"Within an organization I see very little difference between India
and the rest of the world."
–Jimmy Wu, Client Manager (Enterprise Risk Services),
Deloitte Touche Tohmatsu.
Based in Australia, Jimmy Wu,
Client Manager (Enterprise Risk Services), Deloitte Touche Tohmatsu, boasts an enviable
job profile. This involves software review of security, assets, management and operating
environment for large vendor and user organizations. Some of his major clients include
Microsoft, IBM Global Services, Sony, Procter & Gamble, General Motors and others. A
Bachelor in Economics, Wu joined Deloitte, Taiwan, in September 1993 as a Financial
Auditor. His special understanding of issues involving software and the enterprise made
Jimmy Wu a guest speaker at the Software Asset Management workshop, conducted by NASSCOM
in the capital. In an interview with DATAQUEST, Wu presented an overview of the role played
by Deloitte in vendor and user organizations. Excerpts:
Can you describe your role in
Deloitte?
As you know, my department is called Enterprise Risk Services. We are basically
risk experts and more specifically specialize in IT risk usage. While I specialize in
software management, my group is also involved in co-assurance, co-sourcing, process
systems and we work closely with SAP public relations. We also do a lot of internal audit
for companies. So we cover different types of risks, not just software related.
Who are your typical clients?
We are like an independent consulting firm. This means that anyone who wishes to
use our services can approach us. Typically they say, "we perceive there are some
risks in the company but we are not really sure." So we would come in and say,
"Hey! Okay we will do that for you, for a fixed fee." It could be anyone: a
General Motors, a Procter & Gamble or any Joe down the road or possibly vendors like
Microsoft or Lotus.
What sort of vendor relationships
do you have as part of your business?
The vendor relationships are probably only Microsoft and Novell specific. We get
contracts to do audits or reviews for clients in the region and this involves software
compliance and license assignments. Organizations like NASSCOM and BSA act against piracy,
on behalf of the regulations in their country. They are protecting the interests of all
the members in that association. We come in more on an agreement or contractual basis. In
any organization, there has to be some type of contract between the vendor and the user
organization and that is where we come in. In case we are working for Microsoft or Novell,
we make sure their agreements have been complied with. Every vendor has different
licensing issues. We are risk experts and advise companies the way to go from where they
are now.
What are the various forms of risk
assessment undertaken by Deloitte?
Risk exists in many areas. There are corporate, financial and legal risks.
Internally, there are costs involved
ownership. The estimate from the Gartner Group to run a PC per year is $10,000. And this
includes support cost, education cost and direct cost of purchase. This is a lot of money
for any organization. And what we really try to address at these places is to minimize the
total cost of ownership. We do that through processes, by identifying some tools. It
depends on the situation of the individual company. Large corporations face different
risks, because logistically it is a bigger exercise to maintain their IT environments.
Do you have any global best
practice guide to follow in consulting assignments?
Well, in the generic concepts of software management, the processes and risks are same for
every company. And best practices always exist. There is a best practice guide, a joint
effort between Microsoft and Deloitte on the Microsoft web page. Other consulting firms
also have a best practice guide. The implementation of best practice involves reducing the
total cost of ownership. But, what we are really looking for is to have those processes in
place and operating every single day.
So that there is no watchdog saying 'let's
do this today'. It is a process, which is a combination of efforts between the IT, finance
and administration departments to keep the whole process running and ensure its integrity.
What is involved in a typical
Deloitte consulting assignment?
As you know, IT is a very broad field and there are many, many specializations.
Security may be just one small area but is a very broad field. When you are talking of
internet security, you are talking of internet site server access, your firewall, your
proxy server and your router. When you are talking about access security, you are looking
more specifically at an AS/400 machine or an NT machine or a Novell machine. If you are
talking about security in terms of databases, then you are looking at user access to these
databases. For every application or system, there are different security issues. As a
consulting firm, we specialize in all these things.
So what exactly does an assignment
involve?
At the very end, the vibe is 'the best practice'. A typical assignment would be
to look at a situation, assess the potential risks in the situation and perform tests
before making recommendations for addressing these risks. The risks could be technical,
manual or processes related or whatever.
And these recommendations may not
have anything to do with IT?
That's right.
Yet Deloitte's involvement is
generally because of its IT competency. So how has Deloitte been able to build that up?
