SPLA Audit: The First 30 Days Can Save You Millions
When you receive a SPLA Audit notice, you'll have 30+ days to prepare. Here's our advice on how to use this time wisely and avoid excessive audit penalties.
Today, we’ll discuss the critical 30 days at the beginning of the SPLA audit after receiving an official audit notice from Microsoft.
My name is Alexander Golev. I am responsible for the branch of SAMexpert’s business that takes care of service providers. We are a boutique consulting company specialising in everything related to your commercial relationship with Microsoft: discounts, negotiations, compliance, and audit support.
Why should you listen to us? We have supported organisations in over 100+ audits, and we have a 100% win rate. We are deliberately independent. We are not a Microsoft partner, and we don’t sell their licences, so we don’t depend on Microsoft in any way.
Today’s conversation is primarily for service providers. However, if you are not a service provider, you may learn important things about approaching any software vendor audit.
Our advice today is good enough for you to do DIY. It’s easier for me to explain how we do it when we work with providers, but listen attentively, and you can try to do it yourself.
What to do when you receive an audit notice
Calm down. If you need to talk, call us; it’s free of charge. You’ll probably speak to me as I lead the service provider support department in SAMexpert.
Look at the letter. If it came from the LCC department and clearly states that it is an official audit, it is an official one. On the other hand, if the email refers to a self-assessment, it’s a different type of review.
Whatever type of audit or review it is, please do not ignore it. Our most disliked YouTube videos are the ones where we tell you that you may not simply ignore an audit notice. But that’s the unfortunate truth. If I told you that you could ignore the notice and tell Microsoft to harass someone else, I would lie to you. Whether you like it or not, you must do what is stipulated in your licensing agreement.
Your legal department may try to cancel the audit if there are material errors in the notice or if it contradicts your contractual obligations. You can find those obligations in two documents: MBSA and SPLA. They don’t repeat each other. They complement each other. I must say that we have never seen a successful audit rejection at the notice stage. Have your expectations fine-tuned. You’ll probably have to do the audit.
Let’s quickly discuss the self-assessments. We used to say that self-assessments are not contractually stipulated. Microsoft listened. The self-assessment terms are now included in the MBSA, depending on the version you signed. We suggest you to check your MBSA because it’s your chance to refuse the self-assessment.
Be aware, however, that if you are on the radar for a compliance review and refuse a self-assessment, Microsoft may initiate a proper audit.
Be also aware that if you formally respond to the self-assessment in a manner, “we are compliant and owe you nothing”, it elevates the probability of an audit. Moreover, you won’t be able to use the “we didn’t know” excuse during the negotiations anymore. You knew. You assessed yourself. You signed the declaration.
Let’s go back to the official audits. Microsoft’s own obligation is to send you a notice 30 days prior to the audit. In their own words, “Microsoft will notify Customer at least 30 calendar days in advance of its intent to verify Customer’s compliance.”
First of all, if they insist on a kick-off meeting with an appointed auditor in a shorter timeframe, you may legally refuse it and postpone the kick-off.
Now, the question is, what do you do in these 30 days? Whatever you do or do not do in these initial days, decide between failure and success. Our internal statistics show the initial 30 days’ effect on the audit penalties (pre-negotiation) is around 30%. Any mistakes or inaction now make negotiations harder.
First of all, calm down and talk to someone who does it for a living. By all means, you can talk to your licensing reseller – they usually offer free-of-charge support. But be sober about your expectations. Microsoft partners depend on Microsoft and sales revenue. And that affects how in-depth their advice will be.
And then act. I’ll tell you what we do when we support providers. You can copy us and do it yourself.
What to do in the first 30 days? Prepare!
First and foremost, we need to notify and inform stakeholders and assign your internal resources to the initial stages of the audit for data gathering: inventory and documents.
The team must be led by a good negotiator, preferably at the executive level. Do not—I repeat, do not—throw the audit down the ladder to the IT department. Accountability must stay at the senior management level. Your negotiations begin from day one.
Do not assign an IT techie as the first point of contact with the auditor. It must be a risk-aware, business-minded, management-level stakeholder.
Involve your legal counsel and study the contractual obligations. Get everyone on the same page about the following:
Time-related obligations: after the audit notice, there are almost none. Your MBSA may limit the NDA stage to 14 days. In the end, there are 30 days to pay the bill. There’s nothing else. I repeat, there is nothing else. The agreement only compels you to perform the audit “timely” – this exact word.
