Preparing for a Software Audit: 12 Things to Do Before a BSA Inspection
Summary: Software audit requests from organizations like BSA, Microsoft, or Adobe are a topic SMEs frequently face but are often caught unprepared by. Proper preparation shortens audit time, lowers penalty risk, and keeps additional license purchase costs at reasonable levels; this guide shows the 12 concrete preparation steps.
On a Monday morning, the company owner finds a letter on the desk from Microsoft Türkiye titled "software usage audit." The audit of years of Office, Windows, and server licenses must be completed within 30 days; otherwise legal proceedings may begin. In this scene many SMEs' first reaction is panic; yet with the right preparation, an audit is a manageable administrative process. This guide explains the 12 concrete steps you must complete before the audit.
What Is an Audit, and Who Conducts It?
A software audit is the process by which the software vendor (Microsoft, Adobe, Autodesk, Oracle, etc.) or organizations acting on their behalf such as BSA (Business Software Alliance) inspect their customers' license compliance. The most common audit bodies in Türkiye:
- BSA (Business Software Alliance): The Türkiye representative for Microsoft, Adobe, Autodesk members. Runs complaint- and sampling-based audits.
- Microsoft Türkiye: Periodically audits its large customers directly.
- SIIA (Software & Information Industry Association): For Adobe and other members.
Audits are not always "complaint" based. They can be triggered by random sampling, periodic sector audits, a tip from a former employee, or data provided by a CSP partner.
The 12-Item Preparation Checklist
1. Inventory All Software
Which software is on which device? Microsoft, Adobe, Autodesk, antivirus, custom software. If you collect this manually, start with Excel; for professional inventory, Lansweeper, Snipe-IT, Microsoft Configuration Manager (SCCM), or Intune help.
2. Gather License Certificates
Purchase invoices, OEM stickers, CSP portal exports, Open License forms. Collect them all in a single folder (digital + physical). Software whose license cannot be proven is effectively "unlicensed."
3. Used vs. Purchased Comparison
Write side by side in a table: "Microsoft Office Pro Plus 2021 — Purchased: 25 licenses, Installed: 32 devices." The 7 missing licenses are exactly what the audit will focus on.
4. Clean Up Devices of Departed Employees
The former employee's computer has been on the shelf for years; Office is still active on it. The audit counts this device as "in use." Software on unused devices must be deactivated, or the disk should be reformatted and the device decommissioned.
5. Identify Cracks and Pirated Software
KMS activators, key generators, Office downloaded from a torrent site — these crack tools require urgent detection + removal. Their leftover traces (registry keys, folders) must be cleaned; run an antivirus scan.
6. Resolve OEM vs Volume Mix-Ups
Some PCs run OEM Windows + a separate Volume Office. These are different license types, and the same person has different usage rights. A "mixed license" situation looks bad at audit; try to standardize on a single license type.
7. Document Virtual Machine Licenses
5 virtual Windows Servers run on VMware/Hyper-V/Proxmox. Does each need a separate license? With Datacenter Edition, 1 host runs unlimited VMs; with Standard Edition, 1 license is needed per 2 VMs. The audit asks this in detail; the architecture must be documented.
8. Match Microsoft 365 User Count
50 licenses purchased, 60 accounts active. The 10 extra accounts require additional licenses; either buy them or close the accounts. Equalize the count before the audit.
9. Review Third-Party Software
Is WinRAR, IDM, AnyDesk, TeamViewer paid or free? Using the "personal use" edition for business is a violation. Collect license files for the paid ones; if there is no free alternative, move to the licensed edition.
10. Check Developer Tools (IDEs)
Tools like Visual Studio, JetBrains, AutoCAD. Using a personal/student edition for business is a violation. Keep a separate audit list for developer tools.
11. Check Cloud Subscription Usage Limits
Adobe Creative Cloud Team plan for 5 users, 7 people using it. Microsoft Project for 1 user in the subscription, 3 people sharing. SaaS subscriptions are per-user; sharing is a violation.
