Implications of Open-Source Software on Auditors and Clients
By Yigal Rechtman, CPA
June 2003
Overview
Open-source software products have gained ground in recognition of their value in the past three years. First chided by software giants such as Microsoft, operating systems and applications such as Sun’s Office suite and Linux are no longer left to the obscurity of programmers’ newsgroups. According to Microsoft’s SEC 10-K filing for their fiscal year ended June 30, 2002: “The Company continues to face movement from proprietary software to open-source software such as the Linux operating system. The Linux open-source operating system has gained increasing acceptance as well. Several computer manufacturers preinstall Linux on PC servers and many leading software developers have written applications that run on Linux.” There are several reasons for the prominence of this new paradigm in software applications. As it emerges, auditors and their clients should know the significance of the change. Increasing numbers of clients may use the new technology and the auditor and accountant will have to be familiar with it to continue to provide traditional services.
Part I: The Seller’s Side
What is “open-source” software?
In brief, an open-source software developer makes the source code available for all to see:
Source code refers to the "before" versions of a computer program that is compiled before it is ready to run in a computer. The source code consists of the programming statements that are created by a programmer with a text editor or a visual programming tool and then saved in a file. For example, a programmer using the C language types in a desired sequence of C language statements using a text editor and then saves them as a named file. This file is said to contain the source code. It is now ready to be compiled with a C compiler and the resulting output, the compiled file, is often referred to as object code. The object code file contains a sequence of instructions that the processor can understand but that is difficult for a human to read or modify. For this reason and because even debugged programs often need some later enhancement, the source code is the most permanent form of the program. 1
In the open-source paradigm there are two basic rules; one dictates what users are allowed to do and the other what users are not allowed to do:
(1) The software license allows users to view and modify the program as they see fit. Under this rule, software continues to be modified by people other than the original developer.
(2) The only thing a subsequent developer who modified the original code may not do is sell the software at a profit. In essence, the second rule guarantees that open-source software is sold at cost, or very close to it, i.e. it’s free.
Why is open-source software free?
Open-source applications such as Gnumeric—an Excel-like spreadsheet, or Ximian—a desktop organizer that combines features of Palm OS and Microsoft Outlook, cost nothing to install. In fact, they are freely available for download from the Internet. The developers and distributors (remember, there are no resellers) of the software hope that the users will buy other things when they actually start using the product, namely: consulting services. Although installation of open-source applications and systems is a mature process, and intermediate level users should be able to breeze through it, there still may be consulting work to be done when a system is installed.
The developers of open-source software are many and varied. The original developers were programmers who “tweaked” existing applications in order to add features they wanted. Most of their work was done on their own time, but often used corporate resources. Other programmers, such as academics and students, added research-oriented features or invented new ones to suit their needs. Today, open-source developers continue to be these same programmers, but commercial developers (consulting firms) augment them. This, by the way, is not a small group. Developers of open-source software span the world and communicate their code-changes through websites, newsgroups, and e-mail. Because open-source code is free, the Internet’s one-to-many structure made publishing it a natural growth sector in software development.
Why are they giving it away?
There are three factors that make open-source software free: First, as discussed above, the software developer or distributor hopes to open the door for consulting work. This may not be a perfect “business model,” but it actually works: RedHat software and IBM, two open-source software distributors, have done well selling consulting services related to the software that they are giving away. Interestingly, a player in the open-source market has also been Microsoft: its Windows CE software is fighting for recognition by wireless device makers. The common wisdom is that Microsoft is making its operating system available for modification in markets it does not dominate so it will be more attractive to telephone manufacturers with particular customization needs.
Second, open-source software developers hope for an “up-sale” of their products. For example, when a customer buys a home-office scanner, the scanning software often “included” in the package is the “light” or “limited edition” version of better commercial software. The up-sale of software products is a known technique that ensures consumer loyalty to that brand of software. Although software distributors cannot sell their existing product under the open-source license (rule number 2), up-sale of custom software sometimes follows the installation of a standard one.
The final factor that makes open-source software free is copyright protection. Commercial software sellers find that their software is bootlegged very often, costing them lost revenues in the order of billions of dollars annually. Open-source software developers avoid this problem—their software is free anyway. The copyright non-issue has a small risk associated with it when old versions of software or operating systems are downloaded and have known deficiencies. Users are well advised to download open-source code only from known distributors’ websites.
Part II: The Buyer’s Side
Why bother to change anything?
As a business’ hardware ages, it requires replacement. Typically, a new license is purchased along with the new hardware. New hardware is often a required purchase because the old operating system and software are either too slow or lack necessary features to run properly. Recently, the dominant maker of operating systems and software, Microsoft, revised its “End User License Agreement.” Under the new terms, which have been effective since last fall, users “rent” a license rather than buying it. Whatever the phraseology used, CEOs and business owners have come to learn one thing: Microsoft wants more money for the goods. The response to Microsoft has been varied: some businesses (50%) simply delay additional purchasing, others do it grudgingly, and still others consider the alternatives (35%) 2. Enter: open-source operating systems.
But there is another compelling business reason to use open-source software: the cost of help desk calls (whether in-house or to an outside service) has risen from 1998 to 2002 from $12 to $22 per call. 3 In 2002, the average downtime of Microsoft servers (those licensed for more money) has been over 10 hours per year, while Linux servers (read: open-source servers) have averaged about 2.5 hours downtime per year.
What can I use it for?
From the author’s observations over the last four years, users are not sure what open-source is. The availability of open-source software has crystallized primarily around Linux. Although Linux is an operating system and not an application, most open-source applications run on it. The most common open-source applications used by general office workers are Star Office—a suite of desktop applications similar to Microsoft Office, Ximian—a desktop organizer, Gnumeric—a spreadsheet, AbiWord—a word processor, and Netscape—an internet browser, and e-mail software. Linux servers can be used as standard file-and-print servers, NT emulating servers, Novell emulating servers, and firewalls, to name a few usages. For those who wish to have their internet hosted in-house, Linux has several excellent Web, e-mail, and FTP server applications; in fact, the majority of web servers on the Internet run on Linux.
For typical users in small offices with general-purpose applications, or larger organizations with departmental needs, Linux servers and desktops are very reliable. In addition, because Microsoft’s products are ubiquitous, most Linux applications allow seamless interchanges among the various Word and Excel formats. The overall result is that these packages have been tested in the marketplace for three or more years now, and have proved to be serious alternatives to Microsoft products with significant cost advantages.
An interesting worldwide development has also given a boost to Linux’ function as an alternative server and desktop operating system: “Monopoly-fearing” governments have started to look for alternatives to Microsoft products. Linux is an attractive alternative because it is not the product of any single country, it comes without export restrictions, and it requires no hard currency to obtain. Domestic not-for-profit and government entities, such as schools, libraries, and agencies find Linux’ availability and low cost a viable option in times of reduced budgets and cutbacks.
Sounds good. What’s the tradeoff?
The tradeoff for free software is the cost of installation. Generally, a well-configured Linux server or workstation runs very smoothly. The stability of Linux and its mature applications provide minimal downtime or data loss. The cost associated with Linux is in the setup. If a company’s computer person knows Unix, Linux should be easy to set up. A sophisticated desktop user may also be able to install it with little help. Most consultants, however, charge high fees for installation, and, although the software is free, the installation often is not. Most users’ needs are already packaged in a typical Linux CD, however, and the savings outweigh the costs of a default install. Savings are often achieved by high reliability and minimal downtime as compared to other types of systems.
Part III: Auditing and Accounting Effects
Accounting Issues
Although there are no special accounting issues related to open-source systems, there is value to CPAs in understanding the open-source alternative. First, a client who may wish to explore this paradigm should probably have a consultant or specialist contracted to do the job, unless one is already on hand. Although most installations are done easily, it is a good idea to ensure the installation is accurate from the start, and to learn by watching and discussing. Just like a first-year tax return, a CPA should have a second pair of professional eyes looking at the work. The professional, as discussed, will have a cost. However, the advantage is that other costs are generally low: recycled hardware is often used (especially for file-and-print servers), and, of course, the license itself is really just the cost of distribution (normally below $100). The cost of troubleshooting, just like the cost of setup, can be high, too. Luckily, such occurrences are rare because of the high reliability of open-source software.
Operationally, the learning curve for operating open-source software is shallow. Linux desktops and servers have graphic user interfaces (GUI), so they are point-and-click, just like Microsoft Windows. Older CPUs can be used because Linux is efficient in memory and circuitry usage, resulting in a 1.5 factor in increased speed over Windows in workstation mode, and a 2.0 factor in server mode.
As discussed above, open-source software is mature and reliable and can read many file formats, including Word, Excel, Lotus, WordPerfect, and everything in between. General-purpose applications look, feel, and work just the same as Microsoft applications. Others are intuitively easy to use, such as Netscape Navigator and Composer as well as Ximian’s Palm-like software. In short, it is easy for typical computer users to move to open-source applications.
Audit Risk
As with any operating system and software, audit risks can be affected by the manner in which such systems are installed and used for accounting applications.
Viruses: Linux and open-source applications, in general, have very few viruses that affect them. In part, this is because, unlike Windows, there are no “auto-run” macros in Linux. If a virus is included in an e-mail or a file, it has to be manually extracted from the file and run by the user. This is a security advantage over Word and Excel that allow macros to run when the file is opened.
System-Administrator: In Linux, as in Unix, the super-user is called “root.” If the root password is known to many users, or if there are root-like users, the system is completely open to them. A prudent auditor should at least understand who uses the root privileged account and how.
Monitoring: Internal monitoring and logging is an embedded feature of Linux. Logs for almost every activity from startup to shutdown are created, which can be reviewed by auditors or specialists hired by the auditor. In itself, the logging feature in Linux helps reduce the audit risk. It can further help in searching for suspicious activity by using Computer Aided Auditing Techniques (CAAT), if so desired.
Emulator and Telnet: Linux can emulate Windows NT and Novell servers. This ability should be taken into consideration, however, because password policy is sometimes not enforced in order to simplify the setup of such emulations. This, of course, should increase the assessed audit risk. Similarly, a remote-access service such as Telnet should be disabled if it is not needed. A Telnet-enabled Linux server increases the assessed risk to the audit because internal or external users may gain access to the financial records.
Reliability: Overall, Linux is a reliable operating system. It has good defense mechanisms against intruders, and its hardware compatibility is impressive. The high reliability of this system—especially when used in server mode—helps to reduce further the assessment of audit risk. However, an auditor should be inquisitive about the source of the software: an operating system downloaded from the Internet may be an old or incomplete version, which may pose problems. The best option is to obtain the software from a known commercial software developer or established non-profit organization.
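The System-Administrator and Telnet points above can be checked directly from two configuration files. The following is an added example, not part of the original article: it lists accounts that share root's UID 0 ("root-like users") and reports whether Telnet has an active entry in a classic /etc/inetd.conf. The sample file contents and the function names are constructed for illustration, and the host is assumed to use inetd rather than xinetd.

```python
# Constructed sample /etc/passwd: 'toor' and 'backup' share UID 0 with root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alt admin:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
backup:x:0:34:backup:/var/backups:/sbin/nologin
ledger:x:500:500:GL clerk:/home/ledger:/bin/bash
"""

# Constructed sample /etc/inetd.conf: telnet is active, ftp is commented out.
SAMPLE_INETD = """\
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""

# Shells that prevent an interactive login for the account.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def root_equivalents(passwd_text):
    """Return (name, can_login) for every UID 0 account other than 'root'."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # blank, comment or malformed entry: review those by hand
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            found.append((name, shell not in NOLOGIN_SHELLS))
    return found


def enabled_inetd_services(inetd_text, watched=("telnet",)):
    """Return watched services that have an active (uncommented) inetd entry."""
    active = []
    for line in inetd_text.splitlines():
        tokens = line.split()
        if tokens and not tokens[0].startswith("#") and tokens[0] in watched:
            active.append(tokens[0])
    return active


if __name__ == "__main__":
    for name, can_login in root_equivalents(SAMPLE_PASSWD):
        print(f"UID 0 account besides root: {name} (can log in: {can_login})")
    for svc in enabled_inetd_services(SAMPLE_INETD):
        print(f"remote-access service enabled in inetd.conf: {svc}")
```

On a real engagement the two functions would be given the contents of the client's own /etc/passwd and /etc/inetd.conf, and each UID 0 account found would be traced to a named person and a documented need.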
Summary
Open-source software is available at no cost for users and developers to use or modify as they see fit. In the last three years these systems have become mature alternatives to commercially-developed software and systems. Users should expect high installation costs and reduced maintenance costs, along with high reliability and inter-operability with existing systems and file formats. Linux is the often-cited operating system for open-source software. By using Linux, productivity generally rises, and computing costs are generally reduced. Audit risk for clients may be reduced due to increased reliability, reduced exposure to viruses, and robust logging features.
© Yigal Rechtman 2003. All rights reserved.
About the author
Yigal Rechtman, CPA, is an auditor and information systems specialist at Person & Company, CPAs in New York. He holds a Bachelor’s degree in Computer Science from New York University – College of Arts and Sciences and a Master’s degree in accounting from Pace University – Lubin School of Business. Rechtman served in the Israeli communication corps.
Notes:
1 http://whatis.techtarget.com/definition/0,289893,sid9_gci213030,00.html
2 The Yankee Group. These are partial results.
3 Compass Group.
Published in the New York State Society of CPAs