An audit is settled on the evidence you can produce, not the position you believe is true. The organizations that defend best are the ones that kept the records to prove their position. Here is how to build evidence retention into a practice that holds when Microsoft and its auditor ask you to show your work.
When an auditor builds an Effective License Position, they reconcile what is deployed against what you are entitled to use. Every line in that reconciliation is a claim, and every claim is either supported by a record or left to the auditor's judgment. Where you cannot show the record, the auditor fills the gap with an assumption, and those assumptions almost always favor the vendor. The whole arc of a defense is the work of replacing assumption with evidence, and that work is far easier when the evidence already exists.
This is why evidence retention is not an administrative chore. It is the raw material of every argument you will make. A license you bought five years ago only counts if you can produce the proof of entitlement. A downgrade right only applies if you can show the original version and the contract that grants it. A device that no longer runs the software only comes off the count if you can show when it was decommissioned. None of these are hard claims to win. They are simply impossible to win without the document.
For end customers, the auditor reconciles deployment against entitlement and then applies the contract. Under the MBSA audit clause, if unlicensed use reaches 5 percent or more of total use, you reimburse the verification costs and acquire the missing licenses at 125 percent of the current price. That threshold turns a small number of unprovable positions into a large bill, because a handful of deployments you cannot account for can push you over the line. The records that keep you under it are proofs of entitlement, deployment inventories tied to a date, decommission logs, and the contract documents that grant downgrade and reassignment rights.
For hosters under SPLA, the demand is different in shape but identical in spirit. SPLA is monthly pay as you consume, and compliance is verified for every monthly cycle across a 36 month lookback. The auditor does not ask what you run today. They ask what you ran in each of the last 36 months, and they expect a record for each. The evidence that answers them is the set of monthly SAL reports, the sealed daily authentication counts behind those reports, the customer mapping for each reported block, and the product version mapping that shows which SPUR rules applied. Back fees at the price file rate are fixed, but the penalty uplift, which runs from 25 to 125 percent, turns heavily on whether your records show discipline or disorder.
| Track | Core evidence | Why it matters |
|---|---|---|
| End customer | Proofs of entitlement, dated deployment inventory, decommission logs, contract terms | Keeps unlicensed use under the 5 percent clause |
| Hoster | Monthly SAL reports, sealed daily counts, customer mapping, version mapping | Defends the 36 month lookback and limits the uplift |
The mistake most organizations make is treating retention as storage. Keeping files is not the same as keeping evidence. Evidence has to be findable, dated, and tied to the position it supports, or it might as well not exist when the clock is running. A working practice has four traits. It is complete, covering the full lookback the relevant program demands. It is dated, so each record maps to the month or the deployment state it describes. It is sealed, meaning the daily and monthly figures are captured at the time and cannot be quietly revised later. And it is owned, with a named person responsible for the file and a place it lives that does not depend on one employee's memory.
For hosters, the lookback sets the floor. Because the audit reaches back 36 months, your retention has to reach back at least as far, and sealed daily authentication counts are the backbone of that record because they are what a reported SAL figure is built from. For end customers there is no fixed window, but the practical rule is to retain proof for as long as a license remains in use plus the period any agreement could be audited, which in most estates means keeping entitlement records indefinitely. The cost of storage is trivial against the cost of a position you cannot defend.
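One way to implement the "sealed" trait for daily authentication counts and to check that the record covers the lookback. This is an added example, not part of the original article: the hash chain, the record fields and every function name are assumptions, and the counts are constructed sample data.

```python
import hashlib, json
from datetime import date, timedelta

GENESIS = "0" * 64  # anchor value for the first record in the chain (assumption)

def seal(prev_hash, day, sal_count):
    """Sealed record: the hash covers the date, the count and the previous seal."""
    body = {"day": day.isoformat(), "sal_count": sal_count, "prev": prev_hash}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}

def build_ledger(daily_counts):
    """daily_counts: (date, count) pairs in date order, sealed as they are captured."""
    ledger, prev = [], GENESIS
    for day, count in daily_counts:
        rec = seal(prev, day, count)
        ledger.append(rec)
        prev = rec["hash"]
    return ledger

def verify(ledger):
    """Return the days whose record was revised or no longer links to its predecessor."""
    bad, prev = [], GENESIS
    for rec in ledger:
        expected = seal(prev, date.fromisoformat(rec["day"]), rec["sal_count"])["hash"]
        if rec["prev"] != prev or rec["hash"] != expected:
            bad.append(rec["day"])
        prev = rec["hash"]
    return bad

def missing_months(ledger, last_year, last_month, lookback=36):
    """Months (YYYY-MM) inside the lookback that have no sealed daily record at all."""
    have = {rec["day"][:7] for rec in ledger}
    wanted, y, m = [], last_year, last_month
    for _ in range(lookback):
        wanted.append(f"{y:04d}-{m:02d}")
        y, m = (y, m - 1) if m > 1 else (y - 1, 12)
    return sorted(set(wanted) - have)

def constructed_counts():
    """Constructed sample: January to March 2024 with February never captured."""
    start = date(2024, 1, 1)
    days = [start + timedelta(days=i) for i in range(91)]
    return [(d, 100 + d.day % 7) for d in days if d.month != 2]
```

A chain rewritten from the changed record to the end would still verify, so the newest hash should also be lodged somewhere the people who maintain the ledger cannot write.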
The strongest reason to retain evidence well is that it lets you assess yourself before the vendor does. When your records are complete and current, you can reconcile your own Effective License Position on your own schedule, decline a voluntary SAM review with confidence, and respond to any formal demand from a controlled position rather than a scramble. Evidence retention is the standing layer beneath that whole posture, which is why we treat it as part of governance rather than a one time clean up. The routine that keeps it alive is set out in building an internal audit routine, and the way to report its health upward is covered in audit readiness metrics for the board.
The reconciliation method that all of this evidence feeds, for end customers and for the position behind a SPLA defense alike, is the Effective License Position guide. Read it next if you want the framework that turns your retained records into a defensible number.
We help you build the evidence file, and we stand ready to defend the position it supports. We sit between you and Microsoft and its appointed auditor, on your side of the table, and we never take vendor money. We work on a Fixed Fee from $18,000, or on Gainshare, a share of verified savings or avoided penalty with zero retainer and no risk to you. Our guarantee is plain: we reduce your exposure or we reimburse our service fee.
If you want a second set of eyes first, our Microsoft audit defense team manages every exchange with the auditor on your behalf.
Our governance guide shows you how to retain evidence the auditor cannot wave away.