Most discussion of SPLA reporting treats accuracy as a compliance question. Report enough and the auditor stays away. That framing is only half the picture, and the missing half is where a lot of hoster profit goes to die. SPLA is pay as you consume, so every reported unit is a unit you pay Microsoft for at the price file rate. Report too little and you carry audit risk that surfaces as back fees and penalty uplift. Report too much and you pay, month after month, for licensing you never needed, with nobody ever sending you an invoice for the mistake. Right reporting is the practice of landing on the exact number, because that number is the one that protects compliance and margin at the same time.
This article looks at how loose reporting leaks margin, why over reporting is so easy to miss, and how to build the reporting discipline that protects both sides of the ledger. It sits in the hoster compliance operations cluster and builds on the SPLA Audit Defense Guide, which covers the audit mechanics that make accurate reporting matter.
Two ways to be wrong, both expensive
A SPLA report can miss the true number in two directions, and the two failures are punished very differently. Under reporting is the one everyone watches, because it is the one the audit catches. When a Big Four firm reviews the 36 month lookback under the audit clause and finds months where you reported less than the deployment required, the back fees at the price file rate are not negotiable. They are owed. On top of those sits a penalty uplift, ranging from 25 to 125 percent, that depends on severity, duration, and the nature of the under reporting. That is the visible cost, and it is real.
Under reporting is a bill you eventually get. Over reporting is a bill you pay every month and never see.
Over reporting is the invisible cost. There is no audit for paying too much, no auditor who arrives to tell you that you over declared SAL counts for two years. The money simply leaves with each monthly report and never comes back. Because it never triggers an event, it can run for years inside a reporting process that everyone considers safe precisely because it errs high. A hoster anxious about audits often over reports on purpose, treating the excess as insurance. It is expensive insurance against a risk that good records would cover for free.
Where the margin actually leaks
Over reporting is rarely a single bad decision. It accumulates through small, defensible looking habits that nobody revisits. The common leaks are predictable, which means they can be found and closed.
| Leak | How it happens | Margin effect |
|---|---|---|
| Reporting decommissioned services | A customer offboards but the reported block is never removed | You pay for software no one is using, indefinitely |
| Safety padding | Counts are rounded up to avoid any chance of a shortfall | A standing premium on every cycle, multiplied across products |
| Wrong SPUR edition | A higher edition is reported than the deployment uses | Paying a premium rate for entitlements you do not deploy |
| Double counting shared infrastructure | Multi tenant capacity is reported per customer without applying isolation rules | The same underlying capacity is paid for several times over |
None of these will ever appear in an audit finding, because they all favour Microsoft. That is exactly why they survive. The discipline that catches under reporting, a monthly reconciliation of required against reported, is the same discipline that catches these. The hoster that runs it protects margin as a side effect of protecting compliance.
A worked view of right reporting
Consider a single product reported monthly. The figures are indicative and meant only to show how the two errors play out against the right number.
| Approach | Reported units | Required units | Outcome |
|---|---|---|---|
| Under reporting | 80 | 100 | 20 units of back fees plus negotiable uplift at audit |
| Over reporting | 120 | 100 | 20 units of margin paid away every month, never recovered |
| Right reporting | 100 | 100 | No audit exposure and no wasted spend |
The right reporting row is the only one that is correct on both axes. It carries no audit risk, because the report matches the deployment, and it wastes no margin, because nothing is declared that is not owed. Reaching that row consistently is not luck. It is the product of a reporting operation that knows, each month, exactly what the deployment requires.
Building reporting that protects both sides
Right reporting comes from the same operational discipline that defends an audit, applied with margin in mind as well as compliance. Four moves get a hoster there.
The pattern is the same one that runs through all of hoster compliance. A monthly reconciliation, current mappings, and evidence kept as you go. The difference is the lens. When you run that discipline and read the variance in both directions, you stop treating over reporting as safe and start treating it as the cost it is. The reward is reporting that an auditor cannot fault and a finance team can defend.
From right reporting to a protected position
Right reporting protects margin month to month, but realising the full benefit usually means looking back as well as forward. There may be over reporting already baked into your current cycles, and there may be under reported months in the lookback that need addressing before an audit forces the issue. Untangling both at once, recovering margin where you have been over declaring while closing genuine gaps, is delicate work, because the moves interact and the correction window is short. This is where buyer side help earns its place. We model your reporting in both directions, separate genuine exposure from wasted spend, and design the reporting operation that holds the right number going forward.
Our guarantee stands behind the engagement: we reduce your exposure or we reimburse our service fee. Pricing is a fixed fee from $18,000, or gainshare, a share of the verified savings or avoided penalty with zero retainer and no risk to you, which fits this work well because much of the value shows up as margin recovered and penalty avoided. If you suspect your reporting is wrong in either direction, and most is, the right next step is a conversation about where.
If this is live on your desk right now, our SPLA reporting discipline service puts the monthly evidence in order before an auditor ever asks.