
Sarbanes-Oxley and Open Source

By Sue Ross
January 29, 2008

If you use software and work for or with a company subject to Sarbanes-Oxley ('SOX'), then 2007 was an interesting year for you.

How interesting?

I'll raise some issues arising from the intersection of the topic of software use and SOX from last year to help you keep to a minimum the risk that 2008 will be an interesting year in some very bad ways.

SOX and Open Source:
How They're Related

Although many people likely would not use SOX and open source in the same sentence, two significant events affecting these issues occurred in 2007 less than 48 hours apart:

  • On June 27, the Securities and Exchange Commission ('SEC') issued guidance on SOX and internal controls; and
  • On June 29, the open-source license known as the GNU General Public License (or 'GPL') Version 3 was released.

You might also recall the headlines in September and November about lawsuits being brought against four companies for allegedly violating the GPL by not making the source code to an open-source software component of their products available. Although none of the lawsuits led any of the affected parties to file an 8-K with the SEC, the use of some open source can raise issues under SOX.

Background

What is Open Source?

Open-source software has source code (the human-readable part of the computer code) that is available to everyone, to use or to modify. The software is commonly free. Open-source software is subject to a license agreement that describes how you can use the code, along with various disclaimers and, sometimes, additional restrictions. There are a large number of open-source licenses, ranging from simple half-page 'as is'-type licenses to multiple-page licenses governing how to use the code and the effects on intellectual property that changing the source code can have.

Why would anyone use open source software? Any IT person will tell you that the ideal IT project has the following characteristics:

  • Unlimited funding;
  • No time deadline;
  • An unlimited number of programmers available;
  • Availability of commercial software that perfectly fits the project's needs; and
  • Instant procurement of that software.

Reality, however, tends to fall short on most of those characteristics, making open source an attractive option because it frequently:

  • Is free;
  • Is available right now (upon downloading);
  • Includes code that has probably been reviewed by other people who have located and fixed any bugs; and
  • Can be modified to meet any unique needs.

Unfortunately, the downside is that open source software also:

  • Is not very user-friendly;
  • Needs to be maintained just like any other software (which expert or company gets a call if a problem occurs?);
  • Could create security holes;
  • Is typically licensed on an as-is basis, leaving certain legal risks; and
  • Can result in a company's losing the value of its own intellectual property.

These characteristics, especially open source's frequent user-unfriendliness, can raise SOX concerns for publicly traded companies using open source. Despite the risks, open source is likely to become more prevalent in the next few years. Research firm Gartner Inc., for instance, estimates that by 2011 at least 80% of commercial software will contain significant amounts of open source code.

Background

SOX

Enacted to address the accounting scandals of Enron and other ethical and legal lapses in the business world, the law formally named the Public Company Accounting Reform and Investor Protection Act of 2002 is more commonly referred to by an abbreviated combination of the names of its sponsors, former U.S. Sen. Paul Sarbanes (D-MD) and former Rep. Michael Oxley (R-OH): SOX.

Among the many provisions of SOX, two provisions focus on publicly traded companies maintaining the internal controls necessary for integrity of financial-statement information: Section 302 and Section 404.

Section 302 requires publicly traded companies to have internal procedures designed to provide accurate financial statements, and requires officers to certify their internal controls to that effect.

Section 404 requires publicly traded companies to provide a report containing an assessment of the 'effectiveness of the internal control structure and procedures of the issuer for financial reporting' in accordance with SEC rules.

The SEC rules define 'internal control over financial reporting' to include 'reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.'

The SEC's June 2007 guidance focused on Section 404, and is based on two general principles:

1. '[M]anagement should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner'; and

2. '[M]anagement's evaluation of evidence about the operation of its controls should be based on its assessment of risk.'

Publicly traded companies cannot simply delegate these obligations by outsourcing significant processes to third parties. In addition, if a publicly traded company outsources a significant process that relates to controls affecting its financial statements, management is required to obtain assurances about the controls in place for that service organization. The SEC's June 2007 guidance states that if management is unable to determine the effectiveness of the service organization's controls, then 'management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR [internal control over financial reporting] is not effective.' Consequently, SOX can affect even companies that are not publicly traded, if they work with publicly traded companies.

Violations of SOX are deemed by statute to be violations of the 1934 Securities Exchange Act, and can bring a variety of penalties. Penalties can range from fines to freezes on certain payments to management to $5 million and/or 20 years' imprisonment for 'willfully' certifying a SOX-required statement while knowing that the statement does not comply with SOX requirements.

Open Source and SOX:
The Good News

Many publicly traded companies use open-source software for a variety of tasks, some of which will have little or no impact on internal controls over financial reporting. In addition, many open-source licenses grant permission to use the software on an as-is basis but with few restrictions, so many publicly traded companies may conclude that there is little risk to the company from using open source. Note also that many companies do not use or change the source code, but simply run the software.

