ALP: I keep hearing about Sarbanes-Oxley in relation to software and don't understand the connection. Isn't Sarbanes-Oxley related to financial disclosure and fiscal reporting?

December 2006

Early in my career, I realized that a securities law practice was not for me. I struggled with the zillion-page disclosure documents that seemed to be all boilerplate. The only thing to keep you awake was the fear of going to jail if you did not adequately disclose certain facts about a company. Therefore I pursued other areas of corporate practice that now include negotiating software and systems related agreements for businesses and providers. I have been all but oblivious to the Sarbanes-Oxley furor that has been occupying the hearts and minds of securities lawyers for the last four years. However, my period of bliss was destined to end.
I had noticed over the last couple of years a significant increase in focus by larger companies on the IT assets of the company and the hiring of software audit companies. Soon I would learn that this was all due to Sarbanes-Oxley, or SOX for short.
Congress enacted the Sarbanes-Oxley Act of 2002 following the Enron and WorldCom scandals. In reaction to Sarbanes-Oxley, publicly reporting companies have focused more intensely on identifying and properly disclosing their material assets, including software and other intellectual property, and have put in place additional procedures to protect the ownership and control of such assets.

Historically, many companies had not involved their lawyers in negotiating commercial IT agreements. IT personnel were responsible for negotiating these agreements, and IT personnel often oversaw the acquisition and transfer of rights in connection with new software developments. In many cases, software was acquired without good documentation and without having all i's dotted and t's crossed.
So for many companies the asset "identification" phase had begun, and these companies were hiring software audit companies at great expense to help document what the company had and from whence it came.
Now is a good time to point out that SOX only applies to publicly reporting companies and to a company's material assets. However, SOX can impact non-reporting companies. SOX has caused buyers of non-reporting sellers to walk away from a deal when the selling company could not provide full information about its commercial IT assets. Also, with respect to materiality, very few companies can now claim that their commercial IT assets are not material. While many companies use third party systems and software under agreements that clearly express the ownership rights of all parties, many other companies had in-house IT personnel who were capable of sophisticated software development and who may have used some open source code or third party code that might have been authorized but was often undocumented.

So this is where SOX and commercial IT converge. 

There is one additional twist to the story, however, and that involves open source code. There are over 50 different open source licenses currently in place, and statistically, the odds are that all in-house software development contains some open source code. Many of the open source licenses contain a requirement that any derivative work (i.e. a modified or revised version of the work) of the open source code be likewise released under the same open source license. The GNU General Public License ("GPL") is the best known open source license that has this requirement. Software released under the GPL has many helpful and desirable applications and as a result is very popular with developers. Therefore, there is a significant concern among publicly reporting companies that certain of their software is derived from GPL software, and thus is not owned by the company, and that the company's use of such software is in violation of the GPL license.
While some legal and IT commentators believe this problem to be widespread and to potentially subject company executives to jail time, other commentators downplay the scope of the problem, stating that the odds of a company not being in compliance with the GPL license are no higher than the odds of non-compliance with any third party license.
While I am not an alarmist, I would advise companies that use GPL open source code to be particularly careful. I have reviewed the license terms of this open source software myself and find them far from clear. In my experience with the GPL, lawyers and developers tend to disagree about what is permissible use of GPL code, especially when linking GPL code to other code or in any way causing GPL code and other proprietary code of a company to interact.
In conclusion, while the SOX issues discussed are primarily the concern of reporting companies, it is a good idea for all companies using third party and/or open source code to ensure that they are in compliance with all applicable software related licenses and agreements. This could avoid a problem in the future in an acquisition context and might avoid a failure of a representation or warranty if the company happens to be a licensor of software. In any case, we all want to avoid thinking about SOX to the greatest extent possible, and rigorous compliance is the way to achieve this goal.