In a SPLA audit, the number that decides your exposure is not a single snapshot of today. It is the sum of every month you reported across a 36 month lookback. SPLA is pay as you consume, and compliance is verified for every monthly reporting cycle, not just the current position. That structure means your exposure is built one month at a time, and so is your defense. Understanding how monthly reporting drives the result is the first step to controlling it.
This article explains how the monthly mechanics of SPLA turn into audit exposure, where the risk concentrates, and what reporting discipline actually protects. For the full method, read the SPLA audit defense guide.
SPLA is a monthly obligation, not an annual one
SPLA is Microsoft's monthly licensing program for hosters, managed service providers, and outsourcers that deliver Microsoft software to external customers. Every month you report what you consumed, applying the Services Provider Use Rights (SPUR) and reporting SAL or processor counts. There is no annual reconciliation that smooths the year out. Each month stands on its own, and each month is a data point the auditor will examine.
SPLA does not ask what you owe today. It asks what you owed every month for the last three years.
The 36 month lookback compounds every error
A Big Four firm conducts the SPLA audit under the MBSA audit clause, with broad authority to request deployment records, server configuration data, customer contracts, and usage logs. The auditor does not just check this month. It reconstructs what you should have reported for each of the trailing 36 months and compares it to what you actually reported. A single misapplied use right is not one error. It is potentially the same error repeated across every month it was in effect, summed into a base that can be far larger than any one month suggests.
| Pattern | One month view | Across 36 months |
|---|---|---|
| A small under reported SAL block | Looks minor | Multiplied by every month it persisted |
| A misread use right | One judgment call | Repeated across the lookback |
| A late or missed report | A single gap | A pattern the auditor weighs into the uplift |
Under reporting and over reporting both hurt
Misapplied SPUR drives error in both directions, and both cost you. Under reporting is compliance risk: it builds the under reported count that back fees and the penalty uplift are calculated from. Over reporting is the quieter problem: it wastes margin month after month by paying for consumption you did not actually owe. A disciplined monthly process is the only thing that keeps both in check, because it forces the use rights to be applied correctly before the report is filed rather than reconstructed years later under audit.
- Under reporting builds the count that drives back fees and the negotiable uplift
- Over reporting silently erodes margin by paying for more than you consumed
- Both come from the same root, which is SPUR applied without monthly discipline
Where the monthly exposure concentrates
Not every month carries equal risk. The exposure concentrates in a few recurring places, and knowing them tells you where to put your reporting discipline. The mapping between a reported SAL block and a real customer, the version of the product actually delivered, and the boundary between tenants are the points where monthly reporting most often goes wrong, and therefore where the auditor most often finds the gap.
- Customer mapping, where reported SAL blocks are not cleanly tied to a named customer
- Product version mapping, where the version delivered does not match what was reported
- Multi tenant boundaries, where shared infrastructure blurs who consumed what
- Timing, where reports are filed late or out of cycle and lose their evidentiary weight
Reporting discipline is the structural defense
Because exposure is built monthly, the defense has to be built monthly too. The structural defense is reporting discipline: monthly SAL reports submitted on time for every month, sealed daily authentication counts, customer mapping for each reported SAL block, product version mapping, and documented multi tenant isolation. There is only a short window to correct a reporting mistake, so the discipline has to live in the monthly cycle, not in an annual cleanup. A hoster with a clean, contemporaneous monthly record walks into an audit with the evidence already in hand. A hoster reconstructing three years under pressure does not.
You cannot rebuild three years of discipline in the weeks after the audit letter. You build it one month at a time, before.
What this means for your exposure
Your SPLA exposure is the accumulated result of 36 monthly decisions about how you applied the SPUR and what you reported. That is sobering if the months were undisciplined, and reassuring if they were not. The lever you control is the quality of each month's report, because the under reported count that drives back fees and the negotiable uplift is built from exactly those reports. Tighten the monthly cycle and you shrink the base before any auditor ever looks at it.
A buyer side advisor helps you build that discipline and defend the months under review. We reconstruct the monthly base from your operations data, separate the fixed back fee from the negotiable uplift, and map every reported SAL to a customer and a product version. To see the complete method, download the SPLA audit defense guide.
Our SPLA reporting discipline service puts the monthly evidence in order before an auditor ever asks, and before you send anything back to the auditor.