3 types of SPLA Compliance Audits by Microsoft
When you receive an email or a letter from Microsoft that begins with "Microsoft has a right to audit your SPLA compliance", it does not necessarily mean that you are under an actual audit.
There are three types of "compliance verification" notice letters. Let's see what they are and what we suggest doing when you get one.
Full SPLA compliance audit
This is the SPLA audit you agreed to in writing when you signed your Service Provider License Agreement and Microsoft Business and Services Agreement.
What does the notice look like?
It is often sent by email with a copy by post,
It comes from an actual person, a top-level manager in the Microsoft LCC (License Contract & Compliance) department,
It refers to your MBSA agreement number(s),
It appoints a well-known auditing company, usually one of the four: EY, KPMG, Deloitte, or PwC,
It mentions that the auditor will contact you to set up a kick-off call.
What gives them the right to audit you?
The Compliance Verification terms are included in your MBSA and SPLA agreements. It is their contractual right and your contractual obligation.
Do you have to react?
Yes. You must react. You have 30 days to begin collaborating.
What we suggest doing
First of all, don't panic. Read our comprehensive Microsoft SPLA Audit Guide. We also suggest finding a partner with niche experience in SPLA Audit Defence.
Microsoft SPLA License Review Notification
Service providers in the United States of America may receive an email referring to a "SPLA License Review". We have heard of similar emails sent to Canadian providers, but we have no evidence.
It begins with "Microsoft has the right to verify software license compliance" and proceeds to say, "Microsoft requests you to complete the SPLA License Review process".
Importantly, it's not an audit that you agreed to contractually.
What does the notice look like?
It comes as an email from an anonymous account in the @microsoft.com email domain,
There is no named person behind the email,
There is a third party (Microsoft partner) in the CC field which may have an email starting with "v-dash", e.g. "v-somename@microsoft.com",
There are attached instructions and workbooks,
It asks you to collect inventory and send it back to the original email,
It demands completing the inventory process in 10 calendar days,
It does offer to set up a call, and you "must" do it in 5 days.
What gives them the right to ask you to complete such a review?
Nothing. You did not agree to it. You did not put your signature under it. It is not their contractual right. And it is not your contractual obligation.
You must understand that this review is voluntary.
Problems with the SPLA License Review Notification
It is called a "Notification", but it is not one. It is not the notice that is mentioned in the MBSA. It should be called a "Request". Calling it "Notification" is a manipulation to trick you into thinking it is mandatory.
It refers to the right to audit and then asks you to complete a process unrelated to the right to audit as stipulated in the MBSA and SPLA.
Initially, there is no human being behind it. It's difficult to tell whether it is even a legitimate email or a phishing attempt.
It CCs a third party with which you have no confidentiality agreement and asks you to share confidential information. A person with a "v-somename@microsoft.com" email (beginning with "v-") is not a Microsoft employee. "V" means "vendor".
It imposes ridiculous deadlines on you using intimidating language, whilst even the official audit you agreed to has no duration restrictions or deadlines.
Do you have to react?
You don't have to react. You may decide to be nice and complete the review, but it is up to you.
What we suggest doing
First of all, don't be intimidated. The notice is written to manipulate you.
Only if, after assessing all the risks, you decide to complete the SPLA License Review, here is what we suggest doing:
Ignore the deadlines. Again, ignore the deadlines. They have no legal weight.
Respond to the original email asking them to authenticate themselves and to explain who the third party in the CC is.
Demand an NDA with the third party. Do not proceed without it. Part of the data they request contains confidential data of your hosted clients.
Respond with your own timeline, and make it clear that you do not commit to any dates – you control the timelines.
Review all the data before sharing it. Part of the data they request contains confidential data of your hosted clients.
Can it be a precursor to an audit?
Yes, it can be. Then so what? The reasons the License Review process exists are:
Auditing companies have limited resources. There are simply too many providers to send a "grown-up auditor" to.
A real audit is expensive for Microsoft. If an auditor doesn't find non-compliance, Microsoft pays for the audit.
Will they send you an audit if you ignore the request? Maybe.
If I complete the Review process, will it prevent an audit?
We doubt it. The Microsoft LCC department is famous for being "independent". They do not report to other partner groups and local Microsoft offices. They have their own plan and schedule.
Moreover, if, during a review, Microsoft finds evidence or even hints that there are more problems with your historic SPLA reporting, it will increase your chances of getting a "proper" SPLA audit.
Microsoft Western Europe License Review (Self-Assessment)
As the heading of this section suggests, if you are in Europe, Microsoft Ireland can send you another kind of License Review notice email. We are unaware whether a similar process exists in other parts of the world, but we can imagine how this practice could spread to other Microsoft regions.
Although the template bears similarities with the North American SPLA License Review, the process is fundamentally different.
It also begins with "Microsoft has the right to verify software license compliance" and proceeds to say, "Microsoft requests you to complete an internal self-assessment process".
The good thing is, if you decide to comply, you won't share any data unless you decide to share some of it – read further. They want your declaration, not your inventory.
Importantly though, it's not an audit that you agreed to contractually.
What does the notice look like?
It comes as an email from an anonymous account in the @microsoft.com email domain,
There is no named person behind the email,
There is no third party involved, unlike in the North American process,
It asks you to do a self-assessment and respond to the original email with either "we found no non-compliance" or with "adjustment details" in case you find yourselves non-compliant, which means both: paying for "any past deficiencies" found and correcting your reporting moving forward,
It alludes that you need to work with your SPLA reseller to submit a corrective order ("true-up order") in case you find yourselves non-compliant.
What gives them the right to ask you to complete a self-assessment?
Nothing. You did not agree to it. You did not put your signature under it. It is not their contractual right. And it is not your contractual obligation.
You must understand that the self-assessment is voluntary.
Problems with the SPLA License Self-assessment Review notice
It refers to the right to audit and then asks you to complete a process that is not related to the right to audit as stipulated in the MBSA and SPLA.
Initially, there is no human being behind it. It's difficult to tell whether it is even a legitimate email or a phishing attempt. Most of the time, they are legitimate emails, but that doesn't mean a malicious person will not piggyback on them, so check authenticity every time. Some notices contain SPLA and MBSA IDs, making them more authentic. Some don't.
Even though the language is less intimidating than in the USA "notice", Microsoft asks you to complete the process in 45 days, which you are not obligated to do.
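A small triage script for such a notice, as an added example that is not part of the article and not Microsoft's code: it applies the authenticity checks above (sender domain, your own server's SPF/DKIM/DMARC verdict, "v-" vendor accounts in CC) to the raw email headers before you answer. The sample message and every address in it are constructed placeholders.

```python
"""Triage of an unsolicited "license review" email (added example, not from
the article or Microsoft). With only the standard library it checks what the
article says to check before answering: the From address is in the
@microsoft.com domain, your own mail server recorded spf/dkim/dmarc passes
(RFC 8601 Authentication-Results), and which CC addresses carry the "v-"
vendor prefix, i.e. are not Microsoft employees.
"""
import re
from email import message_from_string
from email.utils import getaddresses

SENDER_DOMAIN = "microsoft.com"  # domain the notices come from, per the article


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    from_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    cc_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Cc", []))]

    # Exact domain match: a look-alike such as microsoft.com.example.net fails.
    domain_ok = bool(from_addrs) and all(
        a.rsplit("@", 1)[-1] == SENDER_DOMAIN for a in from_addrs)

    # Authentication-Results is stamped by the receiving server, so it is far
    # harder to forge than From. Require spf, dkim and dmarc all "pass", and
    # trust only the header your own server added, not one the sender included.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    auth_ok = all(re.search(rf"\b{m}=pass\b", auth)
                  for m in ("spf", "dkim", "dmarc"))

    # A "v-" local part marks a vendor account: a third party, not Microsoft.
    vendor_cc = [a for a in cc_addrs if a.split("@", 1)[0].startswith("v-")]

    # Passing is necessary, not sufficient: a named contact and the MBSA/SPLA
    # IDs still need confirming with Microsoft out of band.
    return {"from": from_addrs, "domain_ok": domain_ok, "auth_ok": auth_ok,
            "vendor_cc": vendor_cc, "passes_checks": domain_ok and auth_ok}


# Constructed sample notice; all addresses are placeholders, not real mailboxes.
SAMPLE = """\
Authentication-Results: mx.example-provider.test; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: License Review <licensereview-noreply@microsoft.com>
Cc: v-somename@microsoft.com, licensing@example-provider.test
To: admin@example-provider.test
Subject: SPLA License Review

Microsoft has the right to verify software license compliance ...
"""
```

Run it over the message as saved from your mail client (raw source, headers included); a false `passes_checks` means verify the notice with Microsoft out of band before replying, and a non-empty `vendor_cc` means a third party is on the thread.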
Do you have to react?
You don't have to react. You may decide to be nice and complete the review, but it is up to you.
What we suggest doing
If, after assessing all the risks, you decide to complete the SPLA License Review Self-assessment, here is what we suggest doing:
Ignore the deadlines. Again, ignore the deadlines. They have no legal weight.
Respond to the original email asking them to authenticate themselves, just in case.
Respond with your own timeline, and make it clear that you do not commit to any dates – you control the timeline.
Ask them to confirm that if you place a corrective order ("true-up"), Microsoft will accept it in the context of any potential real SPLA audit. SPLA does not stipulate positive corrections at all. The agreement has no legal or contractual framework for positive corrective orders — when you pay to correct the mistake. The only provision mentions the cases when you overpay.
Do a proper self-assessment. Look back 3-5 years. Correct the mistakes, and place a corrective order.
Do not respond with a one-liner if you did not find any non-compliance. Write a detailed letter explaining what tools you used, how the process went, and what calculations and comparisons you did. And get it reviewed by a SPLA licensing expert before you send it, so they check that your interpretations and calculations are correct and compliant with SPUR.
Can it be a precursor to an audit?
Probably. We know cases when a "real" audit came just a few months after the self-assessment declaration.
That is why it is essential to take it very seriously. Either ignore it entirely or do a proper self-assessment, correct past mistakes, update your process moving forward and let Microsoft know what you did.
The biggest mistake you can make is to respond with just "we found no non-compliance".
They know, and we know, that achieving 100% SPLA compliance is extremely difficult, and past mistakes are impossible to correct. After you report to your SPLA reseller for the previous calendar month, you only have 60 days to correct any mistakes.
So, responding with "we are squeaky clean" is a red flag for Microsoft.
If you are indeed compliant, and that means you have been compliant for the last 3-5 years – the notice does not specify the "depth" of reporting history – then write a detailed letter explaining what tools you used, how the process went, and what calculations and comparisons you did. Convince them.
If I complete the Self-assessment process, will it prevent an audit?
Even if you do it properly, there is no guarantee. The Microsoft LCC department is famous for being "independent". They do not report to other partner groups and local Microsoft offices. They have their own plan and schedule.
Moreover, we have reasons to suspect that your self-assessment declaration may be used against you during an audit as legal proof that you knew what was going on in your estate, and you won't be able to call the "benefit of the doubt" card later.
Talk to a SPLA expert
We are not Microsoft partners, affiliates, resellers or dependants. All the advice you get from us is real, with zero nonsense and zero hidden agenda.
Contact us immediately after receiving a notice from Microsoft, and we'll give you much-needed peace of mind. Write to us even if you are mid-way through, to make sure you do everything correctly.