Dec 03, 2025·8 min

Preparing for a Microsoft Audit: Reports and Evidence

How to prepare for a Microsoft audit: which reports and evidence to gather for devices, Microsoft 365 assignments, HR changes and asset disposal.

What auditors check and why discrepancies appear

Auditors don’t look at a single report but at a set of facts: what is installed and used, who it is assigned to, and whether the company has the right to use it. Therefore requests almost always cover devices, users, licenses and supporting documents.

Most often they ask for device inventory exports (inventory and actual installations), user and Microsoft 365 assignment reports, and documents that explain changes: hires and terminations, role changes, transfers between branches, issue and return of equipment, and disposals.

Discrepancies pop up even for organizations that bought licenses legitimately. The reasons are usually mundane: licenses were purchased but not tied to the correct legal entity; some users left but assignments remained; devices were replaced but the old ones stayed in records; test accounts became production; branches keep records differently. Another common story: a purchase was made for a project, and later access and equipment ended up spread across other teams.

It’s important to separate actual use from the right to use. Actual use is visible in installations, activation logs and assignments. The right is confirmed by orders, contracts, invoices, license statements and internal acts that show an asset was decommissioned or a user no longer has access.

Timing usually requires a quick response: first the basic exports and list of evidence, then clarifications on disputed items. Formats are most often tabular (Excel) plus a folder of documents where each file can be easily matched to a table row (number, date, employee, device, license).

Who owns the data and how to assemble the team quickly

In an audit, responsibility matters more than “perfect reports”: who provides the numbers, who confirms the documents, who collects and approves the final package. Without clear roles you'll almost certainly get multiple versions of the same data and spend weeks reconciling them.

Assign an owner of the preparation (often the IT director or head of infrastructure) and a coordinator who gathers materials and records decisions. Then form a small team where each member owns a piece of evidence:

  • IT: device inventory, records for virtual environments, Microsoft 365 exports, admin panel access.
  • Procurement: purchase orders, invoices, purchase confirmations, renewal correspondence.
  • Accounting: asset capitalization, depreciation records, documents on fixed asset movement.
  • HR: hires, terminations, transfers, leaves, contractor status.
  • Security: access rules, device issuance logs, confirmation of account deactivation.

Agree the audit perimeter immediately. A common mistake is focusing only on the head office, while branches, subsidiaries, test tenants, temporary projects and contractors with access show up in the data. Write the perimeter in one sentence and record who will supply data for each legal entity and site.

For the working version of the evidence package choose a single storage location with a clear folder structure and versioning. Also decide in advance who signs off the final package: typically an authorized manager, not just IT.

A shared vocabulary saves a lot of time. Agree on naming rules and apply them across all tables and files. Usually four entities are enough: device (inventory + serial + department), user (personnel number + UPN + status), license (exact SKU + type + term), document (number + date + legal entity + what it relates to). If you record these rules on one page, collecting reports and evidence becomes noticeably faster.

Device inventory: what details must match

Inventory is almost always a source of discrepancies: records show one set of devices while other devices are actually in use. For a Microsoft audit it’s important that data from different sources tell the same story.

Consolidate devices into a single registry and ensure each item has the same basic set of fields filled: inventory ID (or internal asset ID), serial number, owner or responsible person (employee or department), location (office, branch, room), status (in use, in stock, under repair, disposed).

Highlight categories that commonly fall out of records. Laptops travel for business and change location. Shared PCs (e.g., reception or training rooms) are not tied to one person. Thin clients and terminal workstations can be mistaken for full PCs, although their usage and accounting differ.

Collect sources in parallel: an export from Intune/Endpoint Manager (or another management tool) and your inventory list (CMDB or a well‑kept Excel). Match by serial number and mark rows where owner, address or status differ.

For temporary issues and loan replacements use a simple rule: record the date, to whom the device was issued, which serial number was replaced and which one was issued. An issuance act or a service desk ticket usually explains why a device appears in management but is missing from the main registry.

If some devices were purchased from a local manufacturer, pre‑gather primary documents where serial numbers are readable and match what the management system shows. That often speeds up reconciliations.
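The serial-number match described above, as an added example that is not part of the original article. The two CSV exports are constructed samples, and their column names (`serial`, `primary_user`, `owner`, `status` and so on) are assumptions, not the schema of Intune or of any specific CMDB.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not the schema of Intune or of any particular CMDB.
MANAGEMENT_CSV = """serial,device_name,primary_user,last_checkin
5cd1234abc,LT-ALM-014,a.ivanova,2025-11-28
5CD9999XYZ,LT-AST-003,b.serik,2025-11-30
PF0LOAN77,LT-LOAN-01,d.kim,2025-11-29
5CD7777DDD,LT-SHY-002,k.abenov,2025-11-27
"""

CMDB_CSV = """inventory_id,serial,owner,location,status
INV-0014,5CD1234ABC ,a.ivanova,Almaty HQ,in use
INV-0031,5CD9999XYZ,m.omarov,Astana,in use
INV-0040,5CD5555QQQ,,Almaty stock,in stock
INV-0052,PF0OLD0001,d.kim,Almaty HQ,under repair
INV-0060,5CD7777DDD,,Shymkent,disposed
"""


def norm_serial(value):
    """Serials differ in case and stray spaces between systems; compare a canonical form."""
    return "".join(value.split()).upper()


def load(text):
    """Index rows by normalized serial and report duplicates instead of overwriting them."""
    rows, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        serial = norm_serial(row["serial"])
        if serial in rows:
            duplicates.append(serial)
        else:
            rows[serial] = row
    return rows, duplicates


def reconcile(mgmt_text, cmdb_text):
    """Return (serial, issue) pairs that need a document or a registry correction."""
    mgmt, mgmt_dupes = load(mgmt_text)
    cmdb, cmdb_dupes = load(cmdb_text)
    findings = [(s, "duplicate serial in an export") for s in mgmt_dupes + cmdb_dupes]

    # Seen by the management tool but unknown to the registry (e.g. a loan replacement).
    for serial in sorted(mgmt.keys() - cmdb.keys()):
        findings.append((serial, "managed but missing from registry"))

    # Listed in the registry but not managed: the status decides which document is needed.
    for serial in sorted(cmdb.keys() - mgmt.keys()):
        status = cmdb[serial]["status"].strip().lower()
        findings.append((serial, f"registry only, status '{status}'"))

    for serial in sorted(mgmt.keys() & cmdb.keys()):
        m, c = mgmt[serial], cmdb[serial]
        status = c["status"].strip().lower()
        if status != "in use":
            # Still checking in to management while the registry says otherwise.
            findings.append((serial, f"managed but registry status '{status}'"))
        elif m["primary_user"].strip().lower() != c["owner"].strip().lower():
            findings.append((serial, "owner differs between sources"))
    return findings


if __name__ == "__main__":
    for serial, issue in reconcile(MANAGEMENT_CSV, CMDB_CSV):
        print(f"{serial:12} {issue}")
```

Each finding is a row to close with an issuance act, a service desk ticket, a disposal act or a registry correction before the export goes to the auditor.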

Microsoft 365 assignments: user and license reports

In Microsoft audits, discrepancies often stem not from purchases but from assignments: a license remains on a person who no longer works, a guest user has broader access than intended, or licenses are given via groups and exceptions are forgotten.

Start with two lists that must align: who is actually active and which licenses those people have assigned. Export not only employees but also guest (B2B) and service accounts if they are used.

Reports to prepare

Usually a set you can quickly refresh before each request is enough:

  • list of active users and guest accounts with last sign‑in date and status (enabled or disabled)
  • report of assigned licenses and plans (paid, trial and free) per user
  • breakdown by assignment method (direct or via groups) with exceptions noted
  • list of admin roles and special privileges that may affect required licensing

What auditors look at and what is often forgotten

Check groups used to assign licenses. If assignment is via group, show the logic: who is in the group, who is excluded and why. Otherwise it looks like licenses were assigned “to everyone by default” and then fixed manually.

Clearly mark trial and free plans. They create noise in reports and can hide real consumption. In the materials indicate which plans you consider irrelevant to the calculation and why.

A common scenario: a manager leaves but the account stays active “just in case”, and the Microsoft 365 license continues to be billed. A month later a new hire arrives and the company purchases an additional license, while an existing one could have been freed. At audit this appears as a control problem.

Staff changes: which HR evidence to prepare

Licenses usually “break” because of people, not technology. Auditors look at who was given a license and on what basis, and whether that matches the person’s actual status. It helps to consolidate HR statuses and accounts into a clear set of evidence.

Check not only “active or terminated” but also borderline cases: leave, maternity leave, long business trips, temporary staff, external part‑timers. For each person it should be obvious whether they should currently have access and on what grounds.

Documents commonly requested

Collect HR documents so you can reconstruct access history. Usually copies or exports from the HR system are sufficient but they must be readable and dated:

  • order or contract of hire (start date)
  • order of transfer or change of position/department
  • termination order (end date)
  • documents about temporary absence (maternity leave, long leave, business trip)
  • staffing register or list of employees as of the audit date

Also review “shared” entities: shared mailboxes, departmental inboxes and service accounts (e.g., scanners, integrations, backups). Auditors need to see these are not “hidden users.” Assign an owner (department and responsible person), purpose (why it exists) and a review rule (for example, quarterly) for such entities.

Contractors and temporary staff

For contractors define in advance who owns the account and who pays for licenses. Set simple rules: to whom the account belongs (client or contractor), who approves issuance and revocation of access, how long access is granted, which license is allowed and why.

A frequent example: an employee went on maternity leave but their Microsoft 365 license remained active. If there is an order and a note that access was moved to a shared mailbox without a license (or closed), the risk of a dispute drops sharply.

Disposal and decommissioning: how to prove an asset is not used

If records list devices that no longer operate in the company, auditors often treat this as “extra installations” or “extra users.” It’s important to show not only the fact of disposal but that the asset was decommissioned on a specific date.

Documents that work best as evidence

Usually a package of 2–3 documents per device is enough, but they must match on serial or inventory number and date:

  • disposal or transfer act (for example, for recycling or transfer to another organization)
  • documents on lease return or termination (if the device was rented)
  • acceptance/transfer for repair and return act (if it was in repair for a long time)
  • internal order or directive (reason, date, responsible person)
  • a mark in the inventory system with status “decommissioned”, “recycled”, or “transferred”

Key point: the decommission date should match between paperwork and IT traces (for example, when the device was removed from management and ceased to be counted as active).

Keep warehouse and repair as separate statuses so these devices are not counted as actively used. If a laptop is in stock as a spare, record its storage location, responsible person, receipt date and a plan (when it will be issued or disposed). If a device is in repair for more than a couple of weeks, periodic confirmation that it wasn’t issued to a user is useful.

Virtual machines and hosts are a separate risk area. If they appear in inventory, keep proof of deletion or stoppage: date, who initiated it, reason and confirmation that resources are no longer used.

Example: an employee left and the laptop was leased. The evidence folder contains an order about decommissioning, a return act to the lessor with a serial number and an inventory record marked “returned.” This looks like a closed case with no questions about where the device is now.

Matching purchases with usage: a simple evidence table

The most convincing evidence is when three things converge in one place: what was purchased, what rights were obtained and how those rights were actually used. Such a table often answers half of the auditor’s questions because it removes confusion between accounting documents, admin data and actual assignments.

First split purchases by type because they have different rules: subscriptions (for example Microsoft 365), perpetual licenses, OEM on devices, enterprise agreements. Then attach confirmations: invoices and contracts, specifications, license certificates or statements, and activation confirmations or keys (if applicable). Don’t mix different products or conditions in one row.

Below is an example structure of a table that is convenient to provide with Microsoft 365 exports and device inventory:

| Purchase (document) | Product and type | Quantity of rights | Purchase date | Assigned to | Assignment/removal date | Actual use | Comment |
|---|---|---|---|---|---|---|---|
| Invoice No. 15 dated 2025-03-12 | M365 E3 (subscription) | 120 | 2025-03-12 | 118 users | 2025-03-13 / 2025-06-20 | 116 active | 2 removed due to termination |
| Delivery note No. 44 | Windows OEM (devices) | 30 | 2025-04-01 | PCs L200-xxx | 2025-04-01 / - | 30 online | Serials in inventory |

To make the table credible check a few things: the document has a unique identifier (number and date), rights do not exceed purchased quantity at any date, assignment and removal dates are visible, devices show serial/inventory numbers, and disputed cases are noted with comments (replacement, repair, decommission).

A simple control example: if an employee left on June 20, the row should show license removal on that date and the license reassigned if applicable. Then questions about “extra” assignments usually end quickly.
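The two checks above (rights never exceed the purchased quantity at any date, and license removal lines up with the termination date), as an added example that is not part of the original article. The records are constructed, and the tuple layouts, SKU label and user names are assumptions; a removal date is treated as the first day the license is no longer assigned.

```python
from datetime import date

# Constructed sample data; the field layout is an assumption for this example.
PURCHASES = [  # (document, sku, quantity, effective date)
    ("Invoice 15", "M365_E3", 3, date(2025, 3, 12)),
]
ASSIGNMENTS = [  # (user, sku, assigned on, removed on or None if still assigned)
    ("a.ivanova", "M365_E3", date(2025, 3, 13), None),
    ("b.serik", "M365_E3", date(2025, 3, 13), date(2025, 7, 4)),
    ("d.kim", "M365_E3", date(2025, 3, 13), None),
    ("n.hire", "M365_E3", date(2025, 7, 1), None),
]
TERMINATIONS = {"b.serik": date(2025, 6, 20)}  # user -> last working day (HR registry)


def overuse_periods(purchases, assignments, sku):
    """Sweep dated events; return (start, end, peak shortfall) while assigned > owned.

    end is the first day the count is back within the purchased quantity,
    or None if the shortfall is still open at the last recorded event.
    """
    deltas = {}  # day -> [change in owned rights, change in assigned rights]

    def add(day, owned, assigned):
        entry = deltas.setdefault(day, [0, 0])
        entry[0] += owned
        entry[1] += assigned

    for _doc, item, qty, day in purchases:
        if item == sku:
            add(day, qty, 0)
    for _user, item, start, end in assignments:
        if item == sku:
            add(start, 0, 1)
            if end is not None:
                add(end, 0, -1)

    owned = assigned = 0
    periods, open_since, peak = [], None, 0
    for day in sorted(deltas):
        owned += deltas[day][0]
        assigned += deltas[day][1]
        if assigned > owned:
            if open_since is None:
                open_since, peak = day, 0
            peak = max(peak, assigned - owned)
        elif open_since is not None:
            periods.append((open_since, day, peak))
            open_since = None
    if open_since is not None:
        periods.append((open_since, None, peak))
    return periods


def late_removals(assignments, terminations, as_of):
    """Assignments that outlived the HR termination date, with the excess in days."""
    late = []
    for user, sku, _start, end in assignments:
        left = terminations.get(user)
        if left is None:
            continue
        held_until = end if end is not None else as_of
        if held_until > left:
            late.append((user, sku, left, end, (held_until - left).days))
    return late


if __name__ == "__main__":
    print(overuse_periods(PURCHASES, ASSIGNMENTS, "M365_E3"))
    print(late_removals(ASSIGNMENTS, TERMINATIONS, as_of=date(2025, 12, 3)))
```

In the sample, the license of the employee who left on June 20 was removed only on July 4, so the new hire on July 1 pushes assignments above the three purchased rights for three days; removal on the termination date would have produced no finding.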

A 2–4 week preparation plan: steps without extra bureaucracy

To avoid turning audit preparation into endless paperwork, work in short sprints and freeze the state at a specific date. The main thing is to agree which changes can be left temporarily alone and which cannot (for example, hires and terminations).

Week 1: capture reality and remove obvious tails

If possible, freeze changes for the reconciliation period: do not create new tenants, do not move users between groups, do not change the licensing model. Then take exports from systems so everyone has the same baseline: device inventory (name, serial, owner, status, last activity date), users and Microsoft 365 assignments as of the snapshot date, list of assets in disposal and who approved it, list of accounts to close (duplicates, terminated, contractors).

Quickly clean the data: merge duplicate user accounts, close unused accounts, mark devices that haven’t checked in for a long time. This often yields the biggest gains with minimal effort.

Weeks 2–4: reconcile, gather evidence, build the single package

Combine the three flows into one picture: devices, license assignments and staffing changes. If someone was dismissed there should be a link: HR termination date, account closure, and confirmation that the device was either transferred or decommissioned.

Close gaps: prepare missing acts (transfer, disposal, decommission) or short internal notes for exceptions; review disputed cases (shared mailboxes, temporary access, test accounts); assemble the auditor’s package (exports, reconciliation table, acts, explanations and a contact for questions).

Assign a single process owner (usually IT or SAM) who answers the auditor and records which materials have been delivered. This prevents different participants from sending different versions of the same files.

Typical mistakes that cause additional charges

Additional charges usually arise not from intent but from holes in records. Auditors look at facts: who uses what, how it is proved, and whether the history of changes can be traced.

The first common mistake is licenses and access remaining assigned to the accounts of terminated employees, interns or temporary staff. The person left but the account stayed active or the license wasn’t removed. In Microsoft 365 exports this shows as an extra user and is treated as usage.

The second pain point is devices that “disappear” from inventory. If a laptop or PC is missing from IT records and there are no disposal, transfer, repair or decommissioning acts, it’s almost impossible to prove it’s not used. The auditor then asks: where is the asset and why is it not visible?

The third mistake is mixing perimeters in one dataset: branches, subsidiaries and contractors end up in a single export without explanation. Then the auditor cannot easily see what is in scope and interprets the data broadly.

Also common is “multiple sources of truth”: IT records say one thing, accounting another, HR a third. Mismatches in names, personnel numbers, hire/termination dates and device assignment immediately look like a risk.

Finally, relying on memory. Without snapshot dates, report versions, an owner and a short note “what exactly is in this file”, materials quickly lose value. The minimum to always record: date and source of each report, report owner (who confirms correctness), period covered and a note on exceptions (contractors, branches, test accounts).

If you prepare materials in advance these mistakes can usually be fixed in 1–2 weeks: remove extra Microsoft 365 assignments, tidy account statuses, collect disposal acts and agree on a single data version between IT, HR and accounting.

Quick checklist before handing over materials

Spend 30–60 minutes on a final check before sending the package. This simple step removes questions before the correspondence begins and saves days of clarifications.

Make sure there are no gray areas for users and licenses. Each active account should have a clear owner (employee, contractor, shared mailbox) and an up‑to‑date status. For disputed entries (duplicates, old test accounts, former contractors) record the decision: block, delete, archive, or convert to a shared resource with justification.

A short control list before sending:

  • user and Microsoft 365 assignment lists match current staffing and active accounts
  • no licenses are assigned to unused, blocked or “unclear” accounts (or there is a written explanation why)
  • each device has a stated status confirmed by inventory data (in use, stock, repair, disposed)
  • transfer, movement and disposal acts are collected in one registry, numbered and easy to find from the table row
  • the purchase–installation/use–owner reconciliation table is updated to the current date and agreed by responsible parties

If you find a discrepancy, don’t hide it. Attach a short note: what doesn’t match, why it happened and the deadline for correction. An “exceptions log” often reduces follow‑up requests.

Example: a company with branches, M365 and regular turnover

Company: head office in Almaty and three regional branches. Some employees work remotely and receive laptops. Microsoft 365 is used for mail, Teams and file sharing. Turnover is significant: each month there are hires and terminations.

During audit preparation typical gaps were found: active accounts of former employees remained in Microsoft 365, and inventory listed old laptops that were actually disposed of or idle without paperwork. Branch approaches varied: some tracked in Excel, others only by delivery notes.

The evidence package was organized so it could be shown and quickly updated:

  • export of users and licenses from Microsoft 365 (who is active, which plans are assigned, last sign‑in)
  • device registry (serial number, user, department, issue date, status)
  • HR registry of changes (hire, transfer, termination, date and order number)
  • asset documents (disposal acts, returns to stock, repairs, replacements)

Gaps were closed by priority: first remove extra license consumption (remove assignments, block sign‑ins, set deactivation rules on termination). Then prepare missing equipment documents and mark exceptions where a device was lost or under investigation.

The result was presented not as a pile of files but in one master list: a row per user and a row per device, with fields “evidence” and “where the document is stored.” Next to it, a folder of evidence by section (users, licenses, devices, HR, disposal). For each disputed item it was clear what was purchased, who uses it and what proves it.

Next steps: keep audit readiness ongoing

Audits are easiest when accounting is a habit, not a one‑off project. Then preparation reduces to exporting current data rather than hunting for who installed what.

Regular cadence

Set a short monthly reconciliation of 30–60 minutes to catch discrepancies before they become problems. It’s convenient to do it on the same day each month, for example within the first five business days.

Minimum checks each time: staff changes (hired, fired, transferred), Microsoft 365 assignments (what was given and removed, any extra licenses), new devices (what appeared and to whom issued), disposals and decommissions (what was removed and confirmed by acts), and exceptions (temporary contractors, shared accounts, test stands).

After the check record the result in a simple note: what was found, who fixes it, deadline. This is both discipline and a change history that auditors often request.

Roles and tools

Appoint a process owner for SAM (not necessarily a separate position). Their task is to keep a calendar of checkpoints and gather data from IT, HR and procurement. You need a single registry: devices, users, statuses (in use, stock, disposed) and dates and bases for HR changes.

If internal resources are limited, consider engaging a system integrator: set up accounting rules, act templates and regular reports. This is usually faster than rebuilding the process each time.

A transparent equipment lifecycle also helps: when workstations and servers are delivered with clear support and documents, it’s easier to track inventory, movements and disposals. In Kazakhstan these processes can be built together with GSE.kz, a local manufacturer and integrator, especially if you simultaneously formalize accounting and support procedures across all branches.

FAQ

What data and documents are most often requested in a Microsoft audit?

Typically they ask for a linked set of data: a device registry with actual installations, exports of users and Microsoft 365 assignments, and documents that explain changes (hiring/termination, issue/return of equipment, disposal). For every disputed line it should be possible to show both the fact of use and the right to use.

Why do discrepancies appear even for companies that purchased licenses legitimately?

Because the audit looks at the chain “device — user — assignment — document”, and that chain often unravels due to everyday changes. Typical reasons: licenses were purchased but not assigned to the correct legal entity; an employee left but assignments remained; a device was replaced but the old serial stayed in records; test accounts became production; branches keep records differently.

What is the difference between actual use and the right to use?

Actual use is confirmed by technical traces: installations, activation logs, sign-ins, and assigned plans in Microsoft 365. The right to use is proven by documents: contracts, invoices, specifications, license statements, and internal acts showing decommissioning or access revocation. At audit you need to show both; one without the other is not sufficient.

Who inside the company should be responsible for audit preparation and why is that important?

You need one owner of preparation (often the IT head) and a coordinator who collects materials and records decisions. Then involve IT, procurement, accounting, HR and security so each has their area of evidence. Crucially, decide in advance who signs off the final package and who is responsible for the numbers.

How to quickly clean up device inventory before an audit?

First define scope in one sentence: which legal entities, branches, tenants and projects are included. Create a single device registry and match sources by serial number: exports from your management system (e.g., Intune) and your inventory (CMDB or Excel). Any mismatches in owner, location or status should be listed for review.

Which devices and environments most often fall out of accounting and cause issues?

Usually the “hard to track” categories slip out of inventory: shared PCs not tied to a person, laptops traveling between offices, devices in storage or under repair, thin clients, and virtual machines/hosts. For these, a clear status and a supporting document explaining why the device is not active solves most questions.

What Microsoft 365 reports are best to prepare in advance?

Generate two key snapshots on the same date: a list of active accounts (including guest and service accounts) and a list of assigned licenses/plans per user. Also show how assignments are made (directly or via groups) and the last sign-in date to spot stale accounts. The goal is to make it obvious why a given user has a given license.

How to avoid problems with licenses assigned through groups and with trial/free plans?

Document the group logic: who is in the group, who is excluded and why, so assignments don’t look like they were given “to everyone by default.” Mark trial and free plans separately, since they create noise and can hide true consumption. If there are exceptions, describe them briefly rather than waiting to explain in correspondence later.

Which HR documents and statuses matter most for license audits?

Collect HR papers so you can reconstruct access history: start and end dates of employment, transfers and orders for changes, and documents on long absences. Match these to IT actions: account closure or disabling and license removal, plus the device’s fate (transfer, storage, repair, disposal). For contractors, clarify who owns the account and for how long access is allowed.

How to properly prove disposal or decommissioning so it won’t be challenged?

A combination of 2–3 documents that match on serial or inventory number and date works best: disposal/transfer act, lease return or rental termination documents (if rented), repair acceptance and return acts, internal order with reason/date/responsible person, and a status mark in the inventory system. Also ensure IT traces match the paperwork (e.g., device removed from management). Together this shows the device is no longer used and removes doubts about extra installations.
