Hosters who decide to leave SPLA often hope the exit itself closes the question of compliance. It does not. The 36-month lookback survives the agreement, which means the years you operated under SPLA remain auditable after you stop reporting. That single fact reshapes the timing question entirely. The wrong sequence, a sudden termination while your monthly reporting is unverified, can look like the exact pattern that draws scrutiny. The right sequence, an exit made from a clean and verified position, removes the reason to look. This article sets out how to time a SPLA exit so the calendar works for you.
Why the lookback governs the timing
SPLA compliance is verified for every monthly reporting cycle across a 36-month lookback, conducted by a Big Four firm under the MBSA audit clause. Crucially, the auditor's authority is tied to that lookback, not to whether you are currently an active SPLA provider. Leaving the program does not reset the clock on the months you were in it. For roughly three years after your final report, those months remain inside the window an audit can reconstruct. So the real exposure is not the exit date. It is the state of the reporting in the trailing 36 months at the moment you exit.
Why a poorly timed exit can invite an audit
Microsoft and its auditors notice patterns. A provider that has been underreporting and then abruptly terminates its SPLA, with no clean verification of the final years, presents a profile that can read as flight from exposure rather than a considered commercial move. An exit is not itself a trigger, but an exit layered on top of weak reporting, a sudden volume drop, or unresolved discrepancies can raise the very risk it was meant to avoid. The lesson is not to delay leaving. It is to leave in good order, so the exit tells a clean story rather than an alarming one.
Verify first, then exit
The defensible sequence is to put the trailing position in order before you terminate, not after. That means running your own internal reconstruction of the lookback months while you still control the records, correcting any reporting gaps within the program where the short correction window still allows it, and exiting from a position you have verified rather than one you are hoping holds. A provider who can show that the final 36 months were reconciled and accurate has nothing for an audit to find, and the exit becomes a non-event. A provider who exits first and reconstructs later has handed the initiative to the auditor.
A sequence that holds up
The order below is the spine of a defensible exit. Each step protects the one after it.
- Reconstruct the trailing 36 months of SAL and processor reporting from your own authoritative records
- Reconcile that reconstruction against deployment, customer mapping, and product version mapping
- Correct any gap within the program while the short correction window is still open
- Document the verified final position so the closing months tell a clean story
- Plan the CSP transition so customer service continues without a compliance gap
- Terminate SPLA from the verified position, keeping the records for the full lookback
Notice that termination is the last step, not the first. The work that makes an exit safe all happens while you are still inside the program and still hold the leverage of being able to correct.
A worked illustration of two timings
The figures below are indicative and chosen only to contrast two sequences, not to quote any real outcome.
| Step | Exit first | Verify first |
|---|---|---|
| Trailing 36 months | unverified at exit | reconstructed and reconciled |
| Correction window | closed after exit | used while open |
| Exit profile | abrupt, unexplained | clean, documented |
| Audit footing | auditor sets the agenda | you hold the evidence |
| Likely result | exposure carried forward | exposure closed out |
Indicative contrast of two sequences, not a quoted outcome.
What if an audit is already in motion
If you have already received an audit notice, the timing question changes. You generally do not want to terminate SPLA in the middle of an active audit, because it can complicate the engagement and rarely removes any exposure. The better path is to defend the audit to a settled position first and then exit cleanly afterward, with the migration planned but held until the audit closes. An exit timed into the teeth of an active audit tends to add noise without adding protection.
Either way, the principle holds. Continuity of service to your customers must not break during the move, because a gap there creates its own problems. For how to keep that continuity intact, see compliance continuity during a SPLA exit, and for the full order of operations, read sequencing a SPLA to CSP migration. Both sit under the pillar guide.
The next step
Timing a SPLA exit well is mostly about knowing your trailing position before you act, and that is exactly the work an audit would otherwise do to you. The SPLA Audit Defense Guide covers how the lookback survives an exit, and a Strategy Call will help you sequence the move so the calendar protects you rather than exposes you.
Exit from a verified position, not a hopeful one.
Book a Strategy Call to sequence your SPLA exit so the 36-month lookback is reconciled before you terminate, not after.
If this is live on your desk right now, we plan the exit through our SPLA to CSP migration work so compliance never lapses mid-move.