Step Two
Consult specialists for current approaches to audits and governance
Engaging Specialists
Every governance project should begin with an initial audit of the existing code base. This provides a baseline from
which to measure future changes to the code base. The audit determines whether an organization uses open source software at all,
and if so, where. In most cases, an audit shows that more open source is being used than originally thought.
However, developers may not be able to recall the origins of all the components in use. So, except to identify source files in the build
tree, developer interviews and questionnaires should be kept to a minimum. A far better approach is to perform an automated scan using a
professionally developed tool. An automated code scan is more objective, more timely, and more cost effective. Above all, an automated
code scan is more thorough. Once the scan results are in hand, it is appropriate to discuss them with the developers. This approach
is both effective and constructive.
At a minimum, the first formal audit and any annual audits should be outsourced to specialists with the expertise and tools to
perform a source code audit. The goal of the audit is to provide management with an independent and objective view of the
organization's use of open source. Having no inherent conflict of interest, an outside auditor is able to fill this role.
Likewise, with the support of outside specialists, the compliance team will feel much more confident in reporting to
management any circumstances that may pose a risk.
In addition, audit specialists can recommend, as appropriate, improvements to governance processes and controls. This may
include a scan for proprietary software snippets.
Finally, as legal specialists, both in-house and outside counsel can be invaluable in training developers on copyright law
and licensing issues. Counsel should give developers regular updates about confidentiality, copyright and licensing issues.
But they should avoid legalistic and theoretical debates. Their time is more productively spent identifying rules and demonstrating
appropriate use patterns for open source components and related licenses, helping engineering management and developers make better
licensing decisions on their own.
Step Three