Key Documents Needed for a Microsoft Audit

  • Software Licenses: Copies of all software licenses.
  • Purchase Records: Receipts and invoices for software purchases.
  • Contracts: Original agreements with Microsoft or resellers.
  • Software Usage Records: Logs showing how software is used.
  • Volume Licensing Agreements: Details of enterprise agreements.
  • Subscription Details: Information about active subscriptions.

Key Documents Needed for a Microsoft Software Audit

A Microsoft software audit can be overwhelming if you’re unprepared, but the process can be streamlined significantly with the right documentation.

Ensuring your organization complies with Microsoft’s licensing terms requires maintaining a detailed and organized set of records.

Here, we’ll guide you through the essential documents needed for a Microsoft audit and how to prepare them effectively to ensure a smooth audit experience.

License Entitlement Documentation

Original Purchase Records

The foundation of your audit documentation starts with proof of legitimate software acquisition. Microsoft uses this core evidence to verify that your software licenses are valid.

To prepare for the audit, gather comprehensive records for the following:

  • OEM (Original Equipment Manufacturer) Licenses: Typically sold with new hardware, such as laptops or servers, and permanently tied to that device.
  • Electronic Software Distribution (ESD) Licenses: Licenses purchased digitally through Microsoft’s platform or a trusted vendor.
  • Full Packaged Product (FPP) Licenses: Physical software packages purchased off-the-shelf, including their packaging and product keys.
  • Software Assurance Licenses: Any additional assurance or upgrade rights purchased along with your original licenses.
  • Transferred License Agreements: If you have acquired licenses through mergers, acquisitions, or license transfers, ensure all agreement records are available.
  • Microsoft License Statements: Periodic statements from Microsoft that summarize your volume license holdings and help ensure compliance.

Certificates of Authenticity (COAs)

Certificates of Authenticity are essential for proving the legitimacy of your software. This documentation is critical during an audit, validating that your installations are properly licensed. Ensure you have:

  • Physical COA Stickers: These are often found on the hardware for OEM licenses.
  • Paper Certificates: Certificates that came with boxed software.
  • BIOS Keys and Product Keys: Documentation for any embedded product keys or software activation codes.

Deployment Documentation

Software Inventory Reports

A comprehensive software inventory is fundamental to a successful audit. Your inventory should include a detailed report of all Microsoft software installed across your organization. Be sure to document:

  • Desktop and Laptop Installations: Software installed on each user device.
  • Physical Server Deployments: The specific software running on each physical server.
  • Virtual Machine Configurations: Any Microsoft software running in virtual environments.
  • Mobile Device Installations (Where Applicable): Software used on mobile devices like tablets and smartphones.

Server Documentation

For server-based products, documentation must include:

  • Number of Installed Server Instances: Record each installation of server products.
  • Client Access Licenses (CALs): Ensure documentation shows which users or devices are licensed to access server software.
  • SQL Database Access Records: Document how SQL databases are accessed and by whom.
  • Exchange Server Configurations: Record how Microsoft Exchange is deployed and accessed.

User Access Documentation

Client Access Licenses (CALs)

CALs, which govern user and device access to Microsoft server products, are often a major audit focus.

You need to document:

  • User CALs: How many users are accessing each server?
  • Device CALs: The number of devices authorized to connect to server software.
  • Server Access Permissions: Records of who can access which server and under what licensing terms.

Deployment Summary

A Microsoft deployment summary outlines the specifics of your software usage. Ensure you have documentation that provides the following:

  • Quantity of Each Software Version Installed: This includes older versions still in use.
  • Active Software Usage Counts: How many installations are in active use?
  • Server Product Deployments: Which servers host which Microsoft products?
  • CAL Distributions: Documentation of how CALs are allocated.

Infrastructure Documentation

Virtual Environment Records

Virtual environments add an extra layer of complexity during an audit. For virtualized infrastructure, maintain:

  • Virtual Machine Counts: Number of virtual machines in use.
  • Host Server Configurations: Details of the physical hosts running the virtual environments.
  • Software Installations per VM: Documentation of Microsoft software installations on each virtual machine.
  • License Assignments Across Virtual Infrastructure: Record how licenses are assigned within virtual environments.