12. Close Missing Licenses Before the Audit
It is possible to buy missing software after the audit notice arrives and appear "legal." The audit requests purchase records up to the audit cutoff; the date stamp matters. A customer who closes gaps early usually faces lower penalties; sometimes the penalty is waived entirely.
How the Audit Process Works
Typical flow:
- Notice letter: An inventory request within 30-60 days. Usually addressed to the authorized contact (CEO/owner).
- Request list: Which software is in scope, which documents are required.
- Customer inventory: The table you submit. Company name, device, software, license proof.
- On-site or remote scan (optional): Some audits scan devices with tools (Microsoft MAP, Belarc Advisor).
- Reconciliation: The submitted inventory is matched against purchases.
- Outcome report: If there are gaps, a list of missing licenses + a penalty.
- Resolution: Buy the missing licenses + pay the penalty + confirm that your software inventory has been reviewed.
Penalty and Cost Expectations
The typical formula for software shortfalls in Türkiye: the purchase price of the missing license + a penalty of 1-3x that price. So a case of a TRY 50,000 missing Office license can land between TRY 100,000-200,000 total. Customers who acknowledge early and cooperate get the penalty layer reduced; customers who contest or refuse to cooperate face legal proceedings.
Common Mistakes
- Ignoring the audit notice: The worst response. If 30 days go by without a reply, legal proceedings accelerate.
- Making false statements: Saying "we only have 20 devices" while hiding most of them. Audit firms can determine the truth with technical tools; false statements raise the penalty layer.
- Trying to manage a large audit without a lawyer: License law demands special expertise. For cases over TRY 100K, legal counsel is essential.
- Installing trial editions to plug urgent gaps: Trial is not a solution in production; it is only temporary. Audits do not count trial editions.
- Not taking measures for the future: The audit closes, but the same problem returns a year later. A permanent inventory system and monthly compliance checks are essential.
Frequently Asked Questions
Frequently Asked Questions
Is BSA Türkiye an authorized body?
BSA is a private organization authorized by Microsoft and other software vendors for license compliance. It is not an official government inspector but it exercises the legal rights of the software vendor. The right to take a case to court rests with the software vendor; BSA acts as the negotiator.
Can I refuse the audit?
Legally yes, but in practice no. License agreements contain an audit rights clause; refusal counts as breach of contract. That opens the door to direct litigation, which is bad both in cost and time. Cooperating is much more economical.
Is open-source software included in the audit?
Generally no — Linux, LibreOffice, GIMP, VLC and similar open-source software. But add-on products of those (e.g., Red Hat Enterprise Linux's support subscription) can be paid; their use must be documented. License proof for open-source software is the GPL/MIT license text.
Can cloud subscriptions be audited?
Yes. Services like Microsoft 365, Adobe Creative Cloud, and AWS keep usage metrics in the background. User counts, concurrent sessions, and the number of installed devices can be tracked. SaaS audits are usually easier because the data is already with the provider.
How quickly can I be audit-ready?
A detailed inventory and license collection takes 2-4 weeks. A 30-day window is enough for an SME with 100+ devices; for 500+ devices, professional support is needed. Most importantly: keep this inventory already before the notice letter arrives. With a monthly compliance check routine, audits become normal business and stop being a source of panic.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
Professional Support
Get help on this topic
Let's design the Software and License Management solution you need together. Our experts get back to you within 1 business day.
support@yamanlarbilisim.com.tr · Response time: 1 business day
Keep Reading
Related Articles
Microsoft Licensing Types: Which Plan Is Right for an SME?
The differences between Microsoft 365 Business Basic, Standard, Premium and Enterprise E1/E3/E5 are confusing. This guide explains which plan fits which scenario at SME scale across usage, security, and cost.
OEM vs Volume vs CSP Licensing: What to Know Before Deciding
Microsoft software is sold through three different channels: OEM, Volume Licensing, and CSP. For SMEs, choosing the right channel makes a critical difference in cost, flexibility, and compliance; this guide compares the three in detail.
Managing SaaS Subscriptions: Cost and Shadow IT Control
The number of SaaS subscriptions in an SME silently grows to 20-40, often purchased without informing management. This guide covers SaaS management, cost control, and shadow IT through the FinOps approach.