Navigating Microsoft Audits and True-Ups – What to Expect and How to Minimize the Impact

By Scott Rosenberg & Tim Hegedus, Miro Consulting

Software audits and true-ups are increasingly routine across the software industry. Many companies now expect to be audited by several vendors in a given year. Earlier this year, Gartner reported that 65% of its clients were audited at least once in 2011, up from 61% in 2010. Gartner also reported that the top five vendors by number of audits conducted are among the most familiar giants of the software industry: IBM, Adobe, Microsoft, Oracle and SAP.

There is no mystery why Microsoft and other software vendors are stepping up their audit activity: it is their primary means of protecting their intellectual property and controlling how it is used. Piracy and non-compliance directly hit a software publisher’s bottom line. Routine license audits and true-ups represent billions of dollars in revenue for the software industry, and organizations such as the BSA (formerly the Business Software Alliance) and the Software & Information Industry Association (SIIA) were formed specifically to perform audits and combat software piracy on behalf of software companies.

Many factors make it difficult for any organization to remain fully compliant over time with all the Terms & Conditions (T&Cs) of its license agreements: the increasing complexity and constant change in software licensing agreements, increased IT mobility and virtualization, the fluid nature of the business environment, and so on.

Additional Microsoft Audit Drivers

Microsoft is in the process of transforming much of its technology, ranging from the introduction of the Windows 8 operating system last October to an array of new applications and devices engineered for mobility, touch screens and social media. At the same time, Microsoft has experienced purchasing delays due to Windows 8 anticipation, as well as flat overall PC application sales.

One result is that many industry experts have reported a more aggressive approach toward audits by Microsoft as a means of generating additional revenue. No Microsoft customer should consider itself under the radar for a potential Microsoft audit. There do not appear to be any trends in terms of company size, industry or license agreement status. All Microsoft customers should be ready for an audit, and they need to understand that non-compliance is not an option. Bear in mind that software vendors are in the business of licensing intellectual property, so collecting all the licensing fees they are due is not only fair and legal, but critical to their success.

Microsoft Licensing Methods and Hazards

Despite all the current technology changes at Microsoft, the organization is sticking with tradition when it comes to its licensing models and enforcement processes. Every Microsoft product has its own licensing intricacies, as does each of its licensing programs, including the Enterprise Agreement (EA), Select/Open, and MSDN/TechNet.

Although recently simplified, and constantly updated, Microsoft’s use rights (which define the conditions for using each product) are still very complex. Among the many product licensing models are:

  • Per processor
  • Per core (just SQL Server to date)
  • Server plus CAL: each server, plus the devices/users that connect to it
  • Server management licenses: similar to CALs, for System Center products
  • Core CAL Suite / Enterprise CAL Suite: bundled groups of CAL licenses

The most common areas in which a Microsoft customer drifts into incorrect licensing and/or under-licensing over time include:

  • Additional license procurement with hardware upgrades
  • CALs with edge devices
  • License Mobility
  • Mismatched CALs
  • Product Use Rights & server software
  • SharePoint Server
  • SQL Server
  • Virtual Desktop (VDI)
  • Virtualization
  • Windows Server
  • BYOD (Bring Your Own Device)

Microsoft’s Audit Methods

Unlike Oracle and many other larger software vendors, Microsoft outsources virtually all customer auditing using various tactics and channels. Small- to medium-size organizations are most likely to be audited by an Independent Software Vendor (ISV) or a trade group – primarily the BSA – on behalf of Microsoft. Larger customers who are part of the Volume Licensing Program are more likely to get a “request” to participate in a Software Asset Management (SAM) Engagement – a seemingly voluntary, informal audit conducted by Microsoft’s software asset management partner channel companies.

The idea behind SAM Engagements is Microsoft’s articulated belief that most customers want to be compliant, but may need assistance from certified expert partners paid by Microsoft. It’s a way of sharing the burden, and cost, of staying in compliance. Moreover, the objective is not usually “gotcha” penalty fees, but significant true-up fees. Microsoft is betting that these true-up fees will be significantly higher than the cost of paying their SAM Engagement partners.

Microsoft keeps sophisticated, compliance-predictive profiles of its customers, so it usually wins that bet. Customers should recognize that an invitation to participate voluntarily in a SAM Engagement is virtually the same as receiving a demand for audit letter. The customer may refuse to participate, but this response will most likely trigger a more formal audit demand. In addition, if significant discrepancies are found during an Engagement, a formal audit may be initiated. On the other hand, there have been cases – just a few – where a SAM Engagement uncovers potential savings for the customer.

Self-audits and the SAM Engagements are the two most common forms of Microsoft audits. The most common triggers for a SAM Engagement or a formal audit include:

  • Highly visible merger and acquisition activity
  • Inquiries about a complex licensing issue
  • BSA reports
  • Discontinuance of a Microsoft Volume License Agreement

The Audit/Engagement Process Itself

When (not if) a certified letter arrives regarding an audit, or an invitation for a SAM Engagement from an alliance like the BSA or a Microsoft partner, don’t panic. First and foremost, it is always wise to seek the counsel and advice of a subject area expert. Cooperating from the outset is key to negotiating effectively with the auditor: show them you are ready and willing to do what’s necessary to true-up. And don’t rush out to purchase multiple licenses to gain an advantage. The audit is a point-in-time event, and that point has not yet occurred when the letter is received; however, purchasing new licenses soon after the letter arrives does not escape Microsoft’s notice. It suggests non-compliance and, perhaps more importantly, it suggests that the company knew it was non-compliant.

Form your audit/engagement team; include Legal, the C-Suite and any IT staff involved with your SAM, so that proper communication between team members takes place. Be sure to gain buy-in from the C-Suite, explaining what the situation is and what you need to get the best outcome. When providing the documentation and materials the auditor requires, provide only the information requested.

Information they will likely ask for includes:

  1. Proofs of purchase such as invoices or sales receipts from vendors
  2. Certificates of authenticity
  3. Comparison of your purchased licenses to the installations found – be sure to consider free and paid upgrades

Since auditors and engagement partners will typically give you a specified amount of time to gather these materials (which can and should be negotiated based on the scope of the audit), a thorough self-discovery or self-audit process must be put in place immediately. If you have an automated SAM tool, be sure to double-check its findings; while these tools may provide some on-demand information, they can miss entitlements such as Client Access Licenses and licenses used by remote employees.

No SAM tool is 100 percent accurate, and this includes the tools that Microsoft’s partners employ. CALs, for example, are not software and cannot be detected by an installation scan (RDS CALs, which are tracked by a licensing server, are a noted exception), so the tool will not report them accurately. The number of users on the network at the time the scan is run will affect the results. So will the status of each server running Microsoft software, since under Microsoft’s use rights it is generally the running instance, not a stored one, that must be licensed (check the current Product Use Rights for the product, and any failover or disaster-recovery exceptions, before relying on this). And some of these tools cannot even differentiate between physical and virtual instances, which matters for per-processor and per-core licensing.
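The following PowerShell script is an added example of the kind of per-host self-discovery a self-audit needs; it is not code from the article or from any SAM tool. It gathers the data points the text calls out (installed Microsoft products, activation state, processor and core counts, a physical-versus-virtual heuristic, and a point-in-time logged-on-user count) so that a human can reconcile them against entitlements. It assumes it is run with administrator rights on a supported Windows host and that results are collected centrally by whatever means you already use (for example Invoke-Command); the function name is an arbitrary choice for this example.

```powershell
# Added example, not part of the original article: a minimal per-host
# self-discovery inventory to feed a Microsoft licensing reconciliation.
# Assumptions: run elevated on each Windows host in scope; the caller
# collects the JSON output centrally.

function Get-HostLicenseInventory {
    [CmdletBinding()]
    param()

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = @(Get-CimInstance -ClassName Win32_Processor)
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # Physical vs. virtual matters for per-processor / per-core licensing.
    # The model/manufacturer strings are a heuristic, not proof; confirm
    # against the hypervisor's own inventory before counting host cores.
    $isVirtual = ($cs.Model -match 'Virtual|VMware|VirtualBox|KVM|Xen') -or
                 ($cs.Manufacturer -match 'QEMU|Xen|innotek')

    # Installed Microsoft products from the uninstall registry keys (64-bit
    # and 32-bit views). Win32_Product is deliberately avoided: querying it
    # triggers an MSI consistency check/repair of every installed package.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.Publisher -match 'Microsoft' } |
        Select-Object DisplayName, DisplayVersion, InstallDate |
        Sort-Object DisplayName -Unique

    # Activation state of Windows/Office as reported by the Software
    # Licensing service. LicenseStatus 1 means licensed; anything else
    # needs a human look. Activation is not the same as entitlement.
    $activation = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL" |
        Select-Object Name, LicenseStatus

    # Interactive sessions right now. This is a point-in-time number and is
    # only an input to the user/device CAL question, not a CAL count.
    $sessionLines = @(quser 2>$null | Select-Object -Skip 1)
    $loggedOn = $sessionLines.Count

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OS                = $os.Caption
        IsVirtual         = $isVirtual
        PhysicalCPUs      = $cpu.Count
        TotalCores        = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
        LogicalProcessors = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
        LoggedOnSessions  = $loggedOn
        Activation        = $activation
        MicrosoftProducts = $products
    }
}

# Emit one JSON document per host for central reconciliation.
Get-HostLicenseInventory | ConvertTo-Json -Depth 4
```

Note what this output still cannot tell you: whether a CAL exists for each user or device, whether an installed SQL Server instance was running on the day of the scan, and whether a virtual machine's host is licensed per core. Those gaps are exactly the ones the text warns that automated tools leave, and they have to be closed by comparing the inventory against purchase records by hand.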

When the audit or engagement is complete and the discrepancies are identified, communication comes back into play. There will be an explanation to the C-Suite as to what is missing, how much it will cost, and how to avoid future problems. Additionally, you will need to purchase the correct number of licenses.

After your audit or engagement is complete, it’s time for negotiation. It is the duty of the C-level to report back to the auditor, who will determine the cost of your non-compliance. At this point, you will have the opportunity to negotiate several points, including whether you would like to settle in court – which is quite rare – or out of court, and to request that the results of either remain private. This is especially important concerning audits by the BSA, which seems to love publicity. From your side, you will likely be asked to consent to ongoing audits and present a plan for future SAM.

Prevention: Establish Best Practices

In terms of managing your software licensing and assets – definitely a “team” effort – this means taking a proactive approach toward optimizing software efficacy, costs and compliance. While this may seem obvious to many IT professionals, a recent survey by King Research revealed that an alarming 69% of IT executives are not confident about being compliant with their software licensing agreements.

Software licensing compliance is an issue that should remain a priority for C-level executives as well as IT managers, who can end up being held personally responsible for mismanaged software assets. However, the main issue is that no one is calling the plays. There often is no identifiable person accountable for software asset management. You may have a software asset manager, but is that person a decision-maker who can take ultimate responsibility for all aspects of SAM: financial, legal, HR, procurement, compliance, IT, risk mitigation, and so on? Managing this huge investment parallels what a Human Resources department does. Every company of an appreciable size has HR; few, at least from what I’ve seen, have a formal SAM program that is properly staffed. Purchasing and Finance are not always sufficiently knowledgeable; IT is overwhelmed; and Legal isn’t the right fit. Internal Audit could be the answer, but a SAM program is a full-time job. The management of software assets is pervasive throughout every aspect of an organization and directly impacts business and operations.

Prevention of unnecessary software costs and nasty surprises after an audit begins with negotiating the best T&Cs for your organization in the first place, and includes routine self-audits using a good SAM program that monitors your software asset usage and status, taking into account any business or operational changes as they occur. Without an existing enterprise SAM program, an external software audit will invariably lead to surprise expenses from penalty fees due to non-compliance. Additional costs may include significant attorney fees and the opportunity costs of staff time devoted to working on the audit. Lack of a SAM program also draws unnecessary attention to your IT practices from customers and even internally with the C-Suite (especially in light of the very public lawsuits by the BSA).

The importance of regular self-audits cannot be overstated. These exercises will ensure that your enterprise is up to date on all your systems and how they are licensed – products, license models, product use rights and dependencies. They will also help you understand licensing ahead of new development. Ideally, IT and procurement should work directly with business development to understand potential licensing costs during the planning stages of new projects and ventures.

Get Expert Help

Automated SAM software programs can help jumpstart compliance management, but they cannot replace human decision making. Utilizing an expert – either on staff or an outside consultant – with vendor-specific knowledge of Microsoft’s tendencies, preferences and ongoing changes in software licensing rules is invaluable for negotiating the best T&Cs up front, and to avoid non-compliance later on. Before an auditor comes knocking at your door, get help – call in the experts to help get software assets on track and automate the process as much as possible. Outside consultants are available to evaluate licensing on an ongoing basis to keep up with business and licensing changes.

By properly managing software assets, cost savings will result over time from avoiding both over- and under-licensing. In our experience the savings average about 18% in the first year and increase year over year, with the cumulative savings averaging about 30% of total software licensing and maintenance fees over the life of the program.

About the Author

Scott Rosenberg is the CEO of Miro Consulting, Inc.