Microsoft Software Audit Disputes
The contract your organization signs to use Microsoft software includes an agreement to abide by its terms and conditions of use.
There is a provision within it for a mandatory audit of your Microsoft software usage either once per year or once every three years (depending on the agreement).
Microsoft takes an aggressive approach towards auditing customers and there is a good chance that you will be selected for a “Microsoft license compliance verification”, as they term it. This can be an intimidating process if you do not know what to expect.
The following information covers:
- What a Microsoft audit is
- What it entails for an organization
- What Microsoft is looking for in your organization
- What to do if you are notified of an audit
How is Software Asset Management different from a Compliance Audit?
A compliance audit is a “formal, mandatory compliance review of a company's use of Microsoft products and services”.
According to Microsoft, the purpose of the audit is two-fold:
- To help customers achieve and maintain license compliance
- To protect Microsoft intellectual property rights
Microsoft states that a “programmatic approach” is used to select Microsoft Volume License customers for license compliance verification.
From our experience, the following are potential reasons that can lead to a Microsoft software audit:
- Company divestments, mergers or acquisitions
- A sudden change in software spend
- Misrepresentation of the size of an organization
According to Microsoft, “Select, Open, and Enterprise Agreement customers should expect an audit at least every three years.”
Microsoft’s Software Asset Management (SAM) program is ostensibly a “voluntary engagement” largely designed to solve IT problems for an organization.
While the program’s stated aim is to provide advice about optimizing licensing and IT infrastructure, it has frequently been perceived suspiciously by organizations as another way to audit them.
Neither a SAM engagement letter nor an audit notification should be ignored.
What happens when a company gets audited by Microsoft?
An audit may be by self-assessment or on-site (more information about self-assessment audits is included below).
For on-site audits, you will be informed in writing with 30 days' notice.
License compliance verification usually takes around one week or longer to complete, depending on the complexity of your IT environment and the volume of audited software.
An independent auditor (often an internationally-recognized third-party accounting firm such as Deloitte or KPMG) will be appointed.
For the audit process, access must be provided to the auditors and the steps required from your organization will depend on what the auditors find.
After conducting the necessary checks, they will inform you of any further information required, such as proof of purchase for installed or accessed software (receipts, Certificates of Authenticity, product keys, etc.).
You should respond to these requests in a timely manner. Microsoft often allows only 4-6 weeks to provide the information.
Stalling or delaying the process will not be favorable for the outcome. Deleting software or otherwise trying to conceal illegal usage of software will also not be looked on kindly by Microsoft.
If you have developed an internal Software Asset Management (SAM) system, this will stand you in good stead for the Microsoft license audit process. Good organization and administration are the best preparation possible.
However, it is usually advisable to also engage legal assistance as soon as you are made aware of the impending audit.
Legal counsel from experienced software and technology lawyers can provide peace of mind and ensure that your responses to requests for information from Microsoft auditors are appropriate.
Inadequate, slow or incorrect responses can create more serious problems for audited organizations.
Experienced counsel can also help to reduce the disruption to your business by arguing for remote auditing procedures and requiring the auditors to keep the scope as narrow as possible.
What do Microsoft auditors look for during a license audit?
During a Microsoft license audit, the auditors are largely looking for instances of copyright infringement and breach of contract.
They are looking for illegal use of the software that knowingly or unknowingly breaches the terms of the contract signed between your organization and Microsoft.
The scope of the audit can include any and all Microsoft products installed and in use in your organization, such as:
- SQL Server
- Exchange Server
- Windows Server
- Office Professional
- Office Professional Plus
- Office 365 ProPlus
- Microsoft apps
To reiterate, trying to conceal illegal usage by deleting software once you are made aware of an audit is bad practice and can make the problem worse.
Also, avoid knee-jerk reactions like buying new software licenses until you have liaised with your technology lawyer and systematically planned for your audit.
Is a Microsoft license self-audit the same as a compliance audit?
Microsoft mentions two types of audits in its volume licensing contracts.
The onsite audit has been explained above. However, there is also a self-assessment or “self-certification” audit, where Microsoft asks an organization to provide details of its software usage.
This is often seen as a first step in the audit process for Microsoft.
If you are found to be under-licensed, simply purchasing the appropriate number of licenses will usually end the issue.
However, if you ignore the self-assessment audit, it will raise a red flag with Microsoft and you will be required to agree to an onsite audit.
Penalties for non-compliance will then be higher than for infringements identified during a self-audit.
Note that for organizations that provide commercial hosting services, there is a third type of license audit called a “verified self-assessment” (VSA).
What are the consequences of abusing Microsoft’s license compliance?
If the Microsoft software audit finds that your organization is under-licensed by more than five percent, you will be liable for:
- Reimbursement to Microsoft for the cost of the “independent verification process”
- Purchase of all required licenses at 125% of the list price
There may be additional costs for unlicensed device CALs too.
These expensive consequences are stated in the Microsoft Business & Service Agreement (MBSA), which governs all volume licensing contracts.
Prosecution only occurs in the most severe cases. Microsoft prefers to settle without legal action, if possible.
Conclusion: How do you approach a Microsoft audit?
It is imperative to understand what your MBSA contains before signing it. Then, carefully manage internal processes and documentation to support your software usage.
However, organizations do make genuine mistakes and ignorance is not a valid excuse.
Any correspondence from Microsoft referring to a self-audit, “license compliance verification”, or “SAM baseline engagement” is therefore not to be taken lightly.
The potential costs of non-compliance are high. Microsoft will not simply let the matter go and neither should you.
An experienced software and technology lawyer can help you prepare for an audit or other engagement with Microsoft.
The lawyers at Scott & Scott LLP understand the Microsoft audit process and can even conduct a confidential "mock software audit" that will ensure that you are in the best possible shape for an upcoming Microsoft audit.
We provide a free 30-minute consultation if your organization wants to prepare for an engagement or consider the best audit defense strategy in a Microsoft licensing dispute.