
Hoster Governance That Survives a Big Four Audit

A SPLA audit tests your governance long before it tests your numbers. The hoster that has run disciplined reporting every month walks into the 36 month lookback with evidence. The one that improvised arrives with explanations. This is the governance that makes the difference.

Published December 12, 2025 · Updated March 21, 2026 · Hoster track · Reading time 11 minutes · Buyer side analysis

When a Big Four firm opens a SPLA audit, it is not auditing this month. It is auditing how you have run your reporting for the last three years, and whether the way you run it produces records that can be trusted. Governance is what the auditor is really examining, even when the conversation is about a single product or a single customer. A hoster with strong governance can answer any question with a record. A hoster with weak governance answers with a story, and stories do not reduce back fees. This article sets out the governance that turns a SPLA audit from an investigation into a verification, and explains why each piece carries the weight it does.

What the auditor is actually testing

SPLA is Microsoft's monthly licensing program for hosters, managed service providers, and outsourcers that deliver Microsoft software to external customers. It is pay as you consume, which means compliance is verified for every monthly reporting cycle, not just your current position. A Big Four firm conducts the audit under the MBSA audit clause as an independent third party with broad authority to request deployment records, server configuration data, customer contracts, and usage logs across a 36 month lookback. The auditor reconstructs what you consumed each month and compares it to what you reported. Where the reconstruction exceeds the report, the difference becomes back fees at the price file rate, which are not negotiable, plus a penalty uplift between 25 and 125 percent, which is.

The crucial point is that the auditor reconstructs consumption from your own data, and the quality of your governance determines whether that reconstruction lands close to your reported numbers or far above them. Good governance does not hide consumption. It makes the real consumption legible, so the auditor has no room to assume a higher figure than the truth.

Weak governance lets the auditor fill gaps with assumptions, and every assumption runs against you.

The five governance pillars that hold up

Reporting discipline is not one control. It is a small number of habits, run every month without exception, that together make your position defensible. Each pillar closes a specific gap an auditor would otherwise exploit.

Monthly SAL reports filed on time, every month

The foundation is simply filing a complete report every single month, on time, with no gaps. A missing month is not a neutral event in a SPLA audit. It invites the auditor to estimate that month from surrounding data, and estimates trend high. Twelve consistent monthly reports tell a far better story than ten good months and two blanks. The governance habit here is procedural: a named owner, a fixed filing date, and a check that the report actually went in.

Sealed daily authentication counts behind every SAL number

Each reported Subscriber Access License count should rest on a sealed daily authentication count, a contemporaneous daily record of the distinct identities that used each licensed product. Sealing means the daily figure is fixed when it is recorded and cannot be quietly changed later, which is what gives it evidential weight. This is covered in depth in sealing daily authentication counts, and it is the single record that most often determines whether the auditor's reconstruction matches your report.

Customer mapping for every reported block

Every SAL block and every processor count should map to a named external customer. This matters in both directions. It lets you prove that the users you reported were genuine external consumption, and it lets you remove users who should never have been counted, such as a customer who churned but stayed in the report. When the auditor questions a number, customer mapping is what lets you answer at the level of the individual account rather than the aggregate.

Product and version mapping to the current SPUR

The Services Provider Use Rights change, and the obligation attached to a product depends on its exact edition and version. Governance means every reported product is mapped to the SPUR rules that actually applied in the month it was reported. Without this, an edition upgrade that raised the licensing obligation can sit unnoticed for months, turning into an under reporting finding the auditor prices at the top of the band.

Documented multi tenant boundaries

In a shared hosting estate, who can reach a licensed workload is a licensing question, not just a security one. Documented multi tenant isolation defines exactly which users could access which licensed products, so the count includes everyone who should be counted and excludes everyone who should not. The detail of this pillar is set out in documenting multi tenant isolation for hosters, and it is often the difference between a clean count and an inflated one.

How governance changes the audit arithmetic

The value of governance shows up directly in the number you settle on. The figures below are indicative and chosen only to show the shape of the effect, not to quote any real outcome. Picture the same product line audited under two governance regimes.

Element                     | Weak governance            | Strong governance
Reconstructed consumption   | assumed high               | matches sealed records
Back fees, price file rate  | large, not negotiable      | small, matches reality
Penalty uplift band argued  | top of 25 to 125 percent   | bottom of 25 to 125 percent
Settlement position         | defend a reconstruction    | verify the record

Indicative illustration of how governance shifts both the non negotiable back fees and the negotiable uplift, not a quoted outcome.

The two columns settle at very different numbers from the same underlying business. The back fees move because strong governance keeps the reconstructed consumption honest, so there is less unlicensed use to price. The uplift moves because a documented, disciplined operation lets you argue that any genuine shortfall was narrow and inadvertent rather than a systematic pattern, which is the single strongest lever on where the uplift lands inside its range.

The short window to correct a mistake

One feature of SPLA makes governance especially valuable: there is only a short window in which a reporting mistake can be corrected before it hardens into an audit finding. A hoster running monthly reconciliation catches an edition change or a missed customer in the same cycle it happens, corrects it, and moves on. A hoster reconstructing later finds the same error three years on, when it has compounded across every month since and there is no longer any way to correct it cleanly. Governance is what shrinks the distance between when a mistake occurs and when it is caught, and that distance is exactly what an auditor turns into duration, one of the factors that pushes the uplift higher.

Building governance you can hand to an auditor

The aim is not a binder of policies. It is an operation that produces evidence as a byproduct of running normally. That means the daily counts are sealed automatically, the monthly report is reconciled against those counts before it is filed, the customer and version mappings are maintained as the estate changes rather than rebuilt at audit time, and the multi tenant boundaries are documented as part of how the platform is run. When all of this happens in the ordinary course, an audit request is answered by retrieving records, not by launching a project. That is the test of governance that survives: can you produce the evidence on the day the auditor asks, for any month in the lookback, without reconstructing anything?
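Sealing the daily authentication counts described under the second pillar and reconciling a monthly SAL figure against them before filing, as an added example that is not code from the original article or from any hoster's platform. It assumes a simple hash-chain seal (each day's record commits to the previous day's seal), constructed sample sign-in events, and that a month's SAL figure equals the distinct identities seen in that month; the `active_customers` set stands in for the customer mapping.

```python
import hashlib, json
from collections import defaultdict

GENESIS = hashlib.sha256(b"spla-seal-genesis").hexdigest()  # assumed fixed chain anchor
# Constructed sample authentication events: (day, product, identity, customer).
AUTH_EVENTS = [
    ("2026-03-01", "SQL Server Standard", "alice", "acme"),
    ("2026-03-01", "SQL Server Standard", "bob", "acme"),
    ("2026-03-01", "SQL Server Standard", "alice", "acme"),  # repeat sign-in, counted once
    ("2026-03-02", "SQL Server Standard", "carol", "globex"),
    ("2026-03-02", "SQL Server Standard", "alice", "acme"),  # seen again, still one SAL
    ("2026-03-03", "SQL Server Standard", "dave", "initech"),
]

def daily_distinct(events):
    """Collapse raw events into {day: {product: {identity: customer}}}, one entry per identity."""
    days = defaultdict(lambda: defaultdict(dict))
    for day, product, identity, customer in events:
        days[day][product][identity] = customer
    return days

def _digest(rec):
    """Hash the day's content together with the previous day's seal (the chain link)."""
    body = json.dumps({k: rec[k] for k in ("day", "mapping", "prev")}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def seal_days(days):
    """One sealed record per day, in date order; each later day commits to the earlier seals."""
    chain, prev = [], GENESIS
    for day in sorted(days):
        mapping = {p: dict(sorted(ids.items())) for p, ids in sorted(days[day].items())}
        rec = {"day": day, "mapping": mapping, "prev": prev}
        rec["seal"] = prev = _digest(rec)
        chain.append(rec)
    return chain

def verify_chain(chain):
    """Return (ok, first_bad_day); editing any day breaks its own seal and every later link."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or _digest(rec) != rec["seal"]:
            return False, rec["day"]
        prev = rec["seal"]
    return True, None

def monthly_reconcile(chain, product, reported_sal, active_customers):
    """Check a reported SAL count against the sealed days (assumed: SAL = distinct monthly identities)."""
    ids = {i: c for rec in chain for i, c in rec["mapping"].get(product, {}).items()}
    stale = sorted(i for i, c in ids.items() if c not in active_customers)  # churned but still counted
    return {"sealed": len(ids), "reported": reported_sal, "delta": reported_sal - len(ids), "stale": stale}
```

Run the reconciliation in the same cycle the report is prepared; a non-zero delta or a non-empty stale list is the correction window the article describes, and a failed chain check means the daily record can no longer be presented as contemporaneous.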

For hosters who are not there yet, the gap is rarely capability. It is usually that no one owns the reconciliation as a monthly discipline, so it happens inconsistently. Naming an owner, fixing the monthly steps, and pressure testing the output against the way a Big Four auditor reads it closes most of the distance. The wider posture this fits into is laid out in the SPLA Audit Defense Guide.

The next step

If you are not certain your governance would produce clean evidence for every month of a 36 month lookback, that uncertainty is your exposure. A Strategy Call will pressure test your current reporting and record keeping against the way a Big Four auditor will actually read it, and show you where the gaps sit before an audit does. We work on a Fixed Fee from $18,000 or on Gainshare, a share of verified savings or avoided penalty with zero retainer and no risk to you, and our guarantee stands behind both: we reduce your exposure, or we reimburse our service fee.

Walk into the lookback with evidence, not explanations.

Book a Strategy Call to pressure test your monthly SPLA governance against the way a Big Four auditor will read your 36 month lookback.


If you want a second set of eyes first, we defend the full 36 month lookback through our SPLA audit defense work.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.