The 5 Steps of a Microsoft Audit
  • Savannah Zeller

The 5 Steps of a Microsoft Audit

You just received an audit notification letter from Microsoft, and a follow up letter from one of the big four accounting firms. Step One is easy: go ahead and schedule the kick-off call with the vendor. Here are few tips for this period:


  • Move ahead with normal business activities – planned purchases, decommissions.

  • Don’t panic purchase to cover shortfalls – this just sends up a red flag to the vendor.

  • Round up your data collection dream team – System Admin, SCCM Admin, Entitlement collection expert, Citrix expert.

After the kick-off call, Microsoft will establish the audit timeline. The vendor typically says it will take 7 weeks, but realistically, it will run 2-4 months, depending on your company size and complexity. Some clients are able to get an extension if they have a strong reason for doing so (i.e., not enough staff to handle data collection in two weeks), but most requests will be denied by the vendor (e.g., “we need more time because we’re in the middle of a migration”).

Step Two is about data collection. First, you’ll get an “Entitlement Request” from the auditor, which means a list of all the names under which you’ve ever purchased software. Make sure it includes any names of entities you’ve divested or merged with. They also want documentation for any “shrink wrapped” purchases (e.g., from Staples or Best Buy). It falls upon you to show what you’ve bought, where you bought it, and under which name you’ve purchased it in order to get entitlement credits.

The auditor then asks for the following:

  1. Directory of the active Microsoft user population (people and devices) in your environment

  2. SAM tool output to see what’s installed in your environment

  3. VMware/Hyper V

  4. End user products - Exchange, SharePoint, Skype, Project Server

  5. Antivirus output

  6. MSDN user names, what machines they’re using for test and development

  7. O365 users – they use this to cross check what these users are accessing

  8. SQL server licensing model

  9. RDS output

  10. Virtualization (Citrix, VDI)

  11. External applications outside the Directory (e.g., hospital systems that let patients log in)


In a typical Microsoft audit, there are several areas that present the most concern to clients, including:

  • User and machine names. If these are an issue for you, you can mask the data, or ask the auditor to mask it for you.

  • Low inventory coverage. If you’re scanning results in low coverage (less than 95% of your active environment) the auditors CAN extrapolate.

  • V-motion. Don’t wipe your V-motion history! Auditors can use the DRS settings to see if a machine is V-motioning and extrapolate. A lot of compliance issues happen here.


What happens to all this data? Step Three is when the data gets sent off to be analyzed and verified by the auditors, often offshore. Your data is combined into product-specific tables, old machine data is tossed out and clarifying questions are asked. Finally, the auditors compare your deployments to your entitlements and apply all licensing rules.


Step Four: Armed with this information, the auditors will set up a meeting with you to discuss their results and ask more questions. Often, they will request an on-site meeting, but this can easily be done via Skype. They will usually provide an ELP (Effective License Position) which shows preliminary information surrounding shortfalls. The most important thing to do here is to repeatedly ask yourself and your team “does this information look right?” We urge clients to check this information line-by-line, and make sure to understand their spreadsheets thoroughly before moving forward.


The auditors provide you the final ELP in Step Five and hand off the audit to Microsoft. The vendor will schedule a meeting with you to discuss audit findings and remediation.

At this meeting, we advise clients against pleading that “you didn’t mean to” exceed your licensing – Microsoft hears this all the time and is not interested. The best thing to do here is:

  1. Go into defense mode and attack the data first. Identify any and all findings that are wrong or seem to be over-reaching. This activity is key to building leverage with which to negotiate your counteroffer.

  2. Use the data to build a reasonable and credible counter proposal for Microsoft. This establishes a new starting point for negotiations to proceed, and to proceed is very important to Microsoft.

  3. Time your negotiations with an eye on Microsoft’s quarter end or June 30 year end date for more leverage.

  4. Leverage your true-up. You have a right to true-up once per year; you could argue that you were going to true-up on licenses and will do so -- without paying fees and penalties on the software you recently installed. It’s very hard for auditors to prove how long some software’s been installed, so this is a strong argument to use.

  5. Understand Microsoft incentives. This is when you loop in the sales team, which cares more about keeping you happy than the finance team. Your counteroffer may be of great interest to them and make them helpful during negotiations.


For more information surrounding Microsoft audits, view our webinar on the topic or read Top Findings in a Microsoft Audit or the Microsoft section of our Dubious Achievement Awards.


Savannah Zeller is a senior analyst on the ClearEdge compliance team and a former senior associate at KPMG, where she performed software audits for Microsoft and Autodesk. Tres Larsen is a ClearEdge Managing Director and leads the firm’s Audit Software Services. A former professional auditor, Tres established and lead KPMG’s Microsoft software compliance program. Both contributed to this blog.