SPLA Audit How-to Guide 2024
SPLA audit. If you are a service provider and Microsoft hasn't knocked on your door with an audit yet, it's because it's not yet your turn.
It will happen, and it's not a pleasant experience. The process is disruptive and time-consuming, the approach is confusing, and the results are always unexpected.
But worry no more. We have put together this comprehensive Microsoft SPLA audit guide to help you through, including:
What is a SPLA audit, and how is it different from other compliance audits,
Your contractual rights and obligations,
Detailed step-by-step Microsoft SPLA audit process guide,
How to prepare for an inevitable audit,
And ultimately, how to get through it with minimal damage.
Everything you read here was learned, tried and tested on over a hundred audit defence engagements. SPLA audits are our speciality, as is SPLA governance. We don't sell SPLA licences or collaborate with Microsoft. All we do is protect service providers like you.
What is a SPLA audit?
A SPLA audit is the process of verifying your compliance with the terms and conditions of the Services Provider License Agreement.
Microsoft and its appointed auditor gather the data related to your hosting services and verify the following:
Did you report the correct number of licences in every monthly reporting cycle?
Are you complying with other agreement terms not related to licensing?
Microsoft may issue a penalty or even terminate the agreement, depending on their findings.
Who and what gives Microsoft the right to audit?
You agree to audits when you sign a SPLA agreement. All major software publishers include audit terms in their multi-year licensing contracts.
Two documents stipulate the audit terms and describe the process:
MBSA - Microsoft Business and Services Agreement,
SPLA - Services Provider License Agreement.
MBSA defines universal terms and conditions for all agreements except the Microsoft Customer Agreement (CSP). It includes:
Right to verify compliance,
Your obligation to provide the appointed independent auditor access to data and systems,
The 30-day advance notice,
Your right to a confidentiality agreement with the auditor,
"Remedies for non-compliance" - audit penalties and the 30-day payment term.
SPLA extends, explains, and partially overrides the audit terms stipulated in MBSA. It defines and clarifies the following:
Microsoft may audit you up to two years after the expiration or termination of the agreement,
Kinds of information and access you must provide related to SPLA services,
Special terms for "anti-corruption audits" (unrelated to license compliance verification).
The core difference between regular and SPLA audits
Misunderstanding how SPLA audits differ from regular compliance audits may bite you where it hurts – your finances. They require a completely different approach.
Look at the Effective Licensing Position (ELP) report mock-up in the picture above (in the original article). You should notice that it has one column per calendar month.
In a regular software audit, you get only one – current – licensing position. But SPLA is a "pay as you consume" agreement. Therefore, your license compliance is verified per month.
The auditor will present you with multiple monthly licensing positions.
In a "normal" audit, you may try and negotiate your past mistakes away by saying, for example: "We are decommissioning these servers". And in some cases, you may be excused. It's not going to work in SPLA. If the auditor finds a past error in your data, it will add to your monthly shortfalls in that period.
When you don't have robust data for a specific month, the auditor will extrapolate it from the data you managed to collect. SPLA stipulates: "Microsoft will presume that unreported use began upon commencement of each End User relationship unless Customer reasonably demonstrates a different scope and duration."
It's imperative to keep as much reliable historical data as possible to "demonstrate a different scope and duration".
Here are a few more things you need to know about the SPLA audit
Most service providers underestimate the shortfalls by 80%. If you think your debt is $1 million, it's probably between $3 and $7 million. We are rarely wrong when we estimate it this way.
The most significant shortfalls relate to user licences, the Subscriber Access Licences (SALs). On average, they account for between 50 and 80% of the total shortfall.
The shortfalls in Windows Server licences are the most difficult to mitigate.
SPLA audit process, bird's-eye view
At a high level, the process is similar to any other license verification audit.
It is preceded by the initiation phase, from the audit letter to the kick-off meeting.
Then, you collect and provide the data to the auditor.
The auditor presents you with a draft report.
You review the draft report, defend your position and provide the necessary evidence.
When you sign off the final report, the technical phase ends, and the auditor disengages.
You engage in commercial negotiations with Microsoft, in which you defend your case further.
Things to remember:
The auditor's role is technical. Their analysts deal with data and data only. They will take Microsoft's side when there's an ambiguity or lack of evidence.
The auditor won't present you with any financial figures. It is Microsoft's prerogative.
If you have a business case or plan to appeal to "common sense", leave it for the negotiation with Microsoft.
The auditor's report is not the final verdict. You may still defend your case and negotiate the outcome.
SPLA audit letter
One day, you open your inbox and find an email from Microsoft License Contract and Compliance (LCC). It says: "We selected you for a formal license compliance review." Your adrenalin level rises. It's never the right time. You don't know where to start.
At this stage, it's essential to relax. Nothing terrible has happened yet. Read the email calmly, casually, but carefully.
Take notes of:
Your company (legal entity). If you are in a group of companies, Microsoft may still select an isolated entity, and the audit should not encroach onto the entire group.
The MBSA number. Find the contract and ensure the same legal entity signed it.
The period. Microsoft will mention the starting month. The last month is a moving target. It is usually the month you submit the initial data set to the auditor and close the most critical gaps in the data so they can begin calculating. However, the formula is open to interpretation, so let your legal department read it too.
It will refer to the 30-day notice period. You cannot do much about it. You have already signed the agreement that stipulates the 30-day notice. Microsoft doesn't require your acknowledgement or readiness. You only have 30 days from the notice letter to your first conversation with the auditors.
But that should not worry you either. Here's why:
It is the only strictly stipulated period apart from the 30 days to pay the penalties at the end of the audit process.
There is a kick-off period when you may and should take control of the audit timeline.
Tips to be ready for the SPLA audit letter
Have all your agreement paperwork organised, safely stored and available to your stakeholders.
Have your legal department trained on SPLA and well-versed in Microsoft's legal framework.
Have emergency processes, tools and trained personnel.
NDA between you and the auditors
If you wish, you may insist on a confidentiality agreement between you and the auditor. The most recent versions of MBSA even permit this explicitly. However, you are within your rights regardless of Microsoft's benevolence. If the auditor pushes back, involve your legal counsel.
Usually, auditors don't share detailed data behind the audit findings with Microsoft. However, that is not stipulated in the agreement. You may insist on it being included in the NDA.
The only limitation stated in the agreement is that the NDA may not restrict the auditor's access to relevant data.
Kick-off meeting with the auditors
The active phase begins with the kick-off meeting. Usually, you would meet only with the auditors. However, Microsoft may also desire to be involved. You may insist on your preference — whether you want Microsoft to join the call or not.
What happens during the kick-off meeting?
The auditors will bring:
A presentation deck to walk you through the steps, data requirements, outcomes and other relevant information,
Questionnaires that they will ask you to populate with your answers about your company, infrastructure, Microsoft software you use, the managed services you provide,
Scripts that the auditors will ask you to run on your servers and hosted virtual machines,
Instructions on how to run the scripts.
They will also present you with a project plan and a desirable timeline.
They may ask high-level questions about your service provider business, infrastructure, and the types of managed services.
There will also be questions about your points of contact and stakeholders.
Do you have to run their scripts? Can you use your existing tool?
Our clients often ask this question in the context of the kick-off meeting. Yes, you may use existing inventory tools if they provide all the data the auditors require and if they cover the entire estate. The auditors would usually include the requirements in the presentation deck.
If your tool does not provide all the necessary information, you will be asked to use the auditor's scripts.
Our advice for the kick-off meeting
Listen carefully and take notes of everything even remotely noteworthy. For example, the auditors may explain what services and scenarios are out of scope. They will usually present a classification of hosting scenarios. Please take note of it. Various scenarios may have different data requirements. You don't have to agree to comply, but it is essential to clearly understand what the auditors want from you in each case.
If anything is unclear, ask as many questions as needed.
Clarify the scope: legal entities, starting month, and the closing month of the "audited period". Remember, the goal of the Microsoft SPLA audit is to verify your compliance per each calendar month in the past. It is not a point-in-time assessment like an Enterprise Agreement audit.
Insist on your control of the timeline. This audit is a disruption to your business. You may depend on third parties – your Software Services Resellers and end customers. Remember, there is no contractual obligation to stick to the proposed project plan.
If you don't have an independent advisor by your side in the meeting, try only to provide high-level answers to any technical or business questions. Do not overshare or submit any data before an expert reviews it.
Data collection and provision
MBSA stipulates that you must provide the auditor access to your systems running Microsoft software. The reality is different. Auditors prefer not to touch your systems.
Usually, your IT team will either run the provided scripts or extract the required data from reliable inventory tools. Treat the auditor's scripts as you would any third-party code that runs with administrative rights across your estate: have your security team read them first and confirm what they collect and where the output is written before anyone executes them.
Throughout the audit, it is crucial to understand that declarations are generally not accepted. Auditors will reject declared data without evidence when you can gather the data with a tool or a script.
Some auditors may ask you to provide screenshots or other secondary data together with the gathered information. They do it to verify the script output and data extracts from the tools. If it's too time-consuming, you don't have to do it. They will conduct an in-person verification exercise anyway.
In addition to technical data, you may be asked to provide:
Customer contracts — you may limit these to the relevant bits: separation of licensing responsibility, go-live dates, demo and evaluation periods,
Change records to prove the duration of services and hardware decommission dates,
Historical records and inventory data snapshots,
License Verification Forms. License Mobility Partnership is obsolete from October 2022, but the forms may be required:
to verify your historic end-customer relationships and
for the licenses brought by your end customers via the Flexible Virtualization Benefit.
and more, depending on your circumstances.
Most importantly, even if they don't ask you to provide it, find and organise your historical reporting records for the entire period. Find and organise your SPLA reseller invoices.
Our advice for the data-gathering stage
Know your scope. Do not run scripts or extract data from non-SPLA servers.
It is better to limit the provided information than to overshare. You can always share additional bits later. If you overshare, the auditor can add it to your Microsoft SPLA licensing debt, and you will have to ask for it to be de-scoped. Do not make your audit defence more complicated.
Here's a scary story. We have recently been involved in a case where a services provider submitted audit inventory data from an internal-use development data centre. The auditors included that data in the SPLA scope and then categorically refused to de-scope it when the provider found the mistake. Microsoft, unsurprisingly, took the auditor's side.
Review everything before you share it. Look for "red flags", especially around authorised users. SPLA conditions and business logic dictate that you are responsible for your misuse of Microsoft software. However, we believe there may be honest mistakes your IT personnel made, and you should have a chance to correct them.
It is always a good idea to have an experienced SPLA audit defence consultant by your side to help you with:
Understanding what managed services require SPLA licenses and which ones don't,
Clarifying what parts of the infrastructure are in SPLA scope and what data you don't have to provide, as oversharing is often strategically harmful,
Assessing the quality and completeness of the data you collected and advising you on how to mitigate the shortcomings,
Identifying, collecting and providing additional information to stop the auditor from making unreasonable assumptions.
How SPLA auditors analyse the data
They calculate what you should have reported to Microsoft
The auditor takes the information you provided and estimates how many licences you had to report in each calendar month in the audit scope.
If you don't provide historical information — monthly data snapshots, change records, other evidence — they will extrapolate, infer and assume your SPLA licensing debt from the current dataset.
Auditors always assume the worst case. It is your responsibility to prove otherwise.
For example, suppose you deployed a server in March 2020 for a client that signed your services agreement in April 2018. If there is no evidence to support the server deployment date, the auditor will assume that you had to report the licences starting in April 2018.
Then they calculate your "position" per month
At this step, the auditor compares the calculated requirement for each month to what you submitted to your reseller in the corresponding monthly report.
The following is essential to understand:
Monthly shortfalls (under-reporting) will add up,
Monthly surpluses (over-reporting) will be ignored.
You can bring up your surpluses later in the commercial negotiation phase with Microsoft. But the auditors usually don't take them into account.
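The three rules above (a position per calendar month, presumed use from the start of the end-customer relationship when a deployment date is unevidenced, and shortfalls that add up while surpluses are ignored) are easier to reason about in code. The following is an added example written for this guide; it is not an auditor's tool or Microsoft's calculation, and the customers, products, dates, licence counts and reported figures are constructed sample data. It shows how much a single missing piece of evidence changes the total.

```python
"""Worked reconstruction of a per-month SPLA position (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Deployment:
    customer: str
    product: str
    licences: int                          # licences this deployment needs each month
    customer_since: date                   # commencement of the end-customer relationship
    deployed: Optional[date]               # evidenced deployment date, or None if unevidenced
    decommissioned: Optional[date] = None  # evidenced decommission date, or None if still live


def month_start(d: date) -> date:
    return date(d.year, d.month, 1)


def months_between(start: date, end: date) -> Iterator[date]:
    """First day of every calendar month from start to end, inclusive."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield date(y, m, 1)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def required_for_month(deployments: List[Deployment], month: date) -> Dict[str, int]:
    """Licences the auditor will require for `month`, per product."""
    required: Dict[str, int] = {}
    for d in deployments:
        # Presumption rule: without evidence of the deployment date, use is
        # presumed to have begun when the end-customer relationship commenced.
        first = month_start(d.deployed if d.deployed is not None else d.customer_since)
        last = month_start(d.decommissioned) if d.decommissioned is not None else None
        if first > month or (last is not None and last < month):
            continue
        required[d.product] = required.get(d.product, 0) + d.licences
    return required


def position(deployments: List[Deployment], reported: Dict[date, Dict[str, int]],
             start: date, end: date) -> Tuple[Dict[date, Dict[str, int]], Dict[str, int]]:
    """Per-month shortfalls and running totals. Surpluses are dropped, never netted."""
    per_month: Dict[date, Dict[str, int]] = {}
    totals: Dict[str, int] = {}
    for month in months_between(start, end):
        required = required_for_month(deployments, month)
        reported_this_month = reported.get(month, {})
        shortfalls: Dict[str, int] = {}
        for product, need in required.items():
            gap = need - reported_this_month.get(product, 0)
            if gap > 0:  # over-reporting (gap < 0) does not offset other months
                shortfalls[product] = gap
                totals[product] = totals.get(product, 0) + gap
        per_month[month] = shortfalls
    return per_month, totals


# --- constructed sample data (hypothetical customers and figures) -------------
def sample_deployments(evidenced: bool) -> List[Deployment]:
    # Customer A's Windows Server box really went live in March 2020; the flag
    # controls whether we can evidence that date (change record, snapshot, etc.).
    a_ws_deployed = date(2020, 3, 15) if evidenced else None
    return [
        Deployment("Customer A", "Windows Server", 4, date(2018, 4, 1), a_ws_deployed),
        Deployment("Customer A", "SQL Server", 2, date(2018, 4, 1), date(2020, 3, 15)),
        Deployment("Customer B", "Windows Server", 2, date(2019, 10, 1),
                   date(2019, 10, 5), decommissioned=date(2020, 2, 20)),
    ]


SAMPLE_REPORTED: Dict[date, Dict[str, int]] = {
    date(2020, 1, 1): {"Windows Server": 2},
    date(2020, 2, 1): {"Windows Server": 2},
    date(2020, 3, 1): {"Windows Server": 4},
    date(2020, 4, 1): {"Windows Server": 8, "SQL Server": 2},  # WS over-reported; ignored
    date(2020, 5, 1): {"Windows Server": 2, "SQL Server": 2},
    date(2020, 6, 1): {"Windows Server": 4, "SQL Server": 1},
}
AUDIT_START, AUDIT_END = date(2020, 1, 1), date(2020, 6, 1)


if __name__ == "__main__":
    for evidenced in (False, True):
        per_month, totals = position(sample_deployments(evidenced), SAMPLE_REPORTED,
                                     AUDIT_START, AUDIT_END)
        print(f"deployment date evidenced: {evidenced}")
        for month, gaps in per_month.items():
            print(f"  {month:%Y-%m}: {gaps or 'no shortfall'}")
        print(f"  totals: {totals}")
```

Run it and compare the two passes: with no evidence for Customer A's deployment date, the auditor presumes the Windows Server licences were due from April 2018 and the January and February 2020 shortfalls appear out of nowhere; with a dated change record, those months drop out. Note also that April's over-reporting does nothing for May's shortfall in the same product. The evidence you keep per month is the only lever on this calculation.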
What else do they verify?
The auditor will also usually verify your compliance with the contractual terms, including:
That you reported contact details of your end customers that consume more than $1000 per month (Microsoft licensing only),
That all your end customers have signed End User License Terms.
Validate the audit report and push back
The first draft report, which is usually a Microsoft Excel worksheet, will often contain errors in its formulae.
Here is what you should do, preferably with help from a SPLA expert:
Validate all formulae,
Check for assumed consumption periods, provide additional evidence and push back on misinterpretations,
See what gaps the auditor listed in the report and provide accurate data to close the gaps,
Ensure that the scope is correct.
Don't wait to correct SPLA reporting mistakes
When you find reporting mistakes, whether with your friendly SPLA expert or when you receive the report from the auditor, correct them immediately. You don't want them to be carried over to future reporting periods.
If it helps, re-architect your services. Invest in a reliable SPLA tool or develop an automated solution in-house.
Every month you delay the improvements, your debt to Microsoft grows.
The final SPLA audit report
After a few iterations, when corrective measures are exhausted or you decide to stop, the auditor will issue the final report.
Here's what you should do:
Ensure that all disagreements with the auditor are included in the report,
Do not agree in writing with the results — sign it off as complete work, but don't accept the numbers.
Remember that the auditor is not empowered to hold commercial negotiations and discuss the intricacies of your business processes. That is Microsoft's prerogative.
We advise our clients — service providers we work with — to push back on every bit of disagreement. Ask yourself, is it better to negotiate from $60 million or $30 million, regardless of whether it is a wrong and assumptive figure?
Negotiating the outcome with Microsoft
Most of the time, Microsoft's goal is not to punish you. Of course, any business is interested in recovering lost revenue. But Microsoft often prefers looking into the future. You will have a chance to have a commercial discussion and alternative remedies. For example, Microsoft may be interested in you committing to increase your Azure consumption.
Having a professional Microsoft negotiator on your side is always a good idea. They will know what works and what doesn't. They may guide you from the background or be present as part of your team.
Paying the penalties
Whether you will have to pay the penalty and its amount depends on the outcome of the negotiations.
MBSA stipulates that you must purchase the missing licences in 30 days.
SPLA clarifies that you'll have to pay 125% of the list price. In addition, if your non-compliance exceeds 5%, you will have to cover all audit expenses.
How do you know you are ready for an audit?
We have compiled this SPLA audit readiness checklist for you. If you prefer it in a document format, please contact us using the form below the article.
The more points you tick, the better you are prepared for an audit.
We have reliable, near-real-time data from all the servers in our hosting estate.
We realise that Microsoft will presume that we are liable for all the Microsoft software deployed in our hosting estate, whether or not we support or maintain it.
We, and our SPLA reseller, can provide all the monthly reports and payment evidence for at least five years upon request.
We have all the monthly data snapshots used to calculate reported numbers for at least five years, and we can provide them upon request.
In an organised manner, we maintain change records for all end-user environments, and we can provide full evidence and history of the contractual and technical relationship.
We have included compulsory SPLA End User License Terms in all our end-user contracts and our terms and conditions that are published online.
We have contractual stipulations or other conclusive evidence for the cases when our end-users intend to use their own licences on dedicated hardware.
We require all end-users to go through License Verification before bringing their own licences to our shared hosting environment. We can provide all the evidence at request for at least five years.
For all the instances of reporting SAL for SA, we maintain all the evidence of eligibility.
We understand our SPLA scope and can separate SPLA assets from internal or non-SPLA usage in our data centres.
We do not mix SPLA and our Volume licences on the same hardware.
Our internal SPLA usage is monitored and accounted for.
Our machine naming conventions and CMDB make it easy to identify asset owners.
We have a robust way of identifying service accounts and other records in Active Directory that can legitimately be excluded from SAL counts.
We regularly purge disabled and inactive records in the Active Directory.
Talk to a SPLA audit defence expert
Don't leave it to chance if you don't have previous SPLA audit experience.
SPLA is our speciality. We have helped mitigate over $500 million of avoidable audit penalties. We also don't sell licenses or partner with Microsoft, so our advice is unbiased.
The earlier we have a chat, the better. Of course, the best time to talk to us is when you receive the audit letter. But worry not. Your case is not lost even if you have already gone through the initial stages.
Here's what we will do for you:
We will analyse your scope, business, processes and information.
We know how auditors think so we can help you compellingly present the evidence.
We will then build a solid case together and help you defend it.
We will validate and scrutinise the report and advise on pushing back.
And finally, we'll support you in negotiations.
We can provide an ROI guarantee, so you have additional peace of mind.
Please don't hesitate to message us using the form below. We respond quickly. Our senior team member will contact you to understand your situation better and develop a proper strategy.