Microsoft Review v Audit
There are two letters that you might receive from Microsoft that will likely make you sit-up and take notice. The first is a request for a ‘Software Asset Management Review’.
The second is a notice of an audit. Although for many, SAM Reviews are regarded as the ‘new audit’, there are in fact some fundamental differences between the two processes and how you should react to, and manage them.
If you’re responsible for managing Microsoft software licensing in a smaller organization, you might even receive a third type of communication, which is an invitation to ‘self-certify’ your Effective License Position for the Microsoft applications and operating systems in use across your IT estate. More on that later.
In this blog, we will focus primarily on the differences between a Microsoft SAM Review and an audit and what that means to you as a Microsoft customer.
MICROSOFT REVIEW
The Software Asset Management Review is an initiative from Microsoft’s Software Asset Management team – not from an external auditor. From Microsoft’s point of view, performing a SAM Review is a scalable way of ensuring that, as a customer, you have all of the required licenses, and are using its technology effectively.
ACKNOWLEDGEMENT
The first thing you should do if you are an Enterprise organization is to acknowledge the request. It is in your Terms and Conditions to comply with a review. For SMBs however, it is not a demand but it is wise for you to respond to Microsoft and comply with the request. You should respond to Microsoft stating that you understand its request (or if you need to, ask for further clarification), and that you can either start straight away or that you have a valid business reason why you wish to postpone the request.
You are entitled to set some kind of limit on how long you expect the review to take in terms of days or man hours, but you cannot typically dictate an overall timeframe, as the time taken is at Microsoft’s discretion. You should seek to clarify exactly what Microsoft wishes to review. It may be the case that it only wants to audit your Select Plus agreement or a certain entity within your business. Alternatively, Microsoft may want to review the entire estate – but do not assume this, ask the question.
SUPPORT & CONTACT
The request for a review may cause panic if you do not have your entitlement or inventory data available, or the appropriate Software Asset Management processes in place within your organization. It is important to make contact with a Microsoft Certified Partner who will help gather the information for you. This may be your reseller, for example. If you have a SAM solution like Snow License Manager, then you are able to store all of your contracts centrally and pull a report of all installed Microsoft products and usage. If you don’t have Snow License Manager, then it is more than likely that the Microsoft Partner that you use will as Snow Software technology is used by more Microsoft Partners than any other SAM platform.
JUSTIFICATION FOR DELAYS
If this is genuinely a time where you can’t provide the data or resources for whatever reason, then you can ask Microsoft to delay the review. Microsoft understands business pressures, so as long as you acknowledge the request for a review and provide a valid reason as to why you need to delay the review, then Microsoft will likely be accommodating to some degree. However, the Review will happen eventually and the delay of a Review is at the discretion of Microsoft’s SAM team as to whether the customer has a genuine business justification to delay.
DATES
A typical Review looks at your deployment versus entitlement information from the date Microsoft makes contact with you. Microsoft will use the Microsoft License Statement to call out the agreements they wish to question you about, asking you to provide information by a set date. When Microsoft receives your License Verification Worksheet (the data), it will produce and send you an estimated license ownership position document back within seven days. Customers who have Snow License Manager can populate the data required within minutes so they can respond to Microsoft in a quick and effective manner. A review starts when both parties agree they are ready, and will take as long as it takes with no set deadlines.
REVIEW CONCLUSION
The conclusion of a Microsoft Review is quite different to an Audit. It is a more flexible, forward thinking activity. It is used to make sure that customers are using Microsoft technologies, and to move customers to new Microsoft technologies such as the Cloud or Office 365. If you have been found short of licenses, Microsoft will simply ask you to ‘true-up’ paying only for the shortfall via your IT Partner/Reseller within 14 days.
Or, if you are under-licensed on a certain product Microsoft will encourage you to move to the latest version at a discounted cost, or even offer you a discounted deal to move to the Cloud. You do not have this level of flexibility or discounted licenses at the conclusion of an Audit.
FIVE STEP PLAN
ACTION | ADVICE |
Acknowledgement | Do not ignore Microsoft’s request. |
Support and Contact | What is Microsoft reviewing and who will your Microsoft Partner be? |
Delay(s)? | Valid reasons can delay a review for an agreed period of time. |
Time Frames | No formal dates with a review. |
Review Conclusion | Advice on how to manage your Microsoft licenses, a required true-up if non-compliance found or migration to new technologies such as Azure. |
MICROSOFT AUDIT
For Microsoft to audit you they will appoint a SAM Partner, if you haven’t already appointed one yourself.
Microsoft can, of course, bypass the review stage and go straight for legal enforcement. This is when Microsoft will conduct via an LCC (Legal Contract and Compliance) audit and appoint an auditor such as KPMG, Deloitte, Ernst & Young or PWC. This is a formal request so you are legally obliged to comply. You may find that it will cost you a lot more than if you had agreed to participate at the outset!
