By Tim Hegedus, Miro Consulting
Nearly 60 percent of executives report having been audited by Microsoft in the last 12 months. The lesson: If you haven’t been audited by Microsoft recently, you likely will be soon.
What’s driving Microsoft's aggressive audit surge? The software giant isn’t saying, but industry experts have cited many possible incentives, including:
- Revenue generation
- A pronounced reduction in net-new software purchases
- Recouping lost revenue (e.g. the economic downturn of 2007-2009)
Whatever the motivation and while it is loathsome to many, Microsoft and other software publishers are entitled to protect their intellectual property through any means including audits. Their right to conduct periodic audits is spelled out in the terms and conditions (T&Cs) of your contracts with them.
Microsoft’s aggressive audit strategy makes this a good time to review common triggers for a Microsoft audit, the types of audits they conduct, and how to respond effectively.
Microsoft Audit Triggers
There are several possible triggers for a Microsoft software audit, including:
Your Purchasing History: Suppose you opted not to renew your Enterprise Agreement in 2009 and have made few Microsoft purchases since then. Because you no longer perform mandatory annual true-ups, Microsoft may be wondering how you’re surviving (and complying) with hardware and software that is five years old, or older.
Your Enterprise Activity: Any Microsoft account rep worth his salt is keeping abreast of major activity among his clients, such as revenue growth, geographic expansion or acquisitions. This would likely change your licensing compliance status, perhaps significantly.
Technology and Licensing Changes: BYOD, desktop virtualization, hosted services, license mobility, cloud environments, transitional licensing, bridge licenses and evolving Software Assurance benefits all make adherence to licensing rules challenging, at best. Microsoft and other software vendors know this!
Disgruntled Employees or Former Employees: Organizations such as the Business Software Alliance (of which Microsoft is a member) actively ask individuals to come forward to report non-compliance issues. It is not unusual if an employee – former or existing - feels unappreciated (or worse) and instigates an audit.
Types of Microsoft Audits
Microsoft audits come in various forms. Microsoft "offers" its assistance to customers for determining their license position, typically through an "informal" Software Asset Management (SAM) engagement conducted by an audit partner. The audit partner may send you a questionnaire in spreadsheet format. Or you may be asked to run the Microsoft Assessment and Planning ("MAP") toolkit and submit its reports to the audit partner.
Another approach involves "workshops." These are events sponsored by Microsoft that typically focus on a specific product, such as SQL Server. The customer is asked to arrive at a local Microsoft office bearing the output of the MAP toolkit or other information about its infrastructure. Some misalignment of entitlements to deployments is often revealed.
Or you may get an official letter from Microsoft informing you of a formal audit. Though frequently performed remotely to save costs, this sort of audit is often performed on-site by a Microsoft audit partner – with scripts executed and results submitted to the auditors. This process can also invoke the "5 percent rule" – a clause within the contract that allows Microsoft to impose audit costs on you – on top of penalties and additional license fees.
Whether it’s a formal audit, a SAM engagement "designed to provide recommendations for improving SAM processes and procedures," a self-audit in which a company can easily incriminate itself or even a "workshop" which typically targets the company’s technical teams, it is still intended to discover discrepancies within your license position. The results are the same; you wind up buying more licenses.
The Microsoft Audit Engagement Process
The first rule is don’t panic! Software audits are not fun or convenient, but they are manageable. The initial response to a certified letter demanding an audit or requesting a SAM engagement is important:
- Validate Microsoft’s right to audit the specified items, as defined in the T&Cs of your current license agreement, typically the Microsoft Business and Services Agreement (MBSA).
- Respond promptly, indicating your intention to cooperate, subject to negotiation of audit parameters. Cooperating from the outset is critical for negotiating effectively with the audit team and Microsoft.
- Negotiate the scope, schedule and process of the audit to ensure that everything is explicit and written. The auditor will expect this, and it is important for you to control the process as much as possible. A good negotiation can narrow the scope of an audit or SAM engagement, establish a better timeframe, and save a great deal of time, effort and potentially money.
- Define your official audit team. Ensure the auditor interacts only with this team; internally, only the official team speaks with the auditor. Reinforce this internally at all levels to maintain uniform, controlled communication with the auditor.
- Do not delay an audit to make changes or de-install software. Done in haste under time pressure, this exposes your organization to instability and it could leave "residue" that will eventually be discovered. This could also introduce suspicion into the proceedings.
Once the preliminaries are over:
- Gather documentation, but only the information requested. This will include all pertinent Microsoft Agreements, invoices and sales receipts, proofs of purchase, and certificates of authenticity and other renewal or procurement documents for proof of ownership
- Conduct a self-audit that parallels the Microsoft audit or SAM engagement. Know where you stand before the formal audit! If you have an automated SAM tool, double check its findings. No SAM tool is 100 percent accurate; some cannot even differentiate between physical and virtual instances. Bottom line: Conduct both a manual and automated self-audit – just as the auditors will.
- Formulate a plan of action. Once you know your compliance status, you not only know what to expect, you can form a plan for cooperating and negotiating an optimal solution. Licensing issues are seldom black and white, and situations vary.
Negotiating with Microsoft
There are two distinct phases of post-audit negotiation, starting with Microsoft’s audit partner. Both the auditor and Microsoft know that initial findings are seldom accurate. Negotiations with the auditor should only occur after thorough scrutiny of their Effective License Position ("ELP") report. Until you are comfortable with this report, the word "accept" should never be uttered during discussions with the auditor. This is typically an iterative process that aims to finalize results.
Once you accept the ELP findings, the second phase of negotiations begin with Microsoft. At this point, your license position has been determined, so the negotiation with Microsoft is about a favorable settlement. Remember, Microsoft’s primary objective is usually to capture the value of a true-up, not to stick you with "gotcha" penalties. However, do not accept Microsoft’s forgiveness of penalties or a shortfall unless it is written.
Preparing for Your Next Software Audit
Preventing a Microsoft audit is like preventing rain in Seattle, so prepare for it! Like regular maintenance of your car, systematic management of software assets is important. Experts – either in-house or a consultant – with vendor-specific knowledge of Microsoft’s tendencies, preferences and ongoing changes in software licensing rules can be invaluable to most organizations. They can play a critical role in determining your licensing requirements and negotiating the best terms and conditions up front, helping to avoid non-compliance situations later on. They can also help enterprises get software asset management on the right track, automate the process as much as possible and monitor with self-audits to ensure defensibility is maintained.
Miro Consulting offers more online resources to help organizations with Microsoft audits.
Tim Hegedus is a senior managing analyst for Miro Consulting. The firm helps companies analyze and negotiate enterprise software contracts, specifically Microsoft and Oracle licensing. Miro Consulting has 500-plus clients across North America.