degree in Computer Science from New York University – College of Arts and Sciences and a Master's degree in accounting from Pace University – Lubin School of Business. Rechtman served in the Israeli communication corps.


Notes:
1. http://whatis.techtarget.com/definition/0,289893,sid9_gci213030,00.html
2. The Yankee Group. These are partial results.
3. Compass Group.


Published in the New York State Society of CPAs