ACKNOWLEDGEMENT
Like a review, for a formal audit, you must acknowledge the request from Microsoft. Ignoring the audit request will not make it go away – the vendor has the legal system on its side so it will audit you. For a formal audit, Microsoft will specifically state what it is auditing. This may be a business entity, certain contract or the whole estate.
SUPPORT & CONTACT
For a formal audit, you will need the help and support of a Microsoft Certified Partner or an independent Microsoft licensing or Software Asset Management consultant. They will understand the complex licensing models and your agreement structures. Doing it alone and using internal resources may be an option if you have an internal Microsoft Licensing expert – but the sheer time and drain on resource mean that the management of an audit cannot be down to a single person.
JUSTIFICATION FOR DELAYS
You might delay the start of an audit if you have a valid business justification for doing so. Anything after six months becomes uncomfortable. Reasons for delaying an audit include:
- Change control freeze
- Mergers/acquisitions
When being formally audited, stating that you do not have the technology to provide the inventory information will not stop the audit. Microsoft will mandate the use of inventory and SAM technologies to gather data and proceed with the audit. Also, Microsoft will look at other sources such as AD groups and registry information to gather data on all installed Microsoft products.
FORMAL TIMEFRAMES
Microsoft will work with you and set formal dates as to when the audit will start. Any changes made after the dates may not be count towards the audit – Microsoft will simply look at your inventory details for the date they provided. This means that any organizations thinking they can perform a mass removal of Microsoft software, or purchase thousands of licenses to avoid a fine, will be proven wrong.
Audits can take a long time – with some Microsoft audits lasting between three and 18 months. The end date can be defined after the call with Microsoft and your Microsoft partner, once Microsoft has a scope for the work required and potential issues.
AUDIT CONCLUSION
At the conclusion of a formal audit, if found to be under licensed, you will have to pay the latest list price for any instances of non-compliance as well as a settlement fee. This is part of the reason why audits are a costly exercise for organizations (another being the cost of the time involved). The audit fee depends on who is reviewing you, the cost of the audit to the auditor and the shortfall of licenses.
For example, if the auditor is a Microsoft SAM Partner as opposed to an LCC-driven audit then the settlement fee for any instances of non-compliance will likely be less.
FIVE STEP PLAN
ACTION | ADVICE |
Acknowledgement | Do not ignore Microsoft’s request! |
Support and Contact | The exact definition of the agreements Microsoft will be auditing. Pick a Microsoft SAM Partner. |
Delay(s)? | Valid reasons can delay a review for up to six months. If Microsoft does not think it is a valid reason, they will work with you to set a formal start date. |
Time Frames | Formal start-date. No end date. |
Review Conclusion | Pay list price, and fines for non-compliance |
SELF-CERTIFICATION
Finally, there is the option for you to perform a Self-Certification. Previously, this applied to organizations of all sizes, but in recent years has only been targeted at Microsoft’s smaller customers. During the Self-Certification process, Microsoft will send you a number of questionnaires and datasheets, or an online form to complete in order for it to get an understanding of your license position.
It is important that you provide Microsoft with accurate data and responses to the questions. You need to understand what the data means – what risks it is highlighting – so that you are fully prepared should Microsoft ask for a review or an audit.
There is no fee for you to perform a Self-Certification, and if you are short by a few licenses Microsoft will simply advise you to purchase the difference (and your discounted price) within 15-30 approx. days and provide them with the evidence that you have done so.
TAKEAWAYS FOR REVIEWS, AUDITS & SELF-CERTIFICATIONS
- Do not ignore a review or audit letter.
- Do not delay a review or audit for more than six months.
- For an audit, do not perform a mass uninstallation of Microsoft products after the formal audit date.
- Do not bulk purchase license to rectify compliance issues after the audit start date. They will not count towards the audit results.
- Do not go through the audit or review process without the expertise and support of a Microsoft Partner or independent Microsoft expert. It will only increase your workload and you may miss key licensing issues.
DO
- Do respond as soon as possible to the audit or review request.
- Do engage with a Certified Microsoft SAM Partner to help you through the process.
- Do learn from the experience. How will the experience help you avoid getting in this situation again?
- Do think about SAM and inventory technologies (if you haven’t got any) to help with the optimization of existing assets and future audit defense.
- Do use accurate information from Snow License Manager to help provide data to Microsoft or the auditors.
Continuing our series of blogs on Microsoft reviews and audits, we’ll be explaining how you should react to an audit and leverage the expectations of your organization by the auditor and how you can manage the process. Snow License Manager is the most used SAM technology for Microsoft Partners when dealing with a review or an audit for organizations that do not have existing technologies in place.
Book a test drive today to see why it is the technology of choice for Microsoft Partners and organizations around the world.