This is the third in our series of articles on software licensing audits. The first article dealt with the importance of audit preparedness. The second looked a bit more deeply into that which Microsoft® or the Business Software Alliance (BSA) may look for during an audit. In this installment we’ll consider what to do after an audit, particularly if the results are significantly unfavorable.
Microsoft® attempts to audit all of their Volume Licensing customers once every three years. In most cases, this is in the form of a Software Asset Management (SAM) Review in which the customer is asked to perform an inventory of their installed software themselves and ensure that they have all appropriate licenses. If they discover that they are not properly licensed for every instance they are required to purchase appropriate licenses (often at retail pricing) to become fully compliant. In some cases the audit may be performed on the customer’s site by an independent third party. Whether the customer performs a self-assessment or endures an onsite review, with few exceptions, Microsoft® does not typically suspect that the customer is intentionally out of compliance. Volume Licensing generates approximately $40 billion annually for MS so it’s obviously critical to their business and needs to be managed appropriately. In a similar manner, whether a company has only a few employees or tens of thousands, IT typically represents a significant investment and must be managed appropriately. Software Asset Management is often more complex than many would expect but the consequences of failing to make this a priority can devastate a company.
Microsoft®’s Agreements state that the customer will incur the cost of the audit if it revealed a deficiency greater than 5% of the number of required licenses. As a result, if the customer is found to be substantially out of compliance they may be required to pay for the audit in addition to the cost to true-up. There are a number of other costs; some of which are more tangible than others. The time and distraction as internal resources are forced to focus on an audit must be considered. Additionally, the customer’s credibility will have been damaged in the eyes of Microsoft®. We noted earlier that MS rarely assumes that a customer is intentionally out of compliance but when they do, it can make future negotiations particularly difficult.
If the Volume License (VL) customer is unwilling or unable to reach a mitigation agreement with Microsoft® the case may be turned over to the Business Software Association. By the time the BSA becomes involved the company has already incurred substantial costs and it’s unlikely they will be reduced.
The Business Software Association typically has the authority to negotiate a settlement on behalf of Microsoft® but it’s important to note that if a company can’t reach an agreement with Microsoft® it’s unlikely the BSA will be any easier. Whereas Microsoft® may otherwise benefit from future sales to the offending company so they have incentive to retain them as a customer; the BSA has no similar potential. On the contrary, the role of the BSA is to prevent piracy and non-compliance so it’s very unlikely they will be more lenient than Microsoft®.
It’s important to carefully evaluate reported infractions after any audit. Just as with automated SAM inventory tools, there will almost always be a need for people close to the situation to scrutinize the data. At Emerset, we have discovered approximately forty areas which are frequently reported inaccurately during an audit. The list below is just a sample of errors we have recently discovered while assisting one of our clients with licensing mitigation:
- Device CALs vs. User CALs (audit counted all devices and did not recognize that many were licensed under User CALs)
- Multiple copies of Office® installed on a single device and counted as multiple machines
- Multiple versions of Visio® and Project (Standard and Pro on the same machine, a new and old version that wasn’t removed when the product was upgraded)
- Inactive users within Active Directory® that haven’t been removed
- BYOD devices that were counted as organizational devices
- Counting virtual Windows® Servers as physical licenses
- Use of wrong licensing metrics for SQL Server® Windows® Servers
- Failure to recognize historical entitlements (products purchases 3-9 years ago) that can be used to mitigate current licensing gaps
- Licenses from mergers and acquisitions
The preceding list is just a sample of from over forty areas which are frequently reported inaccurately during an audit but should provide insight as to why it’s so important to carefully review and where appropriate, challenge the findings of an audit.
Regardless of whether a company discovers errors following an audit it’s important to try to work with Microsoft® toward some sort of settlement. Microsoft® doesn’t want to lose a customer, but they obviously don’t want their customers using their software illegally either. One thing a customer should always try to include in a settlement, whether with MS or the BSA, is that the violation and settlement not be publicly disclosed. This becomes increasingly difficult if the negotiations move to the BSA as they often want to make penalties public as a means to deter others from doing the same. If the case makes it to court it will likely become public record. The damage caused by such negative publicity could be greater than the offense and fines.
For further information or if you would like assistance as you prepare for the somewhat inevitable audit, please contact us at http://emerset.com/contact.