A few open-source licenses specifically permit the user to incorporate and distribute the open-source software along with the user's own code, with no impact on the user's code except to require that the open-source code license governs the open-source code and must be included with the user's code. An example of this latter type of license is the License Agreement for Use of Interactive Financial Report Viewer Source Code, from open-source licensor the U.S. Securities and Exchange Commission (available at www.sec.gov/spotlight/xbrl/xbrlnewerlicense.htm). In short, many publicly traded companies will likely treat open-source programs in the same manner as commercial third-party software for SOX purposes.

Open Source and SOX:
The Bad News

On the other hand, because open-source licenses are typically licenses on an as-is basis, publicly traded companies electing to use the open-source software could face an increased risk of an intellectual-property infringement claim. Unlike most third-party commercial-software licensors, an open-source licensor typically does not provide any indemnity for infringement of third-party rights (although third-party service organizations may do so), leaving the user with an infringement risk. Also, because open source is usually available for downloading from a Web site with no licensor obliged to provide updates, maintenance or troubleshooting, publicly traded companies need to evaluate the risk that the software will not be operational, and the impact that failure could have on internal controls over financial reporting. Therefore, some publicly traded companies may want to include a 'risk factor' entry in their 10-Ks and other disclosures to cover these points.

A few open-source licenses, such as the GPL, pose some additional risks to publicly traded companies, depending on how the companies use the code. Like most other open-source licenses, the GPL permits users to alter the code in any way they see fit, but if the user conveys that altered code to anyone, then all altered versions of the software must be licensed under the GPL and contributed back to the open-source software community. What makes the GPL special is its requirement that the GPL's terms apply to other software that the user incorporates with the GPL-covered software, governing 'the whole of the work, and all its parts, regardless of how they are packaged.' This feature of the GPL is sometimes referred to as the 'viral nature' of the licensing agreement. If a publicly traded company is in the software/technology business, the 'viral nature' of the GPL could cause the company to have to distribute its proprietary technology at no charge if the company has combined its proprietary technology with GPL-licensed code in a certain way.

The GPL also prohibits a user from:

  • Imposing a license fee or patent royalty for use of the combined product; and
  • Making any patent-infringement claim as a result of use of the combined product.

In addition, the GPL automatically grants all users a worldwide, royalty-free patent license to 'make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.'

In other words, the viral nature of the GPL could mean that the publicly traded technology company's most valuable assets must be made available to anyone at no charge. Using GPL-licensed code might be considered a risk factor by some companies for purposes of 10-Ks and other disclosures. If the GPL's effect is to require that a company's intellectual-property assets must be made publicly available at no charge, then their value as indicated on the publicly traded company's financial statements must accurately reflect that fact.

Publicly traded companies outside the traditional technology sector must also be aware of the GPL, because an increasing share of their intangible assets consists of trade secrets and intellectual property.

If a publicly traded company is not in the technology business, for example, then IT is more likely to be viewed as an expense rather than a revenue generator, and so the existence of the open-source licenses used may be more difficult for management and in-house counsel to discern. Nevertheless, the viral nature of the GPL could have a surprising effect on asset valuations reflected in financial statements of these non-technology companies.

To-Do's

The use of open source software may have no impact on your company's financial statements or it could have the effect of devaluing several important assets. Below are a few to-do's designed to help determine the impact of open source on your company:

1. Find out how much open source is already in your company:

  • Ask the head of IT.
  • Ask your programmers.
  • Ask your consultants.
  • Ask your vendors.
  • Conduct an open-source audit (preferably under the auspices of a law firm, given the litigation risks).

2. Your company should establish an open-source policy that addresses:

  • Whether there are certain types of open-source licenses that you will:
    1. Always deem appropriate for use;
    2. Never deem appropriate for use; or
    3. Deem appropriate for use only after a review process (who takes part in the review process: law, security, IT?).
  • Whether the open source will be used only internally.
  • Whether the open source will be used as a tool, that is, used to build software but not remaining part of the finished code.
  • Whether it will be used with your intellectual property.
  • Whether commercial alternatives are available.
  • Who will be responsible for maintaining and fixing the software.

Is open-source software a SOX issue for your company?

The answer may be 'Yes' or the answer may be 'No,' but one answer you should not give is, 'I don't know.'


Sue Ross is senior counsel with Fulbright & Jaworski's New York office. She has extensive experience with technology and technology contracts. She also handles U.S. privacy matters, including security-breach laws, Gramm-Leach-Bliley and HIPAA. e-Commerce is among her areas of concentration. She can be reached at [email protected].
