Are you prepared for a Microsoft audit?



A Software Asset Management (SAM) process is generally presented by vendors as a tool that helps you keep your software compliance level in check. However, for most customers, SAM has a negative connotation, as it is seen as a check-up by the vendor.

According to Gartner, software audits have grown at an accelerated pace over the last years, as software vendors use them both as a stream of revenue and as a way to stop piracy.
Gartner’s reports also include recommendations for CIOs and IT Managers to invest in Software Asset Management processes and tools in order to abide proactively by the terms and conditions of licensing contracts.

I would also recommend improving the communication and operational flow between the IT and sourcing departments, as it is essential that a procedure exists to track the software asset from the moment of acquisition (financial records) until it is decommissioned.
It is very important to track how a software license was acquired (type of contract), how it is used (installation), the rights to move it between different devices and the financial/legal documents attached to it.

The major vendors (Microsoft, Oracle, IBM and others) have lately made a series of changes to their licensing models, making them extremely complex by using a multitude of metrics (per CPU, per Core, NUP, PVU etc.). As IT environments became dynamic due to virtualization, these changes have had a huge impact on licensing, especially on the number of licenses needed.
The frequent changes in licensing rules, coupled with the lack of a software management and control tool, put companies at major financial risk when they are audited by the vendors.

Below I summarize some important information regarding Microsoft audits:
 
1. Common criteria used for selecting audit prospects:
  • Mergers and acquisitions
In merger and acquisition scenarios, the transfer and consolidation of software licenses between the entities is usually done poorly or not at all. In this case, the new entity is heavily lacking in software compliance.
  • The correlation made by vendors between your acquisition history and your company’s official financial data
This category includes companies that opened an Enterprise Wide Volume Licensing agreement and whose number of licenses is not on par with the economic growth of the company (number of employees, net worth etc.).
  • “Hit them when they are weak”, or while you are getting audited by another vendor
In most cases, companies that are engaged in an audit by a software vendor get “mysteriously” targeted by Microsoft as well.
  • Ongoing Volume Licensing Agreements
If there is significant growth in the number of employees, or there are mergers and acquisitions, during an active contract, but these situations are not reflected in your true-ups, then your compliance will be questioned by Microsoft.
  • Volume licensing contracts that are not renewed
This category includes companies that show no interest in renewing their ongoing Volume Licensing Contract or moving to another type of contract.
  • After a major licensing change occurs
A good example is the change of Microsoft SQL Server licensing. Once the 2014 version was released, a lot of companies that benefited from an upgrade to this version made the upgrade, but found themselves in a non-compliant scenario because of it.



2. Types of Microsoft audits:


Self Audit – is the “easiest” type of audit. In this procedure, audited companies need to create an inventory of their used licenses and send this information to Microsoft. The information will then be verified against the acquisition history to determine compliance.

Software Asset Management (SAM) Engagement – is a preventive type of audit. Microsoft recommends an internal audit with the help of a Microsoft Certified SAM partner. At the end of this engagement, the results are discussed with Microsoft.

The advantages of a SAM Engagement:
  • The cost for the project/audit simulation will be covered by Microsoft;
  • The Microsoft SAM certified partner will bring to the customer’s aid both technical specialists (for roll-out of the technical solutions) and licensing specialists (for compliance assessments and delta clarity);
  • The customer will be able to use this expertise to better understand its license grant and will be helped to establish internal procedures for asset management.

Legal Contracts and Compliance (LCC) Audit – is the most “expensive” audit.

This type of engagement is done by an authorized auditor that will act in the best interest of the vendor. The auditor is legally empowered to examine the licensing proof, to make technical on-site checkups and to supply the results of said audit to Microsoft.

The best audit protection is the implementation of an ongoing Software Asset Management solution, combining a technical solution with licensing expertise, that will keep your company’s software compliance up to date.


3. The stages of a Microsoft audit

A. Kickoff meeting

In this initial stage, the representatives from the auditor contracted by Microsoft (PriceWaterhouseCoopers, Deloitte, KPMG or Ernst & Young) will schedule a meeting (usually a conference call) in order to present the stages of the audit and the timeline.

B. Data collection

The audited company will have to collect a series of IT infrastructure related information that it will have to present to the auditor, such as:
- The hardware configuration of the devices;
- A list of Microsoft applications installed on their devices;
- The users that access these devices and Microsoft applications;
- Proof of licensing (documents).

C. Onsite visit

In this stage, representatives from the auditor will visit the audited company to verify the accuracy of the supplied information and, if needed, to collect additional information.

D. Draft Report

Based on the information collected during stages B and C, the auditor will prepare a delta report (comparative report - ELP) of installed Microsoft licenses versus purchased Microsoft licenses. This report will be sent to the audited company so it can be checked for possible errors and discrepancies.

E. 3 Way Exit meeting

In this final stage, a virtual meeting will be set up with all interested parties of the audit process: representatives of the auditor, representatives of the audited company and Microsoft reps. The auditors will present their final report and will answer any questions regarding it.
After this final stage, the auditor steps out of the picture, leaving the final commercial/legal terms to be negotiated between Microsoft and the customer.


4. FAQ

Is Microsoft entitled to audit private companies?

Based on the conditions listed in the “Verifying Compliance” section of the licensing agreement, the Microsoft Business and Services Agreement (MBSA), Microsoft has the legal right to hire an authorized auditor that will verify the use of software licenses inside a customer’s IT infrastructure, based on the contract.
Most of the Volume Licensing contracts abide by the terms and conditions of the MBSA.

Can companies refuse a Microsoft audit?

By refusing the audit, you are infringing the contractual terms of the MBSA. In this case, Microsoft can cancel all licensing contracts with the customer, leading to the immediate uninstall of all Microsoft proprietary applications. Failing to comply with this will lead to Microsoft suing for copyright infringement.

Is there any risk in providing the auditor/Microsoft with the requested information?

A Microsoft audit is a complex process with many possible outcomes. It requires licensing, technical and legal expertise.
It is recommended that companies request outside help from a consultant who is a software licensing/technical expert.

With help from these consultants, you will get a realistic and correct interpretation of your software licensing grant that will help you stand up to the auditor, resulting in substantial cost savings.

Author: Catalin Iancu