
Microsoft Licensing Audit Readiness Metrics: The 12-Metric Framework

Last reviewed: 2024-11-07 · Microsoft Negotiations


The average Microsoft software audit costs an enterprise $280,000–$630,000 in total — staff time, external consultants, and true-up liability combined. The organisations that spend at the lower end of that range are not lucky; they have continuously maintained compliance documentation and can prove their licence position in 10 business days rather than 12 weeks. Audit readiness is not a one-time project you complete before an audit letter arrives. It is a set of metrics you track continuously so that when Microsoft's auditor calls, your response is a data export rather than a crisis.


The 12 Audit Readiness Metrics

Metric | What It Measures | Target | Risk Level if Below Target | Data Source
Entitlement documentation completeness | % of licence purchases with retrievable purchase records | 100% | Critical: undocumented entitlements are treated as unlicensed by auditors | VLSC/VLMS
Inventory currency | Days since last software inventory scan | <30 days | High if >90 days: stale inventory cannot defend against audit findings | SAM tool / SCCM
Deployment-entitlement reconciliation frequency | Times per year the entitlement count is compared to the deployment count | Monthly minimum | High: gaps compound silently without reconciliation | SAM tool vs VLSC
Compliance gap (shortfall licences) | Deployed units minus licensed units, by product | 0 (fully licensed) | Critical if >5% gap: direct audit liability | SAM reconciliation
Virtualisation documentation | % of server workloads with a documented virtualisation licence model | 100% of virtualised server products | Critical for SQL Server and Windows Server: virtualisation is the #1 Microsoft audit finding | vSphere/Hyper-V inventory
Licence reassignment records | % of licence reassignments (between users, devices or hosts) with dated records | 100% | Medium: undocumented reassignments may be counted as additional deployments | ITSM / procurement log
EA documentation accessibility | Days to retrieve the signed EA, amendments and purchase history | <2 business days | Medium: inability to produce the EA quickly signals disorganisation to auditors | Legal / procurement archive
Product Terms version currency (formerly PUR) | % of products for which the Product Terms version relied on matches the current Microsoft publication | 100%, verified annually | Medium: outdated use-rights knowledge leads to incorrect licence counting | Microsoft Product Terms site
M&A integration status | % of acquired entities integrated into the EA licence position | 100% within 90 days of acquisition close | High: acquired entity deployments are the buyer's liability under EA affiliation rules | Legal / IT integration tracking
SAM programme documentation | Existence of a documented SAM policy, process and responsible owner | Documented, reviewed annually | Medium: absence signals compliance immaturity to Microsoft | Governance documentation
True-Up submission accuracy | % variance between the True-Up submitted and the SAM-calculated position | <3% variance | High if >10%: systematic under-reporting triggers audit scrutiny | True-Up records vs SAM
Audit response time capability | Estimated days to produce complete audit response documentation | <10 business days | Medium: slow response extends audit duration and cost | Self-assessment exercise

The Highest-Risk Audit Finding: Virtualisation

In our advisory experience, virtualisation licensing is the single most common finding in Microsoft software audits, and the most expensive. The core problem: Microsoft's virtualisation rules for Windows Server and SQL Server are product-version-specific and counterintuitive in VMware and Hyper-V environments. Many organisations believe they are correctly licensed because they have bought enough licences by count. Auditors find non-compliance because the licences were not applied correctly at the physical host, or because the model chosen (licensing individual VMs rather than the host) creates exposure as VMs migrate across hosts: a licence assigned to a VM is tied to the host the VM runs on, and without Software Assurance it may be reassigned to another host only once every 90 days.

Windows Server Virtualisation Audit Risk

Windows Server Datacenter licenses every physical core on the host (minimum 16 core licences per host and 8 per processor) and then permits unlimited VMs on that host. Windows Server Standard licenses the same physical cores but then permits only two VMs (operating system environments); every further pair of VMs requires all of the host's cores to be licensed again, so Standard licences "stack" on dense hosts. The audit risk arises when organisations cost-optimise by buying Standard for specific VMs, reasoning per VM rather than per host, and fail to account for VM migration: when a Standard-licensed VM lands on a host whose Standard stacks are already consumed by other VMs, a compliance gap opens in real time. The virtualisation inventory metric must therefore track not just current VM placement but licence coverage under the worst-case VM distribution the cluster allows (every host licensed for every Standard VM that could migrate onto it), and compare that total against Datacenter for the same hosts. For the full virtualisation framework, see our Windows Server virtualisation licensing guide.

SQL Server Virtualisation Audit Risk

SQL Server in a VM can be licensed in two ways, on VMware and Hyper-V alike. The per-VM model licenses the virtual cores of each VM, with a minimum of 4 core licences per VM. The per-host model licenses every physical core of the host; with Enterprise edition plus Software Assurance this covers an unlimited number of SQL Server VMs on that host. The per-VM model is legitimate, but the licences are assigned to the host the VM runs on, and without SA a licence may be reassigned to a different host only once every 90 days. VMs that vMotion or live-migrate freely across a cluster therefore need either SA (License Mobility) or enough licences to cover every host they can land on. This is the most expensive Microsoft audit finding in our engagement history: a 5,000-user enterprise ran 40 SQL Server VMs across four 32-core VMware hosts, licensed per VM with VMs free to move between hosts and no SA-backed mobility. Because the per-VM licences could not follow the VMs, every host they could run on had to be covered for all its physical cores: 128 core licences (4 hosts × 32 cores) per edition, against a per-VM count that covered only a fraction of that. True-up liability: $4.2M. The virtualisation documentation metric prevents this outcome by requiring, for every SQL Server deployment, explicit per-host coverage documentation or evidence of SA-backed mobility.
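The following script is an added example, not the page's or the advisory firm's tooling. It implements the two checks the Windows Server and SQL Server sections describe: worst-case Windows Server Standard stacking (every Standard VM could land on every host) against Datacenter, and the SQL Server per-VM core count with the 4-core floor plus a scan of a migration log for non-SA licences reassigned twice within 90 days. The core minimums, the two-VMs-per-stack rule, the 4-core floor and the 90-day window are the editor's reading of Microsoft's Product Terms and should be checked against the version in force for your agreement; the hosts, VMs and vMotion log are constructed sample data.

```python
"""Worst-case virtualisation licence coverage for a vSphere/Hyper-V cluster.

Rules encoded here (editor's reading of Microsoft's Product Terms):
  - Windows Server: every physical core on a host must be licensed, minimum
    16 core licences per host and 8 per processor. Once a host is fully
    licensed, Standard permits 2 VMs (OSEs); each further pair of VMs needs
    all cores licensed again (another "stack"). Datacenter permits unlimited
    VMs on a fully licensed host.
  - SQL Server per-VM model: licence each VM's virtual cores, minimum 4 per
    VM. Without Software Assurance a licence may be reassigned to another
    host only once in 90 days; SA (License Mobility) removes that limit.
Hosts, VMs and the migration log below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from math import ceil

MIN_CORES_PER_HOST = 16
MIN_CORES_PER_PROC = 8
REASSIGN_WINDOW_DAYS = 90


@dataclass(frozen=True)
class Host:
    name: str
    processors: int
    cores: int          # total physical cores on the host


@dataclass(frozen=True)
class VM:
    name: str
    product: str        # "winstd" (Windows Server Standard) or "sql"
    vcpus: int
    has_sa: bool = False


def licensable_cores(host: Host) -> int:
    """Core licences needed to cover one host once (one stack)."""
    return max(host.cores, MIN_CORES_PER_HOST, MIN_CORES_PER_PROC * host.processors)


def standard_cores_for_host(host: Host, vms_that_can_land: int) -> int:
    """Windows Server Standard: one full stack of core licences per 2 VMs.
    Pass the number of Standard VMs that could *migrate onto* this host,
    not just those placed on it today, to get the worst-case figure."""
    stacks = max(1, ceil(vms_that_can_land / 2))
    return stacks * licensable_cores(host)


def windows_plan(hosts: list[Host], vms: list[VM]) -> dict:
    """Worst-case Standard stacking (every Standard VM could land on every
    host) against Datacenter (one stack per host) for the whole cluster."""
    std_vms = sum(1 for v in vms if v.product == "winstd")
    standard = {h.name: standard_cores_for_host(h, std_vms) for h in hosts}
    datacenter = {h.name: licensable_cores(h) for h in hosts}
    return {
        "standard_per_host": standard,
        "standard_total": sum(standard.values()),
        "datacenter_total": sum(datacenter.values()),
    }


def sql_per_vm_cores(vms: list[VM]) -> dict[str, int]:
    """SQL Server per-VM model: virtual cores with a 4-core floor per VM."""
    return {v.name: max(v.vcpus, 4) for v in vms if v.product == "sql"}


def reassignment_violations(vms: list[VM], moves: list[tuple]) -> list[tuple]:
    """moves: (vm_name, date, from_host, to_host), any order. Returns
    (vm, earlier_move, later_move) for each pair of host moves by a non-SA
    VM that fall within the 90-day window; VMs with SA are skipped."""
    sa = {v.name: v.has_sa for v in vms}
    by_vm: dict[str, list[date]] = {}
    for name, when, _src, _dst in moves:
        by_vm.setdefault(name, []).append(when)
    violations = []
    for name, dates in by_vm.items():
        if sa.get(name, False):
            continue
        dates.sort()
        for earlier, later in zip(dates, dates[1:]):
            if (later - earlier).days < REASSIGN_WINDOW_DAYS:
                violations.append((name, earlier, later))
    return violations


# --- constructed sample cluster ---------------------------------------------
HOSTS = [Host(f"esx{i}", processors=2, cores=32) for i in range(1, 5)]
VMS = [VM(f"app{i:02d}", "winstd", 4) for i in range(1, 11)] + [
    VM("sql01", "sql", 2),               # 2 vCPUs still need 4 core licences
    VM("sql02", "sql", 8),
    VM("sql03", "sql", 8, has_sa=True),
]
MOVES = [  # constructed vMotion log: (vm, date, from, to)
    ("sql01", date(2024, 1, 5), "esx1", "esx2"),
    ("sql01", date(2024, 1, 20), "esx2", "esx3"),   # 15 days later: breach
    ("sql02", date(2024, 2, 1), "esx1", "esx4"),
    ("sql02", date(2024, 6, 1), "esx4", "esx1"),    # 121 days later: allowed
    ("sql03", date(2024, 3, 1), "esx2", "esx3"),
    ("sql03", date(2024, 3, 2), "esx3", "esx2"),    # has SA: mobility allowed
]

if __name__ == "__main__":
    plan = windows_plan(HOSTS, VMS)
    print("Windows Server Standard, worst case:", plan["standard_total"], "cores")
    print("Windows Server Datacenter:          ", plan["datacenter_total"], "cores")
    print("SQL Server per-VM cores:", sql_per_vm_cores(VMS))
    for vm, a, b in reassignment_violations(VMS, MOVES):
        print(f"{vm}: licence moved on {a} and again on {b} (<90 days, no SA)")
```

On the constructed cluster, ten Standard VMs that may land anywhere need five stacks per host, 640 core licences across the four hosts, where Datacenter needs 128; that gap between "licences bought by count" and "licences the cluster can actually consume" is the figure the virtualisation documentation metric is meant to surface. Feed the migration check from vCenter or Hyper-V event logs rather than a hand-kept list.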


Compliance Risk Exposure Calculation

Compliance risk exposure is the dollar value of your current licensing gap — the amount Microsoft could claim in true-up liability if an audit were conducted today. Calculating this metric requires three inputs: the number of unlicensed or incorrectly licensed product deployments, the Microsoft list price for the affected SKUs, and the applicable licence model (per user, per core, per device).

The formula: Compliance Risk Exposure = Σ(Unlicensed Units × List Price per Unit × Applicable Term). For perpetual licences, the calculation uses the current list price. For subscription licences, the calculation uses the annual list rate multiplied by the number of years of non-compliance (typically the EA term or the SAM tool history window, whichever is shorter). Core licences are sold in 2-core packs, so round a core shortfall up to whole packs before pricing it. A simple example: 50 SQL Server Standard core licences unlicensed (deployed without licence on a VMware host) × $3,586 list price per 2-core pack × 25 packs equivalent = $89,650. For SQL Server Enterprise, the same calculation at $15,123 per 2-core pack produces $378,075 in exposure on the same deployment gap.

Track compliance risk exposure monthly. An increasing trend — even without an audit — signals a compliance programme that is not keeping pace with deployment growth, and must be addressed before the next EA True-Up or renewal.

The Continuous Compliance Programme Architecture

The organisations that consistently score best across the 12 audit readiness metrics operate a continuous compliance programme rather than periodic audit preparation exercises. A continuous compliance programme has four components. First, automated monthly inventory: SAM tool or SCCM/Intune automated discovery produces a current software deployment count monthly without manual intervention. Second, automated monthly reconciliation: the inventory count is automatically compared against the VLSC entitlement data, producing a gap report that feeds the compliance risk exposure metric. Third, exception management process: any reconciliation gap triggers a defined process — assigned owner, root cause investigation, remediation action, and documented sign-off. Fourth, quarterly compliance review: the CIO/IT Director reviews the aggregate 12-metric scorecard, approves remediation of any material gaps, and confirms the audit readiness assessment.
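An added example, not the page's tooling, of the second component above (automated reconciliation of inventory against entitlements) feeding the exposure formula from the Compliance Risk Exposure section. The entitlement and inventory rows are constructed stand-ins for a VLSC/VLMS export and a SAM-tool or SCCM/Intune discovery run; the SQL Server 2-core pack prices are the list prices quoted on this page, while the subscription product and its price are assumed for illustration only.

```python
"""Monthly entitlement-vs-deployment reconciliation and compliance risk
exposure, Σ(unlicensed units × list price × term), rounded to whole packs.

Added example, not the page's tooling. ENTITLEMENTS and INVENTORY are
constructed; SQL Server pack prices are the figures quoted on the page;
"Visio Plan 2" and its price are assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Sku:
    product: str
    unit: str           # "core", "user" or "device"
    pack_size: int      # licences per purchasable pack (SQL Server: 2-core packs)
    pack_price: float   # list price per pack, USD
    perpetual: bool = True


CATALOGUE = {
    "SQL Server Standard": Sku("SQL Server Standard", "core", 2, 3586.0),
    "SQL Server Enterprise": Sku("SQL Server Enterprise", "core", 2, 15123.0),
    # assumed subscription SKU and price, not a figure from the page
    "Visio Plan 2": Sku("Visio Plan 2", "user", 1, 180.0, perpetual=False),
}


def reconcile(entitlements: dict[str, int], inventory: list[tuple[str, int]]) -> dict:
    """entitlements: {product: licensed units}; inventory: (product, units)
    rows, one per host, VM or user group. Returns per-product deployed,
    licensed and shortfall units. Products seen in only one source are
    still reported: an entitlement with no deployment is shelfware, a
    deployment with no entitlement is an undocumented installation."""
    deployed: dict[str, int] = {}
    for product, units in inventory:
        deployed[product] = deployed.get(product, 0) + units
    result = {}
    for product in sorted(set(deployed) | set(entitlements)):
        d, lic = deployed.get(product, 0), entitlements.get(product, 0)
        result[product] = {"deployed": d, "licensed": lic, "gap": max(0, d - lic)}
    return result


def exposure(gaps: dict, catalogue: dict[str, Sku], years_noncompliant: int = 1):
    """Price every shortfall at whole packs. Perpetual products use the
    current list price once; subscriptions multiply by years of
    non-compliance. Shortfalls with no catalogue entry cannot be priced and
    are returned separately so they are never silently dropped."""
    total, priced, unpriced = 0.0, {}, []
    for product, g in gaps.items():
        if g["gap"] == 0:
            continue
        sku = catalogue.get(product)
        if sku is None:
            unpriced.append(product)
            continue
        packs = ceil(g["gap"] / sku.pack_size)
        term = 1 if sku.perpetual else years_noncompliant
        cost = packs * sku.pack_price * term
        priced[product] = {"packs": packs, "exposure_usd": cost}
        total += cost
    return total, priced, unpriced


def trueup_variance_pct(submitted_units: int, sam_units: int) -> float:
    """How far a True-Up submission understates the SAM-calculated position,
    as a percentage of the SAM figure (page target <3%; >10% is high risk).
    Over-reporting yields a negative number."""
    if sam_units == 0:
        return 0.0
    return (sam_units - submitted_units) / sam_units * 100.0


# --- constructed sample data ------------------------------------------------
ENTITLEMENTS = {"SQL Server Standard": 32, "SQL Server Enterprise": 16, "Visio Plan 2": 40}
INVENTORY = [
    ("SQL Server Standard", 48),     # host esx1 licensed on all physical cores
    ("SQL Server Standard", 34),     # per-VM cores on esx2 after the 4-core floor
    ("SQL Server Enterprise", 16),
    ("Visio Plan 2", 45),            # active assigned users
    ("Project Professional", 3),     # no entitlement record at all
]

if __name__ == "__main__":
    gaps = reconcile(ENTITLEMENTS, INVENTORY)
    total, priced, unpriced = exposure(gaps, CATALOGUE, years_noncompliant=2)
    for product, g in gaps.items():
        print(f"{product:24} deployed={g['deployed']:4} licensed={g['licensed']:4} gap={g['gap']}")
    print(f"Compliance risk exposure: ${total:,.0f}   unpriced shortfalls: {unpriced}")
    sam = gaps["SQL Server Standard"]["deployed"]
    print(f"True-Up variance if 70 SQL Standard cores were submitted: {trueup_variance_pct(70, sam):.1f}%")
```

Run monthly from the exception-management process, the `unpriced` list is the set of products that need an owner before the next review: a deployment with no SKU record is exactly the "undocumented entitlement" that the first metric in the table says auditors treat as unlicensed.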

The Pre-Audit Investment: Building a continuous compliance programme costs $40,000–$120,000 in first-year investment (SAM tooling, process design, documentation). The average Microsoft audit costs $280,000–$630,000 in response costs and potential true-up liability. The investment ROI is positive after the first prevented audit — and continuous compliance also delivers licence optimisation savings of $150,000–$400,000/year through utilisation analytics as a secondary benefit.

What Microsoft Looks For in an Audit

Understanding Microsoft's audit methodology helps organisations focus documentation effort where it generates the most risk reduction. Microsoft's auditors (typically KPMG or PwC under contract) follow a standardised Microsoft audit protocol that focuses on five product categories in order of historical yield: SQL Server (virtualisation exposure), Windows Server (host-level licensing), Office (version and user count discrepancies), Client Access Licences (user vs device counting errors), and Cloud Services (M365 overage and product mixing). For each category, auditors request: a count of deployed instances or active users, the licence model applied (per user, per device, per core, per host), and documentation proving the entitlement to cover that deployment.

For a complete audit response framework and documentation checklist, see the Microsoft Audit Defence Playbook and the third-party audit defence guide.

Frequently Asked Questions

What triggers a Microsoft software licence audit?

Microsoft audits are triggered by three primary factors: self-reporting anomalies, automated telemetry detection by Microsoft's compliance systems (unusual deployment patterns, version mix inconsistencies), and commercial triggers — competitors receiving audit letters, EA renewal approaching, or missed True-Up payments. Organisations that proactively maintain SAM programmes are less likely to receive audit letters, as Microsoft prioritises targets with lower documentation maturity.

What documentation does Microsoft require during an audit?

A Microsoft software audit typically requires: signed EA and all amendments, purchase order history from VLSC/VLMS for the audit period, current software inventory from endpoint management tools, deployment counts by product and version, virtualisation documentation for server products, licence reassignment records, and business justification for any deployment-entitlement gaps. Organisations with continuous SAM programmes can provide all documentation within 2 weeks; undocumented organisations typically need 8–12 weeks to reconstruct records.

How much does a Microsoft audit typically cost?

Total cost for a 2,000–5,000 user enterprise: $180,000–$450,000 in internal staff time, $80,000–$180,000 in external consultant fees if third-party SAM support is needed, and $0–$800,000+ in true-up liability depending on compliance gap. Organisations with mature SAM programmes reduce total audit response cost by 60–70% through faster documentation production and lower compliance gap exposure.

What is the difference between a Microsoft compliance review and an audit?

A Microsoft Compliance Review (MCR) is a voluntary, Microsoft-assisted process that is less adversarial than a formal audit. It uses Microsoft-provided tooling and typically results in a commercial remediation offer rather than legal enforcement. A formal audit under EA Section 5.4 is a contractual right that Microsoft can exercise by appointing an auditor without the buyer's consent. An MCR typically precedes a formal audit: a buyer that declines to engage with the review can expect the formal audit to follow.

How often does Microsoft audit enterprise customers?

Standard Microsoft EA terms permit one audit per contract term (3 years) plus 3 years post-expiry. In practice, Microsoft prioritises audits based on risk scoring. Our engagement data shows approximately 8–12% of enterprises with active EAs receive an audit letter in any given year. Organisations with complex virtualisation, recent M&A activity, or missed compliance programme participation receive more frequent attention.

