A SPLA audit reaches back 36 months, and very few hosting providers kept flawless, sealed records for every one of those months. Staff changed, tooling changed, a reporting process that was solid last year was improvised the year before. When the auditor finds a month it cannot fully evidence, the natural move is to fill the gap with an assumption, and assumptions in an audit run in the vendor's favor. The whole game, when records are incomplete, is to keep those gaps from being filled against you.
This article covers how to defend an audit you are not perfectly prepared for: triaging the lookback, evidencing what you can, reconstructing credible proxies for what you cannot, and using good faith to hold down the uplift. For the wider mechanics, see what a Microsoft SPLA audit is.
The real risk is the assumption, not the gap
An incomplete record is not, by itself, a finding. It becomes one when the auditor substitutes its own estimate for the missing data. Left unchallenged, those estimates default to the most conservative reading: the highest plausible SAL or processor count, applied across every unevidenced month. Over a three year lookback, a string of worst case assumptions compounds into a number far larger than your actual use.
Silence on a missing month is not neutral. It is an invitation for the auditor to assume the maximum.
So the objective is not to pretend the records are complete. It is to make sure every month is governed by evidence or by a reasoned, documented reconstruction rather than by an unexamined worst case. A credible proxy that you build and defend beats an assumption the auditor imposes, almost every time.
Triage the lookback first
Not all months are equal, and you cannot reconstruct everything at once. Start by sorting the lookback so you spend effort where it matters most.
- Months with complete, sealed records, which you defend directly and quickly
- Months with partial records, where you can build a strong reconstruction from what survives
- Months with little or nothing, where you need a defensible proxy and a clear rationale
- High value months, where your customer base or deployment was largest and the exposure concentrates
Triage tells you where the money is. A handful of high value months with weak records usually drive most of the disputed exposure, and that is where a careful reconstruction earns the most. Defending a low activity month to the same depth is effort better spent elsewhere.
Build credible proxies for the gaps
For months you cannot evidence directly, the answer is a reconstruction that a Big Four auditor will accept as reasonable. The strength of a proxy comes from anchoring it to data you do have and documenting the logic so it can be followed.
A well built proxy does two things. It gives the auditor something concrete to evaluate instead of a blank, and it shifts the conversation from assumption to evidence, which is the conversation you want.
A reasoned proxy beats an imposed assumption
An indicative comparison shows why the effort is worth it. Figures are illustrative only.
| Unevidenced month | Auditor assumption | Reasoned reconstruction | Basis |
|---|---|---|---|
| Month X | 600 SAL | 440 SAL | Anchored to evidenced neighbors and customer count |
| Month Y | 600 SAL | 410 SAL | Corroborated by billing and provisioning records |
| Month Z | 600 SAL | 0 SAL for one product | Product not yet deployed that month, shown by contracts |
The auditor's flat assumption ignores that demand varied and that some products were not even live in a given month. A reconstruction grounded in the records you do have replaces a uniform worst case with the real shape of the business, and the difference flows straight through to a lower back fee and a lower uplift.
Use good faith to hold down the uplift
Incomplete records affect more than the count. They also feed the penalty uplift, which ranges from 25 to 125 percent and turns partly on the nature of the under reporting. An auditor that sees genuine gaps filled with honest, documented reconstruction reads cooperation and good faith. An auditor that meets resistance, missing data, and no explanation reads the opposite, and prices the uplift accordingly. How you handle the gaps is itself evidence in the uplift argument.
This is why the response to incomplete records is never to stonewall. It is to be transparent about what is missing, rigorous about reconstructing it, and disciplined in documenting the method. That posture protects the count and the uplift at the same time, and it sets up the going forward reporting discipline that keeps the next audit from looking like this one.
You can defend an audit you were not ready for
Imperfect records are the normal starting point, not a lost cause. The hosters that come through a SPLA audit well are rarely the ones with flawless archives. They are the ones who triaged honestly, evidenced what they could, reconstructed the rest credibly, and never let a gap be filled against them by default. That is a defense you can run even when the records are thin.
A buyer side advisor does exactly this work: triaging the lookback, building defensible proxies, mapping reconstructed counts to customers, and carrying the good faith case into the uplift negotiation. Our guarantee applies: we reduce your exposure or we reimburse our service fee, and with gainshare you pay only from verified savings. To prepare properly, download the SPLA audit defense guide.
If you want a second set of eyes first, our SPLA audit defense service manages the Big Four auditor on your behalf.