The takeaway up front. In a SPLA audit, change records are what explain why a month looks the way it does. A documented trail of customer onboarding, product version changes, and infrastructure moves turns unexplained variation into evidenced fact, and evidenced fact is what holds against an auditor across the 36 month lookback.
Why change is where audits get hard
SPLA exposure rarely comes from a steady state. It comes from change, a customer onboarded mid month, a product upgraded to a version with different use rights, a workload migrated between hosts, a tenant suspended but left provisioned. Each change shifts the right number for that month. Without a record of the change, the auditor sees only the variation and counts the higher figure. With a record, you can explain the variation and count the right figure.
The change records that matter most
- Customer onboarding and offboarding, with dates, so each tenant is counted only for the months it was actually live.
- Suspension and reactivation, so dormant tenants are excluded from active counts for the months they were dormant.
- Product version changes, so the correct use rights apply to each month, because the rules attach to versions.
- Infrastructure moves, such as workloads migrating between hosts, so capacity counts are not double counted across the move.
- Disaster recovery activation and stand down, so recovery instances are counted only when the disaster recovery terms do not exempt them.
How a change record overturns a finding
| Auditor observation | Change record | Corrected position |
|---|---|---|
| Tenant counted as active all month | Suspension logged on day 6 | Counted for partial activity per the use rights |
| Newer product version assumed all year | Upgrade record dated to month 8 | Earlier months counted under the prior version rights |
| Workload counted on two hosts | Migration record between hosts | Counted once across the move |
The figures and dates are indicative, but each row shows the same mechanic. The auditor's count is a snapshot inference. The change record is the timeline that corrects it.
Where change records sit in the defense
Change records work alongside the rest of the reporting discipline that defends a SPLA audit, monthly SAL reports filed on time, sealed daily authentication counts, customer mapping for each reported block, product version mapping, and documented multi tenant boundaries. Authentication logs show who used a product. Change records explain why the population using it shifted. Together they let you reconstruct any month and defend the reconstruction.
Building the trail without slowing operations
The aim is not a heavy bureaucracy. It is to capture the small set of changes that move the licensing number, automatically where possible, from the systems you already run. Provisioning systems already know onboarding dates. Configuration tooling already records version changes. Hypervisor management already logs migrations. The work is to retain those records, tie them to the licensing impact, and keep them for the full lookback so they are there when an audit tests a month from two years ago.
Why this is worth doing before an audit
Change records are far easier to capture as change happens than to reconstruct under audit pressure. Back fees follow the reconstructed consumption and are not negotiable, so the accuracy that change records protect is permanent value. The uplift of 25 to 125 percent is negotiable, and a clean change trail is exactly the good faith evidence that argues it down. A hoster with disciplined change records walks into an audit able to explain every month. A hoster without them spends the audit trying to remember.
What to do next
If your change records today live across scattered systems with no licensing view, that is the gap to close before a notice arrives. Book a Strategy Call and we will map which changes matter, how to retain them, and how they feed a reconstruction.
If the timeline is already running, our SPLA audit defense team challenges the counting before back fees are set.