Microsoft Licensing – What do auditors look for during a Microsoft audit?
Computer software must be treated as a tangible asset. Some individuals or organizations may be using software illegally without their intent or knowledge. This is not a valid excuse and does not absolve you of your legal obligations. Nor is it likely to lessen the penalty in case of an audit or prosecution. You may be tempted to install or access software on more systems than you have licensed, just because it is possible. However, doing so without a valid license for each instance is considered theft and will be treated as such in court.
When can you expect a Microsoft audit?
For Microsoft Volume Licensing (VL) customers, the question is not if they will be audited, but when this will happen. The terms of VL Agreements gives Microsoft the right to perform an audit once every year, with a thirty days notice. Select, Open, and Enterprise Agreement customers should expect an audit at least every three years. This may either be a self-assessment or an onsite audit.
A proper software license administration
The most valuable preparation is being well organized and having a complete and accurate administration. This can be difficult in large organizations where software and hardware are available through multiple sources. The auditee must provide proof of purchase for every copy of the software installed or accessed via invoices and receipts, Certificates of Authenticity (COAs), product keys, VL agreements, and any applicable purchase records.
If you perform an inventory of your installed and accessed software, do not forget that employees work remotely! When the software resides on a server you must ensure that every user or device accessing the product is licensed with appropriate user or device Client Access Licenses (CALs). Many users will use corporate assets on [HG1] personally owned devices such home PCs, tablets, and smartphones. A common violation is that virtual servers (primarily SQL) are being accessed remotely. Auditors know this, so they certainly will focus their attention on such areas.
A number of Software Asset Management (SAM) tools may help to partially automate the inventory process but manual research and documentation will be required as well. Most inventory tools for instance don’t account for CALs, nor do they adequately analyze virtual scenarios.
Once you have an accurate inventory of applicable software, devices, and users you’ll need to match the proof of purchase with each installation or instance of the software. If you cannot demonstrate that everything has been properly licensed and purchased, you will be out of compliance and subject to additional purchase and/or penalties.
What is the cost of a Microsoft audit?
Unlicensed usage of five percent or more of the purchased license value will leave a customer to pay the retail price for all unlicensed products plus the cost of the audit. If your organization purchases device CALs and fails to license personally owned devices accessing company resources, the fine will be two to four times the price of the CAL for each violation. There may be multiple violations on each device. Multiply that by the number of potential users and devices and it’s easy to see why you should pay attention!
Accurately managing software can benefit your company in more ways than just being able to timely respond to an audit request. It is not uncommon to discover that you have paid (or are paying) for more licenses than needed. Maybe because you have fewer employees, a reduction in business, changes in technology, decommissioned equipment, or otherwise.
Knowing exactly what your company has licensed and how the software is used may well save a substantial amount of money during your next true-up or license renewal. Gathering and interpreting the license and usage situation is a daunting task since the rules governing software licensing are very complex and always evolving. That’s why many companies are hiring licensing experts to assist them. These experts not only will assist your company in becoming compliant, they also can ensure that you are using the most cost effective software licenses for your business needs.
Regardless of whether you are being audited or not, the discipline and administration for ensuring software license compliance needs to be a core business practice. Ignorance is not a valid excuse from a legal perspective while knowingly being out of compliance constitutes a civil and potentially criminal offense.
Don’t be overly afraid!
Thinking of worst case scenarios is very common, but in reality prosecution will occur only in the most severe cases. Usually, when Microsoft has reason to suspect that a customer is significantly out of compliance, the company involved is asked to perform a self audit and report the results. If you cooperate and agree to pay for additional licenses to become compliant, then there won’t be any further consequences.
If your company would ignore a self-audit request or refuse to comply, the case may be turned over to the Business Software Alliance (officially BSA | The Software Alliance). If the BSA takes action and a company is found to be non-compliant, the fine is often two to four times the license cost for each instance. In addition, the offender will be required to purchase valid licenses or remove the software from their systems.
Four articles – read them all!
This is the second article in a series of four, focusing on Microsoft license audits. We already discussed the importance of being prepared and the steps to be taken to ensure your organization is ready for an audit. In the next article we’ll be more specific as to what Microsoft or the Business Software Alliance (officially BSA | The Alliance) will expect to see. The fourth and final article will be on developing a sound SAM discipline.
If you are in need of extra expertise, and a structured license administration and management approach, feel free to contact B-lay. We will help you make software compliance an exciting opportunity to improve your business!
Richard is one of the managing partners at B-lay. He started to work in the license management industry in 2004 and worked for almost 10 years at Oracle as regional director of compliance. He uses his knowledge of enterprise software vendors (such as Oracle, SAP, IBM and Microsoft) to educate, equip and enable software end users in their challenges regarding proper software license management. Richard holds a master’s degree in IT, from University of Amsterdam in the Netherlands.