Microsoft Audits

What is a Microsoft Audit?

A Microsoft Audit is a check of whether a company's use of Microsoft software matches the licenses it has purchased. Despite the name, Microsoft does not perform the audit itself; it hires a third-party firm to do so. The external auditors establish whether the company uses Microsoft software in a way that complies with its licensing agreements. If the auditor finds discrepancies or unexplained deployments, the audited company may have to justify them and present proof of purchase. The discrepancy that matters is a mismatch between licenses purchased and licenses in use where usage exceeds entitlement: under Microsoft's licensing terms, a company may use at most the number of licenses it has purchased. Every audit is different, because companies have different licensing infrastructures, so there is no single definition of all the processes a Microsoft Audit includes. Although the procedures vary, a few standard steps have been disclosed by Microsoft and by companies that have been audited.

The process depends on the type of audit (see below). In the most general order, an official letter is first sent to the company informing it about the audit and its purpose. The company can then schedule a meeting with a Microsoft representative to voice any questions or concerns; in this meeting the auditors also provide the audit's timeline, processes and expected outcomes. The next step is data collection by the third-party auditor, which may include an on-site visit for an adequate evaluation. After the data gathering, the auditors present a report with their findings, recommendations and relevant context. These reports often contain mistakes, because the auditors lack in-depth knowledge of the company's internal processes and licensing decisions. At this point the audited company can address any miscalculations or misinterpretations and provide additional context or legal documents. A final audit report is then presented to Microsoft. Formally, Microsoft treats the company as compliant until the report shows otherwise; in practice, the burden of documenting each deployment rests with the company.

Types of Microsoft Audits

There are three general types of Microsoft Audit. The most common is the Self-Audit, followed by the Software Asset Management (SAM) Engagement. The strictest is the License Contracts and Compliance (LCC) Audit.

The Self-Audit usually requires the audited company to collect its purchase records and product keys for the software in use and present them to Microsoft. Its purpose is for the company itself to demonstrate compliance with its licensing agreement.

The SAM Engagement is conducted by a third party, usually a Microsoft SAM partner, and its cost is normally covered in full by Microsoft. The audited company receives a recommendation on the correct licensing for its software. Participation is voluntary, but a declined SAM Engagement can be followed by a formal audit.

The strictest type is the License Contracts and Compliance (LCC) Audit. It typically follows a company ignoring or declining Microsoft's request for a Self-Audit or SAM Engagement, and it can also be invoked directly under the audit clause of the company's volume licensing agreement. Because it is contractually binding, the LCC Audit is formal and can lead to legal action. LCC Audits usually produce additional sales for Microsoft, since the audited companies are found to be under-licensed. In the worst case Microsoft builds a legal case against the company to obtain financial compensation, ranging from contractual penalties to litigation. The far more common outcome is the purchase of the missing licenses mentioned above.

Why does Microsoft perform Audits?

Microsoft can initiate an audit at any time, including at random: any company using Microsoft licenses may be audited at some point. Audits are a regular check by Microsoft to establish whether a company is legally using its software. The main objective is to verify that the number of licenses in use is matched by licenses with proof of purchase. The licensing of all software, users and devices is examined as well.

If Microsoft has reason to believe that a company is not complying with its licensing agreement or is using software illegally, that company will most likely be audited. An audit can be triggered by several factors, such as unusual software usage patterns. Another trigger is a recent purchase or renewal, where the audit checks whether the amount actually deployed is covered by the licenses bought. Companies that have recently merged with or acquired another enterprise may also face an audit, because consolidation often leaves deployments under-licensed through confusion.

What does the Auditor check for during a Microsoft Audit?

Third-party auditors are hired by Microsoft to gather data about the investigated company's software use and provide it to the software manufacturer. Auditors are expected to remain unbiased towards both Microsoft and the audited company, but in practice the burden of proof lies with the company: any deployment without documentation is counted as unlicensed, and in case of ambiguity or mismatch the auditors tend to lean towards Microsoft's reading. After examining the data and licensing proofs, the auditing firm presents a final report to both the company and Microsoft. This is not Microsoft's final decision. If the company does not agree with the auditor's report, it can dispute the findings by providing the missing context or documentation.

How to prepare for a Microsoft Audit?

When notified of an upcoming Microsoft Audit, companies usually conduct an initial internal "audit" by counting the software in use and gathering the corresponding proofs of purchase. Companies also prepare by consistently keeping their purchase documents and proofs of purchase in an organized database. After receiving the audit letter, companies are advised to count all virtual machines, physical servers and User/Device CALs, and to reconcile those counts against their entitlements before the auditor does. Large organizations run a Software Asset Management programme to stay compliant with Microsoft's rules on an ongoing basis.

In which cases can you fail a Microsoft Audit?

One of the most common reasons for failing a Microsoft Audit is inadequate knowledge or understanding of the license agreement. A company's licensing position can depend on context, for example a use right that applies only under particular conditions. Since auditors lack knowledge of each company's specific context, they cannot take it into account. Companies that license software on the basis of such circumstances therefore need to provide the background and documents that support their licensing choices.

Another reason a company might fail its audit is a calculation error. Auditors usually use Excel to gather the data and calculate the licenses required, and mistakes can creep into that process. Companies are therefore advised to check the auditors' data critically and raise any disagreements or miscalculations.

Apart from mistakes by the auditors, companies can themselves be responsible for wrong inventory data. Whether intentional or not, a disorganized Active Directory can lead auditors to collect the wrong figures; outdated, incomplete or poor-quality inventory data has the same effect. Test environments and development systems not tracked in the software inventory can also misrepresent actual usage and, in turn, distort the auditors' report. In the event of an audit, companies therefore usually conduct an internal "audit" of their hardware and software inventory to prepare and organize it for the auditors.
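The internal inventory described in the preparation section and in the paragraph above can be started from Active Directory. The following PowerShell is an added example written for this page, not a script from Microsoft or from any auditor. It assumes the ActiveDirectory module (RSAT) is installed on a domain-joined machine with read access to the directory; the service-account OU path and the entitlement figures are placeholders to be replaced with the organisation's own records. It separates servers from clients, sets stale objects aside so they can be cleaned up or explained rather than counted as deployments, counts recently active users as the starting figure for User CALs, and reconciles the results against purchased quantities. The server figure is an instance count only; per-core licensing of Windows Server still needs the virtual-to-physical mapping from the hypervisor inventory.

```powershell
# Added example for this page, not a Microsoft or auditor script.
# Assumes: ActiveDirectory module (RSAT) installed, run on a domain-joined
# machine by an account that can read the directory. The OU path and the
# entitlement figures below are placeholders.
Import-Module ActiveDirectory

$staleAfter = (Get-Date).AddDays(-90)   # no logon for 90 days counts as stale

# 1. Enabled computer objects, with the attributes needed to classify them.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, LastLogonDate

# Stale objects inflate any count taken straight from AD; keep them separate so
# they can be explained or removed rather than licensed.
$staleComputers = $computers | Where-Object {
    -not $_.LastLogonDate -or $_.LastLogonDate -lt $staleAfter
}
$staleDNs = @($staleComputers | ForEach-Object DistinguishedName)
$live     = $computers | Where-Object { $_.DistinguishedName -notin $staleDNs }

$servers = $live | Where-Object { $_.OperatingSystem -like '*Server*' }
$clients = $live | Where-Object { $_.OperatingSystem -notlike '*Server*' }

# 2. Enabled users with a recent logon: the starting figure for User CALs.
#    Service accounts kept in a dedicated OU are excluded (placeholder DN).
$serviceOU = 'OU=Service Accounts,DC=example,DC=local'
$activeUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { $_.DistinguishedName -notlike "*$serviceOU" -and
                   $_.LastLogonDate -and $_.LastLogonDate -ge $staleAfter }

# 3. Purchased quantities from the organisation's own records (placeholders).
$entitlements = [ordered]@{
    'Windows Server instances' = 40
    'Windows client devices'   = 600
    'User CALs'                = 550
}
$deployed = @{
    'Windows Server instances' = @($servers).Count
    'Windows client devices'   = @($clients).Count
    'User CALs'                = @($activeUsers).Count
}

# 4. Reconciliation: a negative Gap is the shortfall an auditor turns into a purchase.
$report = foreach ($item in $entitlements.Keys) {
    [pscustomobject]@{
        Item      = $item
        Purchased = $entitlements[$item]
        Deployed  = $deployed[$item]
        Gap       = $entitlements[$item] - $deployed[$item]
    }
}
$report | Format-Table -AutoSize

# Objects to clean up or explain before the auditor collects data.
$staleComputers | Select-Object Name, OperatingSystem, LastLogonDate |
    Sort-Object LastLogonDate | Format-Table -AutoSize
```

Run it from a management host before the auditor's data collection. The first table gives purchased, deployed and gap per item; the second lists the stale computer objects that would otherwise be counted as live deployments, which is exactly the outdated-inventory problem described above. Test and development machines should be tagged (for example in a dedicated OU) so they can be filtered the same way as the service accounts.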

A company with more installations than its proofs of purchase cover will also fail a Microsoft Audit. Provided no licensing rules have been breached and a proof of purchase (e.g. an invoice) is merely missing by accident, the company has the right to supply it later. Accepted proofs of purchase include Software Assurance records, the Microsoft License Statement, OEM licenses and invoices. During an audit, companies do not need to provide every type of proof: as long as a legal document or a single proof of purchase supports the number of installations in use, the company has little reason to fail. Following the general rules and the specific conditions set in the license agreement will result in a passed audit.

What are the consequences if you fail a Microsoft Audit?

If a company does not comply with Microsoft's licensing agreement, or fails to prove that it does, it can face several consequences. It may receive fines and penalties, and where applicable Microsoft may take legal action over the illegal software use. Besides paying those fines, the company may be required to become compliant by purchasing the licenses for which no proof of purchase exists. Companies that have failed a Microsoft Audit also report reputational damage.