3 types of SPLA Compliance Audits by Microsoft
In the vast cosmos of technology, Microsoft stands out as a titan, its influence reaching out to virtually every corner of our digital existence. Your inbox dings, signalling the arrival of an audit notice from the tech giant. A rush of adrenaline ensues, but pause for a moment.
This isn't your typical audit notice; it’s not even a forgery. It’s a communication from a different internal team at Microsoft, masquerading as an 'audit'. They ask you to self-certify or send your data to a third-party Microsoft partner. Beware, this is not the 'real' audit you signed up for in your license agreement.
So, why should you treat these communications with caution? Let's explore the importance of discerning the authenticity of such audit notices and ensuring they align with the terms of your licensing agreement.
Full SPLA compliance audit
A comprehensive SPLA compliance audit - this is what you officially signed up for when you put your pen to the Service Provider License Agreement and the Microsoft Business and Services Agreement.
What does the notice look like?
Typically, it's an email backed up by a hard copy sent via post.
The sender isn't a generic email address but an individual, a high-ranking official from Microsoft's LCC (License Contract & Compliance) department.
It also informs you that the appointed auditor will be reaching out to schedule a "kick-off" call.
What gives them the right to audit you?
The answer lies in your MBSA and SPLA agreements - the Compliance Verification terms therein grant them the right to conduct an audit and obligate you to comply.
Do you have to react?
Absolutely. In fact, it's mandatory. You have a 30-day window to commence cooperation.
What should your next steps be?
First and foremost, don't let anxiety take the reins. Arm yourself with knowledge - our comprehensive Microsoft SPLA Audit Guide is a good place to start. We also recommend seeking assistance from a partner who specialises in SPLA Audit Defence.
Microsoft SPLA License Review Notification
Service providers in the United States may encounter an email alluding to a "SPLA License Review". Reports of similar communications sent to Canadian providers have been noted, although no concrete proof is available to us.
The email starts off with "Microsoft has the right to verify software license compliance" and goes on to state, "Microsoft requests you to complete the SPLA License Review process". Crucially, this is not an audit that you've contractually agreed to.
What does the notice look like?
It is an email from an unidentifiable account within the @microsoft.com domain,
No specific individual is associated with the email,
There is a third party (Microsoft partner) cc'ed in the email with an address that starts with "v-" (v, dash), such as "firstname.lastname@example.org",
Accompanying the email are instructions and workbooks,
You're requested to gather an inventory and return it to the original email,
It demands completing the inventory process in 10 calendar days,
A call setup is proposed, and you "must" schedule it within 5 days.
What authorises them to demand such a review?
Nothing. You didn't agree to this. You didn't sign off on it. It's not within their contractual rights, nor is it a contractual obligation of yours.
It's essential to understand that this review is entirely voluntary.
Top 5 issues with the SPLA License Review Notification
It is labelled a "Notification" when it is not one. It is not the notice referred to in the MBSA; a more accurate term would be "Request". Using "Notification" is a manipulative tactic to make you believe it's mandatory.
Invoking the right to audit and then instructing you to partake in a process that is unrelated to the audit rights specified in the MBSA and SPLA.
Initially, there's no real person behind the communication. It's hard to determine if the email is genuine or a phishing attempt.
CCing a third party with whom you have no confidentiality agreement and asking for confidential information to be shared. An email address starting with "v-" (e.g., "email@example.com") doesn't belong to a Microsoft employee. "V" stands for "vendor".
Imposing unrealistic deadlines using strong language, even though the official audit you agreed to doesn't have time restrictions or deadlines.
Should you respond?
You're under no obligation to respond. You may choose to complete the review out of goodwill, but it's entirely your decision.
What should you do?
Firstly, don't let the notice intimidate you. It's designed to manipulate.
If, after considering all the risks, you decide to participate in the SPLA License Review, here's what we suggest:
Ignore the deadlines. Remember, they have no legal basis.
Respond to the original email asking them to authenticate themselves and to explain who is the third party in the CC.
Insist on an NDA with the third party. Don't proceed without it. Some of the data they ask for includes confidential information belonging to your hosted clients.
Respond with your own timeline, and make it clear that you do not commit to any dates – you control the timelines.
Thoroughly review all data before sharing; as noted above, some of the requested data includes confidential information belonging to your hosted clients.
Could it be a precursor to an audit?
Yes, it could. However, consider this:
Auditing companies have limited resources. There are simply too many providers for a "grown-up auditor" to visit each one.
A real audit costs Microsoft money. If the auditor doesn't find non-compliance, Microsoft foots the bill.
Would completing the Review ward off an audit?
Unlikely. The Microsoft LCC department is famous for its independence. It doesn't report to other partner groups or local Microsoft offices and operates according to its own plan and schedule.
Furthermore, if, during a review, Microsoft uncovers evidence or even suspicions of further issues with your historical SPLA reporting, your chances of being subjected to a "proper" SPLA audit may increase.
Can they initiate an audit if you ignore the request?
Possibly. See above.
Microsoft SPLA License Review (Self-Assessment)
There is another kind of SPLA License Review Notice. This practice started in Europe in 2022 but has since spread to other regions, including North America.
Although its template bears similarities with the SPLA License Review discussed above, the process is fundamentally different. It also begins with "Microsoft has the right to verify software license compliance" and proceeds to say: "Microsoft requests you to complete an internal self-assessment process".
The good thing is that, if you decide to comply, you don't have to share any data unless you choose to share some of it (read further). They want your declaration, not your inventory.
Importantly though, it's not an audit that you agreed to contractually.
What does the notice look like?
It comes as an email from an anonymous account in the @microsoft.com email domain,
There is no named person behind the email,
There is no third party involved, unlike in the North American process,
It asks you to do a self-assessment and respond to the original email with either "we found no non-compliance" or with "adjustment details" in case you find yourselves non-compliant. The latter means both paying for "any past deficiencies" found and correcting your reporting going forward,
It alludes that you need to work with your SPLA reseller to submit a corrective order ("true-up order") in case you find yourselves non-compliant.
What gives them the right to ask you to complete a self-assessment?
Nothing. You did not agree to it. You did not put your signature under it. It is not their contractual right. And it is not your contractual obligation.
You must understand that the self-assessment is voluntary.
Problems with the SPLA License Self-assessment Review notice
Referring to the right to audit and then asking you to complete a process that is not related to the right to audit as stipulated in MBSA and SPLA.
Initially, there is no human being behind it. It's difficult to tell whether it is even a legitimate email or a phishing attempt. Most of the time these are legitimate emails, but that doesn't mean a malicious person will not piggyback on them, so check authenticity every time. Some notices contain SPLA and MBSA IDs, which makes them look more authentic. Some don't.
Even though the language is less intimidating than in the USA "notice", Microsoft asks you to complete the process in 45 days, which you are not obligated to do.
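The "check authenticity every time" advice above, and the earlier point about the anonymous sender and the cc'd "v-" vendor address in the North American notice, translate into a small triage routine. The following is an added example, not code from the original article; it uses only the Python standard library. The article supplies the indicators (sender in the @microsoft.com domain, no named person in the From header, a cc'd "v-" or other third-party address, deadlines the contract never set). Reading SPF/DKIM/DMARC verdicts from an RFC 8601 Authentication-Results header is an assumption about how your inbound mail gateway stamps messages, and the sample notice below, including every address in it, is constructed for illustration.

```python
"""Triage a received 'SPLA License Review' email against the red flags the
article describes. Added example; not the article's own code or tooling."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# The article states the notices come from an account in the @microsoft.com domain.
EXPECTED_SENDER_DOMAIN = "microsoft.com"

# Constructed sample notice (placeholder addresses, not real accounts).
SAMPLE_NOTICE = """\
From: <licensereview-placeholder@microsoft.com>
To: hosting-admin@example.net
Cc: <v-jane.doe@example.org>
Subject: SPLA License Review Notification
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com;
 dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain; charset=utf-8

Microsoft has the right to verify software license compliance.
Microsoft requests you to complete the SPLA License Review process.
Please return the completed inventory within 10 calendar days and
schedule a call within 5 days.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    (assumed to be added by your own inbound gateway, RFC 8601 style)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = outcome.lower()
    return results


def _body_text(msg):
    """Concatenate all text/plain parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no red flag fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender: must be in the expected domain and should be a named person.
    name, sender = parseaddr(msg.get("From", ""))
    if _domain(sender) != EXPECTED_SENDER_DOMAIN:
        findings.append(f"sender domain is not {EXPECTED_SENDER_DOMAIN}: {sender or '(none)'}")
    if not name.strip():
        findings.append("no named person in From header")

    # 2. Gateway authentication verdicts: anything other than 'pass' is a flag.
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass: {auth.get(method, 'missing')}")

    # 3. Cc'd parties: 'v-' accounts are vendors, not Microsoft employees;
    #    any other outside domain is a third party with no NDA in place.
    for _, addr in getaddresses(msg.get_all("Cc", [])):
        local = addr.split("@", 1)[0].lower()
        if local.startswith("v-"):
            findings.append(f"cc'd vendor (v-) account, not a Microsoft employee: {addr}")
        elif _domain(addr) != EXPECTED_SENDER_DOMAIN:
            findings.append(f"cc'd third party outside {EXPECTED_SENDER_DOMAIN}: {addr}")

    # 4. Deadline language: the contractual audit sets no such time limits.
    for days in re.findall(r"\b(?:within|in)\s+(\d+)\s+(?:calendar\s+|business\s+)?days?\b",
                           _body_text(msg), re.I):
        findings.append(f"imposes a {days}-day deadline that the agreement does not require")

    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_NOTICE):
        print("FLAG:", line)
```

Run it against the raw message as saved from your mail client (headers included). Findings are advisory: a message that passes all four checks still only proves that somebody at the stated domain sent it, not that you have any contractual obligation to act on it, so the reply asking the sender to identify themselves is still the right next step.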
Do you have to react?
You don't have to react. You may decide to be nice and complete the review, but it is up to you.
What we suggest doing
If, after assessing all the risks, you decide to complete the SPLA License Review Self-assessment, here is what we suggest doing:
Ignore the deadlines. Again, ignore the deadlines. They have no legal weight.
Reply to the original email asking them to authenticate themselves, just in case.
Respond with your own timeline, and make it clear that you do not commit to any dates – you control the timeline.
Ask them to confirm that, if you place a corrective order ("true-up"), Microsoft will accept it in the context of any potential real SPLA audit. SPLA does not stipulate positive corrections at all: the agreement has no legal or contractual framework for positive corrective orders, i.e. cases where you pay to correct a mistake. Its only provision covers the cases where you overpay.
Do a proper self-assessment. Look back 3-5 years. Correct the mistakes, and place a corrective order.
Do not respond with a one-liner if you did not find any non-compliance. Write a detailed letter explaining what tools you used, how the process went, and what calculations and comparisons you did. And get it reviewed by a SPLA licensing expert before you send it, so they check that your interpretations and calculations are correct and compliant with SPUR.
Can it be a precursor to an audit?
Probably. We know of cases where a "real" audit came just a few months after the self-assessment declaration.
That is why it is essential to take it very seriously. Either ignore it entirely or do a proper self-assessment, correct past mistakes, update your process moving forward and let Microsoft know what you did.
The biggest mistake you can make is to respond with just "we found no non-compliance".
They know, and we know, that achieving 100% SPLA compliance is extremely difficult, and older mistakes are impossible to correct: after you report to your SPLA reseller for the previous calendar month, you have only 60 days to correct any mistakes.
So, responding with "we are squeaky clean" is a red flag for Microsoft.
If you are indeed compliant, meaning compliant for the last 3-5 years (the notice does not specify the "depth" of reporting history it covers), then write a detailed letter explaining what tools you used, how the process went, and what calculations and comparisons you did. Convince them.
If I complete the Self-assessment process, will it prevent an audit?
Even if you do it properly, there is no guarantee. The Microsoft LCC department is famous for being "independent". They do not report to other partner groups and local Microsoft offices. They have their own plan and schedule.
Moreover, we have reasons to suspect that your self-assessment declaration may be used against you during an audit as legal proof that you knew what was going on in your estate, and you won't be able to call the "benefit of the doubt" card later.
Talk to a SPLA expert
We are not Microsoft partners, affiliates, resellers or dependants. All the advice you get from us is real, with zero nonsense and zero hidden agenda.
Contact us immediately after receiving a notice from Microsoft, and we'll give you much-needed peace of mind. Write to us even if you are mid-way through the process, to make sure you do everything correctly.