Hypervisor Documentation

In virtualized environments, hypervisors play a key role in managing virtual machines. Ensure you maintain:

  • Hypervisor Configuration Details: Document the settings and configurations of hypervisors like VMware, Hyper-V, or others.
  • Hypervisor Software Licenses: Keep records of licenses for the hypervisor software itself.
  • VM Migration Records: Document any migrations of VMs between hosts, especially if they impact software license requirements.

Compliance Evidence

Usage Tracking

Accurate usage tracking helps demonstrate compliance. Keep records of:

  • Active User Counts: Number of active users utilizing the software.
  • Software Deployment Locations: Where each piece of software is installed and used.
  • Installation Dates: Date records for each software installation.
  • Version Tracking: The version of each installed product, so that licensing can be matched to what is installed.

License Usage Optimization

Tracking the use of software also helps optimize license allocations. Maintain documentation on:

  • License Allocation Efficiency: Track whether all licenses are fully utilized or if there are opportunities to reduce excess.
  • Usage Metrics and Analytics: Use analytics to determine underused licenses and potential cost savings.
  • Reassignment of Licenses: Document any reassignment of licenses between users or departments to maintain compliance.

Best Practices for Documentation Management

Centralized Record Keeping

Having a master document that consolidates all your licensing and deployment information can significantly streamline an audit. This master document should include:

  • Complete Software Inventory: A list of all Microsoft products installed.
  • All Product Keys: The activation keys for each installation.
  • License Proofs and Purchase Records: Digital and physical copies of all licenses and proof of purchases.

Documentation Organization

Organize your records to make them easy to find and verify. Some organizational strategies include:

  • Chronological Records: Maintain records based on when licenses were purchased or deployed.
  • Separate Sections for Different Product Types: Divide records for server products, desktop software, virtual environments, etc.
  • Digital and Physical Copies: Maintain both formats to reduce the risk of loss.
  • Clear Filing System: Establish a well-defined electronic and paper records filing system.

Audit Response Documentation

Communication Records

During an audit, you will communicate extensively with Microsoft auditors.

Keep records of:

  • Audit Notification Correspondence: The initial notice and any follow-up communication.
  • Response Communications: Copies of all emails, letters, or documents shared with Microsoft.
  • Meeting Minutes: Notes from any meetings or calls with auditors.
  • Information Requests and Responses: Record of requests made by auditors and your organization’s responses.

Escalation and Internal Communication

It is equally important to keep track of internal communication regarding the audit. Ensure records include:

  • Escalation Reports: Internal memos and reports related to the escalation of audit issues to management.
  • Internal Coordination Emails: Correspondence between departments, such as IT and legal teams, discussing audit-related actions.
  • Internal Audit Plans: Any internal plans for addressing audit requirements before engaging with Microsoft.

Remediation Documentation

If any discrepancies are identified, it is critical to document the steps taken to achieve compliance, such as:

  • New License Purchases: Proof of licenses purchased to close compliance gaps.
  • Software Removal Confirmations: Records showing the uninstallation of unlicensed software.
  • Updated Deployment Records: Records of the revisions made to the software deployment.

Audit Summary Reports

After the audit is completed, create a summary report that includes:

  • Audit Findings: Summary of the auditor’s findings and discrepancies.
  • Remediation Actions Taken: A list of corrective actions to resolve non-compliance issues.
  • Lessons Learned: Key insights from the audit to help improve future compliance efforts.

Technical Documentation

System Configuration Reports

Technical documentation of your IT infrastructure helps demonstrate the environment in which your licenses are used. Include:

  • Network Architecture Diagrams: Diagrams that illustrate how systems are interconnected.
  • Server Configurations: Details of the server setups, including installed software.
  • User Access Matrices: Documentation of which users have access to what systems.
  • Software Deployment Maps: Graphical representation of software across your infrastructure.

Technical Change Management Records

Changes in IT infrastructure can impact licensing compliance. Keep detailed records of:

  • Change Requests and Approvals: All change requests related to deploying or decommissioning Microsoft software.
  • Configuration Changes: Updates made to the system configurations that affect license requirements.
  • Impact Analysis: Documentation of the potential impact of changes on licensing and compliance.

Regular Maintenance

Documentation Updates

To be audit-ready, you must maintain current documentation. Set up routines for:

  • Monthly License Reconciliation: Compare active licenses against deployed software each month.
  • Quarterly Deployment Reviews: Regular reviews to identify any discrepancies between deployments and available licenses.
  • Annual Compliance Checks: Conduct a full compliance check annually to verify your records.
  • Regular Documentation Updates: Keep all documents current, including product keys and usage records.

