Human beings, who are almost unique in having the ability to learn from the experience
of others, are also remarkable for their apparent disinclination to do so.

Douglas Adams, Last Chance to See

I’ve had the opportunity to work with an end-user organization following their receipt of a Microsoft SAM review letter. While there have been a number of organizations and consultants who have written about their respective learnings following these types of reviews and audits, I found this organization’s response interesting. Not only did this organization want to address the Microsoft request, it also fundamentally changed how they go about managing their software and it worked with Microsoft to create a win-win situation. My experience up until now has been one of organizations wanting to do anything possible (including paying a large settlement) to get the vendor out the door.
In 2014, Microsoft sent a letter to the organization’s primary contact requesting to audit its facilities in EMEA. This was the organization’s first vendor audit. The primary contact immediately responded saying they would cooperate. However, they also said it would be helpful to understand the entire process (what information Microsoft would need, and when) so that they could build their project plan.
Based on the efforts the organization made, here are my top six learnings for surviving a Microsoft license review:

  1. Microsoft (and other vendors) conduct hundreds and thousands of these reviews. Vendors know how most organizations will respond based on history and data. Before responses and data are shared with any vendor, make certain you establish a team of key stakeholders and include one person who’s responsible for the data collection and analysis and only a single spokesperson who communicates with the audit team. You want to ensure data accuracy, accountability, and a consistent external voice.
  2. Be careful with what information you share. In this particular case, a mistake was made in sharing information that was outside of the scope of the original request. In short, the organization provided information on Microsoft installations outside of EMEA – thereby expanding the scope of the audit.
  3. Not surprisingly, Microsoft was thorough in its responses (and requests), but I was surprised by how they kept their questions open-ended. For instance, one was “License Risk please clarify”. I wonder how many organizations create liability simply from trying to answer that question in a helpful way.
  4. Microsoft would contact the organization (to the day) if more than two weeks went by without hearing from them. This occurred on more than one occasion. My customer has a business to run – it helped in managing the situation when the organization could provide an expected date/timeframe for completion back to the license review team!
  5. Finalizing the Effective License Position (ELP – aka what’s in and out of compliance). This stage of the audit undoubtedly took the longest. While there was clear (but limited) exposure on certain desktop products, the real issues came into play with the organization’s SQL installations – not because the organization didn’t have enough licenses, but because they were licensed for a newer, presumably more capable and secure version of SQL than they had installed. The organization also had servers running older copies of operating systems – decisions needed to be made on the approach and response the organization would make that included hardware, software and virtualization needs that would meet all license requirements. The organization wanted to respond to Microsoft with what was right but also recognized that it had some process problems that needed to be addressed to avoid these issues in the future. It took the time to assemble the right teams – secure agreement and buy-in for the approach the organization felt would benefit their organization and be acceptable to Microsoft.
  6. Addressing the requests of the auditor kept the organization’s IT resources busy. In fact, a number of IT programs that were underway were delayed while the organization addressed the audit requests, worked through the planning, and validated the system needs and changes that were required. In the end, the exercise was beneficial to the organization, but it slowed regular business operations fairly

At the end of the day, Microsoft agreed to the organization’s proposal, which was to make (much needed) changes in its IT, including how it went about ensuring real-time license compliance for its desktops and servers. Yes, the organization had to acquire additional licenses, but in a way that worked for the organization. It also worked for Microsoft because the organization will remain in compliance with all its licenses.
What are the final learnings?
This was a relatively soft touch audit by Microsoft. What helped was having the team work through specifics of what the organization needed – and working with Microsoft to show how compliance would be maintained in the future. The organization also learned that responses back to the vendor have to be considered and coordinated. If they are not, the vendor may see the response differently from what was intended by the organization.
Lastly, given the compliance position the organization had – especially considering that they had licenses to newer, more capable and more secure versions of the software than what they had installed – the organization embarked on an IT transformation. The organization not only used this audit as a learning experience, it is in the midst of implementing ISO ITAM processes (ISO 19770) into the organization. While the company knows that implementing those processes will not mean an end to vendor audits, it does recognize that having established processes in place will make responding to future audits more efficient – with more accurate data – helping to ensure a more streamlined outcome the next time. Obviously, with real-time compliance positions, the organization expects to be able to generate compliance reports that satisfy any audit request before they even begin.
P.S. Microsoft never did share an overview of the entire process upfront. While this would have been helpful in knowing up front the what and the when, the people who worked with Microsoft reported that Microsoft was professional and was willing to listen and consider what turned out to be a reasonable resolution.