Microsoft Audit Letter - What You Can and Must Do

Have you recently received an audit letter from Microsoft? If so, you may be wondering what immediate steps you need to take next and how much time you have to prepare.

How much time do you have to react?

It's essential to understand that you have 30 days from receiving the letter to initiate the audit. It may come as a surprise, as the letter may indicate that you need to set up a call within a few days and start providing information to the auditor soon after. But in reality, you have a 30-day window to breathe, gather resources, and prepare for the Microsoft audit.

Do this first

One of the first things you'll want to do is find a partner to help you with the software audit. It could be an experienced team member or an external consultant with experience in this area. They can help you identify the risks and guide you through the process.

Update your stakeholders

This initial step is essential because if the audit goes in the wrong direction and you are found non-compliant, the financial consequences could be significant. Auditors can go back as far as they want, and non-compliance fines can add up quickly. So, it's vital to involve your executive team and ensure they understand the risks.

Take control of the timeline – you can and may

After the initial call with the auditor, there are no calendar stipulations in the agreement. Take your time. You don't have to submit any information or respond to questionnaires immediately. It's necessary to take the time to do it correctly and make sure you're providing accurate information.

Auditors will try to insist on their project plans and timelines. Remember, you are not legally bound to comply with their expectations.

Where can you confirm that this information is correct?

Your Microsoft licensing agreement includes audit terms. 

Most agreements include the Microsoft Business and Services Agreement (MBSA). You'll find the audit terms in the Microsoft Customer Agreement if you procure licences via CSP.

Look for the section called "Verifying compliance".

You'll find that you are only required to comply with the following:

  • Thirty days to allow the audit to start from the reception of the notice,

  • Thirty days to pay the penalties in the end.

Stay calm and take control

When you receive an audit letter from Microsoft, you have 30 days to prepare. Use this time wisely to gather resources, identify the risks, and update your stakeholders. 

And remember, even after the initial call, you can take your time and make sure you're providing accurate information.

If you are found non-compliant, the risk could be significant, as the auditor can go back as far as they want and apply the discrepancy across multiple years.

Work closely with your team, your partners (such as Microsoft Audit Defence experts), and your stakeholders to ensure you're fully compliant and avoid any financial risks.