Penalties. Penalties are comprised of three parts. Licenses you did not report, a 25% penalty on top of that, and the auditor’s fees.
It’s crucial that all stakeholders are on the same page from day one. You must understand your rights, not only your obligations. Being able to resist hard deadlines and time pressure saves not only your nerve cells but also your money.
Then we review your entire business from the point of view of Microsoft licensing. We’ll start with the scope. This is a SPLA audit, so the scope boundaries must be clearly, visibly, firmly drawn:
Your data centres and clusters. Count them all. Then, exclude pure internal use. Be careful with ”management clusters” as they may be in scope. Your goal, however, is to minimise the scope.
Do you provide SPLA services from each cluster, or is it pure collocation?
Are there any clusters dedicated to a particular customer? What is the nature of the services there? What licenses do you provide to that customer, and what are they responsible for? In such cases, immediately begin gathering evidence. Do not delay.
Do you provide Business Process Outsourcing services? Then, if the end customer does not access the systems, it’s not hosting. It may be outside of the SPLA scope; however, that needs to be ascertained.
What Microsoft licenses do you provide to end clients? Many large Cloud Infrastructure providers only provide Windows Server and sometimes SQL Server. Where is the evidence? Is it on your website? In your Terms of Use? In your contracts?
What about your clients deploying Microsoft products on their own, without you providing the licenses or even asking? Do you allow BYOL? Do you have the relevant terms and conditions? Do you clearly divide responsibility?
Your goal is to have a complete story, a risk map, and a clearly defined scope well before you meet with the auditor for the first time. This will save you time, effort, internal resources, and, ultimately, money. One of the biggest headaches and risks is oversharing or sharing incorrect information. Correcting it is hard.
Then, we would conduct an internal review of your compliance, pre-audit. By no means would we suggest you hide anything. It would be a punishable offence. However, there are always (always!) what we call “honest mistakes”.
For example, an untrained sysadmin may, for troubleshooting purposes, open access to a server to the entire domain. ”Temporarily”. And then forget to remove it. When you can prove that this was not the intended design but an honest mistake, it is widely accepted by audit defence experts, not only us, that you have the moral right to correct it. You may also try to negotiate it later if you so choose.
Of course, it’s not the only example. We’ve seen many more, some of which may be impossible to correct immediately. All too often, sysadmins deploy SQL Enterprise where they are instructed to install SQL Standard or even SQL Express. You probably won’t correct it quickly enough, and it may raise the auditor’s questions during data analysis. What can you do instead? Start preparing for the negotiations.
First and foremost, find evidence supporting the intended design. Do it now. Check what you billed your end client for. Find the itemised bills. Start building your story now.
Decide whether you want to use data from your SPLA tool if you have one. Unfortunately, in many cases, SPLA tools are deployed but not correctly implemented. There may be scope inconsistencies, software recognition errors, license responsibility not clearly defined and many more things that make the data from the tool that isn’t fine-tuned unreliable and potentially damaging.
If you want to use the tool’s data, ensure it’s consistent and correct. But if you realise that it’ll take too long, default to the provider scripts. We’ve seen unfortunate delays when providers had to fall back to the scripts a bit late in the process, thus creating unnecessary delays and friction.
If you let me summarise:
Assemble the team and inform executive stakeholders. Assign resources and responsibilities.
Refresh your knowledge of your rights and obligations. Read your agreement!
Refresh your knowledge about your own business to ensure you know the right scope and details behind your customers and services.
Conduct an internal review and see what honest mistakes you can correct. For more serious honest mistakes, start gathering evidence and excuses now; don’t delay it.
When that’s done, you are ready for the kick-off meeting with the auditor and the data-gathering stage. I suggest you review the recording of our previous event, in which we discussed further stages of the audit.
Remember, your audit negotiations start well before the actual negotiations. Do not outsource accountability, and do not lose control.
When you follow our advice, the first 30 days preceding the audit can, on average, reduce the penalty risk by 30%. Of course, your figures will be unique to you, but you’ll always see the positive effect.
You also don’t have to wait until the audit notice. You can start preparations tomorrow, so when they knock on your door, you have your ducks in a row, saving yourselves quite a bit of time and having the necessary peace of mind.
If you think we could help you prepare for an audit, please contact us via our website or LinkedIn.
We can send you a checklist if you want to do it yourselves. Drop us an email at ask@samexpert.com
Thank you for your time today. Have a great rest of the week. I’m Alexander Golev from SAMexpert. And I’ll see you at our future events.