This is the second in a series of four articles addressing Microsoft® software licensing audits. In the first article we discussed the importance of being prepared for an audit and steps that may be taken to ensure your organization is ready if you receive notification that an audit is forthcoming. This time we’ll be a bit more specific as we consider what MS, the Business Software Alliance (BSA), or whoever is conducting the audit will expect to see, and why it’s so important to take the possibility of a licensing audit very seriously.
Computer software must be treated as a tangible asset. Some individuals or organizations may be tempted to install or access software on more systems than they have licensed simply because they may do so without purchasing another physical item, but installing or accessing software without a valid license for each instance is theft and will be treated as such by the courts. Some individuals or organizations may be using software illegally without their intent or knowledge, but this does not absolve them of their legal obligations, nor is it likely to lessen the penalty in the event of an audit or prosecution.
It’s easy to invoke thoughts of worst case scenarios and legal action when considering software audits but in reality, legal prosecution is very rare and occurs for only the most blatant offences. A much more common scenario occurs when Microsoft® has reason to suspect that a company may be significantly out of compliance and the company is asked to perform a self-audit and report the results back to MS. If the company cooperates and agrees to pay for licenses to become compliant, that’s usually where the process ends. If the company ignores Microsoft®’s request for a self-audit or refuses to comply, the issue may be turned over to the Business Software Alliance (BSA) and the company may be subjected to a formal audit. If the BSA takes action and a company is found to be non-compliant, the fine is typically two to four times the cost of the software for each instance. In addition to the fine, the offending user will be required to purchase valid licenses or remove the software from their systems.
For Microsoft® VL customers, it’s not a question of if they’ll be audited, but rather when it will occur. The terms of the VL Agreements grant MS the right to perform an audit once each year with thirty days’ notice. MS has implemented a policy whereby Select, Open, and EA customers should expect an audit at least once every three years. This may take the form of a self-assessment or an onsite audit. If the audit reveals unlicensed usage of 5% or more beyond what the customer has licensed, the customer will be required to pay the retail price for all unlicensed products plus the cost of the audit.
Perhaps the most valuable element when preparing for either a self-assessment or a formal licensing audit is to be well organized and documented. This can be particularly difficult in a large organization where software (and hardware) may be obtained through multiple sources, but an auditor isn’t likely to care. The organization being audited will be expected to provide proof of purchase for every copy of the software installed or accessed. This may be in the form of invoices and receipts, Certificates of Authenticity, product keys, VL Agreements, and any applicable purchase records.
The organization needs to perform an inventory of all installed and accessed software (don’t forget employees working remotely). It’s important to note that even if the software is licensed on a server, for example, you must also ensure that every user or device accessing the product is licensed with appropriate user or device Client Access Licenses (CALs). This can be particularly challenging since so many users access corporate assets from personally owned devices such as home PCs, tablets, and smartphones. Among the most common violations are virtual servers (primarily SQL) being accessed remotely. Of course the auditors know this and they will likely be particularly diligent in this area. Consider, for example, an organization that purchases device CALs and fails to license personally owned devices, which may require a CAL if they access company resources. If the organization is fined two to four times the price of the CAL for each violation (and there may be multiple violations on each device), multiply that by the number of potential users and devices and it’s easy to see why it’s so important to focus on this area.
There are a number of Software Asset Management (SAM) tools available to partially automate the inventory process but there will likely be a great deal of manual research and documentation required as well. Most inventory tools don’t account for CALs, nor do they perform adequate analysis of virtual scenarios. A SAM tool may be a good place to start, but there will almost certainly be additional work required to obtain an accurate and comprehensive usage assessment. Once you have an accurate inventory of all applicable software, devices, and users accessing that software you’ll need to match the proof of purchase with each installation or instance of the software. If you can’t demonstrate that everything has been properly licensed and purchased, you will be out of compliance and subject to purchase and/or penalty.
Accurately managing software can benefit a company in more ways than responding to an audit. It’s not uncommon for companies to discover that they have paid (or are paying) for more licenses than they need. This may be a result of having fewer employees than originally anticipated, reduction in business, changes in technology, decommissioned equipment, or a number of other factors. By knowing exactly what a company has licensed and how it is being used, companies may be able to save money during their next true-up or license renewal. Since this can be a daunting task and the rules governing software licensing are very complex and always evolving, many companies elect to hire third-party licensing consultants to assist them in the process. These experts can not only assist the company with becoming compliant, but they may also ensure that the company is using the most cost-effective licensing model for their business needs.
Regardless of whether a company is being audited or not, the discipline and organization ensuring software licensing compliance needs to be a core business practice. As previously noted, ignorance is not a valid defense from a legal perspective, and knowingly being non-compliant is also a civil and potentially criminal offense.
For further information or if you have specific questions about software licensing audits by Microsoft®, please contact us at http://emerset.com/contact.