
Microsoft Audits Survival Guide - 2024

Microsoft audits are still a fact of life. They are still here and most probably won't go away anytime soon.

In the past, Microsoft made a lot of noise about audits. It used very subtle threats to perform an audit or "SAM Assessment" to "persuade" customers to move in a specific commercial and technological direction.

Today, Microsoft has matured in its process and tone, with audits used as a standard operational process to uphold its intellectual property rights and validate compliance where needed. It's no longer a tool used by account teams but mainly triggered by artificial intelligence algorithms that scan thousands of customer licensing data points and look for anomalies to indicate compliance issues.

So, if you receive an audit letter, the good news is that it's not personal. The bad news is that it will be a lengthy and costly process.

If you are a Service Provider, please read our guide on Service Provider Audits instead.

Stated goal: To verify compliance and protect intellectual property rights.

Reality: More often, to lure you into a new deal on their terms.

What is a Microsoft audit?

A Microsoft audit is a way to ensure you follow the rules and guidelines set by your agreement with Microsoft, such as the Enterprise Agreement or an alternative licensing program like CSP, Open, MPSA, or Select.

Types of Microsoft audits: License Review, Microsoft SAM, Self Audit, Independent Auditor

The initiation of an audit starts with an email/formal letter that the primary contact within your company receives. It is followed by a request for a formal kick-off call with Microsoft and the auditor. After that, the auditor takes full responsibility for the process, with Microsoft moving to the backend until the auditor submits the final results.

Microsoft only invites certain companies, called "independent auditors," to perform software audits. These companies are usually part of the "Big Four" accounting firms: EY, PwC, KPMG, or Deloitte.

The entire idea of a volume license audit is to gather information regarding your installed software regardless of its use and compare it to your licensing records, thus establishing your "license compliance". It is as simple as that (or maybe not, as we will see in the following guide).

Once the auditor provides you with a final effective licensing position report (ELP or LPR), Microsoft re-engages and moves to close the audit. The closure process is your second chance to mitigate the results provided by the auditor and fight off any errors and potential costs and fines accompanying the software audit process.

Why does Microsoft have the power to do an audit?

By signing one of the Microsoft agreements, such as MBSA, CSP, MPSA, Enterprise Agreement, or any other, you have agreed to the terms giving Microsoft the right to conduct an audit.

This is what the MBSA – Microsoft Business and Services Agreement – includes:

  • Microsoft's right to verify compliance,

  • Your responsibility to give the chosen independent auditor access to data and systems,

  • The requirement of 30 days' notice before an audit,

  • Your right to have a confidentiality agreement with the auditor,

  • "Remedies for non-compliance" stipulating the audit penalties and the 30-day payment term,

  • The threshold for non-compliance, which is usually 5%,

  • Stipulations for when Microsoft may ask you to conduct self-audits.

From MBSA:

Customer must keep records relating to Products it and its Affiliates use or distribute. At Microsoft’s expense, Microsoft may verify Customer’s and its Affiliates’ compliance with this Agreement at any time upon 30 days’ notice. To do so, Microsoft may engage an independent auditor (under nondisclosure obligations) or ask Customer to complete a self-audit process. Customer must promptly provide any information and documents that Microsoft or the auditor reasonably requests related to the verification and access to systems running the Products. If verification or self-audit reveals any unlicensed use, Customer must, within 30 days, order sufficient licenses to cover the period of its unlicensed use. Without limiting Microsoft’s other remedies, if unlicensed use is 5% or more of Customer’s total use of all Products, Customer must reimburse Microsoft for its costs incurred in verification and acquire sufficient licenses to cover its unlicensed use at 125% of the then-current Customer price or the maximum allowed under applicable law, if less. All information and reports related to the verification process will be Confidential Information and used solely to verify compliance.

What is the difference between a SAM Assessment and a formal audit?

A "Software Asset Management (SAM) Assessment" is a formal request by Microsoft for you to perform a "self-assessment" of your current licensing position. They would ask you to run tools or scripts – usually the Microsoft MAP tool application – and compare the results to your licensing purchases – perpetual, subscription, and Microsoft 365 licenses – and provide Microsoft with an official report using their online portal and templates. This report must be signed off by an executive team member and provided within a set timeframe.

A failure to cooperate usually ends in a formal audit by an "independent auditor" of Microsoft's choosing.

The upside is that it is non-intrusive to your daily business. Plus, the final results do not carry penalties or the "independent auditor" cost that can reach fifty thousand dollars.

Top Microsoft audit risks

  • Unbudgeted licences you must buy if you are non-compliant,

  • Audit penalties on top of the license cost,

  • Auditor fees if you are non-compliant on more than 5%,

  • Unplanned resources to conduct, negotiate and remediate the audit,

  • Disruption to your regular business operations,

  • Undermined negotiation position if you are negotiating discounts with Microsoft,

  • A damaged relationship with Microsoft — this works both ways,

  • Legal action in extreme cases,

  • Negative PR if it leaks to the press.


The audit process

There are the following phases in any compliance audit:

  1. The initiation phase starts with an audit letter (audit request) and ends with a kick-off meeting.

  2. The data gathering stage is where you provide the data to the auditor.

  3. The auditor will then present you with a draft report.

  4. Report reviews: When you review the draft, defend your position and provide additional data and evidence.

  5. After the final report sign-off, the auditor disengages and hands you over to Microsoft.

  6. Commercial negotiations with Microsoft, in which you present your business arguments and reach a settlement.

Four essential things to remember

  • The auditor's role is to deal with data and data only. Keep your business arguments for the final negotiations with Microsoft.

  • The auditor would typically take Microsoft's side in an ambiguous situation.

  • The auditor won't discuss any financial figures with you. It is Microsoft's prerogative.

  • The Effective Licensing Position produced by the auditor is not your final sentence. After the auditors present their report, you will defend your case and negotiate the outcome with Microsoft.

The official audit letter

The Microsoft License Contract and Compliance Group (LCC) will email the official audit letter to the contact named on your Microsoft contract. It will say something like the following: "Microsoft selected your company for a formal license compliance review."

If you have never done this before, your adrenalin level will rise. It's never the right time. You won't know where to start. The advice we give every client is to relax. Nothing terrible has happened yet. Study their email calmly, casually, but carefully.

When you receive the notice, be sure to pay attention to the important details it contains, for example:

  • Your company's name (legal entity) and its associated MBSA number.

  • If your company is part of a larger group of companies, keep in mind that Microsoft may only choose to audit a specific entity within that group. The audit should not affect the entire group.

  • Ensure the contract referenced in the notice is the one your legal entity actually signed.

The letter will refer to the 30-day notice period, which is a contractual obligation. According to the same agreement terms, your acknowledgement is not required.

You will have 30 days to communicate with the auditors for the first time, starting from the date of the notice letter. Please do not be concerned about this time constraint because:

  • The 30-day time frame is the only hard deadline specified throughout the audit process, apart from the 30 days to pay any penalties that may apply at the end of the audit.

  • The audit process will begin with a "kick-off" period, during which you can and should take control of the audit schedule.

Preparing for an official Microsoft audit

  • Inform your stakeholders of the upcoming audit. They will ask for a risk assessment. Be ready to provide one.

  • Organise a team of experts to work on the audit and brief them on the expected process.

  • Set expectations regarding required internal resources, timeline and impact on ongoing activities.

  • Keep your agreement paperwork organised, safely stored and available to the necessary parties.

  • Additionally, having your legal team trained on volume licensing and familiar with Microsoft's legal guidelines is a good idea. This way, they'll be well-equipped to handle any issues that may come up during the audit process.

What happens during the kick-off meeting?

The active phase of the audit process typically starts with a kick-off meeting. During this meeting, you will typically only meet with the auditors. However, Microsoft may also request to be involved. You have the right to express your preference to have Microsoft on the call.

When the auditors arrive for the kick-off meeting, they will provide you with the following materials:

  • A presentation deck providing an overview of the audit process, including the steps that will be taken, the data that will be required, the expected outcomes, and any other relevant information.

  • Questionnaires that you will need to fill out with information about your company, infrastructure, and use of Microsoft software.

  • Scripts to run on your devices, servers, and virtual machines, as well as instructions on how to run the scripts.

The auditors will also present you with a project plan outlining the desired timeline for the audit process. They may ask you general questions about your infrastructure and network. They will also inquire about the individuals or teams who will be your point of contact and stakeholders throughout the audit process.

Our suggestions for the kick-off meeting

Listen attentively and take notes on any information that seems important. If there is anything unclear, don't hesitate to ask follow-up questions.

Be sure to clearly define the scope of the audit, including which legal entities and territories are covered.

Remember, the goal of the Microsoft audit is to verify your licensing compliance as a point-in-time assessment, unlike an SPLA audit that verifies a monthly compliance backdating as far as five years.

Taking control over the Microsoft audit timeline to minimise disruptions to your business operations is crucial. Let the auditors know that you may need to rely on external parties, such as outsourcers. Keep in mind that there is no requirement for you to adhere to the proposed project plan.

If you don't have an independent advisor present during the meeting, only provide high-level answers and avoid sharing too much information or submitting any data until an expert has reviewed it.

Data collection and provisioning

The MBSA agreement requires you to provide the auditors with access to any systems running Microsoft software. However, in practice, auditors prefer not to access your systems directly. Instead, your IT team will typically run scripts provided by the auditor or use inventory tools to extract the necessary data.

Please remember that auditors will not accept self-reported deployment data without evidence to back it up. Instead, you will need to provide data gathered through scripts or tools.

During the audit, the auditors may ask for additional proof, such as screenshots, to verify the output of the scripts and data from the tools.

You don't have to comply with these requests if you feel it's too time-consuming, as they will conduct an in-person verification exercise to confirm the data provided.

Even if the auditor doesn't ask you to provide it, find and organise your licensing history, including all M&A information and historical perpetual license records. Remember that the internal records Microsoft uses to extract your licensing data carry no trace of license transfers, mergers or acquisitions. You must provide that information yourself.

Our advice for the data-gathering stage

It's best to limit the amount of information you provide to the auditors rather than sharing too much. You can always share additional information later if needed. Providing too much information can lead to the auditor counting it against your Microsoft licensing debt, and you would need to request that it be removed later, which can make the audit defence more complex.

Having an experienced audit defence consultant on your team can be highly beneficial during the audit process. They can help you with essential tasks such as:

  • Determining which parts of your infrastructure are within the scope of the volume licensing audit and which data you don't need to provide, as providing too much information can be strategically detrimental.

  • Evaluating the accuracy and completeness of the data you've collected and providing guidance on addressing any shortcomings.

  • Identifying any additional information that may be required and helping you collect and provide that information to prevent auditors from making assumptions that are not reasonable.

How auditors analyse the data

They calculate what you owe to Microsoft on the date you ran the scripts from the deployment data you provided. (Note: Service Provider audits are different).

If you don't provide complete user data, server installation information, change records or other evidence — they will extrapolate, infer and assume your volume licensing debt from the provided dataset.

Auditors will always start with the assumption that you are not compliant, and it is up to you to prove otherwise.

For instance, if the tools or scripts fail to determine the edition of a SQL Server database, the auditor will assume that it is the most expensive edition, SQL Enterprise, unless you provide evidence to the contrary. The same is valid for all other Microsoft products: Windows Server, Exchange Server, Office editions, etc. Data quality is paramount.
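A constructed reconciliation model of the assumption rule described above (an added illustration, not a SAMexpert or auditor tool; hostnames, core counts, per-core prices and the auditor fee are invented sample values): it counts SQL Server cores per edition, applies the "unknown edition = Enterprise" default, checks the 5% threshold from the MBSA clause and applies the 125% uplift plus verification cost above it, so you can see how each missing piece of evidence moves the figure.

```python
"""Constructed model of how an auditor derives an Effective Licensing Position
(ELP) for SQL Server from script output, and how data gaps inflate it.
Added illustration only: hostnames, core counts, per-core prices and the
verification fee are invented sample values, not real Microsoft pricing."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed per-core prices used for the worked figures below (placeholders).
PRICE_PER_CORE = {"Enterprise": 7000, "Standard": 1800}
NON_COMPLIANCE_THRESHOLD = 0.05   # "5% or more" clause from the MBSA
PENALTY_MULTIPLIER = 1.25          # licences at 125% of the then-current price
VERIFICATION_COST = 40000          # constructed auditor fee (page quotes $30k-$50k)


@dataclass
class SqlInstance:
    host: str
    cores: int
    edition: Optional[str]   # None: the inventory script could not read the edition


def resolve_edition(inst: SqlInstance, evidence: Dict[str, str]) -> str:
    """Auditor rule described on the page: an edition the script could not
    determine is counted as Enterprise unless the customer supplies evidence
    (modelled here as a host -> edition mapping, e.g. from screenshots)."""
    if inst.edition is not None:
        return inst.edition
    return evidence.get(inst.host, "Enterprise")


def effective_position(instances: List[SqlInstance],
                       entitlements: Dict[str, int],
                       evidence: Optional[Dict[str, str]] = None) -> dict:
    """Compare cores in use per edition with core licences owned and price the gap."""
    evidence = evidence or {}
    used = {"Enterprise": 0, "Standard": 0}
    for inst in instances:
        used[resolve_edition(inst, evidence)] += inst.cores
    shortfall = {ed: max(0, used[ed] - entitlements.get(ed, 0)) for ed in used}
    total_cores = sum(used.values())
    ratio = sum(shortfall.values()) / total_cores if total_cores else 0.0
    base_cost = sum(shortfall[ed] * PRICE_PER_CORE[ed] for ed in shortfall)
    over_threshold = ratio >= NON_COMPLIANCE_THRESHOLD
    # Below 5%: order the missing licences. At or above: 125% uplift plus the
    # auditor's verification costs, as the MBSA clause quoted on the page says.
    cost = base_cost * PENALTY_MULTIPLIER + VERIFICATION_COST if over_threshold else base_cost
    return {"used": used, "shortfall": shortfall, "ratio": round(ratio, 4),
            "over_threshold": over_threshold, "cost": cost}


# Constructed inventory: two hosts where the script could not read the edition.
SAMPLE_INSTANCES = [
    SqlInstance("sql-prod-01", 32, "Enterprise"),
    SqlInstance("sql-prod-02", 16, "Standard"),
    SqlInstance("sql-dev-03", 8, None),
    SqlInstance("sql-rpt-04", 4, None),
]
SAMPLE_ENTITLEMENTS = {"Enterprise": 32, "Standard": 26}   # core licences owned
FULL_EVIDENCE = {"sql-dev-03": "Standard", "sql-rpt-04": "Standard"}


def compare_scenarios() -> Dict[str, dict]:
    """Same inventory, three levels of evidence: none, one host, both hosts."""
    return {
        "no_evidence": effective_position(SAMPLE_INSTANCES, SAMPLE_ENTITLEMENTS),
        "partial": effective_position(SAMPLE_INSTANCES, SAMPLE_ENTITLEMENTS,
                                      {"sql-dev-03": "Standard"}),
        "full": effective_position(SAMPLE_INSTANCES, SAMPLE_ENTITLEMENTS, FULL_EVIDENCE),
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name:12} shortfall={result['shortfall']} "
              f"ratio={result['ratio']:.1%} cost={result['cost']:,.0f}")
```

With the sample data, the same 60 cores price out at 145,000 with no evidence, 75,000 with one edition documented, and 3,600 (under the 5% threshold, so no uplift or fee) with both documented.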

Validate the audit report and push back

The first draft report will often have the following:

  • Excessive assumptions,

  • Misinterpretations,

  • Omissions,

  • Errors in formulae.

Here is what you should do:

  • Validate all formulae,

  • Check for assumptions, provide additional evidence and push back on misinterpretations,

  • Verify correct classification of production, non-production, dev and test environments,

  • See what data gaps and assumptions the auditor listed in the report and provide additional data to mitigate the assumptions,

  • Ensure that the scope is correct.

The final audit report

Once you have completed all the corrective measures or decided to stop the process, the auditor will issue a final report. It's vital that you:

  • Document any disagreements you have with the auditor's findings in the report.

  • Refrain from agreeing with the results in writing, but instead, sign off on the report as a complete document without accepting the numbers presented.

It's important to note that the auditor is not authorised to make any commercial agreements or discuss the complexities of your business. That is Microsoft's prerogative.

Our suggestion is to be assertive in challenging any disagreements. Consider whether it is better to negotiate from a position of $10 million or $5 million, even if the initial figure is incorrect or overly presumptuous.

Negotiating the outcome with Microsoft

Most of the time, Microsoft's objective is not to penalise you. Microsoft is often more focused on future growth. The negotiation phase should be seen as an opportunity to engage in commercial discussions and explore alternative solutions. For example, Microsoft may be interested in you committing to increasing your Azure consumption, moving you from Microsoft 365 E3 to Microsoft 365 E5, or migrating you from Salesforce to Dynamics CRM.

Having a professional Microsoft negotiator on your side is always a good idea. They will know what works and what doesn't. They may guide you while staying in the shadow or being present as a part of your team.


Paying the penalties

Whether you will have to pay the penalty and its amount depends on the outcome of the negotiations.

MBSA stipulates that you must purchase the missing licences within 30 days.

The volume licensing terms state that you'll have to pay 125% of the list price. In addition, if your non-compliance exceeds 5%, you will have to cover all audit expenses.

From our experience, if you gather the necessary evidence to support your case, you can negotiate the compliance metric of >5% and any penalty. Our advice is not to give in too quickly. Remember, Microsoft also wants to close off the process and keep you as a long-term customer.


How do you know you are ready for an audit?

We have compiled this volume licensing audit readiness checklist for you. If you prefer it in a document format, please get in touch with us using the form below the article.

Please note that this list is different if you are a Service Provider undergoing a Microsoft SPLA audit.

The more points you tick, the better you are prepared for an audit. A good, working Software Asset Management program is a must.

  • We have reliable, near-real-time data from all the end-user devices and servers in our estate.

  • We realise that Microsoft will presume that we are liable for all the Microsoft software deployed in our estate, whether or not we support or maintain it.

  • We know our infrastructure and environment types across all data centres, including outsourced and hosted.

  • We perform regular True-Ups.

  • We regularly clean up our old on-premises software installations and maintain Active Directory records.

  • We separate our production environments from our Development, Test and Disaster Recovery environments.

  • We continuously monitor the compliance of installed software with the license purchases ("entitlement").

  • We have a robust way of identifying service and discountable records in Active Directory.

  • We have all our agreements in order, including Enterprise Agreement, CSP, Open, Select, and others.

The internal resources needed for the audit process

If you want to play on the same playing field as the auditors and Microsoft, you need to have a great team of specialists on your side, including:

  • Team lead – single point of contact,

  • System team lead,

  • Procurement lead,

  • Legal lead,

  • Executive sponsor.

How to control an active Microsoft audit

The first step is to make sure you have a direct NDA with the auditor. The auditor and Microsoft will push back on this, but you may insist on a confidentiality agreement between you and the auditor. Microsoft even explicitly permits you to do that in the most recent versions of MBSA. However, you are within your legal right regardless of their benevolence. If the auditor pushes back, involve your legal counsel.

Usually, auditors don't share the details behind the audit findings with Microsoft. However, that is not stipulated in the agreement. You may insist on it being included in the NDA. The only limitation stated in the agreement is that the NDA may not restrict the auditor's access to relevant data.


Five reasons why audits go wrong

1. Insufficient agreement knowledge

  • The auditor may not know or fully comprehend your specifics and background.

  • The auditor is not on your side if there is room for interpretation.

You are responsible for providing the complete agreement paperwork and explaining the background.

2. Incomplete entitlement data

  • The auditor will have a Microsoft License Statement, yet the MLS does not include the following:

    • Licenses obtained through mergers/acquisitions

    • Licenses bundled with hardware (OEM)

    • Licenses bundled with other software (ISV)

    • Your specific grants (at least not all of them)

    • Special terms in your agreements

    • Links between OEM and Software Assurance

It is in your interest to provide all this information.

3. Inventory data gaps and issues

  • Technical and process-related:

    • "Dirty", disorganised Active Directory data

    • Outdated user and computer records in AD

    • Incomplete and low-quality inventory data

  • Unable to obtain technically, must declare:

    • Disaster Recovery, SQL passive instances

    • Development and test

    • Covered with third-party licenses (SPLA on-premises, etc.)

    • Covered with OEM and ISV licenses

4. Licensing interpretation

You may assign the same licenses in various ways. The auditor does not have your best interest at heart, and their employees may lack licensing experience.

Do not mistake the auditor's "big name" for the experience and quality of the auditing team.

It is in your interest to know how and why licenses are assigned in a particular way, for example:

  • License stacking versus Datacenter edition,

  • Software Assurance versus alternative licensing scenarios.

5. Calculation mistakes

The auditor will use Excel, predominantly performing manual updates and manual data manipulation.

We see formulae and calculation mistakes made almost in every audit. It is a human trait.

You should meticulously check every version of the report. An error that was fixed in one version may reappear in the next.

Frequently asked questions about Microsoft audits

What's the definition of non-compliance?

Per Microsoft's official legal terminology, "unlicensed use of 5% or more of Customer's total use of all Products."

Where in my agreement are the audit terms?

In the MBSA.

Can I negotiate my audit terms?

It is a sensitive negotiation topic; in most cases, Microsoft will not entertain negotiations on the subject. Exceptions may be made for substantially large enterprises and defence and military organisations only.

Can I stop an audit?

In rare cases, an audit can be postponed or cancelled if you can prove force majeure or a unique business case to support your request.

Does Microsoft give advanced notice of an audit?

Microsoft provides 30 days' advance notice of an upcoming audit. "Microsoft may verify Customer's and its Affiliates' compliance with this Agreement at any time upon 30 days' notice."

Is there an audit fee?

If unlicensed use is 5% or more of your total use of all Products, then you will pay the auditor's fee, which may range between $30,000 and $50,000, depending on the size of your estate.

Can I negotiate the results of an audit?

Yes, you can. Once the auditor finalises the audit report, you will have the option to negotiate the outcome with Microsoft. That is a critical stage in the audit process and should not be overlooked. Preparation is key!

Who performs an audit, Microsoft?

Microsoft does not perform audits. An "independent third party auditor" will engage you on behalf of Microsoft. In most cases, it's one of the "big 4": KPMG, Deloitte, PwC or EY.

Do I need to be active in the audit process?

To manage the audit process and not be managed, our recommendation is for you to be proactive throughout the entire process, from data gathering and entitlement review to analysing the calculations and metrics the auditor used.

What to do after I settle an audit?

Following the settlement stage, we recommend taking an extended break to recuperate from the long and disruptive project. When you get back, ensure you are ready for the next audit in 3-5 years.

Are Windows desktop OEM licenses included in the audit?

You can expect a spot check to verify compliance.

Why does Microsoft still perform audits in the cloud era?

One reason is the on-premises software install base, which is still huge. On average, Microsoft expects it to be roughly 15%-25% under-licensed. The second reason is that Microsoft uses audit results as leverage to accelerate the adoption of the cloud.

If I use AWS or GCP with my volume licenses, are these audited as well?

Yes, they are.

Does the auditor use their own scripts and tools?

Yes, each auditor has their own proprietary scripts.

If I use a SAM tool to manage my environment, will Microsoft accept a simple report of declaration of compliance?

No. They may accept inventory data from your SAM tool if its coverage is good and the data is trustworthy.

Talk to a Microsoft audit defence expert

Don't leave it to chance if you don't have previous audit experience.

Our experts have helped mitigate over $1 billion of avoidable audit penalties. We also don't sell licenses or partner with Microsoft, so our advice is unbiased.

The earlier we have a chat, the better. Of course, the best time to talk to us is when you receive the audit letter. But worry not. Your case is not lost even if you have already gone through the initial stages.

Here's what we will do for you:

  • We will analyse your scope, business, processes and information.

  • We know how auditors think, so we can help you compellingly present the evidence.

  • We will then build a solid case together and help you defend it.

  • We will validate and scrutinise the report and advise on pushing back.

  • And finally, we'll support you in negotiations.

We can include an ROI guarantee, so you have additional peace of mind.

Please don't hesitate to message us using the form below. We respond quickly. Our senior team member will contact you to understand your situation better and develop a proper strategy.