Open-Source Software: Implications for CPAs

Open-source applications—such as Gnumeric, an Excel-like spreadsheet, or Ximian, a desktop organizer that combines features of Palm OS and Microsoft Outlook—cost nearly nothing to install. In fact, they are freely available for download from the Internet. The developers and distributors (not resellers) of the software hope that users will buy other things when they actually start using the product. Although open-source applications and systems installation is a mature process, and intermediate-level users should encounter few difficulties, there are still consulting opportunities when a system is installed.

Open-source software developers are many and varied. The original developers were programmers that tweaked existing applications in order to add features they wanted. Most of their work was done on their own time, but often used corporate resources. Other programmers, such as academics and students, added research-oriented features or invented new ones. Today, these pioneering open-source developers have been augmented by commercial developers and consulting firms. This is not a small group. Developers of open-source software span the world and communicate their code changes through websites, newsgroups, and e-mail. Because open-source code is free, the Internet’s one-to-many structure makes publishing it a natural growth sector in software development.

Three factors make open-source software free. First, as discussed above, the software developer or distributor hopes to open the door to consulting work. This may not be a perfect business model, but it actually works: Red Hat software and IBM, two open-source software distributors, have done well selling consulting services related to the software they are giving away. Even Microsoft has used this strategy, with its Windows CE software. The common wisdom is that Microsoft is making this operating system available for modification in markets it does not dominate, so that it will be more attractive to telephone manufacturers with particular customization needs.

Second, open-source software developers hope for an “up-sale” of their products. For example, when a customer buys a home-office scanner, often the scanning software included in the package is the “light” version of better commercial software. Software product up-sale is a known technique that ensures consumer brand loyalty. Although software distributors cannot sell their existing product under the open-source license, up-sale of custom software sometimes follows a standard installation.

The final factor that makes open-source software free is copyright protection. Commercial software sellers find that their software is frequently bootlegged, resulting in significant lost revenues. Open-source software developers avoid this problem because their software is free. The copyright nonissue has a small risk associated with it: Occasionally, downloaded versions of software are out of date and have known deficiencies. Users are well advised to download open-source code only from known distributors’ websites.

The Buyer’s Side

As a business’ computer hardware ages, it requires replacement. Typically, a license for new software is purchased along with new hardware. In the fall of 2002, the dominant maker of operating systems and software, Microsoft, revised its end-user license agreement such that users now “rent” a license rather than buy it. Whatever the phraseology used, software users have increasingly concluded that Microsoft is determined to restrict licenses and raise prices for its products. The response to Microsoft has been varied: According to the Yankee Group, some businesses (50%) simply delay additional purchasing, others do it grudgingly, and still others consider other alternatives, including open-source software.

Another compelling business reason to use open-source software is the increasing expense of help desk calls. These calls, whether in-house or to an outside service, have risen in cost from $12 to $22 per call between 1998 and 2002 (Compass Group). In 2002, the average downtime of Microsoft servers has been over 10 hours per year, while Linux servers have averaged about 2.5 hours downtime per year.

Usefulness of open-source software. From the author’s observations over the last four years, users are unsure of open-source’s usefulness and availability. Both concerns have crystallized primarily around Linux. Although Linux is an operating system and not an application, most open-source applications run on it. The most common such applications are: StarOffice, a suite of desktop applications similar to Microsoft Office; Ximian, a desktop organizer; Gnumeric, a spreadsheet; AbiWord, a word processor; and Netscape, an Internet browser and e-mail client. Linux servers can be used as standard file and print servers, NT-emulating servers, Novell-emulating servers, and firewalls. For in-house hosting needs, Linux has several excellent web, e-mail, and FTP server applications; in fact, the majority of the Internet’s web servers run on Linux.

For typical users in small offices with general-purpose applications, or larger organizations with departmental needs, Linux servers and desktops are very reliable. In addition, because Microsoft’s products are ubiquitous, most Linux applications are designed to allow seamless interchanges among the various Word and Excel formats. The overall result is that these packages have been tested in the marketplace for more than three years and have proved to be serious alternatives to Microsoft products, with significant cost advantages as well.

