The First 48 Hours of a SPLA Audit

A SPLA audit opens with a letter and a Big Four firm. The first 48 hours will not decide the outcome, but they set the posture for everything that follows. Move calmly, control the channel, and resist the urge to be helpful before you are ready.

What you are actually facing

SPLA is Microsoft's monthly licensing program for hosters, managed service providers, and outsourcers that deliver Microsoft software to external customers. It is pay as you consume, and compliance is verified for every monthly reporting cycle, not just your current position, across a 36 month lookback. The audit runs under the MBSA audit clause, conducted by a Big Four firm with broad authority to request deployment records, server configuration data, customer contracts, and usage logs. That scope is wide, which is exactly why the opening hours are about control rather than speed.

The first 48 hours, hour by phase

These steps fit comfortably inside two days and protect you for the months ahead.

1. Acknowledge, do not engageConfirm receipt professionally and say you are organizing your response. Do not answer substantive questions, share data, or agree to a kickoff agenda yet.
2. Name one channelAppoint a single owner for all auditor communication. Instruct every team that no logs, exports, or estimates go out except through that owner.
3. Check the contractual basisIdentify the agreement and clause cited, confirm the named entity, and note the stated scope and the 36 month window. Anything beyond the clause can be addressed in writing.
4. Lock down your recordsPreserve your monthly SAL reports, authentication counts, customer mappings, and version mappings as they stand. Do not edit historical reports. Altering the record is far worse than an error in it.
5. Pull your own monthly pictureBegin reconstructing your reported position month by month so you know where you stand before the auditor tells you.
6. Bring in buyer side helpEngage independent support before the first working session, so the auditor never sets the rules unopposed.

What not to do in the opening days

The early mistakes are the expensive ones because they are hard to walk back.

• Do not grant access to live infrastructure, hypervisors, or authentication systems
• Do not submit revised or backdated monthly reports to tidy the history
• Do not offer estimates of past consumption before reconstructing the real figures
• Do not accept the auditor's counting approach as settled
• Do not let an informal kickoff call turn into an unrecorded data exchange

Why the monthly history is everything

Unlike an end customer audit that reconciles a single current position, a SPLA audit tests every month in the lookback. Hosters apply the SPUR, the Services Provider Use Rights, and report SAL or processor counts each month. The auditor will examine whether each month was reported on time and counted correctly. Your defense is your reporting record, so the first 48 hours are spent protecting and understanding that record, not improvising around it.

A worked view of the exposure structure

The figures are indicative and show how a SPLA settlement is built, not a quote.

Component	Status	Where the defense sits
Back fees at price file rate	Not negotiable	Reduce the underlying count through accurate reconstruction
Penalty uplift, 25 to 125 percent	Negotiable	Demonstrated reporting discipline and good faith
Scope of lookback	36 months	Hold the auditor to the clause

The next step

The first 48 hours are about posture, control the channel, protect the record, and bring in help before the auditor sets the rules. The full sequence is laid out in our SPLA Audit Defense Field Guide, and the related articles below cover the data request and the settlement. Download the guide now and brief your team before the kickoff.

Related reading

If this is live on your desk right now, our SPLA audit defense team challenges the counting before back fees are set.