January 2017: Is your company in compliance when it comes to software? Microsoft appears to be stepping up licensing audits, so if you’re using Windows, Office, Server or any of Microsoft’s more complex software solutions like virtualization, you need to be able to prove you have up-to-date licenses.
It’s easy to inadvertently get out of compliance — employees come and go, hard drives crash and get rebuilt, and volume licensing agreements can be confusing. But auditors don’t care. They will fine you. Here’s what to do to prepare:
The two kinds of Microsoft audits
1. Microsoft Software Assessment Management (SAM): A SAM audit is Microsoft’s more low-key audit. It’s a request to participate in a software licensing verification process to determine if your company is paying for the Microsoft software it’s using. The requests come by email so you may think it’s phishing but it’s not. Your participation is voluntary — and you can also self-initiate using Microsoft’s web tools — but if you don’t participate with the SAM auditor when asked, you’ll get to experience the other kind of Microsoft audit.
2. Legal Contracts and Compliance (LCC): This kind of audit is not low-key — it’s basically accusing you of software piracy. This audit is conducted by an industry trade group, usually the Business Software Alliance or BSA that’s made up of global software giants, and involves onsite visits to your business.
Auditors look to see how many licensed products you’re using and ask you to produce evidence that you’ve purchased each one. If you can’t produce the evidence, you’ll be charged a penalty in addition to the cost of bringing all software into compliance. These third-party auditors have a reputation for turning over every IT stone because they have a financial stake in the outcome — they get a piece of everything they find that’s out of compliance.
If you refuse to pay the fines or true-up on the licensing, Microsoft (or BSA) can sue you. Microsoft has put companies out of business by doing so. Microsoft has also been accused of being overly aggressive in its tactics (and has been fined for it) yet it still ranks third for aggressiveness behind Oracle and IBM. Keep in mind that these three companies aren’t the only software giants that conduct audits.
When an organization has been found to be out of compliance, it’s not a secret. You may be more likely to be audited by other companies, too.
If you’re out of compliance, true-up as soon as you can
A lot of organizations — especially growing organizations — lose track of how many licenses they’re using. So if you’re out of compliance you’re not alone. Let’s say, for example, you bought a license to activate 10 computers when you hired a few new employees. Then you had some employee turnover — three employees left and you hired four more. Then two employees left and you hired five more. If you’re not careful about tracking the license, you could become out of compliance without realizing it.
And if you’ve rebuilt and reinstalled software on the same computer, it can get even more confusing.
So while the software-licensing honor system makes things easier on the front end, it can also make things harder because there’s less incentive to track licenses properly. Subscription-based Office 365 simplifies tracking for those specific online licenses, but adding cloud apps to the already complex task of software license management can make your head spin if you don’t have a good system in place. The same team responsible for buying computers and the software that runs on them should be responsible for keeping your company in compliance.
Getting in compliance could even save you money
Conversely, many companies are inadvertently paying to renew software licenses that they’re no longer using. If you’re one of them, an audit (internal or otherwise) will keep you from throwing more money out the window. If an audit reveals you’ve been overpaying, however, don’t expect to get a refund.
Audits can be triggered by your purchasing history, the size of your business (the larger the business, the more potential compliance issues), or if your company has recently merged with or acquired another company. Your audit can also be triggered just because it’s your time to be audited.
Often, however, it’s a disgruntled employee or a competitor reporting suspected piracy. The BSA pays whistleblowers.
If you get an audit notice, regardless of what you think may have triggered it, don’t ignore it. It won’t go away. Instead, prepare.
And it’s best to be prepared before you get an audit notice! Now is a great time to implement your own SAM if you haven’t already. There are plenty of SAM training programs available as well as SAM certifications. Here’s an overview of the steps:
1. Look at your purchase history to find all of the licenses you’ve bought.
Remember to include OEM (Original Equipment Manufacturer) licensing that came with the computers you bought. Those licenses are not portable, which means it’s tied to that specific computer. You may have to physically look at the receipt for OEM to find the licensing.
2. Do an inventory to match up.
Match the licenses you’ve purchased to the software you’re currently using. This is a lot easier if you’re using an asset management system. If not, you can start now by using a free one you find online like SysAid or Snipe-IT, or a low-cost one like Belarc. Consider this a self-audit — something to do before you face a real audit.
3. Have IT remove any software you don’t need.
Software sprawl is when you have software installed that’s not being used. It can reach epidemic levels if you don’t pay attention. Get rid of those apps. Microsoft Access is a good example of an app that requires licensing but few people actually use.
4. Get in compliance.
Now that you know what you’ve licensed, match up your licenses to the software you’re using and know which software you’re not licensed for, it’s time to call your Microsoft retailer. Your retailer will help you find the cost-effective way to get compliant. If you wait for the official audit, the auditors will get you compliant in the least cost-effective way!
If you true-up on your own before an audit, there’s no fine. If you get audited and you’re out of compliance, you will pay fines in addition to the costs associated with getting in compliance. And your reputation could take a hit, too.
When Leapfrog operates as the procurement arm for our clients, we’re the ones who buy the computers and licenses, and we also keep the records. So if Microsoft (or Oracle, SAP or another software company) initiates an audit, they contact us and we handle it for our clients. If you have any questions about software audits or how managed IT services can relieve you of the burden of getting and staying in compliance yourself, feel free to contact us.