The Hoster Audit Readiness Checklist

When a SPLA audit notice arrives, a Big Four firm will verify compliance for every monthly cycle across a 36 month lookback under the MBSA audit clause. The hosters who come through cleanly are the ones whose readiness was built into operations long before the notice. This checklist sets out what audit ready actually means for a hoster, organized so you can score your own estate against it.

How a SPLA audit tests you

The auditor has broad authority to request deployment records, server configuration data, customer contracts, and usage logs, and tests each month rather than your current position alone. Back fees at the price file rate are not negotiable. The penalty uplift, which ranges from 25 to 125 percent depending on severity, duration, and the nature of any under reporting, is negotiable. Readiness is what keeps the back fee small and gives you the evidence to argue the uplift down.

The reporting checklist

Reporting discipline is the structural defense. These are the items that make a month defensible.

• A monthly SAL report submitted on time for every month, with no missing cycles across the lookback.
• Sealed daily authentication counts that prove each user based SAL figure as it was reported.
• Processor and core counts recorded consistently where that metric applies, with no drift in method between months.
• The correct SPUR applied for each month, since the Services Provider Use Rights change over time and the right version governs.
• A record of any correction made, captured inside the short window when a reporting mistake can still be fixed.

The mapping checklist

Reporting is only defensible when every number traces to a customer and a product. These items close that loop.

• Customer mapping for each reported SAL block, so no estate is left unattributed.
• Product and version mapping, so each deployment is tied to the edition and version actually licensed.
• Documented multi tenant boundaries, so shared infrastructure is allocated cleanly between customers.
• Commission and decommission dates for each server, so partial months are counted correctly.
• Customer contracts on file that match the services you reported against them.

Scoring your readiness

The table below is a simple way to read where you stand. The bands are indicative.

These bands are indicative. The further you sit from audit ready, the more of the lookback the auditor reconstructs on assumptions, and the weaker your position on the negotiable uplift.

Turn the checklist into a register

A checklist tells you where the gaps are. A standing register keeps them closed. Building that register is covered in building a SPLA compliance register, and the customer side of the mapping is covered in customer mapping for every reported SAL. Together they convert a one time readiness check into an operating discipline that holds across the lookback.

Where to take it next

Running the checklist honestly often surfaces months that would not survive an audit today. That is useful to know before a notice arrives, while there is still room to strengthen records and correct mistakes in time. Our SPLA audit defense guide sets out the full discipline, and a strategy call is the fastest way to pressure test your readiness against how a Big Four auditor would actually test you.

Before you send anything back to the auditor, we defend the full 36 month lookback through our SPLA audit defense work.