One of the most common misconceptions we see from organizations is concern and confusion surrounding software licensing audits. The “concern” part is always valid as audits are a legal right your organization agreed to when buying the license and the consequences for non-compliance can be very high. It’s important to treat any request for a “self-assessment” or other audit demand seriously as the requesting company is not likely to go away if you ignore them.
The “confusion” element may be somewhat lessened by knowing that just because you receive an audit notification doesn’t necessarily mean you are suspected of being out of compliance. In the case of Microsoft®, they attempt to audit each of their Volume Licensing customers at least once every three years so the notification may simply mean that your time has come. Of course there are other events or scenarios under which you may be singled out. If your organization appears to be under-reporting usage, for example, or you have been part of a widely publicized merger or acquisition(s), these events may cause the licensor to investigate.
Another scenario which is almost always cause for concern is if the Business Software Alliance© (BSA) is involved. The BSA is a global organization of software developers focused on compliance and the legal use of software. The BSA offers financial rewards to individuals who report piracy or illegal software usage. This may be the result of a disgruntled ex-employee or a current employee who may question whether an organization is fully compliant.
An organization that has been audited in the past and was found widely non-compliant may also be scrutinized more closely than others.
Regardless of the reason a software audit is initiated, it’s much better to be prepared before an organization receives notification. Any audit, whether a self-assessment or if it’s performed by a third party, can be resource consuming and disruptive to normal business operations. Since it’s likely to happen at some point, it’s better to be prepared than to hope it won’t happen.
Proactive software asset management (SAM) should be a priority for any organization, and I submit that the more you spend or rely upon software, the more you should prioritize managing it effectively. Consider the steps that will be taken during an audit and periodically perform them before you are contacted by the software vendor. The annual true-up date is a good time to do this since you’ll probably need the data at that time.
In the case of Microsoft, I suggest starting with the Microsoft Assessment and Planning (MAP) Toolkit. The MAP tool may not provide an exhaustive report of inventory and usage, but it’s a good baseline and since it’s a tool from Microsoft, the initial results are rarely challenged. The MAP Toolkit includes a Software Usage Tracking feature to track devices and users.
Once you assess your software usage, it’s time to compare it with your entitlements. The best way to do this is to obtain a License Statement from your reseller or the Microsoft Volume Licensing Service Center (VLSC). It’s important to use a current License Statement, rather than rely upon your own records since that is the document Microsoft will use in the event of an audit. There may be software in your environment that is detected by the MAP tool but does not appear on the License Statement such as OEM Windows which was preinstalled on PCs, or retail purchases.
Performing a gap analysis between software usage and entitlements can be a very complex exercise but it’s the best way to ensure compliance.
Whether an organization elects to do this themselves or hire experts, but doing so proactively before being notified of an audit should be an integral part of any organizations IT management.