In a SPLA audit your server deployment records are the evidence. If they are complete and consistent across the 36 month lookback, the auditor works from your facts. If they are thin, the auditor fills the gaps.
SPLA is Microsoft monthly licensing program for hosters, managed service providers, and outsourcers that deliver Microsoft software to external customers. It is pay as you consume, and compliance is verified for every monthly reporting cycle across a 36 month lookback, not just your current position. When a Big Four firm conducts that audit under the MBSA audit clause, it works from records. The quality of your server deployment records decides whether the audit runs on your evidence or on the auditor assumptions. This article sets out what to capture and why.
A SPLA audit is not a snapshot. The auditor has authority to request deployment records, server configuration data, customer contracts, and usage logs, and to test every month in the lookback. Where your records are complete, the auditor reconciles against them. Where they are missing, the auditor estimates, and estimates are rarely in your favor. Back fees at the price file rate are not negotiable, so any month the auditor has to reconstruct from assumptions tends to cost more than a month you can evidence.
Good server deployment records tie each server to what ran on it, who it served, and for how long. The aim is that any month in the lookback can be reconstructed from your own data.
The table below shows what a defensible monthly record looks like for a single reporting cycle. The figures are indicative.
| Server | Product and version | Metric | Customer | Reported count |
|---|---|---|---|---|
| Host A | Windows Server, current version | Processor and core | Customer 1 | 2 processors |
| Host B | RDS, current version | SAL per user | Customer 2 | 40 SAL |
| Host C | SQL Server, current version | Core based | Customer 3 | 8 cores |
These figures are indicative. The point is that every reported number traces to a server, a product version, a metric, and a customer. A record like this leaves the auditor nothing to reconstruct.
For user based metrics, the defensible practice is to seal daily authentication counts so the SAL figure you reported each month can be proven later. Authentication data captured at the time, and stored unchanged, is far stronger evidence than a reconstruction built months afterward. We go deeper on this in customer mapping for every reported SAL, and on the wider record set in building a SPLA compliance register.
Server deployment records are the foundation of the structural defense that protects a hoster, which is reporting discipline applied every month. Records make the reporting provable, and provable reporting is what holds up across a 36 month lookback. Our SPLA audit defense guide sets out that full discipline, and the hoster readiness workbook turns it into a checklist you can run against your own estate. Strong records are where it all starts.
Get the hoster readiness workbook, the buyer side reference for the records and reporting discipline that hold up across a SPLA lookback.
Download the guideIf you want a second set of eyes first, our SPLA audit defense team challenges the counting before back fees are set.
Weekly intelligence on Microsoft and SPLA audit moves and the buyer side defenses that work. Prefer to talk first? Ask us to Book a Strategy Call in your message above.