An interesting development has been the number of “monopoly-fearing” governments that have started to look for alternatives to Microsoft products. Linux is attractive in this regard because it is not the product of any single country, is delivered without export restrictions, and requires no hard currency to obtain. Domestic not-for-profit and government entities, such as schools, libraries, and agencies, find that Linux’s availability and low cost are attractive features in times of budget cutbacks.

Generally, a well-configured Linux server or workstation runs very smoothly and reliably. The downside is the cost associated with Linux in its setup. If a company’s computer staff is familiar with Unix—the decades-old operating system on which it is based—Linux should be relatively easy to set up. A sophisticated desktop user may also be able to install it using default settings, with little help. Most consultants, however, charge high fees for customized installation, and although the software is free, the installation is often not cheap.

Auditing and Accounting

There are no special accounting issues related to open-source systems, but the open-source alternative requires specialized knowledge. Although most installations are easily done, it is a good idea to ensure accuracy from the start. A second pair of professional eyes looking at the work can be invaluable, especially the first time the system is installed. Hired professionals will obviously have a cost; however, the advantage is that other costs are generally low. Recycled hardware is often used (especially for file and print servers), and, of course, the license itself is just the cost of distribution (normally less than $100). Troubleshooting, though rare, can be costly.

The learning curve for using open-source software is steep. Linux desktops and servers have graphical user interfaces (GUI), so they are point-and-click, just like Windows. Older computers can be used because Linux is very efficient. Linux is 1.5 times the speed of Windows in workstation mode, and 2.0 times in server mode.

As discussed above, open-source software is mature and reliable and can read and write to many file formats, including Word, Excel, Lotus, WordPerfect, and everything in between. General-purpose applications look, feel, and work the same as Microsoft applications. Others are intuitively easy to use, such as Netscape Navigator and Composer, as well as Ximian’s Palm-like software. In short, it is easy for typical computer users to move to open-source applications.

Audit risk. As with any operating system and software, audit risks can be affected by the manner in which systems are installed and used for accounting applications.

The Linux operating system, and open-source applications in general, are affected by very few viruses. In part this is because, unlike Windows, there are no macros or executables in Linux that can be automatically run. If a virus is included in an e-mail or a file, it has to be manually extracted from the file and run by the user. This is a major security advantage.

In Linux, as in Unix, the system administrator—the individual responsible for the entire system and for those using it—works in the system “root.” If the root password is known to many users, or if there are users with root-like privileges, the system is completely open to them. A prudent auditor should at least understand who uses root-privileged accounts and how.

Internal monitoring and logging is a built-in feature of Linux. Logs for almost every activity from start-up to shutdown are created, and can be reviewed by auditors or specialists hired by the auditor. The logging feature in Linux helps reduce audit risk. Logs can aid in searching for suspicious activity in conjunction with computer-aided auditing techniques (CAAT), if so desired.

Linux can emulate Windows NT and Novell network servers, albeit generally using less-strict password controls. This would increase the assessed audit risk. Similarly, a remote-access service such as Telnet, which might make it easier for unauthorized users to access important company data, should be disabled if it is not needed

Overall, Linux is a reliable operating system. It has good defense mechanisms against intruders, and its hardware compatibility is impressive. The high reliability of this system—especially when used in server mode—helps reduce the assessment of audit risk. However, an auditor should be inquisitive about the source of the software; an operating system downloaded from the Internet may be an old or incomplete version. The best option is to obtain the software from a known commercial software developer or an established nonprofit organization.

In the last three years, open-source software has become a mature alternative to commercially developed systems. Users should expect high installation costs and reduced maintenance costs, along with high reliability and interoperability with existing systems and file formats. Audit risk may be reduced due to increased reliability, reduced exposure to viruses, and robust logging features.

Yigal Rechtman, CITP, CISM, CPA, is partner and information technology specialist at Person & Company, LLP, CPAs, New York City. Amanda B. Chaloupka provided assistance as a technical editor to this article.