How to Respond to the Microsoft Audit Letter

So you’ve received an audit letter from Microsoft. What should you do? Can Microsoft audit my company? This article will focus on what a Microsoft audit letter really means, and what steps you should take. 

First lets discuss what Microsoft means when they say they are going to audit you. 

There are generally 3 different types of audits and depending on which type, you may or may not be legally required to follow through at all. When it comes to software audits, given their vast library of products and complicated licensing models, an audit can overwhelm even the most seasoned IT professional. While an audit is something you should take seriously, if you’re prepared enough there is no reason to panic.

The types of Microsoft Audits

  1. The Self Audit
  2. The SAM Engagement
  3. LLC (License Contracts and Compliance Audit)
  1. The Self Audit

Let’s start with the Self Audit. As the name suggests, this is where Microsoft asks you to conduct your own review of your license compliance by filling out some spreadsheets with information about your organization’s usage of Microsoft Software. Of the different types of audits, this is definitely the friendliest one and the one you want to find yourself in. Microsoft will typically provide you some worksheets to fill out along with some instructions on how to perform a software inventory on your network. This will also usually come from a Microsoft contracted worker with a v-something@microsoft.com email address. 

The self audit is not a mandatory audit. It is a request from Microsoft to self assess and determine your effective license position without any expense on Microsoft’s side. You can choose not to participate, but you should understand the consequences of doing so. Not cooperating may indicate you have something to hide. If you politely ask Microsoft to “go away,” have a good reason. Being in the middle of a large project with no resources available to participate in a license review will usually do it. But you should suggest a time in the future when you would be ready to complete the self audit, so that you can align your resources on your schedule and not on Microsoft’s. This allows you time to properly analyse your license position on your own before handing over anything to Microsoft. The reason you want to provide them with a time that is more convenient is that MS will be back, only next time it might not be a self audit but a more formal SAM engagement. 

The deliverables for a self audit are typically a completed spreadsheet and some output reports from the Microsoft MAP toolkit which is what Microsoft uses to inventory your devices and active directory. (Therefore you should be honest and accurate in your spreadsheet answers as the MAP inventory will show everything that was found in your environment!) You can download our full guide to using MAP here for free.

2. The SAM Engagement

The Microsoft SAM Engagement is Microsoft’s way of determining compliance, or rather bringing you into compliance. This type of audit is typically mandated through your contractual obligations of the Enterprise Agreement. That’s right, by signing an EA you agree that Microsoft reserves the right to audit you at will. Microsoft will pay for the expense of this exercise (pay their time and resources, not yours.)

Sam Engagements are typically performed by Microsoft partners such as Deloitte, PWC, Ernst & Young, or one of their tele-sales partners such as Inviso, SWI and others.

If you find yourself in this type of audit, contact us for help right away. We can quickly provide you with the guidance and expertise needed to navigate through this audit from start to finish. Rest assured that we have your best interests in mind and will do everything to minimize the disruption of going through this exercise, and help mitigate any license exposure you might have.

3. The Legal Contracts and Compliance (LLC) Audit

This type of audit is usually sparked by a complaint (whistleblower) within the company who contacts the BSA (Business Software Alliance) about some piracy, or lack of compliance within your organization. The BSA is a large anti-piracy software group used by predominant vendors to perform an invasive audit. Penalties if any, can be in the form of fines of up to $150,000 per instance.

If you find yourself in this situation, get legal counsel immediately.

For questions about Microsoft or other audits, please contact us for a free consultation.