The Anatomy of a Microsoft License Audit
Microsoft makes no secret of the fact that it is aggressively auditing its customer base. Over the last few years, Microsoft has generated billions of dollars in revenue through the proactive, intentional discovery of licensing non-compliance amongst its enterprise customers. In fact, the vendor has a revenue quota for audits, and a dedicated team to pursue it.
There are two types of Microsoft audits:
Microsoft certifies third parties to conduct audits, including national accounting firms and boutique auditors. If the Microsoft license audit notification suggests it will be performed by a national accounting firm, this can be an indicator that Microsoft anticipates finding significant areas of non-compliance.
A variety of factors increase the likelihood that a particular company will be at higher risk for audit and will therefore go to the “top of the list” as Microsoft cycles through its installed base. For example:
The typical process for a Microsoft license audit or SAM Assessment is:
1. Microsoft selects an auditor or SAM partner (often a Microsoft reseller in SAM scenarios) to perform the assessment. As noted earlier, if a national accounting firm is chosen to perform the audit, it’s a good sign that Microsoft anticipates finding significant non-compliance.
2. The auditor or SAM partner puts an agreement in place with the customer. For most customers, this is a new experience and they’re often unaware of best practices for reacting to and optimizing this agreement. Among other things, the agreement will spell out the cost of the audit. If the audit uncovers material non-compliance (usually >5% calculated on license counts, not dollars), then the customer will typically be obligated to pay for the audit. If no material non-compliance is discovered, Microsoft pays. SAM assessments are usually at Microsoft’s expense.
3. The auditor/SAM partner conducts discovery and analysis. This is performed using information provided by the customer, including deployment information gathered via Microsoft tools such as SCCM and Active Directory. In some cases it will include information gathered via the auditor’s own tools. In this step, customers frequently provide more information than they are contractually obligated to share – and the auditor will use that information against you.
4. The auditor/SAM partner produces a workbook with an Effective License Position (ELP). The ELP compares licenses owned against licenses deployed and quantifies purported non-compliance that would require payment of additional fees to Microsoft. In a formal audit situation, the price for licenses is typically retail price and can include penalties. In a SAM Assessment situation, licenses are purchased under the customer’s then-current agreements, with no penalty.
5. The customer is asked to respond to purported non-compliance within a limited time period. Any refutation of the purported non-compliance must be vigorously proven and defended.
In addition to the risk of unexpected fees and penalties, audits are daunting, frustrating, time-consuming experiences. Audits frequently progress in fits and starts – with delays contributing to frustration and fear. Most critically, every aspect of the Microsoft license audit process is stacked against the customer.
Timing: The auditor will attempt to set the schedule, and many customers think they are obligated to meet that schedule. However, there are a variety of ways the customer can influence the audit cadence.
Data: Customers almost always over-communicate deployment data. To optimize the outcome, it is important to provide only what you are contractually obligated to – all submissions need to be properly curated and sanitized.
Complexity: NPI’s experience indicates that auditor-side and Microsoft-side discovery tools almost always produce findings that are NOT in the client’s favor and are usually overstated. The ELP workbook – the culmination of the discovery phase of the audit – is typically overwhelming and difficult to understand and interpret. It comprises hundreds of thousands of line items, multiple tabs and (intentionally) confusing assumptions, analysis and findings. You will need to understand it and challenge it.
Accuracy: There are usually errors in the workbooks, and misinterpretations of license rights. This is the biggest problem with audit claims.
Motivation: Further stacking the deck against the customer is the fact that the auditor/SAM partner is incentivized to discover non-compliance. Their goal is to interpret everything in Microsoft’s favor (in order to generate revenue).
All of these factors conspire, causing customers to struggle with interpreting the auditors’ findings, defining an alternate position, and successfully defending it. Without expert guidance, mitigating or minimizing Microsoft license audit penalties can be a nearly impossible mission.
NPI recognizes that customers need Ph.D.-level Microsoft licensing and negotiation expertise to fend off the stunning, unbudgeted penalties that typically result from a software license audit. They need licensing interpretation and analysis that work in their favor.
NPI helps you minimize your audit risk and penalty exposure – on your terms, and at any stage of the audit lifecycle. The three ways we typically engage with clients are:
NPI advises customers to never go it alone during a Microsoft license audit or SAM engagement. It’s not uncommon for Microsoft to “discover” non-compliance that amounts to tens of millions of dollars in licensing fees/penalties. And consider analyzing your audit risk independently before an audit strikes. By conducting periodic self-audits proactively, customers can define and implement remediation so they are audit-ready.