Continuous Improvement Programs

Consider implementing ongoing programs to enhance compliance readiness:

  • Training Programs: Regular training for IT and procurement teams on Microsoft licensing requirements.
  • Internal Compliance Workshops: Hold workshops to educate staff on best practices for software license compliance.
  • Feedback Mechanisms: Collect feedback from staff to maintain compliance documentation and improve processes.

Risk Management Documentation

Maintaining compliance means proactive risk management. Document:

  • Regular Self-Audits: Periodically audit your usage and compliance.
  • Compliance Checking Procedures: Describe the processes your organization uses to ensure compliance.
  • Risk Assessment Reports: Identify and evaluate risks associated with license compliance.
  • Remediation Plans: Develop a plan to address any potential risks or gaps in compliance.

Special Considerations

Enterprise Agreements

If your organization has an Enterprise Agreement (EA) with Microsoft, additional documentation is required to comply. Ensure that you have:

  • True-Up Reports: These reconcile any discrepancies annually based on actual usage.
  • Annual Reconciliation Documents: Statements that clearly depict what has been deployed versus licensed.
  • Volume Licensing Portal Access Records: Maintain access to Microsoft’s portal for volume licensing to confirm compliance.
  • Agreement Compliance Documentation: Any other documents required by the terms of your EA.

Software Assurance Benefits

Organizations with Software Assurance (SA) also need to document their usage of SA benefits, including:

  • Upgrade Rights Documentation: Proof of rights to use upgraded versions of software.
  • Training and Support Entitlements: Records showing the usage of training vouchers or support incidents covered by SA.
  • License Mobility Rights: Documentation of license mobility across servers or cloud environments.

Preparation Checklist

Pre-Audit Organization

Preparation is key to a successful audit. Before the auditors arrive, be sure to:

  • Inform Relevant Stakeholders: Ensure management and IT teams know about the audit.
  • Appoint an Audit Response Team: Designate people responsible for working directly with the auditors.
  • Organize Documentation: Have all required documents ready and easily accessible.
  • Verify License Counts: Double-check that you have sufficient licenses to cover all deployments.

Documentation Security

Audit-related documentation includes product keys, contracts, and infrastructure details, so it is important to protect it:

  • Secure Storage Systems: Store documents in secure locations with backups.
  • Access Control Protocols: Restrict access to audit documents to authorized personnel only.
  • Backup Procedures: Regularly back up all licensing documentation.
  • Version Control: Use version control to keep track of changes and ensure no critical documents are lost.

FAQ: Key Documents Needed for a Microsoft Audit

What documents should I keep for a Microsoft audit?
You should keep records of software licenses, purchase receipts, contracts, usage logs, and volume licensing agreements.

Why are software licenses important in an audit?
They verify that your organization has the legal right to use the software.

What role do purchase records play in a Microsoft audit?
They confirm that you’ve bought the software legally and in the right quantities.

What if I don’t have original contracts with Microsoft?
Without them, it can be challenging to prove the terms of your software usage.

How can I show software usage during an audit?
By providing usage logs or reports detailing how each software product is being used.

Are subscription details needed for the audit?
Yes, they show whether you are up to date with your licenses or subscriptions.

What happens if I don’t have proof of purchase?
Lack of proof may result in fines or in having to purchase additional licenses.

How long should I keep these documents?
You should retain them for at least 3 years after the software is no longer used.

Can I get an audit exemption?
Exemptions are rare, but you may negotiate terms with Microsoft if you have a compliance history.

Do I need a licensing consultant for the audit?
While not required, a consultant can help navigate complex audit processes.

What if Microsoft finds a compliance issue?
You may be required to purchase additional licenses, pay fines, or both.

Can a third-party vendor handle the audit for me?
Yes, a third party can help manage and prepare the documents, but you remain responsible.

What’s the difference between volume and retail licensing?
Volume licensing covers enterprise-level purchases, while retail is for individual or small-scale use.

How do I prepare my software for an audit?
Ensure all software is installed correctly and matches your licensing records.

Can Microsoft audit me if I don’t have all the documents?
Yes, they may still audit you, and not having documents could result in penalties.