There are several aspects to our competency. Deloitte, through its client base, develops a
lot of those skills. And in the background, we have something called the audit system,
which you can liken to a best practice. It is something that Deloitte has based on
statistical background and there are specific methodologies to that. In terms of the IT
skill-set, we do spend a lot of resources on in-house training, where we obtain technical
knowledge of our expertise.
Is this training for all employees
across the organization?
This is for everybody. In Deloitte Australia, my budget at the moment is $3000
per year, which I have to spend. So, I can take any courses as long as it helps my work.
If a consulting assignment involves
some of the latest technology trends, would you be in a position to pass judgement and
give recommendations?
Under the circumstances, we would approach it on the basis of specialization. If the
question is posed to me and it is not my specialization, then it is passed on to someone
in Deloitte who has specialization in that field.
Under what circumstances do you
usually turn down an assignment?
We go ahead with almost any assignment, except one pending a conflict of
interest. We have not only IT consulting but also have financial auditing, tax services,
management services et al. So if it does not conflict with our interests in other areas
and departments, we go ahead. There are two main principles that we adhere to as an
accounting firm, which are independence and confidentiality. If anything jeopardizes our
independence then that is not on.
How is independence explained to
the employees?
The most sticky situation for us to do is a software licensing review. That means to
review one of Microsoft's or Novell's customers for licensing compliance. That would be a
shade of gray on the independence side. A licensing audit involves determining the number
of licenses the customer owns and the number of licenses the customer is actually using
and coming up with the difference. From customers' perspective, here is Microsoft
employing some guy from Deloitte or anyone else in the world to come into our
organization. So in that instance, we want to maintain our independence and say we don't
care how big or how little, we just want to present the true picture of your environment.
So as an independent party, we present a true picture of what is there through our audit
methodologies and our stringent quality assurance within the audit methodologies.
So what do you finally present to
Microsoft or the vendor?
All of our working papers, including what we document and get from the customer
is confidential to Deloitte. Nobody outside Deloitte sees that documentation, including
Microsoft. So Microsoft would employ us to do the review with an objective, which is to
find the difference in licenses and we would tell them the difference in the licenses. But
in terms of our documentation and how we arrived at that, it remains undisclosed.
Considering that China has 99%
pirated software, is there a difference in conducting audits in developed and developing
countries?
Software licensing or intellectual property rights (IPR) is a generic concept around the
world and really the bottomline is IPR. So for big companies anywhere in the world, the
purpose is to make sure that IPR is not abused. The way we arrive at these results may be
different in various countries, but the end results are the same. The real difference is
in terms of the development of IPR laws. India already has very good IPR laws, so to you
guys it is no longer a concern whether it is right or wrong.
So you can go to an Indian company
and demand the right to audit their software.
We don't demand anything. We act on a contractual basis, which means that one day it is
Microsoft, the other day it could be Novell.
So you could also enter an Indian
company for audit?
Yes, you can.
What if the company refuses and
questions your right to audit?
There you go. That is one of the risks, which leads to litigation. This is a
common thing around the region. We go in and the company asks what right do you have to
audit us. The first thing, you
vendor. This agreement allows you to buy software at a discounted price, in terms of
volume licensing. For that pricing there are some conditions attached to it, like product
use and in addition an audit right. So we go in and say this is where we are coming from
and this is the audit clause and Microsoft or any other vendor has the right to hire us.
And Microsoft or any other vendor has the right to take legal action.
What are the other issues with
software licensing?
Software management is not entirely limited to licensing. Some companies also over-license
and they don't even know it. If you buy unlicensed software, there could be lack of
support or problems with the application. And you don't really know what to do since you
cannot talk to the vendor. You are looking at your support costs running high, because the
service calls are becoming longer and longer and the IT environment has become unstable.
Then there is the security risk associated with viruses. So if you don't manage your
software then all these problems arise. For me, as a risk expert, software management is
far more important than licensing.
What is the difference between
Indian organizations and others in the world?
In terms of coverage and exposure to IT, India still has to catch up. In terms of
technology deployment, it is limited by the infrastructure in terms of bandwidth,
telephone lines and other physical limitations. At the moment, I believe there are 200,000
internet connections. In comparison, the usage of internet in Hong Kong and Taiwan would
be extremely high in core businesses. It takes time. It is not a matter of 'let's all get
internet access today'. You have to put infrastructure in place, ISPs have to get their
service going and bandwidth has to be increased. The reliability of the telephone lines
and power has to be there to obtain the same level of IT exposure as anywhere else in the
world. Within an organization, however, I see very little difference between India and the
rest of the world.