How to Prepare for a Microsoft Audit
IT Security IT Support

How to Prepare for a Microsoft Audit

The prospect of being audited by Microsoft for software license compliance is enough to bring even the most law-abiding business owner out in a cold sweat.

Microsoft has gained something of a reputation for being one of the more aggressive license auditors out there (along with IBM and Oracle) and unless you are in firm control of all those CALs, OEMs and VLKs, they can easily balloon out of control and leave you panicking to match up licenses with products.

This article will help you to prepare for your upcoming audit, whether you have received a Software Asset Management (SAM) incentive program invitation or a license compliance verification notification. But what is the difference between these two approaches?

Microsoft SAM incentive programs v license compliance verification

If you have been invited to take part in a SAM incentive program, you can relax a little bit. This is a voluntary program with a flexible format. Through it, Microsoft aims to help businesses to gain insights, manage their compliance and use software licensing more productively. The program is based on industry software asset management standards and offers businesses a 360 degree view of their entire IT infrastructure.

The SAM program, which is run by SAM Certified Partners, offers recommendations on setting up SAM policies to effectively manage assets and licenses, reducing the risk of future non-compliance.

If you are over-licensed, the SAM program can even save you money by highlighting the unnecessary spend and suggesting more economical licensing arrangements.

On the other hand, if you have been issued with a license compliance verification notification, this is a mandatory licence and contract compliance program and a more serious matter.

The aims are to help businesses to achieve and maintain compliance and to protect Microsoft’s IP. To launch an audit, Microsoft will need to invoke your Volume Licensing (VL) agreement. Unlike a SAM program, under-licensing or non-compliance can lead to fines.

A license compliance verification is a professional audit that can only be carried out by an independent, internationally recognized CPA or an authorized trade body such as the BSA.

6 Steps to Prepare For Your Microsoft Audit

Although the BSA, back in 2018, estimated that 37% of businesses used unlicensed software, this is not always deliberate piracy.

Many business owners fall foul of the rules because software licensing is notoriously complicated. The licensing agreements themselves are not always clear, the IT environment of most businesses is complex and reconciling the number and type of licenses with their respective clients, workstations, devices or server cores can cause a headache.

The real solution is proper IT or Software Asset Management (ITAM/SAM) but this is not going to help you if the auditors are expected in the next few days. What will help you is this 6 step preparation process:

  • Get some external help.
    If you are a Houston business, you don’t have to go through a Microsoft audit alone. Contact PennComp for specific advice about your upcoming audit or to find out how we can help you with your overall IT asset management.
  • Take an inventory.
    Make a record of all physical and SaaS Microsoft products and services you have bought or signed up for (including ‘shelfware’ – those products that are still in their cellophane). Remember to include anything featuring the brand names Windows, Office, Outlook, Skype, Teams and Azure among others. For each piece of software, record whether it is under an OEM licence (tied to a specific device) or under open license (transferable between devices). Note down all of your workstations, servers, off-network devices and any device or system with an autonomous system number (ASN). Where software is hosted on a server, or on the cloud, and can be accessed remotely, check that all users are covered by a Client Access License (CAL). This includes database servers such as SQL Server. While automated SAM software can help with creating an inventory, be aware that these often miss out CALs and can struggle where virtualization is concerned.
  • Prepare all license documents.
    Gather together all documents related to entitlements and licenses, including Certificates of Authenticity (COAs), product keys, purchase records and VL agreements. If you obtain some of your Microsoft software through a third party, you will need to ask them to send you the documentation. It often helps to organize products and services by billing method (e.g. whether they are billed by seat/user, workstation or server core, etc.)
  • Match and identify anomalies.
    Next, match every product installation and instance with its proof of purchase. Investigate any discrepancies between purchase orders, ANSs and invoices. This will help you to determine whether you have been complying with your license terms or not. Be particularly careful with CALs because the fines for software access by unlicensed users can be harsh, sometimes up to four times the licence value for every unlicensed user.
  • Evaluate compliance status.
    Decide whether you are fully compliant or under-licensed. If you are under-licensed, refer to the Compliance Verification section of your VL agreement for guidance on how you can draw up a remediation plan. This will normally involve paying Microsoft a ‘true-up’ to bring your licensing arrangements in line with your usage. If your unlicensed activity is less than 5% of your total licence expenditure you may be spared a fine. If you intend to negotiate or dispute your remediation, consider contacting an attorney.
  • Adjust software usage (if necessary).
    Whether you decide to purchase additional licenses or remove software from devices, be open with Microsoft. If you try to hide your non-compliance their action may be more punitive.

What Would Trigger a Compliance Audit?

Officially, Microsoft says that license compliance verification is organized using a programmatic approach and is limited to a small number of customers every year. For businesses under a VL agreement, Microsoft normally reserves the right to audit annually after providing 30 days’ notice. In practise, most businesses won’t be audited as frequently as this.

Select, Open and Enterprise Agreement customers should expect to be audited at least once every three years though.

However, industry insiders claim that certain business events are likely to trigger a license compliance verification notification outside of this schedule.

One of the surest ways to attract an audit, according to these insiders, is to demonstrate rapid growth. Microsoft is aware of the number of software licences you have and will expect to see these increase in step with your headcount.

Another likely trigger is refusing a voluntary SAM incentive program invitation.

Other events which may trigger a license compliance verification notification include:

  • Reduction in rate of new licenses when compared with your previous purchase history
  • The removal of software from servers (a common obfuscation tactic)
  • Infrastructure growth (e.g. server build-out with additional processor cores added)
  • Virtualization (misconfiguration can lead to license breaches)
  • Mergers and acquisitions
  • Zero Sum True-Up form discrepancies following a self-assessment (e.g. fewer licenses than headcount would suggest)
  • Change to Microsoft’s business model (e.g. there was an increase in audits when Microsoft launched Office 365)

Once your ordeal is over and you have hopefully avoided penalties, make sure you take the opportunity to set up (or shore up) your ITAM or SAM policies so that you can receive future auditors without so much as a bead of perspiration.