Shifting, hard-to-understand clauses, an ill-defined scope, ignorance of one's rights and of the risks incurred... a Microsoft audit can be a real obstacle course and tie up significant internal resources. In an analysis note obtained exclusively by LeMagIT, the research firm Gartner offers suggestions and recommendations to follow in order to "survive a Microsoft audit" (the title of the note).

Like a number of IT vendors, Microsoft has in recent months stepped up its corporate audit policy, something Oracle has reportedly done as well. According to Gartner, questions related to Microsoft audits increased by 78% (!) between September 2015 and August 2016. In short, companies need to prepare for an audit and take a proactive approach, or even implement Software Asset Management (SAM) practices.

Ben Jepson and Victoria Barber, the two authors of this report, have identified 7 steps that provide a structured method for responding to an audit conducted by the Redmond-based vendor, whether it is a formal audit conducted by an independent firm or a self-evaluation.

In its first recommendation, Gartner invites companies to check all of Microsoft's contractual details for audit and compliance requirements. It is about understanding what type of audit is being discussed and what comes into play. For example, if you have to comply with a formal audit, the company has the right to refuse a request for a voluntary SAM engagement. Logically, and this is the second step, the audit should be conducted "in accordance with your governance and your established processes in this area," note the two analysts. "It goes without saying that Microsoft has the right to audit, but customers have to control and manage the scope and the audit process," they say. For example, companies need to ensure that there is minimal impact in terms of availability and resource requirements, that agreement is reached on "scope and deliverables" and that "the methodologies used to conduct the audit are well understood."

Gartner also recommends ensuring there is no conflict of interest. "For formal audits, Microsoft primarily uses the four largest accounting firms, so make sure that the appointed auditor is not your financial auditor as well."

Compare your data and update the records

The next step is to compare the information held by Microsoft with that held by the company. "All Volume Licensing customers have access to Microsoft's Volume Licensing Center (VLSC), where they can find documents related to their contracts and license purchases," says Gartner. For customers who have signed new MPSA contracts, the information is accessible via the Business Center portal for volume licenses. Overall, detailed data can also be provided via the Microsoft License Statement (MLS). "It is from this data that Microsoft or its third-party auditor will assess compliance," the analysts say.

Same story for license allocation records. The firm recommends keeping them up to date "according to contractual requirements". "It's important to keep records of assignments and that change management processes include updating these records to demonstrate consistent compliance with the attribution rules," note the analysts.

"These licensing models, purchasing metrics, and complex software usage rights that are different and continually changing further reinforce the need for accurate and up-to-date attribution records," they add.

The final part of Gartner's recommendations covers the scope of the audit and which software should be given priority for compliance. The firm advises precisely identifying all products covered by the audit, including versions and editions. To that end, Gartner recommends putting in place a mechanism that "ensures that all devices are covered and that you can demonstrate it." Data from inventory tools can thus be regarded as a measurement by the vendor, data that it can cross-reference with other sources, such as directory services.

And the picture may be complicated by what Gartner calls "high-risk products with complex licensing models." One example of that complexity is user licenses (CAL). "The inability of customers to count CALs is why their compliance issues with Microsoft persist. As CALs are access rights, rather than software products, their tracking, management, and verification of appropriate rights against the release are problematic," the two analysts add by way of illustration.

Another example put forward is that "Microsoft Dynamics customers are often unaware of the impact of indirect access rules, which stipulate that when you move CRM or AX data via an automated process (active link, batch processing or multiplexing), anyone accessing the data requires a license."

Finally, Gartner tells companies that, to limit the impact of an audit, the best defense is still a robust, proactive Software Asset Management (SAM) policy.