Blog · Hoster Compliance Operations

Monthly SAL Reporting Without Errors

Published February 5, 2026Updated May 28, 2026Hoster trackReading time about 9 minutes

Under SPLA, every monthly report is a permanent record that a Big Four auditor can test across a 36 month lookback. Reporting subscriber access licenses without errors is not a clerical nicety. It is the structural defense that decides what an audit can find.

Each month is a separate exam

SPLA is pay as you consume, and compliance is verified for every monthly reporting cycle, not just your current position. When a Big Four firm conducts an audit under the audit clause, it does not look at where you are today. It reconstructs every month across a 36 month lookback and tests each one against what you reported. That structure changes how you should think about a SAL report. A subscriber access license figure submitted this month is not a snapshot you can revise later. It is evidence that will be examined in three years.

The audit does not ask what you owe now. It asks what you reported every month for three years, and whether the records agree.

Where SAL reporting goes wrong

Most reporting errors are not deliberate. They come from process gaps that repeat quietly month after month until the lookback magnifies them. The same handful of mistakes account for most of what an auditor finds.

  • Under reporting, where access that was provisioned is not counted, which is direct compliance risk and back fees
  • Over reporting, where licenses are counted for users or servers no longer active, which quietly wastes margin
  • Misapplied Services Provider Use Rights, where the wrong product version or edition sets the wrong count
  • Customer estates left unmapped, so a reported SAL block cannot be tied to who consumed it
  • Late or skipped months, which the auditor treats as a reporting failure rather than a zero

The SPUR is the rulebook that turns deployment into a reportable count, and applying it correctly is where accuracy is won or lost. Misapplied SPUR drives both under reporting and over reporting, so getting the rules right protects compliance and margin at the same time.

The data that makes a SAL report defensible

A report you can defend is one that is reconstructed from primary data, not assembled from memory at month end. The same sources the auditor will ask for are the sources you should be reporting from.

EvidenceWhat it proves in a report
Sealed daily authentication countsThe actual peak of users with access in the month, the basis for SAL
Customer mappingThat every reported SAL block ties to a specific customer estate
Product version mappingThat the correct SPUR rule and edition were applied to each deployment
Documented multi tenant boundariesThat isolation between customers is real, so counts are not blurred

Sealed daily authentication counts are the quiet backbone of accurate SAL reporting. They give you a defensible peak for each month that does not depend on anyone's recollection, and they are the record that settles a dispute when the auditor's reconstruction differs from yours.

A simple monthly routine

Error free reporting is a routine, not a talent. The aim is that the SAL figure for each month is produced the same way every time, from the same sources, and closed before the window to correct it passes.

  • Collect and seal daily authentication counts through the month so the peak is captured as it happens
  • Apply the current SPUR by product version and edition, not last year's assumption
  • Reconcile reported SAL blocks against customer mapping so nothing is unattributed
  • Review additions and removals so neither under reporting nor over reporting creeps in
  • Submit on time, every month, and archive the supporting data with the report

There is only a short window to correct a reporting mistake, which is why month end discipline matters more than annual cleanup. A figure caught and corrected in its own cycle is a non event. The same figure discovered three years later in a lookback is back fees at the price file rate, plus a penalty uplift on top.

Why accuracy is the cheapest defense

When an audit comes, back fees at the price file rate are not negotiable. What is negotiable is the penalty uplift, which ranges from 25 to 125 percent depending on the severity, duration, and nature of any under reporting. Clean monthly reports, backed by sealed counts and customer mapping, are the strongest argument for the low end of that range. Accurate reporting does not just reduce what an audit finds. It reframes you as a disciplined reporter rather than a careless one, and that framing is worth real money when the uplift is decided.

The next step

Monthly SAL accuracy is the foundation of SPLA audit defense. Start from our pillar, the SPLA Audit Defense Guide, then read how right sizing SPLA protects margin and how the hoster self assessment before Microsoft calls tests your reporting before an auditor does. The opening position in a SPLA audit is built on your own records. Make them clean and you control what it can say.

If you want a second set of eyes first, our SPLA reporting discipline service puts the monthly evidence in order before an auditor ever asks.

Make every monthly SAL report defensible

Download the SPLA Audit Defense Guide, the buyer side playbook for reporting discipline. Fixed Fee from $18,000 or Gainshare, no risk to you, both backed by our guarantee.

Download the SPLA Audit Defense Guide

The Audit Brief

Weekly intelligence on Microsoft and SPLA audit moves and the buyer side defenses that work.

Get a Quote · Book a Strategy Call · The Audit Brief · About · Pricing · Blog · Contact · Privacy · Terms · New York · London Not affiliated with Microsoft Corporation. Independent buyer side advisory only.